Win 10 will not boot; viruses found


  • This topic is locked
15 replies to this topic

#1 Big Ern


Posted 10 March 2017 - 06:00 PM

I have a Dell laptop with Windows 10 that will not boot up to the OS. I get a missing boot device message.

I used Kaspersky Rescue 10 to find and delete many viruses. It still will not boot.

I have tried a Windows 10 ISO bootable USB to try and repair the OS, to no avail.

Any help would be appreciated!!




#2 Big Ern


Posted 12 March 2017 - 12:27 PM

Found out it will boot if I change the BIOS to UEFI. Boots to a password-protected account named "Anonymous"...

Was able to modify some files in the win32 folder using Ubuntu and changed the password for the account.

So I can get into the computer now that way, but would like to get it back to normal if possible.



#3 Big Ern


Posted 12 March 2017 - 08:21 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-03-2017
Ran by Anonymous (administrator) on DESKTOP-HT6OOIH (13-03-2017 01:11:56)
Running from C:\Users\Anonymous\Downloads
Loaded Profiles: Anonymous (Available Profiles: Anonymous)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Intel) C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
(CyberLink) C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLMLSvc_P2G8.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.9.829.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\NetworkUXBroker.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McUICnt.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFS.Common.Agent.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe
(Dell) C:\Program Files\Dell\Dell Product Registration\PRSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\McClientAnalytics.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8495320 2015-06-23] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_MAXX6] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1393880 2015-04-28] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [611248 2015-05-26] (Waves Audio Ltd.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [ZT1E14DSFG] => "C:\Program Files\TQEZ94TXBC\TQEZ94TXB.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [DAJ0442HT4] => "C:\Program Files\MX3UBBNO6L\MX3UBBNO6.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [1PVU9MK977] => "C:\Program Files\XUZ7GK7T5F\XUZ7GK7T5.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [sanatorium] => "C:\Program Files (x86)\Campground\meg.exe"
HKU\S-1-5-18\...\Run: [] => [X]
Startup: C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amc.lnk [2017-02-09]
ShortcutTarget: amc.lnk -> C:\Program Files (x86)\Campground\meg.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1f398c85-e2bf-41f9-af8c-de6c2c1e78b5}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{257b836f-5da8-4e27-b23c-e665585f4666}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{36cc4bb5-9d14-4537-8c33-ded14e18893c}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{56990b27-ed9a-11e6-b3ee-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{609c0b0b-99e1-487e-9381-7683a3330a80}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{95971474-7de5-44cb-93b6-ac0f10a4db9a}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{cb51b488-8f46-4193-b6aa-b3fe7d466b8d}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{cd999e18-c348-4a31-8868-bfb8b9053d83}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{d41a0288-a387-4bab-8fe2-f76c79282fbe}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{d41a0288-a387-4bab-8fe2-f76c79282fbe}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{f0c65bf8-22cb-499a-8c65-9831275db355}: [NameServer] 8.8.8.8
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-135991085-411779553-2117316153-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2016-09-23] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2016-09-23] (McAfee, Inc.)
 
FireFox:
========
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: (McAfee Anti-Spam Thunderbird Extension) - C:\Program Files\McAfee\MSK [2017-03-09] [not signed]
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2016-09-23] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2016-09-23] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default [2017-03-13]
CHR Extension: (No Name) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahggfmgiidlaceichjfemgbaggnbaloe [2017-02-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
CHR Extension: (Chrome Media Router) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [137968 2015-09-22] (Dell Inc.)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
S2 Dell Help & Support; C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe [77648 2016-12-22] (Dell Inc.)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2572024 2016-06-23] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [202488 2016-06-23] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 ibtsiva; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [150256 2015-06-09] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [350312 2015-09-08] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
S3 Intel® WiDi SAM; C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [19088 2015-06-17] (Intel Corporation)
R2 IntelUSBoverIP; C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe [396992 2015-07-06] (Intel)
S2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223520 2015-07-11] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [993824 2016-09-23] (McAfee, Inc.)
S3 McAWFwk; C:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [338208 2015-03-19] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.9.829.0\\McCSPServiceHost.exe [1910000 2016-05-31] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [816128 2016-06-21] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232688 2016-04-26] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [382456 2016-08-02] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [277744 2016-04-26] (McAfee, Inc.)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1454216 2016-09-13] (McAfee, Inc.)
S3 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-06-12] ()
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1045336 2016-05-25] (Intel Security, Inc.)
R2 Product Registration; C:\Program Files\Dell\Dell Product Registration\PRSvc.exe [80208 2016-09-22] (Dell)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294616 2015-05-22] (Realtek Semiconductor)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31704 2016-09-09] (Dell Inc.)
R2 WavesSysSvc; C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe [564144 2015-05-26] (Waves Audio Ltd.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3831200 2015-06-12] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cfwids; C:\WINDOWS\System32\drivers\cfwids.sys [78632 2016-08-02] (McAfee, Inc.)
R1 CLVirtualDrive; C:\WINDOWS\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [32464 2015-09-11] (Dell Computer Corporation)
R3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [24240 2015-09-11] (Dell Computer Corporation)
R3 DellRbtn; C:\WINDOWS\System32\drivers\DellRbtn.sys [19440 2015-05-08] (OSR Open Systems Resources, Inc.)
S3 HipShieldK; C:\WINDOWS\System32\drivers\HipShieldK.sys [216704 2016-08-02] (McAfee, Inc.)
S3 iaLPSS_GPIO; C:\WINDOWS\System32\drivers\iaLPSS_GPIO.sys [46856 2015-06-15] (Intel Corporation)
S3 iaLPSS_I2C; C:\WINDOWS\System32\drivers\iaLPSS_I2C.sys [132360 2015-06-15] (Intel Corporation)
S3 iaLPSS_SPI; C:\WINDOWS\System32\drivers\iaLPSS_SPI.sys [113416 2015-06-15] (Intel Corporation)
S3 iaLPSS_UART2; C:\WINDOWS\System32\drivers\iaLPSS_UART2.sys [155400 2015-06-15] (Intel Corporation)
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [263952 2016-02-21] (Intel Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251840 2017-03-13] (Malwarebytes)
R2 mfeaack; C:\WINDOWS\System32\drivers\mfeaack.sys [419624 2016-08-02] (McAfee, Inc.)
R3 mfeavfk; C:\WINDOWS\System32\drivers\mfeavfk.sys [349480 2016-08-02] (McAfee, Inc.)
S0 mfeelamk; C:\WINDOWS\System32\drivers\mfeelamk.sys [83608 2016-08-02] (McAfee, Inc.)
R3 mfefirek; C:\WINDOWS\System32\drivers\mfefirek.sys [493352 2016-08-02] (McAfee, Inc.)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [843048 2016-08-02] (McAfee, Inc.)
R3 mfencbdc; C:\WINDOWS\System32\DRIVERS\mfencbdc.sys [519456 2016-08-01] (McAfee, Inc.)
S3 mfencrk; C:\WINDOWS\System32\DRIVERS\mfencrk.sys [100136 2016-08-01] (McAfee, Inc.)
R0 mfewfpk; C:\WINDOWS\System32\drivers\mfewfpk.sys [243496 2016-08-02] (McAfee, Inc.)
R3 NETwNb64; C:\WINDOWS\System32\drivers\Netwbw02.sys [3485696 2015-10-30] (Intel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [896744 2016-02-21] (Realtek                                            )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [402960 2015-05-13] (Realsil Semiconductor Corporation)
S3 usb3Hub; C:\WINDOWS\System32\drivers\usb3Hub.sys [212056 2015-07-06] (Windows ® Win 7 DDK provider)
S1 VBoxNetAdp; C:\WINDOWS\system32\DRIVERS\VBoxNetAdp6.sys [131144 2017-01-16] (Oracle Corporation)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-13 01:11 - 2017-03-13 01:13 - 00019124 _____ C:\Users\Anonymous\Downloads\FRST.txt
2017-03-13 01:09 - 2017-03-13 01:11 - 00000000 ____D C:\FRST
2017-03-13 01:07 - 2017-03-13 01:09 - 02424832 _____ (Farbar) C:\Users\Anonymous\Downloads\FRST64.exe
2017-03-13 00:53 - 2017-03-13 00:53 - 00004208 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse
2017-03-13 00:23 - 2017-03-13 00:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2017-03-13 00:16 - 2016-10-27 21:22 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-03-12 22:50 - 2017-03-12 22:50 - 00879220 _____ C:\WINDOWS\SysWOW64\PerfStringBackup.INI
2017-03-12 20:03 - 2017-03-12 20:09 - 00000000 ____D C:\$WINDOWS.~BT
2017-03-12 07:23 - 2017-03-12 07:27 - 34885984 _____ (Adlice Software ) C:\Users\Anonymous\Desktop\setup (1).exe
2017-03-12 07:19 - 2017-03-12 07:20 - 00268760 _____ C:\TDSSKiller.3.1.0.12_12.03.2017_07.19.39_log.txt
2017-03-12 07:14 - 2017-03-12 07:14 - 730974241 _____ C:\WINDOWS\MEMORY.DMP
2017-03-12 07:14 - 2017-03-12 07:14 - 00198636 _____ C:\WINDOWS\Minidump\031217-18546-01.dmp
2017-03-12 07:14 - 2017-03-12 07:14 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-12 06:39 - 2017-03-13 00:23 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2017-03-12 06:39 - 2017-03-12 07:27 - 00000901 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-03-12 06:39 - 2017-03-12 07:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-03-12 06:39 - 2017-03-12 07:27 - 00000000 ____D C:\Program Files\RogueKiller
2017-03-12 06:38 - 2017-03-12 08:07 - 00000000 ____D C:\ProgramData\RogueKiller
2017-03-12 06:28 - 2017-03-12 06:38 - 34885984 _____ (Adlice Software ) C:\Users\Anonymous\Downloads\setup.exe
2017-03-12 06:28 - 2017-03-12 06:37 - 00002480 _____ C:\Users\Anonymous\Desktop\unhide.txt
2017-03-12 06:28 - 2017-03-12 06:28 - 00427648 _____ (Bleeping Computer, LLC) C:\Users\Anonymous\Downloads\unhide (1).exe
2017-03-12 06:27 - 2017-03-12 07:19 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Anonymous\Downloads\tdsskiller.exe
2017-03-12 06:25 - 2017-03-12 06:25 - 00427648 _____ (Bleeping Computer, LLC) C:\Users\Anonymous\Downloads\unhide.exe
2017-03-12 06:24 - 2017-03-12 06:24 - 00007529 _____ C:\WINDOWS\system32\Drivers\etc\hosts.bak
2017-03-12 06:14 - 2017-03-12 07:19 - 00019800 _____ C:\WINDOWS\ntbtlog.txt
2017-03-12 06:13 - 2017-03-12 06:39 - 00000000 ____D C:\Users\Anonymous\AppData\Local\CrashDumps
2017-03-12 06:13 - 2017-03-12 06:13 - 03423928 _____ (Symantec Corporation) C:\Users\Anonymous\Downloads\NPE.exe
2017-03-11 21:40 - 2017-03-12 06:15 - 00000000 ____D C:\NPE
2017-03-11 21:39 - 2017-03-11 21:39 - 00111288 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR501.SYS.bak
2017-03-11 21:39 - 2017-03-11 21:39 - 00000000 ____D C:\ProgramData\SMR501
2017-03-11 21:38 - 2017-03-12 07:19 - 00000000 ____D C:\Users\Anonymous\AppData\Local\NPE
2017-03-11 21:38 - 2017-03-11 21:39 - 00000000 ____D C:\ProgramData\Norton
2017-03-11 20:55 - 2017-03-13 01:03 - 00004020 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2017-03-11 19:47 - 2017-03-11 21:36 - 00000000 ____D C:\KVRT_Data
2017-03-11 19:26 - 2017-03-12 22:59 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-11 19:24 - 2017-03-12 19:58 - 00000000 ____D C:\WINDOWS\pss
2017-03-11 19:21 - 2017-03-11 19:21 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-DESKTOP-HT6OOIH-Windows-10-Home-(64-bit).dat
2017-03-11 19:21 - 2017-03-11 19:21 - 00000000 ____D C:\RegBackup
2017-03-11 19:12 - 2017-03-11 19:12 - 00000000 __SHD C:\found.002
2017-03-11 18:05 - 2017-03-11 18:05 - 00000000 ____D C:\ProgramData\PC-Doctor for Windows
2017-03-11 18:05 - 2017-03-11 18:05 - 00000000 ____D C:\Program Files\Dell Support Center
2017-03-11 17:57 - 2017-03-11 17:57 - 00000000 __SHD C:\found.001
2017-03-11 17:57 - 2017-03-11 17:57 - 00000000 __SHD C:\found.000
2017-03-11 17:53 - 2017-03-11 17:53 - 06751360 _____ (ESET spol. s r.o.) C:\Users\Anonymous\Downloads\esetonlinescanner_enu.exe
2017-03-11 17:53 - 2017-03-11 17:53 - 00000000 ____D C:\Users\Anonymous\AppData\Local\ESET
2017-03-11 17:36 - 2017-03-11 17:36 - 00190804 _____ C:\WINDOWS\Tweaking.com - Windows Repair Setup Log.txt
2017-03-11 17:36 - 2017-03-11 17:36 - 00003790 _____ C:\WINDOWS\System32\Tasks\Tweaking.com - Windows Repair Tray Icon
2017-03-11 17:36 - 2017-03-11 17:36 - 00002234 _____ C:\Users\Anonymous\Desktop\Tweaking.com - Windows Repair.lnk
2017-03-11 17:36 - 2017-03-11 17:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2017-03-11 17:36 - 2017-03-11 17:36 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2017-03-11 17:35 - 2017-03-11 17:35 - 32823032 _____ (Tweaking.com) C:\Users\Anonymous\Downloads\tweaking.com_windows_repair_aio_setup.exe
2017-03-11 17:33 - 2017-03-11 17:33 - 31160157 _____ C:\Users\Anonymous\Downloads\tweaking.com_windows_repair_aio.zip
2017-03-11 17:33 - 2017-03-11 17:33 - 00000000 ____D C:\ProgramData\4ad2a654-e39f-46db-97df-cd5dee76f248
2017-03-11 17:15 - 2017-03-13 01:12 - 00250816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-11 17:14 - 2017-03-13 01:12 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-11 17:14 - 2017-03-11 17:14 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-11 11:36 - 2015-10-30 03:17 - 00233984 _____ (Microsoft Corporation) C:\WINDOWS\system32\cmd (copy).exe
2017-03-11 11:03 - 2017-03-11 11:10 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2017-03-10 09:02 - 2017-03-10 09:08 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2017-02-11 12:35 - 2017-02-11 12:35 - 00000000 ____D C:\Users\Anonymous\Desktop\New folder
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-13 00:45 - 2015-11-03 06:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2017-03-13 00:45 - 2015-11-03 06:46 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2017-03-13 00:39 - 2015-11-03 06:58 - 00000000 ____D C:\Program Files\Dell
2017-03-13 00:39 - 2015-11-03 06:08 - 00000000 ____D C:\ProgramData\Dell
2017-03-13 00:20 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-13 00:15 - 2017-02-07 23:48 - 00000000 ____D C:\WINDOWS\INF
2017-03-13 00:15 - 2015-11-03 06:52 - 00814664 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-13 00:12 - 2017-02-07 21:09 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-13 00:12 - 2017-02-07 08:34 - 00000000 __SHD C:\Users\Anonymous\IntelGraphicsProfiles
2017-03-13 00:10 - 2017-02-07 21:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-13 00:06 - 2017-02-07 21:03 - 00203432 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-03-13 00:05 - 2017-02-07 23:29 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2017-03-12 23:35 - 2017-02-07 23:41 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-03-12 23:07 - 2017-02-07 22:17 - 00000000 ____D C:\Users\Anonymous\AppData\Local\Packages
2017-03-12 22:52 - 2017-02-07 07:41 - 00000000 _____ C:\Recovery.txt
2017-03-12 20:20 - 2017-02-07 21:35 - 00000000 ____D C:\Users\Anonymous
2017-03-12 20:09 - 2017-02-08 00:01 - 00000000 ___DC C:\WINDOWS\Panther
2017-03-12 20:09 - 2015-11-03 07:29 - 00001908 _____ C:\WINDOWS\diagwrn.xml
2017-03-12 20:09 - 2015-11-03 07:29 - 00001908 _____ C:\WINDOWS\diagerr.xml
2017-03-12 07:14 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\fatback
2017-03-12 06:24 - 2015-07-10 07:04 - 00000054 _____ C:\WINDOWS\system32\Drivers\etc\hosts_bak_609
2017-03-12 06:17 - 2017-02-08 10:28 - 00002768 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-03-12 06:17 - 2017-02-07 22:20 - 00002377 _____ C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-12 06:17 - 2017-02-07 08:39 - 00000000 ___RD C:\Users\Anonymous\OneDrive
2017-03-11 23:40 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\rescache
2017-03-11 19:20 - 2017-02-08 00:55 - 00000000 ____D C:\Program Files (x86)\ITSecTeam
2017-03-11 18:23 - 2017-02-09 00:23 - 00000000 ____D C:\Users\Anonymous\Desktop\havij 1.17
2017-03-11 17:36 - 2017-02-08 01:12 - 00000167 _____ C:\WINDOWS\SysWOW64\DLC_Debug_log.txt
2017-03-11 17:25 - 2017-02-08 00:35 - 00002346 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-11 17:25 - 2017-02-08 00:35 - 00002334 _____ C:\Users\Anonymous\Desktop\Google Chrome.lnk
2017-03-10 11:38 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\Campground
2017-03-10 09:08 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\Nobleness
2017-03-10 09:04 - 2017-02-09 02:24 - 00000000 ____D C:\Program Files (x86)\linker
2017-03-10 09:00 - 2017-02-09 02:22 - 00000000 ____D C:\Program Files\XUZ7GK7T5F
2017-03-10 08:57 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files\MX3UBBNO6L
2017-03-10 08:57 - 2017-02-09 02:18 - 00000000 ____D C:\Program Files\TQEZ94TXBC
2017-03-09 21:26 - 2017-02-09 23:51 - 00000000 ____D C:\Program Files\WinRAR
2017-03-09 21:26 - 2017-02-09 02:42 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
2017-03-09 21:26 - 2017-02-09 01:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gmail Hacker Pro v2.9.0
2017-03-09 21:26 - 2017-02-08 12:35 - 00000000 ____D C:\Users\Anonymous\Desktop\rufus_files
2017-03-09 21:26 - 2017-02-08 05:46 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2017-03-09 21:26 - 2017-02-08 04:53 - 00000000 ____D C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-03-09 21:26 - 2017-02-08 04:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\ELAMBKUP
2017-03-09 21:26 - 2017-02-07 23:29 - 00000000 ____D C:\WINDOWS\servicing
2017-03-09 21:26 - 2017-02-07 23:14 - 00000000 ____D C:\Program Files (x86)\Dell Customer Connect
2017-03-09 21:26 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files\mcafee
2017-03-09 21:26 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-03-09 21:26 - 2015-11-03 06:59 - 00000000 ____D C:\Program Files (x86)\Dell Digital Delivery
2017-03-09 21:26 - 2015-11-03 06:55 - 00000000 ___HD C:\WINDOWS\system32\WLANProfiles
2017-03-09 21:26 - 2015-07-10 07:04 - 00000000 ____D C:\WINDOWS\system32\GroupPolicy
2017-03-09 21:23 - 2017-02-07 23:50 - 00000000 ____D C:\Program Files\WindowsApps
2017-03-09 21:18 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\registration
2017-03-09 21:18 - 2015-11-03 07:02 - 00000000 ____D C:\ProgramData\McAfee
2017-03-09 21:17 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files (x86)\McAfee
2017-03-09 09:49 - 2017-02-07 23:29 - 00032768 ___SH C:\WINDOWS\system32\config\ELAM
 
==================== Files in the root of some directories =======
 
2017-02-07 21:09 - 2017-02-07 21:09 - 0000000 _____ () C:\ProgramData\DP45977C.lfl
2015-11-03 06:51 - 2015-11-03 06:51 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2015-11-03 06:46 - 2015-11-03 06:47 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2015-11-03 06:49 - 2015-11-03 06:51 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2015-11-03 06:47 - 2015-11-03 06:49 - 0000113 _____ () C:\ProgramData\{E1646825-D391-42A0-93AA-27FA810DA093}.log
 
Some files in TEMP:
====================
2017-03-13 00:23 - 2016-10-25 05:41 - 1819208 _____ (Microsoft Corporation) C:\Users\Anonymous\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-11 21:08
 
==================== End of FRST.txt ============================



#4 Big Ern (Topic Starter)

Posted 12 March 2017 - 08:35 PM

I cannot figure out how to attach the addition.txt file. I see no attach file button like the prep instructions show.



#5 HelpBot (Bleepin' Binary Bot)

Posted 16 March 2017 - 03:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/641773 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 16 March 2017 - 07:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If you still need help please execute these instructions.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [ZT1E14DSFG] => "C:\Program Files\TQEZ94TXBC\TQEZ94TXB.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [DAJ0442HT4] => "C:\Program Files\MX3UBBNO6L\MX3UBBNO6.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [sanatorium] => "C:\Program Files (x86)\Campground\meg.exe"
HKU\S-1-5-18\...\Run: [] => [X]
ShortcutTarget: amc.lnk -> C:\Program Files (x86)\Campground\meg.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-135991085-411779553-2117316153-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
CHR Extension: (Chrome Media Router) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
===

p.s.
Please paste the Addition.txt file and I will review it.
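The entries nasdaq put in the fixlist share a few traits that a reader can check for in any FRST log: user-hive Run values whose target is a quoted path with no "[size date] (signer)" bracket after it (FRST could not describe the file), targets under Program Files in folders with random-looking names, an empty Run value under S-1-5-18, a Startup shortcut whose target is "(No File)", and FRST's own "Restriction <======= ATTENTION" marker. As an added example that is not part of this thread or of FRST, the Python below applies those checks to FRST-style lines; the sample lines are constructed to mirror the log above, and the "random-looking name" heuristic (8+ uppercase letters and digits, at least one of each) is my own assumption, not an FRST rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, mirroring the "Registry (Whitelisted)" section of the
# FRST log in this thread (not a pasted copy of a real scan).
SAMPLE_LINES = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8495320 2015-06-23] (Realtek Semiconductor)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [ZT1E14DSFG] => "C:\Program Files\TQEZ94TXBC\TQEZ94TXB.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [sanatorium] => "C:\Program Files (x86)\Campground\meg.exe"
HKU\S-1-5-18\...\Run: [] => [X]
Startup: C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amc.lnk [2017-02-09]
ShortcutTarget: amc.lnk -> C:\Program Files (x86)\Campground\meg.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
""".strip().splitlines()

# "<hive>\...\Run: [<value name>] => <target>"
RUN_RE = re.compile(r'^(?P<hive>HK\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$')
# Optional quotes around the path, then the "[size date]" and "(signer)" fields
# FRST appends when it could read the file; both are absent on the suspect lines.
TARGET_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\[^"\[]+?)"?'
    r'(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?'
    r'(?:\s+\((?P<signer>[^)]*)\))?\s*$')
# Assumed heuristic: 8+ uppercase letters/digits with at least one of each
# looks machine-generated (TQEZ94TXBC, ZT1E14DSFG); dictionary words do not.
RANDOM_TOKEN = re.compile(r'^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,}$')
PROGRAM_DIRS = {'program files', 'program files (x86)'}


@dataclass
class Finding:
    line: str
    reasons: List[str]


def random_dir_under_program_files(path: str) -> Optional[str]:
    """Return the folder directly under Program Files if its name looks random."""
    parts = path.split('\\')
    for i, part in enumerate(parts[:-1]):
        if part.lower() in PROGRAM_DIRS and i + 1 < len(parts) - 1:
            child = parts[i + 1]
            if RANDOM_TOKEN.match(child):
                return child
    return None


def triage_autostart_lines(lines) -> List[Finding]:
    """Flag FRST autostart lines that show the traits the fixlist above targeted."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = RUN_RE.match(line)
        if m:
            name, rest = m.group('name'), m.group('rest')
            if rest == '[X]':
                reasons.append('empty Run value (no target)')
            else:
                t = TARGET_RE.match(rest)
                if t is None:
                    reasons.append('unparsed Run target')
                else:
                    if t.group('size') is None:
                        reasons.append('no [size date] bracket: FRST could not describe the target file')
                    folder = random_dir_under_program_files(t.group('path'))
                    if folder:
                        reasons.append(f'random-looking folder under Program Files: {folder}')
            if RANDOM_TOKEN.match(name):
                reasons.append(f'random-looking value name: {name}')
        elif line.startswith('ShortcutTarget:') and line.endswith('(No File)'):
            reasons.append('startup shortcut points to a missing file')
        elif 'Restriction <======= ATTENTION' in line:
            reasons.append('FRST flags a policy restriction')
        if reasons:
            findings.append(Finding(line=line, reasons=reasons))
    return findings


if __name__ == '__main__':
    for f in triage_autostart_lines(SAMPLE_LINES):
        print(f.line)
        for r in f.reasons:
            print('   -', r)
```

The two signed vendor entries pass untouched, which is the point: the check isolates the handful of lines a reviewer would pull into a fixlist rather than restating the whole log.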

#7 Big Ern (Topic Starter)

Posted 16 March 2017 - 07:56 AM

This is my boss's daughter's laptop. I do not know the full history... I was given it around the 10th of March.

The computer would not boot up normally. It came to a black screen saying "could not find boot device". I changed the BIOS from legacy boot to UEFI boot and it did boot to Windows. The only account is named "anonymous"... password locked. I used the command prompt to change the password and was able to get into the account. It looks like there are no pictures, videos or documents on it. I tried to use a Win 10 boot USB to repair it when I could not get it to boot. No success. I was able to get to a point where I could have repaired the installation on the "Anonymous" account, but I decided to wait.

I have run the following programs in an attempt to restore it to before the viruses hit it:

Norton rescue 10
Mbam
RogueKiller
tdsskiller - either wouldn't run or found nothing.
eset online scan
Norton Eraser
Windows all in one repair

All programs found items and supposedly deleted or cleaned. (Some found many trojans and viruses.)

 

Here are the FRST logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Anonymous (administrator) on DESKTOP-HT6OOIH (16-03-2017 12:43:53)
Running from C:\Users\Anonymous\Desktop
Loaded Profiles: Anonymous (Available Profiles: Anonymous)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Intel) C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
(CyberLink) C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLMLSvc_P2G8.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.9.829.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\NetworkUXBroker.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McUICnt.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFS.Common.Agent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe
(Dell) C:\Program Files\Dell\Dell Product Registration\PRSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\mhn\AlertHost.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\McClientAnalytics.exe
(PC-Doctor, Inc.) C:\Program Files\Dell\SupportAssist\imstrayicon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Anonymous\Desktop\FRST64 (1).exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8495320 2015-06-23] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_MAXX6] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1393880 2015-04-28] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [611248 2015-05-26] (Waves Audio Ltd.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [ZT1E14DSFG] => "C:\Program Files\TQEZ94TXBC\TQEZ94TXB.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [DAJ0442HT4] => "C:\Program Files\MX3UBBNO6L\MX3UBBNO6.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [1PVU9MK977] => "C:\Program Files\XUZ7GK7T5F\XUZ7GK7T5.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [sanatorium] => "C:\Program Files (x86)\Campground\meg.exe"
HKU\S-1-5-18\...\Run: [] => [X]
Startup: C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amc.lnk [2017-02-09]
ShortcutTarget: amc.lnk -> C:\Program Files (x86)\Campground\meg.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1f398c85-e2bf-41f9-af8c-de6c2c1e78b5}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{257b836f-5da8-4e27-b23c-e665585f4666}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{36cc4bb5-9d14-4537-8c33-ded14e18893c}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{56990b27-ed9a-11e6-b3ee-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{609c0b0b-99e1-487e-9381-7683a3330a80}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{95971474-7de5-44cb-93b6-ac0f10a4db9a}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{cb51b488-8f46-4193-b6aa-b3fe7d466b8d}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{cd999e18-c348-4a31-8868-bfb8b9053d83}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{d41a0288-a387-4bab-8fe2-f76c79282fbe}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{d41a0288-a387-4bab-8fe2-f76c79282fbe}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{f0c65bf8-22cb-499a-8c65-9831275db355}: [NameServer] 8.8.8.8
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-135991085-411779553-2117316153-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2016-09-23] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2016-09-23] (McAfee, Inc.)
 
FireFox:
========
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: (McAfee Anti-Spam Thunderbird Extension) - C:\Program Files\McAfee\MSK [2017-03-09] [not signed]
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2016-09-23] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2016-09-23] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default [2017-03-16]
CHR Extension: (No Name) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahggfmgiidlaceichjfemgbaggnbaloe [2017-02-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
CHR Extension: (Chrome Media Router) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [137968 2015-09-22] (Dell Inc.)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
S2 Dell Help & Support; C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe [77648 2016-12-22] (Dell Inc.)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2572024 2016-06-23] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [202488 2016-06-23] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 ibtsiva; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [150256 2015-06-09] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [350312 2015-09-08] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
S3 Intel® WiDi SAM; C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [19088 2015-06-17] (Intel Corporation)
R2 IntelUSBoverIP; C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe [396992 2015-07-06] (Intel)
S2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223520 2015-07-11] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [993824 2016-09-23] (McAfee, Inc.)
S3 McAWFwk; C:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [338208 2015-03-19] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.9.829.0\\McCSPServiceHost.exe [1910000 2016-05-31] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [816128 2016-06-21] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232688 2016-04-26] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [382456 2016-08-02] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [277744 2016-04-26] (McAfee, Inc.)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1454216 2016-09-13] (McAfee, Inc.)
S3 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-06-12] ()
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1045336 2016-05-25] (Intel Security, Inc.)
R2 Product Registration; C:\Program Files\Dell\Dell Product Registration\PRSvc.exe [80208 2016-09-22] (Dell)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294616 2015-05-22] (Realtek Semiconductor)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31704 2016-09-09] (Dell Inc.)
R2 WavesSysSvc; C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe [564144 2015-05-26] (Waves Audio Ltd.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3831200 2015-06-12] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cfwids; C:\WINDOWS\System32\drivers\cfwids.sys [78632 2016-08-02] (McAfee, Inc.)
R1 CLVirtualDrive; C:\WINDOWS\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [32464 2015-09-11] (Dell Computer Corporation)
R3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [24240 2015-09-11] (Dell Computer Corporation)
R3 DellRbtn; C:\WINDOWS\System32\drivers\DellRbtn.sys [19440 2015-05-08] (OSR Open Systems Resources, Inc.)
S3 HipShieldK; C:\WINDOWS\System32\drivers\HipShieldK.sys [216704 2016-08-02] (McAfee, Inc.)
S3 iaLPSS_GPIO; C:\WINDOWS\System32\drivers\iaLPSS_GPIO.sys [46856 2015-06-15] (Intel Corporation)
S3 iaLPSS_I2C; C:\WINDOWS\System32\drivers\iaLPSS_I2C.sys [132360 2015-06-15] (Intel Corporation)
S3 iaLPSS_SPI; C:\WINDOWS\System32\drivers\iaLPSS_SPI.sys [113416 2015-06-15] (Intel Corporation)
S3 iaLPSS_UART2; C:\WINDOWS\System32\drivers\iaLPSS_UART2.sys [155400 2015-06-15] (Intel Corporation)
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [263952 2016-02-21] (Intel Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251840 2017-03-16] (Malwarebytes)
R2 mfeaack; C:\WINDOWS\System32\drivers\mfeaack.sys [419624 2016-08-02] (McAfee, Inc.)
R3 mfeavfk; C:\WINDOWS\System32\drivers\mfeavfk.sys [349480 2016-08-02] (McAfee, Inc.)
S0 mfeelamk; C:\WINDOWS\System32\drivers\mfeelamk.sys [83608 2016-08-02] (McAfee, Inc.)
R3 mfefirek; C:\WINDOWS\System32\drivers\mfefirek.sys [493352 2016-08-02] (McAfee, Inc.)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [843048 2016-08-02] (McAfee, Inc.)
R3 mfencbdc; C:\WINDOWS\System32\DRIVERS\mfencbdc.sys [519456 2016-08-01] (McAfee, Inc.)
S3 mfencrk; C:\WINDOWS\System32\DRIVERS\mfencrk.sys [100136 2016-08-01] (McAfee, Inc.)
R0 mfewfpk; C:\WINDOWS\System32\drivers\mfewfpk.sys [243496 2016-08-02] (McAfee, Inc.)
R3 NETwNb64; C:\WINDOWS\System32\drivers\Netwbw02.sys [3485696 2015-10-30] (Intel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [896744 2016-02-21] (Realtek                                            )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [402960 2015-05-13] (Realsil Semiconductor Corporation)
S3 usb3Hub; C:\WINDOWS\System32\drivers\usb3Hub.sys [212056 2015-07-06] (Windows ® Win 7 DDK provider)
S1 VBoxNetAdp; C:\WINDOWS\system32\DRIVERS\VBoxNetAdp6.sys [131144 2017-01-16] (Oracle Corporation)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-16 12:43 - 2017-03-16 12:45 - 00019285 _____ C:\Users\Anonymous\Desktop\FRST.txt
2017-03-16 12:42 - 2017-03-16 12:42 - 02424832 _____ (Farbar) C:\Users\Anonymous\Downloads\FRST64 (2).exe
2017-03-16 12:04 - 2017-03-16 12:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2017-03-16 12:01 - 2017-03-16 12:40 - 02424832 _____ (Farbar) C:\Users\Anonymous\Desktop\FRST64 (1).exe
2017-03-13 01:09 - 2017-03-16 12:43 - 00000000 ____D C:\FRST
2017-03-13 01:07 - 2017-03-13 01:09 - 02424832 _____ (Farbar) C:\Users\Anonymous\Downloads\FRST64.exe
2017-03-13 00:53 - 2017-03-16 12:01 - 00004208 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse
2017-03-13 00:16 - 2016-10-27 21:22 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-03-12 22:50 - 2017-03-12 22:50 - 00879220 _____ C:\WINDOWS\SysWOW64\PerfStringBackup.INI
2017-03-12 20:03 - 2017-03-12 20:09 - 00000000 ____D C:\$WINDOWS.~BT
2017-03-12 07:19 - 2017-03-12 07:20 - 00268760 _____ C:\TDSSKiller.3.1.0.12_12.03.2017_07.19.39_log.txt
2017-03-12 07:14 - 2017-03-12 07:14 - 730974241 _____ C:\WINDOWS\MEMORY.DMP
2017-03-12 07:14 - 2017-03-12 07:14 - 00198636 _____ C:\WINDOWS\Minidump\031217-18546-01.dmp
2017-03-12 07:14 - 2017-03-12 07:14 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-12 06:39 - 2017-03-13 00:23 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2017-03-12 06:38 - 2017-03-12 08:07 - 00000000 ____D C:\ProgramData\RogueKiller
2017-03-12 06:28 - 2017-03-12 06:38 - 34885984 _____ (Adlice Software ) C:\Users\Anonymous\Downloads\setup.exe
2017-03-12 06:28 - 2017-03-12 06:28 - 00427648 _____ (Bleeping Computer, LLC) C:\Users\Anonymous\Downloads\unhide (1).exe
2017-03-12 06:27 - 2017-03-12 07:19 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Anonymous\Downloads\tdsskiller.exe
2017-03-12 06:25 - 2017-03-12 06:25 - 00427648 _____ (Bleeping Computer, LLC) C:\Users\Anonymous\Downloads\unhide.exe
2017-03-12 06:24 - 2017-03-12 06:24 - 00007529 _____ C:\WINDOWS\system32\Drivers\etc\hosts.bak
2017-03-12 06:14 - 2017-03-12 07:19 - 00019800 _____ C:\WINDOWS\ntbtlog.txt
2017-03-12 06:13 - 2017-03-12 06:39 - 00000000 ____D C:\Users\Anonymous\AppData\Local\CrashDumps
2017-03-12 06:13 - 2017-03-12 06:13 - 03423928 _____ (Symantec Corporation) C:\Users\Anonymous\Downloads\NPE.exe
2017-03-11 21:40 - 2017-03-12 06:15 - 00000000 ____D C:\NPE
2017-03-11 21:39 - 2017-03-11 21:39 - 00111288 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR501.SYS.bak
2017-03-11 21:39 - 2017-03-11 21:39 - 00000000 ____D C:\ProgramData\SMR501
2017-03-11 21:38 - 2017-03-12 07:19 - 00000000 ____D C:\Users\Anonymous\AppData\Local\NPE
2017-03-11 21:38 - 2017-03-11 21:39 - 00000000 ____D C:\ProgramData\Norton
2017-03-11 20:55 - 2017-03-16 12:41 - 00004020 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2017-03-11 19:47 - 2017-03-11 21:36 - 00000000 ____D C:\KVRT_Data
2017-03-11 19:26 - 2017-03-12 22:59 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-11 19:24 - 2017-03-12 19:58 - 00000000 ____D C:\WINDOWS\pss
2017-03-11 19:21 - 2017-03-11 19:21 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-DESKTOP-HT6OOIH-Windows-10-Home-(64-bit).dat
2017-03-11 19:21 - 2017-03-11 19:21 - 00000000 ____D C:\RegBackup
2017-03-11 19:12 - 2017-03-11 19:12 - 00000000 __SHD C:\found.002
2017-03-11 18:05 - 2017-03-11 18:05 - 00000000 ____D C:\ProgramData\PC-Doctor for Windows
2017-03-11 18:05 - 2017-03-11 18:05 - 00000000 ____D C:\Program Files\Dell Support Center
2017-03-11 17:57 - 2017-03-11 17:57 - 00000000 __SHD C:\found.001
2017-03-11 17:57 - 2017-03-11 17:57 - 00000000 __SHD C:\found.000
2017-03-11 17:53 - 2017-03-11 17:53 - 06751360 _____ (ESET spol. s r.o.) C:\Users\Anonymous\Downloads\esetonlinescanner_enu.exe
2017-03-11 17:53 - 2017-03-11 17:53 - 00000000 ____D C:\Users\Anonymous\AppData\Local\ESET
2017-03-11 17:36 - 2017-03-11 17:36 - 00190804 _____ C:\WINDOWS\Tweaking.com - Windows Repair Setup Log.txt
2017-03-11 17:36 - 2017-03-11 17:36 - 00003790 _____ C:\WINDOWS\System32\Tasks\Tweaking.com - Windows Repair Tray Icon
2017-03-11 17:36 - 2017-03-11 17:36 - 00002234 _____ C:\Users\Anonymous\Desktop\Tweaking.com - Windows Repair.lnk
2017-03-11 17:36 - 2017-03-11 17:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2017-03-11 17:36 - 2017-03-11 17:36 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2017-03-11 17:35 - 2017-03-11 17:35 - 32823032 _____ (Tweaking.com) C:\Users\Anonymous\Downloads\tweaking.com_windows_repair_aio_setup.exe
2017-03-11 17:33 - 2017-03-11 17:33 - 31160157 _____ C:\Users\Anonymous\Downloads\tweaking.com_windows_repair_aio.zip
2017-03-11 17:33 - 2017-03-11 17:33 - 00000000 ____D C:\ProgramData\4ad2a654-e39f-46db-97df-cd5dee76f248
2017-03-11 17:15 - 2017-03-16 12:17 - 00251840 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-11 17:14 - 2017-03-16 12:16 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-11 17:14 - 2017-03-11 17:14 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-11 11:36 - 2015-10-30 03:17 - 00233984 _____ (Microsoft Corporation) C:\WINDOWS\system32\cmd (copy).exe
2017-03-11 11:03 - 2017-03-11 11:10 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2017-03-10 09:02 - 2017-03-10 09:08 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-16 12:17 - 2017-02-07 23:50 - 00000000 ____D C:\Program Files\WindowsApps
2017-03-16 12:17 - 2017-02-07 23:41 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-03-16 12:16 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-16 12:01 - 2017-02-07 23:29 - 00032768 ___SH C:\WINDOWS\system32\config\ELAM
2017-03-16 11:56 - 2017-02-07 23:48 - 00000000 ____D C:\WINDOWS\INF
2017-03-16 11:56 - 2015-11-03 06:52 - 00814664 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-13 00:45 - 2015-11-03 06:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2017-03-13 00:45 - 2015-11-03 06:46 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2017-03-13 00:39 - 2015-11-03 06:58 - 00000000 ____D C:\Program Files\Dell
2017-03-13 00:39 - 2015-11-03 06:08 - 00000000 ____D C:\ProgramData\Dell
2017-03-13 00:12 - 2017-02-07 21:09 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-13 00:12 - 2017-02-07 08:34 - 00000000 __SHD C:\Users\Anonymous\IntelGraphicsProfiles
2017-03-13 00:10 - 2017-02-07 21:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-13 00:06 - 2017-02-07 21:03 - 00203432 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-03-13 00:05 - 2017-02-07 23:29 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2017-03-12 23:07 - 2017-02-07 22:17 - 00000000 ____D C:\Users\Anonymous\AppData\Local\Packages
2017-03-12 22:52 - 2017-02-07 07:41 - 00000000 _____ C:\Recovery.txt
2017-03-12 20:20 - 2017-02-07 21:35 - 00000000 ____D C:\Users\Anonymous
2017-03-12 20:09 - 2017-02-08 00:01 - 00000000 ___DC C:\WINDOWS\Panther
2017-03-12 20:09 - 2015-11-03 07:29 - 00001908 _____ C:\WINDOWS\diagwrn.xml
2017-03-12 20:09 - 2015-11-03 07:29 - 00001908 _____ C:\WINDOWS\diagerr.xml
2017-03-12 07:14 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\fatback
2017-03-12 06:24 - 2015-07-10 07:04 - 00000054 _____ C:\WINDOWS\system32\Drivers\etc\hosts_bak_609
2017-03-12 06:17 - 2017-02-08 10:28 - 00002768 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-03-12 06:17 - 2017-02-07 22:20 - 00002377 _____ C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-12 06:17 - 2017-02-07 08:39 - 00000000 ___RD C:\Users\Anonymous\OneDrive
2017-03-11 23:40 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\rescache
2017-03-11 19:20 - 2017-02-08 00:55 - 00000000 ____D C:\Program Files (x86)\ITSecTeam
2017-03-11 18:23 - 2017-02-09 00:23 - 00000000 ____D C:\Users\Anonymous\Desktop\havij 1.17
2017-03-11 17:36 - 2017-02-08 01:12 - 00000167 _____ C:\WINDOWS\SysWOW64\DLC_Debug_log.txt
2017-03-11 17:25 - 2017-02-08 00:35 - 00002346 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-11 17:25 - 2017-02-08 00:35 - 00002334 _____ C:\Users\Anonymous\Desktop\Google Chrome.lnk
2017-03-10 11:38 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\Campground
2017-03-10 09:08 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\Nobleness
2017-03-10 09:04 - 2017-02-09 02:24 - 00000000 ____D C:\Program Files (x86)\linker
2017-03-10 09:00 - 2017-02-09 02:22 - 00000000 ____D C:\Program Files\XUZ7GK7T5F
2017-03-10 08:57 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files\MX3UBBNO6L
2017-03-10 08:57 - 2017-02-09 02:18 - 00000000 ____D C:\Program Files\TQEZ94TXBC
2017-03-09 21:26 - 2017-02-09 23:51 - 00000000 ____D C:\Program Files\WinRAR
2017-03-09 21:26 - 2017-02-09 02:42 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
2017-03-09 21:26 - 2017-02-09 01:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gmail Hacker Pro v2.9.0
2017-03-09 21:26 - 2017-02-08 12:35 - 00000000 ____D C:\Users\Anonymous\Desktop\rufus_files
2017-03-09 21:26 - 2017-02-08 05:46 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2017-03-09 21:26 - 2017-02-08 04:53 - 00000000 ____D C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-03-09 21:26 - 2017-02-08 04:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\ELAMBKUP
2017-03-09 21:26 - 2017-02-07 23:29 - 00000000 ____D C:\WINDOWS\servicing
2017-03-09 21:26 - 2017-02-07 23:14 - 00000000 ____D C:\Program Files (x86)\Dell Customer Connect
2017-03-09 21:26 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files\mcafee
2017-03-09 21:26 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-03-09 21:26 - 2015-11-03 06:59 - 00000000 ____D C:\Program Files (x86)\Dell Digital Delivery
2017-03-09 21:26 - 2015-11-03 06:55 - 00000000 ___HD C:\WINDOWS\system32\WLANProfiles
2017-03-09 21:26 - 2015-07-10 07:04 - 00000000 ____D C:\WINDOWS\system32\GroupPolicy
2017-03-09 21:18 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\registration
2017-03-09 21:18 - 2015-11-03 07:02 - 00000000 ____D C:\ProgramData\McAfee
2017-03-09 21:17 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files (x86)\McAfee
 
==================== Files in the root of some directories =======
 
2017-02-07 21:09 - 2017-02-07 21:09 - 0000000 _____ () C:\ProgramData\DP45977C.lfl
2015-11-03 06:51 - 2015-11-03 06:51 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2015-11-03 06:46 - 2015-11-03 06:47 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2015-11-03 06:49 - 2015-11-03 06:51 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2015-11-03 06:47 - 2015-11-03 06:49 - 0000113 _____ () C:\ProgramData\{E1646825-D391-42A0-93AA-27FA810DA093}.log
 
Some files in TEMP:
====================
2017-03-13 00:23 - 2016-10-25 05:41 - 1819208 _____ (Microsoft Corporation) C:\Users\Anonymous\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-11 21:08
 
==================== End of FRST.txt ============================
 
Could not attach the Addition file in this forum, so here is a file dropper link:
 


#8 Big Ern (Topic Starter)

Posted 16 March 2017 - 07:57 AM

This is my boss's daughter's laptop. I do not know the full history... I was given it around the 10th of March.

The computer would not boot up normally. It came to a black screen saying "could not find boot device". I changed the BIOS from legacy boot to UEFI boot and it did boot to Windows. The only account is named "Anonymous"... password locked. I used the command prompt to change the password and was able to get into the account. It looks like there are no pictures, videos or documents on it. I tried to use a Win 10 boot USB to repair it when I could not get it to boot. No success. I was able to get to a point where I could have repaired the installation on the "Anonymous" account, but I decided to wait.

I have run the following programs in an attempt to restore it to before the viruses hit it:

Norton rescue 10

Mbam

RogueKiller

TDSSKiller - either wouldn't run or found nothing.

ESET online scan

Norton Eraser

Windows all in one repair

All programs found items and supposedly deleted or cleaned them. (Some found many trojans and viruses.)

Here are the FRST logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Anonymous (administrator) on DESKTOP-HT6OOIH (16-03-2017 12:43:53)
Running from C:\Users\Anonymous\Desktop
Loaded Profiles: Anonymous (Available Profiles: Anonymous)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Intel) C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
(CyberLink) C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLMLSvc_P2G8.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.9.829.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\NetworkUXBroker.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McUICnt.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFS.Common.Agent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe
(Dell) C:\Program Files\Dell\Dell Product Registration\PRSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\mhn\AlertHost.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\McClientAnalytics.exe
(PC-Doctor, Inc.) C:\Program Files\Dell\SupportAssist\imstrayicon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\Anonymous\Desktop\FRST64 (1).exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8495320 2015-06-23] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_MAXX6] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1393880 2015-04-28] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [611248 2015-05-26] (Waves Audio Ltd.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [ZT1E14DSFG] => "C:\Program Files\TQEZ94TXBC\TQEZ94TXB.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [DAJ0442HT4] => "C:\Program Files\MX3UBBNO6L\MX3UBBNO6.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [1PVU9MK977] => "C:\Program Files\XUZ7GK7T5F\XUZ7GK7T5.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [sanatorium] => "C:\Program Files (x86)\Campground\meg.exe"
HKU\S-1-5-18\...\Run: [] => [X]
Startup: C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amc.lnk [2017-02-09]
ShortcutTarget: amc.lnk -> C:\Program Files (x86)\Campground\meg.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1f398c85-e2bf-41f9-af8c-de6c2c1e78b5}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{257b836f-5da8-4e27-b23c-e665585f4666}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{36cc4bb5-9d14-4537-8c33-ded14e18893c}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{56990b27-ed9a-11e6-b3ee-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{609c0b0b-99e1-487e-9381-7683a3330a80}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{95971474-7de5-44cb-93b6-ac0f10a4db9a}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{cb51b488-8f46-4193-b6aa-b3fe7d466b8d}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{cd999e18-c348-4a31-8868-bfb8b9053d83}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{d41a0288-a387-4bab-8fe2-f76c79282fbe}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{d41a0288-a387-4bab-8fe2-f76c79282fbe}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{f0c65bf8-22cb-499a-8c65-9831275db355}: [NameServer] 8.8.8.8
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-135991085-411779553-2117316153-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2016-09-23] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2016-09-23] (McAfee, Inc.)
 
FireFox:
========
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: (McAfee Anti-Spam Thunderbird Extension) - C:\Program Files\McAfee\MSK [2017-03-09] [not signed]
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2016-09-23] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2016-09-23] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-07] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default [2017-03-16]
CHR Extension: (No Name) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahggfmgiidlaceichjfemgbaggnbaloe [2017-02-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
CHR Extension: (Chrome Media Router) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [137968 2015-09-22] (Dell Inc.)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
S2 Dell Help & Support; C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe [77648 2016-12-22] (Dell Inc.)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2572024 2016-06-23] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [202488 2016-06-23] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-06-09] (Dell Inc.)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 ibtsiva; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [150256 2015-06-09] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [350312 2015-09-08] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R3 Intel® Security Assist; C:\Program Files (x86)\Intel\Intel® Security Assist\isa.exe [335872 2015-05-19] (Intel Corporation) [File not signed]
S3 Intel® WiDi SAM; C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [19088 2015-06-17] (Intel Corporation)
R2 IntelUSBoverIP; C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe [396992 2015-07-06] (Intel)
S2 isaHelperSvc; C:\Program Files (x86)\Intel\Intel® Security Assist\isaHelperService.exe [7680 2015-05-19] () [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223520 2015-07-11] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [993824 2016-09-23] (McAfee, Inc.)
S3 McAWFwk; C:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [338208 2015-03-19] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.9.829.0\\McCSPServiceHost.exe [1910000 2016-05-31] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [816128 2016-06-21] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232688 2016-04-26] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [382456 2016-08-02] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [277744 2016-04-26] (McAfee, Inc.)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1454216 2016-09-13] (McAfee, Inc.)
S3 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [596768 2016-07-07] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-06-12] ()
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1045336 2016-05-25] (Intel Security, Inc.)
R2 Product Registration; C:\Program Files\Dell\Dell Product Registration\PRSvc.exe [80208 2016-09-22] (Dell)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294616 2015-05-22] (Realtek Semiconductor)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31704 2016-09-09] (Dell Inc.)
R2 WavesSysSvc; C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe [564144 2015-05-26] (Waves Audio Ltd.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3831200 2015-06-12] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cfwids; C:\WINDOWS\System32\drivers\cfwids.sys [78632 2016-08-02] (McAfee, Inc.)
R1 CLVirtualDrive; C:\WINDOWS\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [32464 2015-09-11] (Dell Computer Corporation)
R3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [24240 2015-09-11] (Dell Computer Corporation)
R3 DellRbtn; C:\WINDOWS\System32\drivers\DellRbtn.sys [19440 2015-05-08] (OSR Open Systems Resources, Inc.)
S3 HipShieldK; C:\WINDOWS\System32\drivers\HipShieldK.sys [216704 2016-08-02] (McAfee, Inc.)
S3 iaLPSS_GPIO; C:\WINDOWS\System32\drivers\iaLPSS_GPIO.sys [46856 2015-06-15] (Intel Corporation)
S3 iaLPSS_I2C; C:\WINDOWS\System32\drivers\iaLPSS_I2C.sys [132360 2015-06-15] (Intel Corporation)
S3 iaLPSS_SPI; C:\WINDOWS\System32\drivers\iaLPSS_SPI.sys [113416 2015-06-15] (Intel Corporation)
S3 iaLPSS_UART2; C:\WINDOWS\System32\drivers\iaLPSS_UART2.sys [155400 2015-06-15] (Intel Corporation)
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [263952 2016-02-21] (Intel Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251840 2017-03-16] (Malwarebytes)
R2 mfeaack; C:\WINDOWS\System32\drivers\mfeaack.sys [419624 2016-08-02] (McAfee, Inc.)
R3 mfeavfk; C:\WINDOWS\System32\drivers\mfeavfk.sys [349480 2016-08-02] (McAfee, Inc.)
S0 mfeelamk; C:\WINDOWS\System32\drivers\mfeelamk.sys [83608 2016-08-02] (McAfee, Inc.)
R3 mfefirek; C:\WINDOWS\System32\drivers\mfefirek.sys [493352 2016-08-02] (McAfee, Inc.)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [843048 2016-08-02] (McAfee, Inc.)
R3 mfencbdc; C:\WINDOWS\System32\DRIVERS\mfencbdc.sys [519456 2016-08-01] (McAfee, Inc.)
S3 mfencrk; C:\WINDOWS\System32\DRIVERS\mfencrk.sys [100136 2016-08-01] (McAfee, Inc.)
R0 mfewfpk; C:\WINDOWS\System32\drivers\mfewfpk.sys [243496 2016-08-02] (McAfee, Inc.)
R3 NETwNb64; C:\WINDOWS\System32\drivers\Netwbw02.sys [3485696 2015-10-30] (Intel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [896744 2016-02-21] (Realtek                                            )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [402960 2015-05-13] (Realsil Semiconductor Corporation)
S3 usb3Hub; C:\WINDOWS\System32\drivers\usb3Hub.sys [212056 2015-07-06] (Windows ® Win 7 DDK provider)
S1 VBoxNetAdp; C:\WINDOWS\system32\DRIVERS\VBoxNetAdp6.sys [131144 2017-01-16] (Oracle Corporation)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-16 12:43 - 2017-03-16 12:45 - 00019285 _____ C:\Users\Anonymous\Desktop\FRST.txt
2017-03-16 12:42 - 2017-03-16 12:42 - 02424832 _____ (Farbar) C:\Users\Anonymous\Downloads\FRST64 (2).exe
2017-03-16 12:04 - 2017-03-16 12:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2017-03-16 12:01 - 2017-03-16 12:40 - 02424832 _____ (Farbar) C:\Users\Anonymous\Desktop\FRST64 (1).exe
2017-03-13 01:09 - 2017-03-16 12:43 - 00000000 ____D C:\FRST
2017-03-13 01:07 - 2017-03-13 01:09 - 02424832 _____ (Farbar) C:\Users\Anonymous\Downloads\FRST64.exe
2017-03-13 00:53 - 2017-03-16 12:01 - 00004208 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse
2017-03-13 00:16 - 2016-10-27 21:22 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-03-12 22:50 - 2017-03-12 22:50 - 00879220 _____ C:\WINDOWS\SysWOW64\PerfStringBackup.INI
2017-03-12 20:03 - 2017-03-12 20:09 - 00000000 ____D C:\$WINDOWS.~BT
2017-03-12 07:19 - 2017-03-12 07:20 - 00268760 _____ C:\TDSSKiller.3.1.0.12_12.03.2017_07.19.39_log.txt
2017-03-12 07:14 - 2017-03-12 07:14 - 730974241 _____ C:\WINDOWS\MEMORY.DMP
2017-03-12 07:14 - 2017-03-12 07:14 - 00198636 _____ C:\WINDOWS\Minidump\031217-18546-01.dmp
2017-03-12 07:14 - 2017-03-12 07:14 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-12 06:39 - 2017-03-13 00:23 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2017-03-12 06:38 - 2017-03-12 08:07 - 00000000 ____D C:\ProgramData\RogueKiller
2017-03-12 06:28 - 2017-03-12 06:38 - 34885984 _____ (Adlice Software ) C:\Users\Anonymous\Downloads\setup.exe
2017-03-12 06:28 - 2017-03-12 06:28 - 00427648 _____ (Bleeping Computer, LLC) C:\Users\Anonymous\Downloads\unhide (1).exe
2017-03-12 06:27 - 2017-03-12 07:19 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Anonymous\Downloads\tdsskiller.exe
2017-03-12 06:25 - 2017-03-12 06:25 - 00427648 _____ (Bleeping Computer, LLC) C:\Users\Anonymous\Downloads\unhide.exe
2017-03-12 06:24 - 2017-03-12 06:24 - 00007529 _____ C:\WINDOWS\system32\Drivers\etc\hosts.bak
2017-03-12 06:14 - 2017-03-12 07:19 - 00019800 _____ C:\WINDOWS\ntbtlog.txt
2017-03-12 06:13 - 2017-03-12 06:39 - 00000000 ____D C:\Users\Anonymous\AppData\Local\CrashDumps
2017-03-12 06:13 - 2017-03-12 06:13 - 03423928 _____ (Symantec Corporation) C:\Users\Anonymous\Downloads\NPE.exe
2017-03-11 21:40 - 2017-03-12 06:15 - 00000000 ____D C:\NPE
2017-03-11 21:39 - 2017-03-11 21:39 - 00111288 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR501.SYS.bak
2017-03-11 21:39 - 2017-03-11 21:39 - 00000000 ____D C:\ProgramData\SMR501
2017-03-11 21:38 - 2017-03-12 07:19 - 00000000 ____D C:\Users\Anonymous\AppData\Local\NPE
2017-03-11 21:38 - 2017-03-11 21:39 - 00000000 ____D C:\ProgramData\Norton
2017-03-11 20:55 - 2017-03-16 12:41 - 00004020 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2017-03-11 19:47 - 2017-03-11 21:36 - 00000000 ____D C:\KVRT_Data
2017-03-11 19:26 - 2017-03-12 22:59 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-11 19:24 - 2017-03-12 19:58 - 00000000 ____D C:\WINDOWS\pss
2017-03-11 19:21 - 2017-03-11 19:21 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-DESKTOP-HT6OOIH-Windows-10-Home-(64-bit).dat
2017-03-11 19:21 - 2017-03-11 19:21 - 00000000 ____D C:\RegBackup
2017-03-11 19:12 - 2017-03-11 19:12 - 00000000 __SHD C:\found.002
2017-03-11 18:05 - 2017-03-11 18:05 - 00000000 ____D C:\ProgramData\PC-Doctor for Windows
2017-03-11 18:05 - 2017-03-11 18:05 - 00000000 ____D C:\Program Files\Dell Support Center
2017-03-11 17:57 - 2017-03-11 17:57 - 00000000 __SHD C:\found.001
2017-03-11 17:57 - 2017-03-11 17:57 - 00000000 __SHD C:\found.000
2017-03-11 17:53 - 2017-03-11 17:53 - 06751360 _____ (ESET spol. s r.o.) C:\Users\Anonymous\Downloads\esetonlinescanner_enu.exe
2017-03-11 17:53 - 2017-03-11 17:53 - 00000000 ____D C:\Users\Anonymous\AppData\Local\ESET
2017-03-11 17:36 - 2017-03-11 17:36 - 00190804 _____ C:\WINDOWS\Tweaking.com - Windows Repair Setup Log.txt
2017-03-11 17:36 - 2017-03-11 17:36 - 00003790 _____ C:\WINDOWS\System32\Tasks\Tweaking.com - Windows Repair Tray Icon
2017-03-11 17:36 - 2017-03-11 17:36 - 00002234 _____ C:\Users\Anonymous\Desktop\Tweaking.com - Windows Repair.lnk
2017-03-11 17:36 - 2017-03-11 17:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2017-03-11 17:36 - 2017-03-11 17:36 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2017-03-11 17:35 - 2017-03-11 17:35 - 32823032 _____ (Tweaking.com) C:\Users\Anonymous\Downloads\tweaking.com_windows_repair_aio_setup.exe
2017-03-11 17:33 - 2017-03-11 17:33 - 31160157 _____ C:\Users\Anonymous\Downloads\tweaking.com_windows_repair_aio.zip
2017-03-11 17:33 - 2017-03-11 17:33 - 00000000 ____D C:\ProgramData\4ad2a654-e39f-46db-97df-cd5dee76f248
2017-03-11 17:15 - 2017-03-16 12:17 - 00251840 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-11 17:14 - 2017-03-16 12:16 - 00077408 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-03-11 17:14 - 2017-03-11 17:14 - 00001914 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-11 17:14 - 2017-03-11 17:14 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-11 11:36 - 2015-10-30 03:17 - 00233984 _____ (Microsoft Corporation) C:\WINDOWS\system32\cmd (copy).exe
2017-03-11 11:03 - 2017-03-11 11:10 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2017-03-10 09:02 - 2017-03-10 09:08 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-03-16 12:17 - 2017-02-07 23:50 - 00000000 ____D C:\Program Files\WindowsApps
2017-03-16 12:17 - 2017-02-07 23:41 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-03-16 12:16 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-16 12:01 - 2017-02-07 23:29 - 00032768 ___SH C:\WINDOWS\system32\config\ELAM
2017-03-16 11:56 - 2017-02-07 23:48 - 00000000 ____D C:\WINDOWS\INF
2017-03-16 11:56 - 2015-11-03 06:52 - 00814664 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-13 00:45 - 2015-11-03 06:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2017-03-13 00:45 - 2015-11-03 06:46 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2017-03-13 00:39 - 2015-11-03 06:58 - 00000000 ____D C:\Program Files\Dell
2017-03-13 00:39 - 2015-11-03 06:08 - 00000000 ____D C:\ProgramData\Dell
2017-03-13 00:12 - 2017-02-07 21:09 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-13 00:12 - 2017-02-07 08:34 - 00000000 __SHD C:\Users\Anonymous\IntelGraphicsProfiles
2017-03-13 00:10 - 2017-02-07 21:04 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-13 00:06 - 2017-02-07 21:03 - 00203432 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-03-13 00:05 - 2017-02-07 23:29 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2017-03-12 23:07 - 2017-02-07 22:17 - 00000000 ____D C:\Users\Anonymous\AppData\Local\Packages
2017-03-12 22:52 - 2017-02-07 07:41 - 00000000 _____ C:\Recovery.txt
2017-03-12 20:20 - 2017-02-07 21:35 - 00000000 ____D C:\Users\Anonymous
2017-03-12 20:09 - 2017-02-08 00:01 - 00000000 ___DC C:\WINDOWS\Panther
2017-03-12 20:09 - 2015-11-03 07:29 - 00001908 _____ C:\WINDOWS\diagwrn.xml
2017-03-12 20:09 - 2015-11-03 07:29 - 00001908 _____ C:\WINDOWS\diagerr.xml
2017-03-12 07:14 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\fatback
2017-03-12 06:24 - 2015-07-10 07:04 - 00000054 _____ C:\WINDOWS\system32\Drivers\etc\hosts_bak_609
2017-03-12 06:17 - 2017-02-08 10:28 - 00002768 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-03-12 06:17 - 2017-02-07 22:20 - 00002377 _____ C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-03-12 06:17 - 2017-02-07 08:39 - 00000000 ___RD C:\Users\Anonymous\OneDrive
2017-03-11 23:40 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\rescache
2017-03-11 19:20 - 2017-02-08 00:55 - 00000000 ____D C:\Program Files (x86)\ITSecTeam
2017-03-11 18:23 - 2017-02-09 00:23 - 00000000 ____D C:\Users\Anonymous\Desktop\havij 1.17
2017-03-11 17:36 - 2017-02-08 01:12 - 00000167 _____ C:\WINDOWS\SysWOW64\DLC_Debug_log.txt
2017-03-11 17:25 - 2017-02-08 00:35 - 00002346 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-11 17:25 - 2017-02-08 00:35 - 00002334 _____ C:\Users\Anonymous\Desktop\Google Chrome.lnk
2017-03-10 11:38 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\Campground
2017-03-10 09:08 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files (x86)\Nobleness
2017-03-10 09:04 - 2017-02-09 02:24 - 00000000 ____D C:\Program Files (x86)\linker
2017-03-10 09:00 - 2017-02-09 02:22 - 00000000 ____D C:\Program Files\XUZ7GK7T5F
2017-03-10 08:57 - 2017-02-09 02:19 - 00000000 ____D C:\Program Files\MX3UBBNO6L
2017-03-10 08:57 - 2017-02-09 02:18 - 00000000 ____D C:\Program Files\TQEZ94TXBC
2017-03-09 21:26 - 2017-02-09 23:51 - 00000000 ____D C:\Program Files\WinRAR
2017-03-09 21:26 - 2017-02-09 02:42 - 00000000 ____D C:\Program Files (x86)\Trojan Remover
2017-03-09 21:26 - 2017-02-09 01:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gmail Hacker Pro v2.9.0
2017-03-09 21:26 - 2017-02-08 12:35 - 00000000 ____D C:\Users\Anonymous\Desktop\rufus_files
2017-03-09 21:26 - 2017-02-08 05:46 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2017-03-09 21:26 - 2017-02-08 04:53 - 00000000 ____D C:\Users\Anonymous\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-03-09 21:26 - 2017-02-08 04:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2017-03-09 21:26 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\ELAMBKUP
2017-03-09 21:26 - 2017-02-07 23:29 - 00000000 ____D C:\WINDOWS\servicing
2017-03-09 21:26 - 2017-02-07 23:14 - 00000000 ____D C:\Program Files (x86)\Dell Customer Connect
2017-03-09 21:26 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files\mcafee
2017-03-09 21:26 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-03-09 21:26 - 2015-11-03 06:59 - 00000000 ____D C:\Program Files (x86)\Dell Digital Delivery
2017-03-09 21:26 - 2015-11-03 06:55 - 00000000 ___HD C:\WINDOWS\system32\WLANProfiles
2017-03-09 21:26 - 2015-07-10 07:04 - 00000000 ____D C:\WINDOWS\system32\GroupPolicy
2017-03-09 21:18 - 2017-02-07 23:50 - 00000000 ____D C:\WINDOWS\registration
2017-03-09 21:18 - 2015-11-03 07:02 - 00000000 ____D C:\ProgramData\McAfee
2017-03-09 21:17 - 2015-11-03 07:02 - 00000000 ____D C:\Program Files (x86)\McAfee
 
==================== Files in the root of some directories =======
 
2017-02-07 21:09 - 2017-02-07 21:09 - 0000000 _____ () C:\ProgramData\DP45977C.lfl
2015-11-03 06:51 - 2015-11-03 06:51 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2015-11-03 06:46 - 2015-11-03 06:47 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2015-11-03 06:49 - 2015-11-03 06:51 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2015-11-03 06:47 - 2015-11-03 06:49 - 0000113 _____ () C:\ProgramData\{E1646825-D391-42A0-93AA-27FA810DA093}.log
 
Some files in TEMP:
====================
2017-03-13 00:23 - 2016-10-25 05:41 - 1819208 _____ (Microsoft Corporation) C:\Users\Anonymous\AppData\Local\Temp\dllnt_dump.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-03-11 21:08
 
==================== End of FRST.txt ============================
 
Could not attach the Addition file in this forum, so here is a file dropper link:
 


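Two of the findings in the FRST.txt above are worth re-checking by hand once the machine is booting again: the "Bamital & volsnap" section (FRST verifies the Authenticode signature on a fixed list of core binaries, because some bootkit and file-infector families patch winlogon.exe, userinit.exe or volsnap.sys in place), and the randomly named folders under C:\Program Files and C:\Program Files (x86) (XUZ7GK7T5F, MX3UBBNO6L, TQEZ94TXBC, Campground, Nobleness and so on), which are the usual home of the Run-key autostarts an adware or dropper installs. The script below is an added example of my own, not part of the thread and not FRST's code. It assumes it is run from an elevated PowerShell on the affected system, that the core-binary list is the one FRST prints, and that the "random-looking folder name" heuristic (eight or more characters, uppercase letters and digits only, at least one of each) is a reasonable first filter; everything it flags still needs a human look, and an unsigned but legitimate OEM autostart will show up too.

```powershell
# Added example, not from the thread or from FRST. Run in an elevated PowerShell
# on the affected machine. Assumptions: the core-binary list is the one FRST
# prints under "Bamital & volsnap"; the random-folder-name heuristic is my own.

$coreBinaries = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

# Same check FRST does: every core binary must carry a Valid Authenticode signature.
function Test-CoreBinarySignatures {
    foreach ($path in $coreBinaries) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'MISSING'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{ Path = $path; Status = $sig.Status; Signer = $signer }   # expected: Valid
    }
}

# Random-looking folder name (assumption): 8+ chars, uppercase letters and digits only,
# at least one of each. Matched with -cmatch so lowercase names like Power2Go8 do not hit.
$randomName = '^(?=.*[0-9])(?=.*[A-Z])[A-Z0-9]{8,}$'

# Enumerate Run autostarts (machine, current user, and every loaded S-1-5-21-* hive,
# which is how FRST reports them) and flag targets in a random-named Program Files
# folder or without a valid signature.
function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
    }
    $runKeys += Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # Executable = quoted token if present, else the first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $folder = Split-Path -Path $exe -Parent
            $leaf = if ($folder) { Split-Path -Path $folder -Leaf } else { '' }
            $inProgramFiles = ($folder -like "$env:ProgramFiles\*") -or ($folder -like "${env:ProgramFiles(x86)}\*")
            $randomFolder = [bool]($inProgramFiles -and ($leaf -cmatch $randomName))
            $exists = Test-Path -LiteralPath $exe
            $signed = $exists -and ((Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid')
            if ($randomFolder -or -not $signed) {
                [pscustomobject]@{
                    Key = $key; Name = $name; Target = $exe
                    RandomFolder = $randomFolder; Exists = $exists; Signed = $signed
                }
            }
        }
    }
}

Test-CoreBinarySignatures | Format-Table -AutoSize
Get-SuspiciousRunEntries  | Format-Table -AutoSize
```

A Run value whose target no longer exists (Exists = False) is the "(No File)" case FRST shows for orphaned entries; it does nothing on its own but is still worth removing, and its name and folder tell you what to search for in the rest of the log.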
#9 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 March 2017 - 12:36 PM



Please, if not already done, execute the fix suggested in my post No. 6 and post the Fixlog.txt log for my review.


I cannot download the file from the Dropbox site.

Please copy and paste the content of the Addition.txt file in your next reply.

#10 Big Ern (Topic Starter)
  • Members
  • 115 posts
  • Gender:Male
  • Location:GA

Posted 16 March 2017 - 02:50 PM

Nasdaq,
Thank you for your assistance!
Here are the logs. I will report back shortly with another post about what problems persist.
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Anonymous (16-03-2017 19:36:22) Run:1
Running from C:\Users\Anonymous\Desktop
Loaded Profiles: Anonymous (Available Profiles: Anonymous)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [ZT1E14DSFG] => "C:\Program Files\TQEZ94TXBC\TQEZ94TXB.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [DAJ0442HT4] => "C:\Program Files\MX3UBBNO6L\MX3UBBNO6.exe"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\Run: [sanatorium] => "C:\Program Files (x86)\Campground\meg.exe"
HKU\S-1-5-18\...\Run: [] => [X]
ShortcutTarget: amc.lnk -> C:\Program Files (x86)\Campground\meg.exe (No File)
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-135991085-411779553-2117316153-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Chrome Web Store Payments) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
CHR Extension: (Chrome Media Router) - C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-08]
 
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Windows\CurrentVersion\Run\\ZT1E14DSFG => value removed successfully
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Windows\CurrentVersion\Run\\DAJ0442HT4 => value removed successfully
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Software\Microsoft\Windows\CurrentVersion\Run\\sanatorium => value removed successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Program Files (x86)\Campground\meg.exe => not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-135991085-411779553-2117316153-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 57687 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7384828 B
Java, Flash, Steam htmlcache => 2739 B
Windows/system/drivers => 1999606 B
Edge => 896744 B
Chrome => 78740385 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 74 B
systemprofile32 => 128 B
LocalService => 46782 B
NetworkService => 10344 B
Anonymous => 7862231 B
 
RecycleBin => 35003811 B
EmptyTemp: => 125.9 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 19:37:42 ====
 
 
 
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Anonymous (16-03-2017 19:34:43)
Running from C:\Users\Anonymous\Desktop
Windows 10 Home Version 1511 (X64) (2017-02-08 01:41:00)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-135991085-411779553-2117316153-500 - Administrator - Disabled)
Anonymous (S-1-5-21-135991085-411779553-2117316153-1001 - Administrator - Enabled) => C:\Users\Anonymous
DefaultAccount (S-1-5-21-135991085-411779553-2117316153-503 - Limited - Disabled)
Guest (S-1-5-21-135991085-411779553-2117316153-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall (Enabled) {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 12 - CyberLink Corp.)
Dell Customer Connect (HKLM-x32\...\{124DE80C-9BFE-4D04-A8D9-69C5019DEEBF}) (Version: 1.3.28.0 - Dell Inc.)
Dell Data Vault (Version: 4.3.9.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{AB7F2792-2ED1-4C5C-9F28-680E5110BF72}) (Version: 3.1.1018.0 - Dell Products, LP)
Dell Foundation Services (HKLM\...\{BDB50421-E961-42F3-B803-6DAC6F173834}) (Version: 3.4.16100.0 - Dell Inc.)
Dell Help & Support (HKLM-x32\...\InstallShield_{E8669F4E-F2BE-48A9-B5A5-0BC12CA4CB4F}) (Version: 2.4.18.0 - Dell Inc.)
Dell Help & Support (Version: 2.4.18.0 - Dell Inc.) Hidden
Dell Power Manager Lite (HKLM-x32\...\InstallShield_{BF1F9D57-57A1-4E87-A8E8-41F2B2AD6F53}) (Version: 1.0.0.3 - Compal Inc.)
Dell Power Manager Lite (x32 Version: 1.0.0.3 - Compal Inc.) Hidden
Dell Product Registration (HKLM-x32\...\InstallShield_{85B14AE3-1624-45BE-942B-A528DF6F1CCE}) (Version: 3.0.123.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.3.6855.72 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{27130E51-9555-408B-8134-7BFF54EDE27B}) (Version: 1.3.0.72 - Dell)
Dell Update (HKLM-x32\...\{90437913-9D4D-4D9D-B438-B8664DF851E9}) (Version: 1.7.1007.0 - Dell Inc.)
Dropbox 20 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.8.0 - Dropbox, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Intel® Chipset Device Software (x32 Version: 10.1.1.7 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1158 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.15.4278 - Intel Corporation)
Intel® Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 1.1.253.0 - Intel Corporation)
Intel® WiDi (HKLM\...\{76FAF7E1-52D0-49F7-A627-E78303F9C7EF}) (Version: 6.0.39.0 - Intel Corporation)
Intel® WiDi Software Asset Manager (x32 Version: 1.1.347 - Intel Corporation) Hidden
Intel® Wireless Bluetooth® (HKLM-x32\...\{DC5673D2-228D-45BC-B9BB-9610CE67DFC0}) (Version: 17.1.1524.1353 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{4544164b-edf0-455c-b150-bed7109d751e}) (Version: 18.11.0 - Intel Corporation)
Intel® Security Assist (HKLM-x32\...\{4B230374-6475-4A73-BA6E-41015E9C5013}) (Version: 1.0.0.532 - Intel Corporation)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Maxx Audio Installer (x64) (Version: 2.6.6168.9 - Waves Audio Ltd.) Hidden
McAfee LiveSafe (HKLM-x32\...\MSC) (Version: 15.0.179 - McAfee, Inc.)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4693.1005 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Product Registration (Version: 3.0.123.0 - Dell Inc.) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.9600.31213 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7544 - Realtek Semiconductor Corp.)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 3.9.26 - Tweaking.com)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {01C0F1D1-856F-4144-A811-7E0D3E9D26E9} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\McAfee\platform\McUICnt.exe [2016-09-20] (McAfee, Inc.)
Task: {064091F8-96ED-442B-9340-E4ADE3451F68} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2016-09-09] (Dell Inc.)
Task: {0F51CDFD-0A7E-4B48-933F-9CC0DA4F702C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-02-07] (Google Inc.)
Task: {438BD090-51D0-432E-8007-1C43493DFA91} - System32\Tasks\Tweaking.com - Windows Repair Tray Icon => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe [2015-03-11] (Tweaking.com)
Task: {445C14A0-8708-41B5-8CFC-0F7A0B628660} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe 
Task: {4858A0DE-ED67-496C-B543-2B0E69ABA96E} - System32\Tasks\IntelWiDi-Upgrade-91ba0caa-28a7-4f47-8d08-f71b4b10fbec-Logon => C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [2015-06-17] (Intel Corporation)
Task: {4CC29220-BD46-4AB3-96C6-1769C3CE9CEB} - System32\Tasks\PCDDataUploadTask => uaclauncher.exe 
Task: {525E2A68-AF41-4F3B-A5DF-339606C60C22} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe 
Task: {5C977C09-D981-462E-A0D1-3B62DB9AB091} - System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\54.0\mcdatrep.exe [2017-03-11] (McAfee, Inc.)
Task: {6BDD670C-22E0-4BD1-8731-2022C1208616} - System32\Tasks\McAfee\McAfee Idle Detection Task
Task: {7DA7DE62-781C-4CB3-9F94-FEBE9FA909D4} - System32\Tasks\CLVDLauncher => C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLVDLauncher.exe [2015-01-28] (CyberLink Corp.)
Task: {83DE6FB0-201A-4528-9857-8F55265D61BE} - System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\54.0\mcdatrep.exe [2017-03-11] (McAfee, Inc.)
Task: {8BEBF1AB-582A-494A-BB1E-8BC1CD77D6D0} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\Dell\SupportAssist\uaclauncher.exe [2017-02-17] (PC-Doctor, Inc.)
Task: {A69A6A33-1BF8-47E1-B047-4C0C3DB868DE} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2015-05-29] ()
Task: {A8BD3155-63B0-472A-A36A-3B6E358611BD} - System32\Tasks\IntelWiDi-Upgrade-91ba0caa-28a7-4f47-8d08-f71b4b10fbec => C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [2015-06-17] (Intel Corporation)
Task: {B86E7AF8-5ACC-4BF8-84CC-57DFE16CAB85} - System32\Tasks\RtHDVBg_PushButton => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2015-04-28] (Realtek Semiconductor)
Task: {C2EC3E5A-7C99-45F4-8E65-D5DD09C72CAB} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\Dell\SupportAssist\sessionchecker.exe [2017-02-17] (PC-Doctor, Inc.)
Task: {D1596A2E-A0AB-443B-A42D-73621DA93824} - System32\Tasks\Intel\Intel Telemetry 2 => C:\Program Files\Intel\Telemetry 2.0\lrio.exe [2015-06-05] (Intel Corporation)
Task: {DD62AA5A-B1E8-45C7-B0C9-C905E3A7470A} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLMLSvc_P2G8.exe [2015-08-18] (CyberLink)
Task: {DF05874C-5343-49DB-A4AF-8DBD51E73479} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-02-07] (Google Inc.)
Task: {F739C6E2-C66E-49BE-B1AB-7259DAADB017} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-10-30 03:18 - 2015-10-30 03:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-12-17 21:23 - 2016-10-25 05:42 - 02656952 _____ () c:\windows\system32\CoreUIComponents.dll
2015-11-03 06:49 - 2014-04-14 22:59 - 00253776 _____ () C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
2017-03-11 17:14 - 2017-03-16 12:16 - 02264352 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-12-17 21:23 - 2016-10-25 05:42 - 02656952 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-12-17 21:23 - 2016-10-25 05:42 - 02656952 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2015-11-03 06:13 - 2015-09-08 14:17 - 00395880 _____ () C:\WINDOWS\system32\igfxTray.exe
2017-02-08 16:53 - 2017-02-08 17:16 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
2016-02-28 23:50 - 2016-02-28 23:50 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-07-22 20:07 - 2016-06-30 23:48 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-12-17 21:23 - 2016-10-25 00:49 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-12-17 21:23 - 2016-10-25 00:44 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-12-17 21:23 - 2016-10-25 00:45 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-12-17 21:23 - 2016-10-25 00:48 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-02-08 00:34 - 2017-02-01 05:47 - 02459992 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libglesv2.dll
2017-02-08 00:34 - 2017-02-01 05:47 - 00099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libegl.dll
2017-03-16 11:55 - 2017-03-16 11:55 - 31099992 _____ () C:\Users\Anonymous\AppData\Local\Google\Chrome\User Data\PepperFlash\25.0.0.127\pepflashplayer.dll
2017-02-08 16:53 - 2017-02-08 17:16 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
2017-02-08 16:53 - 2017-02-08 17:16 - 22284800 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkyWrap.dll
2015-11-03 06:47 - 2014-12-08 03:28 - 00627672 _____ () C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLMediaLibrary.dll
2014-12-08 19:28 - 2014-12-08 19:28 - 00016856 _____ () C:\Program Files (x86)\CyberLink\CyberLink Media Suite\Power2Go8\CLMLSvcPS.dll
2015-07-11 03:37 - 2015-07-11 03:37 - 01243936 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\Temp:CB0AACC9 [133]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-07-10 07:04 - 2017-03-12 22:59 - 00000855 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-135991085-411779553-2117316153-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\windows\img0.jpg
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\StartupApproved\StartupFolder: => "amc.lnk"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\StartupApproved\Run: => "sanatorium"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\StartupApproved\Run: => "DAJ0442HT4"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\StartupApproved\Run: => "ZT1E14DSFG"
HKU\S-1-5-21-135991085-411779553-2117316153-1001\...\StartupApproved\Run: => "1PVU9MK977"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{10C48820-BD7D-4A6A-9C9E-E3FADB9DCA81}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{5DF11B6E-4234-4752-9F2A-AD53F82ADFD7}] => (Allow) C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe
FirewallRules: [{E7D8554D-9A6F-405C-BD60-DC8E4D9F4E6C}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\SmartAgentTest.exe
FirewallRules: [{990FACA1-9152-456A-97D0-1EEB1537493E}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\Next\WirelessDisplay.exe
FirewallRules: [{ED338275-BED0-487B-9007-C8D618FCBC17}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiAppOld.exe
FirewallRules: [{2BEDB0A0-A929-456C-9888-580C0D465AA3}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{E392CAFF-18C8-4246-9557-85372994B023}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{828AE70B-4293-46E7-8275-892CDB148341}] => (Allow) C:\Program Files (x86)\CyberLink\CyberLink Media Suite\PowerDVD12\Movie\PowerDVD Cinema\PowerDVDCinema12.exe
FirewallRules: [{C2D1052D-29D4-4A54-841E-0B0112EF3324}] => (Allow) C:\Program Files (x86)\CyberLink\CyberLink Media Suite\PowerDirector12\PDR10.EXE
FirewallRules: [{34B062B1-A9EA-46E5-8746-9174C3253522}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{FBE2DE0D-316C-4A39-95FD-939A460280E7}] => (Allow) C:\WINDOWS\system32\rundll32.exe
FirewallRules: [{9BAA58DC-40D5-4DB8-B09A-B1E2F50D0904}] => (Allow) C:\WINDOWS\Temp\1BC2.tmp
FirewallRules: [{D59A834B-A521-4D3C-90CA-8B11AC147A2E}] => (Allow) C:\Program Files (x86)\Campground\meg.exe
FirewallRules: [{AFBF09E2-5CB0-44B9-AD25-667CB046A158}] => (Allow) C:\Program Files (x86)\Nobleness\meg.exe
 
==================== Restore Points =========================
 
12-03-2017 20:11:05 Tweaking.com - Windows Repair
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/16/2017 11:55:58 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service ".NETFramework" in DLL "C:\WINDOWS\system32\mscoree.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
 
Error: (03/16/2017 11:55:17 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-HT6OOIH)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (03/13/2017 12:51:41 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
 
Error: (03/13/2017 12:51:41 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
 
Error: (03/13/2017 12:20:52 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program DropboxOEM.exe version 1.0.8.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: fdc
 
Start Time: 01d29bb0929c4612
 
Termination Time: 135
 
Application Path: C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe
 
Report Id: 6984a46c-07a4-11e7-9beb-780cb88b8453
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (03/13/2017 12:17:23 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service ".NETFramework" in DLL "C:\WINDOWS\system32\mscoree.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
 
Error: (03/13/2017 12:16:27 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MDLCSvc.exe, version: 2.4.18.0, time stamp: 0x585c0a1b
Faulting module name: KERNELBASE.dll, version: 10.0.10586.589, time stamp: 0x57cf948c
Exception code: 0xe0434352
Fault offset: 0x0000000000071f28
Faulting process id: 0x10a4
Faulting application start time: 0x01d29bb090427cd4
Faulting application path: C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe
Faulting module path: C:\WINDOWS\system32\KERNELBASE.dll
Report Id: 9a03e0c5-8eb4-4e9a-b3f7-398ba80f12e6
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (03/13/2017 12:16:24 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: MDLCSvc.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at #I1.#V2.#S2()
   at #I1.#Fs.#N1()
   at #I1.#Fs.#Ds(System.String[])
 
Error: (03/12/2017 11:35:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3009) (User: DESKTOP-HT6OOIH)
Description: Installing the performance counter strings for service .NET CLR Data () failed. The first DWORD in the Data section contains the error code.
 
Error: (03/12/2017 11:35:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3009) (User: DESKTOP-HT6OOIH)
Description: Installing the performance counter strings for service .NET CLR Networking () failed. The first DWORD in the Data section contains the error code.
 
 
System errors:
=============
Error: (03/16/2017 07:33:26 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 07:28:16 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 12:59:24 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 12:54:14 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 12:53:59 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8024200d: Feature update to Windows 10, version 1607.
 
Error: (03/16/2017 12:49:04 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 12:41:58 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 12:36:48 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 12:31:38 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
Error: (03/16/2017 12:26:28 PM) (Source: NetBT) (EventID: 4321) (User: )
Description: The name "WORKGROUP      :1d" could not be registered on the interface with IP address 192.168.1.17.
The computer with the IP address 192.168.1.3 did not allow the name to be claimed by
this computer.
 
 
CodeIntegrity:
===================================
  Date: 2017-03-13 00:14:25.515
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-03-09 17:45:32.789
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-09 13:53:14.117
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-09 01:34:43.887
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-08 14:41:55.015
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-08 12:34:20.119
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-07 22:10:07.880
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-07 22:08:56.318
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-07 20:32:30.606
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2017-02-07 20:07:33.224
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-4005U CPU @ 1.70GHz
Percentage of memory in use: 81%
Total physical RAM: 4012.61 MB
Available physical RAM: 735.87 MB
Total Virtual: 4716.61 MB
Available Virtual: 1925.74 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:452.12 GB) (Free:407 GB) NTFS
Drive d: (BRIDESMAIDS) (CDROM) (Total:7.78 GB) (Free:0 GB) UDF
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: FD217B6B)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#11 Big Ern
  • Topic Starter
  • Members
  • 115 posts
  • Gender:Male
  • Location:GA

Posted 16 March 2017 - 03:04 PM

Problems I still see:

Computer will only boot from the UEFI boot option. When I got it, the BIOS listed Legacy as the boot choice... not sure if that is normal or a change made by the infection.

There is no other account listed other than Anonymous. Seems the account that was on before the infection was deleted or hidden?

I cannot find any pictures or videos the owner of the laptop was hoping to recover.

Microsoft Edge cannot access the internet.



#12 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 March 2017 - 09:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

Reboot:

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

P.S.
With Ubuntu can you see the Windows 10 recovery environment (console)?

#13 Big Ern
  • Topic Starter
  • Members
  • 115 posts
  • Gender:Male
  • Location:GA

Posted 17 March 2017 - 02:07 PM

Not sure how to go about seeing the recovery environment with Ubuntu... Please advise.

It seems nothing changed after the fix... same problems as in post #11.

Here is the fix log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Anonymous (17-03-2017 18:31:38) Run:2
Running from C:\Users\Anonymous\Desktop
Loaded Profiles: Anonymous (Available Profiles: Anonymous)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= IPCONFIG /release =========
 
 
Windows IP Configuration
 
No operation can be performed on Ethernet while it has its media disconnected.
No operation can be performed on Local Area Connection* 2 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::bcc4:c171:c10:e939%16
   Default Gateway . . . . . . . . . : 
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter isatap.{D41A0288-A387-4BAB-8FE2-F76C79282FBE}:
 
   Media State . . . . . . . . . . . : Media unoperational
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
========= IPCONFIG /renew =========
 
 
Windows IP Configuration
 
No operation can be performed on Ethernet while it has its media disconnected.
No operation can be performed on Local Area Connection* 2 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::bcc4:c171:c10:e939%16
   IPv4 Address. . . . . . . . . . . : 192.168.1.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
 
Ethernet adapter Bluetooth Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:78cf:18ed:956:bd27:2bdd
   Link-local IPv6 Address . . . . . : fe80::18ed:956:bd27:2bdd%15
   Default Gateway . . . . . . . . . : ::
 
Tunnel adapter isatap.{D41A0288-A387-4BAB-8FE2-F76C79282FBE}:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset c:\resetlog.txt =========
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv4 reset =========
 
Resetting , failed.
Access is denied.
 
There's no user specified settings to be reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv6 reset =========
 
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to cancel {BC094F8D-4E99-49EB-8DD3-85DA02B43066}.
Unable to cancel {D666CC5C-698A-428C-8F17-798C2C7A815E}.
Unable to cancel {9C1C5AFA-9A9F-4E08-8BCE-932AAB24C210}.
0 out of 3 jobs canceled.
 
========= End of CMD: =========
 
 
 
The system needed a reboot.
 
==== End of Fixlog 18:32:29 ====


#14 Big Ern
  • Topic Starter
  • Members
  • 115 posts
  • Gender:Male
  • Location:GA

Posted 17 March 2017 - 02:11 PM

I can get to the recovery options while in the "Anonymous" account...



#15 nasdaq
  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 March 2017 - 08:28 AM


How To Rebuild the BCD in Windows
Rebuild the Boot Configuration Data to Fix Some Windows Startup Issues

https://www.lifewire.com/how-to-rebuild-the-bcd-in-windows-2624508

Print and read this article.

Try the rebuild suggested.

===

Since this is not my forte and problems may occur, I suggest you start a new topic in the Windows 10 Support forum.

https://www.bleepingcomputer.com/forums/f/229/windows-10-support/

Explain what you did so far.

An expert in that field should be able to guide you better than I can.

While waiting for a reply you can peruse the Windows 10 support forum.
Executing a search for bootrec will give you the type of problems encountered by users.

I will leave this topic open.

If you need additional information please ask.



