UUUUUUUU.uuu persists on SD, Android despite following multiple web suggestions
101 replies to this topic

#1 SeatedWithHim
Posted 30 April 2017 - 06:56 AM

I purchased a "new" Huawei Ascend Y330 and Samsung microSDHC card. Apparently something had been used previously as I have the UUUUUUUU.uuu virus(?). It does not seem to wipe out my current data, but whenever I create a new folder it fills the new folder with 1024 more folders all called UUUUUUUU.uuu, none of which I can open or delete. I believe these folders have been created on the SD card both when it is in my SD slot in my laptop and when it is in my Android phone. (It does not happen to folders on my laptop.) If I pop the SD card into my laptop, Windows scans and fixes it so that I can delete the new folder and all the bogus sub-folders.

Initially I had been just using Microsoft Security Essentials. Then I got Kaspersky Endpoint Security 10. Neither has identified any viruses or other problems. I have tried various suggestions I've found on the internet, including ComboFix.

I have a 2 TB external hard drive that also connects through USB, so I would want to make sure it is clean also, in addition to the laptop, SD card and Android mobile phone.

Thanks for any help you can offer.

Here is the FRST.txt log:

====================

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27-04-2017
Ran by Peter (administrator) on D4ZCDF12 (30-04-2017 18:57:28)
Running from C:\Users\Peter\Downloads\Antivirus software
Loaded Profiles: Peter (Available Profiles: Admin & Peter)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
() C:\ProgramData\DatacardService\HWDeviceService64.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
() C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(FreeDownloadManager.org) C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GlassWire.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
() C:\Program Files (x86)\DIGICEL USB Modem\ModemListener.exe
() C:\Program Files (x86)\OfficePopup\OfficePopup.exe
(WordWeb Software) C:\Program Files (x86)\WordWeb\wweb32.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
() C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\browsernativehost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(O2Micro International) C:\Windows\System32\drivers\o2flash.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
() C:\Users\Peter\Downloads\Antivirus software\adwcleaner_6.046.exe
(Microsoft Corporation) C:\Windows\System32\prevhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Dominik Reichl) C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
(Rick Meyers) C:\Program Files (x86)\e-Sword\e-Sword.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Farbar) C:\Users\Peter\Downloads\Antivirus software\Farbar Recovery Scan Tool FRST64.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7191768 2013-06-28] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1291848 2013-03-23] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [114944 2013-04-19] (Waves Audio Ltd.)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1291848 2013-03-23] (Realtek Semiconductor)
HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [184112 2012-09-17] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [698712 2013-05-03] (Alps Electric Co., Ltd.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [134616 2013-07-02] (Intel Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-25] (Creative Technology Ltd)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1085656 2016-06-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642816 2013-07-23] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ModemListener] => C:\Program Files (x86)\DIGICEL USB Modem\ModemListener.exe [98304 2011-01-11] ()
HKLM-x32\...\Run: [WordWeb] => C:\Program Files (x86)\WordWeb\wweb32.exe [80000 2014-07-05] (WordWeb Software)
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2779136 2016-06-11] (Dominik Reichl)
HKLM-x32\...\Run: [AVP] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe [741360 2013-11-27] (Kaspersky Lab ZAO)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6501656 2014-10-24] (Piriform Ltd)
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\Run: [Free Download Manager] => C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe [8501760 2016-04-07] (FreeDownloadManager.org)
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [5728208 2016-11-19] (SecureMix LLC)
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {88f37bd8-2087-11e5-9834-ecf4bb3b7076} - F:\autorun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {f8727c03-a32f-11e4-9956-ecf4bb3b7076} - E:\AutoRun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {f8727c11-a32f-11e4-9956-ecf4bb3b7076} - E:\AutoRun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {f8727c2d-a32f-11e4-9956-ecf4bb3b7076} - E:\AutoRun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Mystify.scr [242688 2010-11-21] (Microsoft Corporation)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP DeskJet 2130 series.lnk [2017-04-29]
ShortcutTarget: Monitor Ink Alerts - HP DeskJet 2130 series.lnk -> C:\Program Files\HP\HP DeskJet 2130 series\Bin\HPStatusBL.dll (Hewlett-Packard Development Company, LP)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfficePopup.lnk [2015-02-11]
ShortcutTarget: OfficePopup.lnk -> C:\Program Files (x86)\OfficePopup\OfficePopup.exe ()
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.239.1
Tcpip\..\Interfaces\{0C389E9B-7597-4DAE-B62B-7B15C312C29C}: [DhcpNameServer] 172.23.68.41 172.23.68.42
Tcpip\..\Interfaces\{145459EC-A593-42BE-9AA4-E1A6B8FB6F5D}: [NameServer] 10.149.64.76 8.8.8.8
Tcpip\..\Interfaces\{1D9B7E7D-BE1C-44A9-A381-97E28454E879}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{2C8B24FA-FB9A-4BFC-A382-6A43E43F88DC}: [NameServer] 10.149.64.76 8.8.8.8
Tcpip\..\Interfaces\{41DB219B-71E4-4903-8D05-8931B81538A7}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{55086DDC-9DF2-40C1-89C2-E5ABFC0C592B}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{E225CA54-EDFA-46D1-856D-AA0363BA6F8E}: [DhcpNameServer] 192.168.239.1
Tcpip\..\Interfaces\{E6CDF7EF-5E08-49F6-A5A6-E8B58C498A93}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{F73D4017-AEB7-43EE-837A-8FAB189CD964}: [DhcpNameServer] 192.168.1.151 192.168.1.152
 
Internet Explorer:
==================
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://usa.ntm.org/
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKU\S-1-5-21-473292948-3015293580-4091639569-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-06] (Google Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-06] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-06] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-06] (Google Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -  No File
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension => not found
FF HKLM-x32\...\Firefox\Extensions: [wcapturex@deskperience.com] - C:\Program Files (x86)\WordWeb\WCaptureMoz
FF Extension: (WordWeb one-click lookup) - C:\Program Files (x86)\WordWeb\WCaptureMoz [2016-05-15] [not signed]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.1 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-07-02] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-07-02] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-30] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-24] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default [2017-04-30]
CHR Extension: (Google Slides) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-09]
CHR Extension: (Free Download Manager Chrome extension) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmpjcflkgiildlgicmcieglgoilbfdp [2017-03-11]
CHR Extension: (Google Docs) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-09]
CHR Extension: (Google Drive) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-17]
CHR Extension: (YouTube) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-17]
CHR Extension: (Google Search) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-04-15]
CHR Extension: (Google Sheets) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-09]
CHR Extension: (Google Docs Offline) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-16]
CHR Extension: (Gmail) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-15]
CHR Extension: (Chrome Media Router) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-07]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVP; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe [741360 2013-11-27] (Kaspersky Lab ZAO)
R2 DeviceManager; C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe [40960 2010-08-27] () [File not signed]
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [4397008 2016-11-19] (SecureMix LLC)
R2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-15] ()
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-12] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-12] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-07-02] (Intel Corporation)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-27] (Microsoft Corporation) [File not signed]
S2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [657504 2012-11-12] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [223816 2013-01-10] (Realtek Semiconductor)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [35936 2013-04-10] (Advanced Micro Devices, Inc.)
S3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [132920 2013-04-24] (Motorola Solutions, Inc.)
S3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1385272 2013-04-24] (Motorola Solutions, Inc.)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [489752 2014-08-15] (Intel Corporation)
R1 gwdrv; C:\Windows\System32\DRIVERS\gwdrv.sys [33248 2015-05-29] (SecureMix LLC)
S3 huawei_wwanecm; C:\Windows\System32\DRIVERS\ew_juwwanecm.sys [241152 2012-12-03] (Huawei Technologies Co., Ltd.)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28656 2013-05-21] (Intel Corporation)
S3 ibtusb; C:\Windows\System32\DRIVERS\ibtusb.sys [112072 2013-06-14] (Intel Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2161752 2013-06-29] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\system32\drivers\irstrtdv.sys [43800 2013-03-22] (Intel Corporation)
S3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [46568 2013-02-14] ()
S3 jrdusbser; C:\Windows\System32\DRIVERS\jrdusbser.sys [119680 2010-08-27] (TCT International Mobile Ltd)
R0 KL1; C:\Windows\System32\DRIVERS\kl1.sys [7717984 2013-09-05] (Kaspersky Lab ZAO)
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [98400 2017-04-27] (Kaspersky Lab ZAO)
R1 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [30816 2013-07-08] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [661600 2017-04-27] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [29792 2013-07-11] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54104 2012-11-22] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [177760 2013-07-01] (Kaspersky Lab ZAO)
S3 lehidmini; C:\Windows\system32\drivers\leath_hid.sys [39704 2013-10-23] (Atheros)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2013-07-02] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
S2 mrtRate; C:\Windows\SysWow64\Drivers\mrtRate.sys [34916 1999-08-30] (Marimba, Inc.) [File not signed]
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R3 O2FJ2RDR; C:\Windows\System32\DRIVERS\O2FJ2w7x64.sys [185760 2013-05-08] (O2Micro )
S2 PMEM; C:\Windows\SysWOW64\drivers\pmemnt.sys [7168 1999-03-08] (Microsoft Corporation) [File not signed]
R3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_Accel.sys [89312 2013-03-28] (STMicroelectronics)
S3 USA19H; C:\Windows\System32\DRIVERS\USA19Hx64.sys [740096 2007-10-30] (Keyspan)
S3 USA19HP; C:\Windows\System32\DRIVERS\USA19Hx64p.SYS [35840 2007-10-23] (Keyspan)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-30 18:57 - 2017-04-30 18:57 - 00000000 ____D C:\FRST
2017-04-30 13:15 - 2017-04-30 13:15 - 00001113 _____ C:\Users\Public\Desktop\DriveImage XML.lnk
2017-04-30 13:15 - 2017-04-30 13:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runtime Software
2017-04-30 13:15 - 2017-04-30 13:15 - 00000000 ____D C:\Program Files (x86)\Runtime Software
2017-04-30 13:13 - 2017-04-30 18:54 - 00000000 ____D C:\Users\Peter\Downloads\Backup software
2017-04-29 18:19 - 2017-04-29 18:22 - 00000000 ____D C:\AdwCleaner
2017-04-29 17:53 - 2017-04-29 18:05 - 00235198 _____ C:\TDSSKiller.3.1.0.15_29.04.2017_17.53.55_log.txt
2017-04-29 17:49 - 2017-04-29 17:50 - 00816368 _____ C:\TDSSKiller.3.1.0.15_29.04.2017_17.49.00_log.txt
2017-04-29 17:44 - 2017-04-29 17:48 - 00232438 _____ C:\TDSSKiller.3.1.0.15_29.04.2017_17.44.00_log.txt
2017-04-29 16:40 - 2017-04-29 16:40 - 00109321 _____ C:\Users\Peter\Desktop\UsbFix_Report.txt
2017-04-29 14:31 - 2017-04-29 14:31 - 00001454 _____ C:\Users\Peter\Desktop\UsbFix.lnk
2017-04-29 14:31 - 2017-04-29 14:31 - 00000000 ____D C:\UsbFix
2017-04-29 08:31 - 2017-04-29 08:57 - 15957775 _____ C:\Users\Peter\Downloads\How To Remove UUUUUUUU.uuu Ransomware From Your Computer System - Powerful Way.mp4
2017-04-29 08:31 - 2017-04-29 08:31 - 00000000 ____D C:\Program Files (x86)\ESET
2017-04-28 14:53 - 2017-04-28 14:53 - 28493342 _____ C:\Users\Peter\Downloads\_The 3 little pigs_ in Tok Pisin (PNG) Lik lik pik.mp4
2017-04-27 16:52 - 2017-04-27 16:52 - 00249832 _____ C:\Users\Peter\Documents\Kaspersky update failure report 2017 04 27 4.52 pm.txt
2017-04-27 11:54 - 2017-04-27 11:54 - 00001587 _____ C:\Users\Peter\Documents\54DC952C.key
2017-04-27 11:07 - 2017-04-27 11:07 - 00661600 _____ (Kaspersky Lab ZAO) C:\Windows\system32\Drivers\klif.sys
2017-04-27 11:07 - 2017-04-27 11:07 - 00098400 _____ (Kaspersky Lab ZAO) C:\Windows\system32\Drivers\klflt.sys
2017-04-27 11:07 - 2017-04-27 11:07 - 00000000 ____D C:\Windows\ELAMBKUP
2017-04-27 11:07 - 2017-04-27 11:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Endpoint Security 10 for Windows
2017-04-27 08:28 - 2017-04-30 18:57 - 00000000 ____D C:\Users\Peter\Downloads\Antivirus software
2017-04-26 14:10 - 2017-04-30 18:47 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2017-04-26 14:10 - 2017-04-27 11:07 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2017-04-26 13:30 - 2017-04-26 13:33 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2017-04-26 13:14 - 2017-04-26 13:14 - 00002177 _____ C:\Users\Peter\Documents\malwarebytes scan log 2017 04 26.txt
2017-04-26 11:20 - 2017-04-26 11:20 - 00023140 _____ C:\ComboFix.txt
2017-04-26 11:10 - 2017-04-27 11:01 - 00000000 ____D C:\Windows\erdnt
2017-04-26 11:10 - 2017-04-26 11:20 - 00000000 ____D C:\Qoobox
2017-04-26 05:39 - 2017-04-26 05:40 - 00159590 _____ C:\Users\Peter\Downloads\Bryan Girard Neat Image.html
2017-04-25 18:01 - 2017-04-25 18:01 - 00000208 _____ C:\Users\Peter\Documents\virus pickup.txt
2017-04-25 17:40 - 2017-04-25 17:40 - 00000000 ____D C:\Users\Admin\Documents\e-Sword
2017-04-24 16:27 - 2017-04-27 09:21 - 00000000 ____D C:\Users\Peter\Downloads\Huawei Ascend Y330 info
2017-04-22 08:01 - 2017-04-22 08:01 - 00290689 _____ C:\Users\Peter\Downloads\GuideStone eDelivery_Legal_Disclaimer.pdf
2017-04-20 08:17 - 2017-04-20 08:17 - 17821188 _____ C:\Users\Peter\Downloads\Whatever Happened to Marriage by Robbie Hiner.mp4
2017-04-18 11:47 - 2017-04-18 11:47 - 00000000 ____D C:\Users\Peter\Documents\Easy Duplicate Finder scans
2017-04-06 08:17 - 2017-04-06 08:17 - 00373747 _____ C:\Users\Peter\Documents\Windows 7 How To Disable Updates in Windows 7.pdf
2017-04-06 08:17 - 2017-04-06 08:17 - 00164000 _____ C:\Users\Peter\Documents\Windows 7_ How can I get permission to turn off automatic updates_ - Super User.pdf
2017-04-04 00:43 - 2017-04-04 00:43 - 06631034 _____ C:\Users\Peter\Downloads\How it works_ Easy Duplicate Finder.mp4
2017-04-04 00:25 - 2017-04-04 00:25 - 20193781 _____ C:\Users\Peter\Downloads\Easy Duplicate Finder Review.mp4
2017-04-04 00:23 - 2017-04-04 00:23 - 09905341 _____ C:\Users\Peter\Downloads\Easy Duplicate Finder.mp4
2017-04-03 23:27 - 2017-04-03 23:27 - 00000964 _____ C:\Users\Public\Desktop\Easy Duplicate Finder .lnk
2017-04-03 23:27 - 2017-04-03 23:27 - 00000000 ____D C:\Users\Peter\Documents\EasyDuplicateFinder
2017-04-03 23:27 - 2017-04-03 23:27 - 00000000 ____D C:\Users\Peter\AppData\Roaming\EasyDuplicateFinder
2017-04-03 23:27 - 2017-04-03 23:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Easy Duplicate Finder
2017-04-03 23:27 - 2017-04-03 23:27 - 00000000 ____D C:\ProgramData\Easy Duplicate Finder
2017-04-03 23:27 - 2017-04-03 23:27 - 00000000 ____D C:\Program Files\Easy Duplicate Finder
2017-04-03 23:08 - 2017-04-04 00:44 - 27402938 _____ C:\Users\Peter\Downloads\Easy Duplicate Finder Review_ Delete Duplicate Files with Ease.mp4
2017-04-03 23:04 - 2017-04-03 23:07 - 01339224 _____ (WebMinds, Inc. ) C:\Users\Peter\Downloads\Easy Duplicate Finder edfSetup.exe
2017-04-03 22:29 - 2006-06-16 06:22 - 00496128 _____ C:\Users\Peter\Documents\Weather record.xls
2017-04-02 08:32 - 2017-04-02 08:32 - 00198626 _____ C:\Users\Peter\Documents\Songs for Sunday, April 2 2017.pptx
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-30 18:56 - 2016-04-19 20:23 - 00000000 ____D C:\Users\Peter\AppData\Local\Free Download Manager
2017-04-30 13:10 - 2009-07-14 15:13 - 00802658 _____ C:\Windows\system32\PerfStringBackup.INI
2017-04-30 13:10 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\inf
2017-04-30 06:23 - 2014-11-11 02:52 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-04-30 06:23 - 2014-11-11 02:52 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-04-30 06:20 - 2016-07-13 18:36 - 00038692 _____ C:\Users\Peter\Documents\Check in List for Tribal locations 2016 07.xlsx
2017-04-30 06:15 - 2009-07-14 14:45 - 00030896 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-04-30 06:15 - 2009-07-14 14:45 - 00030896 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-04-29 18:09 - 2014-08-02 04:29 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-29 17:48 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-29 16:12 - 2016-10-09 07:20 - 00000000 ____D C:\Users\Peter\AppData\Local\CrashDumps
2017-04-29 11:35 - 2016-07-13 22:10 - 00021415 _____ C:\Users\Peter\Documents\Initials for Weekly Van Der Decker Prayer Requests.xlsx
2017-04-28 06:30 - 2015-01-08 04:34 - 00000000 ____D C:\Users\Peter\Documents\e-Sword
2017-04-27 15:12 - 2016-11-01 17:26 - 00000000 ____D C:\Users\Peter\Documents\temp
2017-04-27 11:08 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\system32\GroupPolicy
2017-04-27 11:01 - 2016-08-09 21:33 - 00000000 ____D C:\Program Files (x86)\KeePass Password Safe 2
2017-04-27 11:01 - 2016-07-07 16:49 - 00000000 ____D C:\QUICKENW
2017-04-27 11:01 - 2016-06-22 22:35 - 00000000 ____D C:\Program Files\Bulk Rename Utility
2017-04-27 11:01 - 2015-12-31 09:21 - 00000000 ____D C:\Users\Peter\AppData\Roaming\dvdcss
2017-04-27 11:01 - 2015-03-04 18:56 - 00000000 ____D C:\Users\Peter\AppData\Roaming\vlc
2017-04-27 11:01 - 2014-08-02 03:39 - 00000000 ____D C:\lotus
2017-04-27 11:01 - 2014-08-02 01:23 - 00000000 ____D C:\Users\Peter
2017-04-27 11:01 - 2014-01-14 01:40 - 00000000 ____D C:\Users\Admin
2017-04-27 11:01 - 2013-12-07 12:25 - 00000000 ____D C:\ProgramData\Temp
2017-04-27 11:01 - 2009-07-14 15:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2017-04-27 11:01 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\system32\NDF
2017-04-27 11:01 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\registration
2017-04-27 08:06 - 2015-02-14 12:42 - 00381952 ___SH C:\Users\Peter\Documents\Thumbs.db
2017-04-26 08:26 - 2016-08-09 22:35 - 00003646 _____ C:\Users\Peter\Documents\Peter Van Der Decker.kdbx
2017-04-26 08:26 - 2016-08-09 22:35 - 00000000 ____D C:\Users\Peter\AppData\Roaming\KeePass
2017-04-25 16:42 - 2014-06-24 03:56 - 00000000 ____D C:\Users\Admin\AppData\Local\Google
2017-04-15 07:21 - 2014-03-07 02:53 - 00004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-04-15 07:21 - 2014-01-14 07:50 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-04-15 07:21 - 2014-01-14 07:50 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-04-15 07:21 - 2014-01-14 07:50 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-04-15 07:21 - 2014-01-14 07:50 - 00000000 ____D C:\Windows\system32\Macromed
2017-04-08 10:36 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\rescache
2017-04-08 08:06 - 2010-11-21 13:27 - 00532136 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-04-07 21:16 - 2016-08-04 11:54 - 00054035 _____ C:\Users\Peter\Documents\Digicel Data Bundle Plans.xlsx
2017-04-07 21:12 - 2016-07-06 14:32 - 00000000 ____D C:\UUPlus6
2017-04-06 07:49 - 2009-07-14 14:45 - 00595120 _____ C:\Windows\system32\FNTCACHE.DAT
2017-04-06 07:06 - 2009-07-14 15:32 - 00000000 ____D C:\Program Files\DVD Maker
2017-04-06 06:46 - 2014-12-23 17:43 - 00002201 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-06 06:46 - 2014-12-23 17:43 - 00002189 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-04-03 12:01 - 2017-01-28 07:38 - 00089901 _____ C:\Users\Peter\Documents\Rain Guage, Lavalus.xlsx
 
==================== Files in the root of some directories =======
 
2014-08-02 03:40 - 2015-04-11 10:37 - 0006656 _____ () C:\Users\Peter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-12-07 11:05 - 2015-12-07 11:05 - 0007609 _____ () C:\Users\Peter\AppData\Local\Resmon.ResmonCfg
2016-04-15 22:29 - 2016-04-15 22:29 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some files in TEMP:
====================
2014-01-14 07:53 - 2014-01-14 08:02 - 98936120 _____ (                                                            ) C:\Users\Admin\AppData\Local\Temp\8A92.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-04-24 10:00
 
==================== End of FRST.txt ============================

Edited by hamluis, 30 April 2017 - 07:50 AM.
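The FRST listing above is the raw material for triage, and reading it by eye across hundreds of lines is error-prone. The following Python script is an added example, not part of the original post and not code from FRST or Farbar: it parses FRST's per-file lines (modified time, created time, size, five attribute flags, the CompanyName from the file's version resource, path) and the "=> File is digitally signed" lines of the Bamital & volsnap check, then applies two heuristics of its own, flagging executables that carry no company name and executables sitting under a Temp directory. The sample input is constructed from a few lines copied from the log above plus filler; the flagging rules and all function names are this example's assumptions, not FRST behaviour.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) file listings (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# An FRST file line:  <modified> - <created> - <size> <attrs> (<company>) <path>
# "(<company>)" is the CompanyName from the file's version resource; FRST omits
# it for directories and prints "()" or a run of spaces when there is none.
FILE_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*)$"
)
# A line from the "Bamital & volsnap" section:
#   C:\Windows\system32\winlogon.exe => File is digitally signed
SIG_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?) => (?P<status>.+)$")

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")


@dataclass
class FileEntry:
    modified: str
    created: str
    size: int
    attrs: str      # five flag positions, e.g. "____D" directory, "___SH" system+hidden
    company: str    # "" when FRST printed no company name
    path: str

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXECUTABLE_SUFFIXES)


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Return a FileEntry for an FRST file/folder line, else None."""
    m = FILE_LINE.match(line.rstrip())
    if not m:
        return None
    return FileEntry(
        modified=m.group("modified"),
        created=m.group("created"),
        size=int(m.group("size")),
        attrs=m.group("attrs"),
        company=(m.group("company") or "").strip(),
        path=m.group("path"),
    )


def parse_signature_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (path, status) for a Bamital/volsnap verification line, else None."""
    m = SIG_LINE.match(line.rstrip())
    return (m.group("path"), m.group("status")) if m else None


def findings_for(entry: FileEntry) -> List[str]:
    """Heuristics of this example (not FRST's): flag suspicious executables."""
    out: List[str] = []
    if "D" in entry.attrs or not entry.is_executable:
        return out
    if not entry.company:
        out.append(f"executable with no CompanyName in its version resource: {entry.path}")
    if "\\temp\\" in entry.path.lower():
        out.append(f"executable under a Temp directory ({entry.size} bytes): {entry.path}")
    return out


def triage(frst_text: str) -> Dict[str, object]:
    """Parse an FRST.txt excerpt; return parsed entries, signature results and findings."""
    entries: List[FileEntry] = []
    signatures: List[Tuple[str, str]] = []
    for line in frst_text.splitlines():
        entry = parse_file_line(line)
        if entry:
            entries.append(entry)
            continue
        sig = parse_signature_line(line)
        if sig:
            signatures.append(sig)
    findings = [f for e in entries for f in findings_for(e)]
    # Anything FRST could not verify as signed is listed explicitly.
    findings += [f"signature check: {p} => {s}" for p, s in signatures
                 if s != "File is digitally signed"]
    return {"entries": entries, "signatures": signatures, "findings": findings}


# Constructed sample: lines copied from the log above plus one section header as filler.
SAMPLE = r"""
2017-04-29 18:09 - 2014-08-02 04:29 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-27 11:01 - 2015-12-31 09:21 - 00000000 ____D C:\Users\Peter\AppData\Roaming\dvdcss
2017-04-27 08:06 - 2015-02-14 12:42 - 00381952 ___SH C:\Users\Peter\Documents\Thumbs.db
2017-04-15 07:21 - 2014-01-14 07:50 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-01-14 07:53 - 2014-01-14 08:02 - 98936120 _____ (                    ) C:\Users\Admin\AppData\Local\Temp\8A92.exe
2016-04-15 22:29 - 2016-04-15 22:29 - 0000057 _____ () C:\ProgramData\Ament.ini
C:\Windows\system32\winlogon.exe => File is digitally signed
==================== Bamital & volsnap ======================
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```

Run against the sample, the only entry that trips the heuristics is the 98 MB `8A92.exe` under the Admin account's Temp directory with an empty company name; a company name in the version resource is trivially forgeable, so the next step for such a file is an Authenticode check (for example PowerShell's `Get-AuthenticodeSignature`) and a hash lookup, which is what the "Bamital & volsnap" section already reports for the core Windows binaries.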


#2 SeatedWithHim
  • Topic Starter
  • Members
  • 77 posts
  • Local time:12:19 AM

Posted 30 April 2017 - 11:19 PM

One more thing I had forgotten to mention:  I have also tried reformatting the SD card, and resetting the phone to factory settings, and still the problem comes back.



#3 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,739 posts
  • Gender:Male
  • Local time:10:19 AM

Posted 05 May 2017 - 07:00 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/645568 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 HelpBot
    Bleepin' Binary Bot
  • Bots
  • 12,739 posts
  • Gender:Male
  • Local time:10:19 AM

Posted 10 May 2017 - 07:05 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

 

Mod Edit:  Reopened per OP request rec'd via PM - Hamluis.


Edited by hamluis, 30 May 2017 - 07:18 AM.


#5 SeatedWithHim
  • Topic Starter
  • Members
  • 77 posts
  • Local time:12:19 AM

Posted 02 June 2017 - 02:36 AM

I originally posted this on 30 April 2017 - 09:56 PM, but the post got hung up, so am starting a new post here with updated info.

 

I purchased a "new" Huawei Ascend Y330 and Samsung microSDHC card.  Apparently something had been used previously as I have the UUUUUUUU.uuu virus(?).  It does not seem to wipe out my current data, but whenever I create a new folder it fills the new folder with 1024 more folders all called UUUUUUUU.uuu, none of which can I open or delete.  I believe these folders have been created on the SD card both when it is in my SD slot in my laptop, and when it is in my Android phone. (It does not happen to folders on my laptop.)  If I pop the SD card into my laptop, Windows scans and fixes it so that I can delete the new folder and all the bogus sub-folders.

 

I have also tried reformatting the SD card, and resetting the phone to factory settings, and still the problem comes back.

 

Initially I had been just using Microsoft Security Essentials.  Then I got Kaspersky Endpoint Security 10.  Neither have identified any viruses or other problems.  I have tried various suggestions I've found on the internet, including ComboFix.

 

I have a 2Tb external hard drive that also connects through USB, so would want to make sure it is clean also, in addition to the laptop, SD card and Android mobile phone.

 

Thanks for any help you can offer.

 

Here is the FRST.txt log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-06-2017
Ran by Peter (administrator) on D4ZCDF12 (02-06-2017 17:25:57)
Running from C:\Users\Peter\Downloads
Loaded Profiles: Peter (Available Profiles: Admin & Peter)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\winwfpmonitor.exe
() C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
() C:\ProgramData\DatacardService\HWDeviceService64.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
() C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(FreeDownloadManager.org) C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GlassWire.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
() C:\Program Files (x86)\DIGICEL USB Modem\ModemListener.exe
(WordWeb Software) C:\Program Files (x86)\WordWeb\wweb32.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe
() C:\Program Files (x86)\OfficePopup\OfficePopup.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\browsernativehost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(O2Micro International) C:\Windows\System32\drivers\o2flash.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Farbar) C:\Users\Peter\Downloads\Farbar Recovery Scan Tool FRST64.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7191768 2013-06-28] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1291848 2013-03-23] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe [114944 2013-04-19] (Waves Audio Ltd.)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1291848 2013-03-23] (Realtek Semiconductor)
HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [184112 2012-09-17] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [698712 2013-05-03] (Alps Electric Co., Ltd.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [134616 2013-07-02] (Intel Corporation)
HKLM-x32\...\Run: [Dell Webcam Central] => C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-25] (Creative Technology Ltd)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1085656 2016-06-24] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642816 2013-07-23] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [ModemListener] => C:\Program Files (x86)\DIGICEL USB Modem\ModemListener.exe [98304 2011-01-11] ()
HKLM-x32\...\Run: [WordWeb] => C:\Program Files (x86)\WordWeb\wweb32.exe [80000 2014-07-05] (WordWeb Software)
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2779136 2016-06-11] (Dominik Reichl)
HKLM-x32\...\Run: [AVP] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe [741360 2013-11-27] (Kaspersky Lab ZAO)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\ DisallowedCertificates: 1916A2AF346D399F50313C393200F14140456616 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 2A83E9020591A55FC6DDAD3FB102794C52B24E70 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 2B84BFBB34EE2EF949FE1CBE30AA026416EB2216 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 305F8BD17AA2CBC483A4C41B19A39A0C75DA39D6 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 367D4B3B4FCBBC0B767B2EC0CDB2A36EAB71A4EB (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 3A850044D8A195CD401A680C012CB0A3B5F8DC08 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 40AA38731BD189F9CDB5B9DC35E2136F38777AF4 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 43D9BCB568E039D073A74A71D8511F7476089CC3 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 471C949A8143DB5AD5CDF1C972864A2504FA23C9 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 51C3247D60F356C7CA3BAF4C3F429DAC93EE7B74 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DE83EE82AC5090AEA9D6AC4E7A6E213F946E179 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 61793FCBFA4F9008309BBA5FF12D2CB29CD4151A (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 63FEAE960BAA91E343CE2BD8B71798C76BDB77D0 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 6431723036FD26DEA502792FA595922493030F97 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 7D7F4414CCEF168ADF6BF40753B5BECD78375931 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 80962AE4D6C5B442894E95A13E4A699E07D694CF (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 86E817C81A5CA672FE000F36F878C19518D6F844 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 8E5BD50D6AE686D65252F843A9D4B96D197730AB (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 9845A431D51959CAF225322B4A4FE9F223CE6D15 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: B533345D06F64516403C00DA03187D3BFEF59156 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: B86E791620F759F17B8D25E38CA8BE32E7D5EAC2 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: C060ED44CBD881BD0EF86C0BA287DDCF8167478C (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: CEA586B2CE593EC7D939898337C57814708AB2BE (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: D018B62DC518907247DF50925BB09ACF4A5CB3AD (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: F8A54E03AADC5692B850496A4C4630FFEAA29D83 (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: FA6660A94AB45F6A88C0D7874D89A863D74DEE97 (Avast Antivirus/Software) <==== ATTENTION
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6501656 2014-10-24] (Piriform Ltd)
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\Run: [Free Download Manager] => C:\Program Files\FreeDownloadManager.ORG\Free Download Manager\fdm.exe [8501760 2016-04-07] (FreeDownloadManager.org)
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [5728208 2016-11-19] (SecureMix LLC)
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {88f37bd8-2087-11e5-9834-ecf4bb3b7076} - F:\autorun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {f8727c03-a32f-11e4-9956-ecf4bb3b7076} - E:\AutoRun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {f8727c11-a32f-11e4-9956-ecf4bb3b7076} - E:\AutoRun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\...\MountPoints2: {f8727c2d-a32f-11e4-9956-ecf4bb3b7076} - E:\AutoRun.exe
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Mystify.scr [242688 2010-11-21] (Microsoft Corporation)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP DeskJet 2130 series.lnk [2017-06-02]
ShortcutTarget: Monitor Ink Alerts - HP DeskJet 2130 series.lnk -> C:\Program Files\HP\HP DeskJet 2130 series\Bin\HPStatusBL.dll (Hewlett-Packard Development Company, LP)
Startup: C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OfficePopup.lnk [2015-02-11]
ShortcutTarget: OfficePopup.lnk -> C:\Program Files (x86)\OfficePopup\OfficePopup.exe ()
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.239.1
Tcpip\..\Interfaces\{0C389E9B-7597-4DAE-B62B-7B15C312C29C}: [DhcpNameServer] 172.23.68.41 172.23.68.42
Tcpip\..\Interfaces\{145459EC-A593-42BE-9AA4-E1A6B8FB6F5D}: [NameServer] 10.149.64.76 8.8.8.8
Tcpip\..\Interfaces\{1D9B7E7D-BE1C-44A9-A381-97E28454E879}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{2C8B24FA-FB9A-4BFC-A382-6A43E43F88DC}: [NameServer] 10.149.64.76 8.8.8.8
Tcpip\..\Interfaces\{41DB219B-71E4-4903-8D05-8931B81538A7}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{55086DDC-9DF2-40C1-89C2-E5ABFC0C592B}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{E225CA54-EDFA-46D1-856D-AA0363BA6F8E}: [DhcpNameServer] 192.168.239.1
Tcpip\..\Interfaces\{E6CDF7EF-5E08-49F6-A5A6-E8B58C498A93}: [DhcpNameServer] 192.168.1.151 192.168.1.152
Tcpip\..\Interfaces\{F73D4017-AEB7-43EE-837A-8FAB189CD964}: [DhcpNameServer] 192.168.1.151 192.168.1.152
 
Internet Explorer:
==================
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://usa.ntm.org/
HKU\S-1-5-21-473292948-3015293580-4091639569-1003\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKU\S-1-5-21-473292948-3015293580-4091639569-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-06] (Google Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-06] (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-05-06] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-05-06] (Google Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -  No File
 
FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension => not found
FF HKLM-x32\...\Firefox\Extensions: [wcapturex@deskperience.com] - C:\Program Files (x86)\WordWeb\WCaptureMoz
FF Extension: (WordWeb one-click lookup) - C:\Program Files (x86)\WordWeb\WCaptureMoz [2016-05-15] [not signed]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.1 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-07-02] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-07-02] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-30] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-24] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default [2017-06-02]
CHR Extension: (Google Slides) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-09]
CHR Extension: (Free Download Manager Chrome extension) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahmpjcflkgiildlgicmcieglgoilbfdp [2017-03-11]
CHR Extension: (Google Docs) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-09]
CHR Extension: (Google Drive) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-17]
CHR Extension: (YouTube) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-17]
CHR Extension: (Google Search) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-04-15]
CHR Extension: (Google Sheets) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-09]
CHR Extension: (Google Docs Offline) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-16]
CHR Extension: (Gmail) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-15]
CHR Extension: (Chrome Media Router) - C:\Users\Peter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-02]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVP; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows\avp.exe [741360 2013-11-27] (Kaspersky Lab ZAO)
R2 DeviceManager; C:\Program Files (x86)\Common Files\DeviceHelper\DeviceManager.exe [40960 2010-08-27] () [File not signed]
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [4397008 2016-11-19] (SecureMix LLC)
R2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-15] ()
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-12] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-12] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-07-02] (Intel Corporation)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-27] (Microsoft Corporation) [File not signed]
S2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [657504 2012-11-12] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [223816 2013-01-10] (Realtek Semiconductor)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [35936 2013-04-10] (Advanced Micro Devices, Inc.)
S3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [132920 2013-04-24] (Motorola Solutions, Inc.)
S3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1385272 2013-04-24] (Motorola Solutions, Inc.)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [489752 2014-08-15] (Intel Corporation)
R1 gwdrv; C:\Windows\System32\DRIVERS\gwdrv.sys [33248 2015-05-29] (SecureMix LLC)
S3 huawei_wwanecm; C:\Windows\System32\DRIVERS\ew_juwwanecm.sys [241152 2012-12-03] (Huawei Technologies Co., Ltd.)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28656 2013-05-21] (Intel Corporation)
S3 ibtusb; C:\Windows\System32\DRIVERS\ibtusb.sys [112072 2013-06-14] (Intel Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2161752 2013-06-29] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\system32\drivers\irstrtdv.sys [43800 2013-03-22] (Intel Corporation)
S3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [46568 2013-02-14] ()
S3 jrdusbser; C:\Windows\System32\DRIVERS\jrdusbser.sys [119680 2010-08-27] (TCT International Mobile Ltd)
R0 KL1; C:\Windows\System32\DRIVERS\kl1.sys [7717984 2013-09-05] (Kaspersky Lab ZAO)
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [98400 2017-04-27] (Kaspersky Lab ZAO)
R1 KLFLTDEV; C:\Windows\System32\DRIVERS\klfltdev.sys [30816 2013-07-08] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [661600 2017-04-27] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [29792 2013-07-11] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54104 2012-11-22] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [177760 2013-07-01] (Kaspersky Lab ZAO)
S3 lehidmini; C:\Windows\system32\drivers\leath_hid.sys [39704 2013-10-23] (Atheros)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [100312 2013-07-02] (Intel Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
S2 mrtRate; C:\Windows\SysWow64\Drivers\mrtRate.sys [34916 1999-08-30] (Marimba, Inc.) [File not signed]
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R3 O2FJ2RDR; C:\Windows\System32\DRIVERS\O2FJ2w7x64.sys [185760 2013-05-08] (O2Micro )
S2 PMEM; C:\Windows\SysWOW64\drivers\pmemnt.sys [7168 1999-03-08] (Microsoft Corporation) [File not signed]
R3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_Accel.sys [89312 2013-03-28] (STMicroelectronics)
S3 USA19H; C:\Windows\System32\DRIVERS\USA19Hx64.sys [740096 2007-10-30] (Keyspan)
S3 USA19HP; C:\Windows\System32\DRIVERS\USA19Hx64p.SYS [35840 2007-10-23] (Keyspan)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-02 17:25 - 2017-06-02 17:26 - 00024373 _____ C:\Users\Peter\Downloads\FRST.txt
2017-06-02 17:22 - 2017-06-02 17:23 - 02433536 _____ (Farbar) C:\Users\Peter\Downloads\Farbar Recovery Scan Tool FRST64.exe
2017-06-02 14:53 - 2017-06-02 17:22 - 30663168 _____ (SecureMix LLC) C:\Users\Peter\Downloads\GlassWireSetup (2).exe
2017-06-02 13:49 - 2017-06-02 14:48 - 95375707 _____ C:\Users\Peter\Downloads\~yt44BE.tmp
2017-06-01 10:28 - 2017-06-02 05:48 - 344921464 _____ C:\Users\Peter\Downloads\~ytBB92.tmp
2017-05-30 06:52 - 2017-05-30 08:16 - 00009814 _____ C:\Users\Peter\Documents\Flight Manifest 170530 AYKC to AYHK.xlsx
2017-05-28 05:43 - 2017-05-29 11:51 - 00013810 _____ C:\Users\Peter\Documents\Lavalus Inventory, Stock Take & Needs List.xlsx
2017-05-27 20:16 - 2017-05-27 20:19 - 00010245 _____ C:\Users\Peter\Documents\VDD kids' heights - Jotham.xlsx
2017-05-27 15:03 - 2017-05-27 15:02 - 00015413 _____ C:\Users\Peter\Documents\VDD kids' heights1.xlsx
2017-05-21 16:01 - 2017-05-21 16:02 - 00000000 ____D C:\Users\Peter\Downloads\Kaulong Mobile SD cards
2017-05-20 13:30 - 2017-05-20 13:30 - 00000000 ____D C:\Program Files (x86)\Harmonic Vision
2017-05-20 13:29 - 2017-05-20 13:29 - 00003032 _____ C:\Windows\System32\Tasks\{149893F4-2411-4518-B635-9E3C2E92F3E5}
2017-05-06 14:32 - 2017-05-31 06:18 - 00097360 _____ C:\Users\Peter\Documents\For Sale and sorted stuff.xlsx
2017-05-06 14:32 - 2017-05-06 14:32 - 00000165 ____H C:\Users\Peter\Documents\~$For Sale and sorted stuff.xlsx
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-02 17:25 - 2017-04-30 18:57 - 00000000 ____D C:\FRST
2017-06-02 17:24 - 2009-07-14 14:45 - 00030896 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-02 17:24 - 2009-07-14 14:45 - 00030896 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-02 17:23 - 2016-04-19 20:23 - 00000000 ____D C:\Users\Peter\AppData\Local\Free Download Manager
2017-06-02 17:22 - 2009-07-14 15:13 - 00802658 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-02 17:22 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\inf
2017-06-02 17:16 - 2017-04-26 14:10 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2017-06-02 17:16 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-02 14:48 - 2017-04-27 08:28 - 00000000 ____D C:\Users\Peter\Downloads\Antivirus software
2017-06-02 14:48 - 2016-08-09 22:35 - 00004142 _____ C:\Users\Peter\Documents\Peter Van Der Decker.kdbx
2017-06-02 14:48 - 2016-08-09 22:35 - 00000000 ____D C:\Users\Peter\AppData\Roaming\KeePass
2017-06-02 13:46 - 2016-07-13 18:36 - 00040096 _____ C:\Users\Peter\Documents\Check in List for Tribal locations 2016 07.xlsx
2017-05-31 16:34 - 2016-07-06 14:32 - 00000000 ____D C:\UUPlus6
2017-05-31 12:01 - 2013-12-07 12:39 - 00795272 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2017-05-31 09:05 - 2014-12-23 17:43 - 00002201 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-05-31 09:05 - 2014-12-23 17:43 - 00002189 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-05-30 17:29 - 2014-03-07 02:53 - 00004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-05-30 17:28 - 2014-01-14 07:50 - 00803320 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-05-30 17:28 - 2014-01-14 07:50 - 00144888 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-05-30 17:28 - 2014-01-14 07:50 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-05-30 17:28 - 2014-01-14 07:50 - 00000000 ____D C:\Windows\system32\Macromed
2017-05-21 12:52 - 2016-10-09 07:20 - 00000000 ____D C:\Users\Peter\AppData\Local\CrashDumps
2017-05-20 13:35 - 2013-12-07 12:26 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-05-15 04:50 - 2015-01-08 04:34 - 00000000 ____D C:\Users\Peter\Documents\e-Sword
 
==================== Files in the root of some directories =======
 
2014-08-02 03:40 - 2015-04-11 10:37 - 0006656 _____ () C:\Users\Peter\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-12-07 11:05 - 2015-12-07 11:05 - 0007609 _____ () C:\Users\Peter\AppData\Local\Resmon.ResmonCfg
2016-04-15 22:29 - 2016-04-15 22:29 - 0000057 _____ () C:\ProgramData\Ament.ini
 
Some files in TEMP:
====================
2014-01-14 07:53 - 2014-01-14 08:02 - 98936120 _____ (                                                            ) C:\Users\Admin\AppData\Local\Temp\8A92.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-02 12:59
 
==================== End of FRST.txt ============================

Edited by hamluis, 02 June 2017 - 01:11 PM.
Merged topics - Hamluis.
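
The Services and Drivers sections of the FRST log above are read by eye in this thread. As an added example that is not part of the thread and not FRST's own code, here is a small Python parser for that entry format (`<state><start-type> <name>; <path> [<size> <date>] (<vendor>) [flags]`) that pulls out what a reviewer checks first: entries flagged `[File not signed]`, entries with an empty vendor string, and very old file dates. The sample lines are copied from the log above; the meaning given to the state letter (R running, S stopped) and the 2005 cut-off year are my assumptions, not something the log states.

```python
import re
from dataclasses import dataclass

# Sample entries copied from the FRST.txt posted in this thread (Services and
# Drivers sections). The parser handles any line in the same shape.
SAMPLE_FRST = r"""
S2 Mobile Partner. RunOuc; C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe [657504 2012-11-12] ()
R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [35936 2013-04-10] (Advanced Micro Devices, Inc.)
S3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [46568 2013-02-14] ()
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [98400 2017-04-27] (Kaspersky Lab ZAO)
S2 mrtRate; C:\Windows\SysWow64\Drivers\mrtRate.sys [34916 1999-08-30] (Marimba, Inc.) [File not signed]
S2 PMEM; C:\Windows\SysWOW64\drivers\pmemnt.sys [7168 1999-03-08] (Microsoft Corporation) [File not signed]
R3 O2FJ2RDR; C:\Windows\System32\DRIVERS\O2FJ2w7x64.sys [185760 2013-05-08] (O2Micro )
"""

# One FRST entry: state letter + start type, name, path, [size date], (vendor), flags.
# Assumption: the letter is FRST's state code (R = running, S = stopped) and the
# digit is the Windows start type (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
ENTRY_RE = re.compile(
    r"^(?P<state>[A-Z])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);\s+"                                  # name up to ';'
    r"(?P<path>.+?)\s+"                                     # image path (may contain spaces)
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*"   # [size date]
    r"\((?P<vendor>[^)]*)\)"                                # (company string, may be empty)
    r"(?P<flags>.*)$"                                       # e.g. ' [File not signed]'
)


@dataclass
class Entry:
    state: str
    start: int
    name: str
    path: str
    size: int
    date: str
    vendor: str
    signed: bool


def parse_frst(text):
    """Parse FRST Services/Drivers lines; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            state=m["state"],
            start=int(m["start"]),
            name=m["name"].strip(),
            path=m["path"],
            size=int(m["size"]),
            date=m["date"],
            vendor=m["vendor"].strip(),
            signed="[File not signed]" not in m["flags"],
        ))
    return entries


def review(entries, min_year=2005):
    """Return (name, reason) pairs for entries a log reviewer would look at first."""
    findings = []
    for e in entries:
        if not e.signed:
            findings.append((e.name, "file not signed"))
        if not e.vendor:
            findings.append((e.name, "no vendor/company string"))
        if int(e.date[:4]) < min_year:
            findings.append((e.name, f"file dated {e.date} (before {min_year})"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_frst(SAMPLE_FRST)):
        print(f"{name:25s} {reason}")
```

On the sample above this reports the two unsigned 1999-dated drivers (mrtRate, PMEM) and the two entries with no company string (the Mobile Partner updater and ISCT); none of that is a verdict, it is the short list to look at by hand before the full log.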


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,670 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:19 AM

Posted 04 June 2017 - 07:23 AM

Greetings SeatedWithHim and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Your computer is clean.

When you reformatted the SD card was the Quick Format option checked? If so, uncheck it and reformat again. I would also suggest trying a new SD card to see if the issue persists. Since this Forum does not deal with phone issues there isn't much else I can offer.

In order to scan the external drive you can do this.

===================================================

ESET Online Scanner Including External Drive Option

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK
  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

Malwarebytes Anti-Malware Including External Drive Option

----------
  • If Malwarebytes is already installed launch the program, update the database if necessary, attach any external drives you want to scan, and go directly to the Scan instructions below
  • If Malwarebytes is not installed download Malwarebytes Anti-Malware and save it to your desktop
  • Right click the desktop icon and select Run as administrator
  • Click OK for English, then click Next
  • Select I accept the agreement then continue to click Next then finally click Install
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
  • If you are notified the Database is out of date click Update Now
  • Hold down the Shift key then attach any external drives you want to scan
  • Click the Scan button near the top
  • Select Custom Scan then click Configure Scan
  • Place a check mark in Scan for rootkits, Scan Startup and Registry Settings, the C: drive, and any additional drives you would like to scan
  • Click Scan now
  • Note: If Malwarebytes will not launch stop and let me know
  • When completed review the Scan Results list and uncheck any items you want to keep (if there are identified items)
  • Click Quarantine threats
  • If requested restart your computer
  • Relaunch Malwarebytes
  • Click the Reports tab
  • Place a check mark in the most recent Scan Report then click View Report
  • Click Export, then select Text File (/txt)
  • Save the file on your Desktop as MBAM.txt
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Reformat SD?
  • ESET report
  • MBAM report

Edited by Oh My!, 07 June 2017 - 08:22 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 SeatedWithHim

SeatedWithHim
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 05 June 2017 - 04:27 AM

Hi Gary, Thanks so much for your help. I really appreciate it, and especially knowing that it is "volunteer" help. Thank you.

I am working through the steps you have given me.

SD Cards

I believe this is a separate issue from the phone, as it impacts just the SD cards. I use SD cards for my work as a memory device on my computer alone (i.e., not putting them in other computers). So if we can continue to follow this one out, I'd really appreciate it.

I believe my computer is not clean. Let me explain why I think that.

Since getting your suggestions, I've been trying some different things, all within the parameters of what you have said. I can quick format or full format an SD card - it makes no difference - and when I copy certain folders to the SD card (trying it with two different ones, one fairly new, one used) then this UUUUUUUU.uuu problem arises. I can copy other folders and there is no problem. If I remember correctly, when I copy these files through a network onto an SD card in someone else's computer, I do not get this error.

Ok, this error seems to not be triggered by small folders, but rather only with large ones. I can full reformat the card, create new folders, copy small folders, and no problem. But when I copy a larger folder, and then make a new folder, it fills it with 1024 new UUUUUUUU.uuu folders.

I wanted to get this sent to you so you might be able to think on it. I can still run the rest of the steps you asked me to run on the hard drive if you want me to. But I am concerned that if this virus is on my computer it will just put it back on the hard-drive too.

Another question, I have several USB thumb drives that need to be cleaned too. The steps you give for cleaning my HD, can I re-run those steps for each thumb drive I need to clean, or what would be the best way to do that?

Thanks again.



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,670 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:19 AM

Posted 06 June 2017 - 02:37 PM

Greetings Peter.

OK, let's continue to address your computer. I will wait for your 2 scan reports. 

when I copy certain folders to the SD card

What folder(s) are you trying to copy?
Gary
 

#9 SeatedWithHim

SeatedWithHim
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 06 June 2017 - 06:48 PM

A Question and two answers...

Question:

Our internet is really slow here. Several times now I have received the following error with ESET in the Initialization (step 2 of 4) step: "Cannot get update. Is proxy configured?" First time it got to 4%, second time to 96%, and just now to 4% again, and again since I started writing this post.

For downloads here I usually use Free Download Manager, so that it can pick back up where it left off when the internet has troubles. Is there a way that I can do something like that with ESET? I will continue to go "back" and "Start" again until I hear from you. But I don't know. It got to the 96% when I let it run overnight. I doubt it will do better during the day, but I'll keep trying.

Answers:

The quick one first: it seems to make no difference whether I do a Quick Format of the SD card or a Full Format. I've gotten into the habit now of only doing a Full format, but the virus always returns.

Regarding what folders I have tried to copy to the SD cards, initially I was trying to put an audio New Testament (836mb), and then from a different original source, a video folder (Jesus video, etc, 956mb) and another audio file folder with teaching (1.39gb) and they each would cause the virus to run. Each of these is located in a "My Downloads" folder.

I tried numerous other small folders, and it would not trigger the virus.

So then I was suspecting it might have something to do with the source that these folders came from, so I tried copying "My Documents" folder (20.7gb) and then before it had a chance to tell me that there wouldn't be enough space, I tried creating another folder on the SD card, and it triggered the virus. So that is what led me to think that it has to be a larger file folder that would trigger it.

Thanks for your continued help. If I can get ESET and Malwarebytes to run (in that order) I'll send you the logs for that.

 



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,670 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:19 AM

Posted 06 June 2017 - 07:28 PM

Thanks for the information.

 

Skip ESET and try Malwarebytes.


Gary
 

#11 SeatedWithHim

SeatedWithHim
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 07 June 2017 - 05:56 PM

I was eventually able to get both ESET and Malwarebytes to download. Here are the results of ESET. Due to the difficulty of downloading that program, I did not uninstall it, but kept it for future use per chance it should be needed.

 

C:\Users\All Users\YTD Video Downloader\ytd_installer.exe a variant of Win32/Spigot.D potentially unwanted application
C:\Program Files (x86)\NCH Software\PitchPerfect\pitchperfect.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\PitchPerfect\pitchperfectsetup_v2.12.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Program Files (x86)\NCH Software\Recordpad\recordpad.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\Recordpad\recordpadsetup_v5.35.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Program Files (x86)\NCH Software\TempoPerfect\tempoperfect.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\TempoPerfect\tempoperfectsetup_v4.08.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\ProgramData\YTD Video Downloader\ytd_installer.exe a variant of Win32/Spigot.D potentially unwanted application cleaned by deleting
C:\Users\Peter\Downloads\HP Deskjet 1510 driver DJ1510_188.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Peter\Downloads\Perfect Pitch setup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Users\Peter\Downloads\Record Pad rpsetup.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Users\Peter\My Documents, Old\My Downloads\CCleaner ccsetup407.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Peter\My Documents, Old\My Downloads\YouTubeDownloaderSetup33.exe a variant of Win32/Toolbar.Widgi potentially unwanted application cleaned by deleting
F:\Peter's Old Office Drive, pre 2015\Documents and Settings\Peter\My Documents\My Downloads\CCleaner ccsetup407.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
F:\Peter's Old Office Drive, pre 2015\Documents and Settings\Peter\My Documents\My Downloads\YouTubeDownloaderSetup33.exe a variant of Win32/Toolbar.Widgi potentially unwanted application cleaned by deleting
F:\Peter's Old Office Drive, pre 2015\Program Files\Common Files\Spigot\Search Settings\SearchSettings64.exe a variant of Win64/Toolbar.Widgi.A potentially unwanted application cleaned by deleting
F:\Peter's Old Office Drive, pre 2015\WINDOWS\Installer\77da140b.msi a variant of Win32/Toolbar.Widgi potentially unwanted application deleted
F:\Peter's Old Office Drive, pre 2015\WINDOWS\system32\config\systemprofile\Application Data\Application Updater\temp\~wt703.tmp a variant of Win32/Toolbar.Widgi.B potentially unwanted application cleaned by deleting
F:\Peter's Old Office Drive, pre 2015\WINDOWS\Temp\pdfforgeToolbar.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application cleaned by deleting
 
It would seem that the Malwarebytes program has been updated since the instructions for its use were written.
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium if you do not want the free trial of the paid version, then click Finish
  • If you are notified the Database is out of date click Update Now
From this point on, what I see on the screen does not appear to be what the instructions describe.  I had no option for avoiding the free trial.  The Scan button is on the left now, etc.
 
I followed your instructions as best I could with the newer program, and here is the report (no threats were found):
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 6/8/17
Scan Time: 6:50 AM
Log File: MBAM.txt
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.141
Update Package Version: 1.0.2107
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: D4ZCDF12\Peter
 
-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 428956
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 hr, 58 min, 35 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
I think that is it.  I'll wait to hear back from you.  Thanks.
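
The ESET report above is a flat list of `<path> [a variant of] <detection> <category> [<action>]` lines. As an added example, written for this thread and not ESET's own code, here is a Python parser for that line shape that tallies detections by drive and by detection family, and lists the lines with no trailing action word (the first `ytd_installer.exe` line above is one), since on my reading those record a detection for which no cleaning action was logged at that path. The sample lines are copied from the report above; the pattern only knows the two category phrases that occur in this report, so other ESET category words would need adding.

```python
import re
from collections import Counter

# Lines copied from the ESET report posted above (a subset). The parser works on
# any report line in the same "<path> [a variant of] <detection> <category> [<action>]" shape.
SAMPLE_ESET = r"""
C:\Users\All Users\YTD Video Downloader\ytd_installer.exe a variant of Win32/Spigot.D potentially unwanted application
C:\Program Files (x86)\NCH Software\PitchPerfect\pitchperfect.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application cleaned by deleting
C:\Program Files (x86)\NCH Software\PitchPerfect\pitchperfectsetup_v2.12.exe a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application deleted
C:\Users\Peter\Downloads\HP Deskjet 1510 driver DJ1510_188.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
F:\Peter's Old Office Drive, pre 2015\Program Files\Common Files\Spigot\Search Settings\SearchSettings64.exe a variant of Win64/Toolbar.Widgi.A potentially unwanted application cleaned by deleting
F:\Peter's Old Office Drive, pre 2015\WINDOWS\Installer\77da140b.msi a variant of Win32/Toolbar.Widgi potentially unwanted application deleted
"""

# Windows paths contain no forward slash, so the first token with a '/' in it
# (e.g. Win32/Spigot.D) is taken as the detection name; everything before it is the path.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:a variant of\s+)?"
    r"(?P<detection>[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>potentially (?:unwanted|unsafe) application)"   # categories seen in this report
    r"(?:\s+(?P<action>.+))?$"                                     # 'deleted', 'cleaned by deleting', or absent
)


def parse_eset(text):
    """Parse ESET report lines into dicts; non-matching lines are skipped."""
    hits = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        detection = m["detection"]
        hits.append({
            "path": path,
            # drive letter, e.g. 'C:' or 'F:'; '?' for paths without one
            "drive": path[:2] if len(path) > 1 and path[1] == ":" else "?",
            "detection": detection,
            # 'Win32/Bundled.Toolbar.Google.C' -> family 'Bundled'
            "family": detection.split("/", 1)[1].split(".")[0],
            "category": m["category"],
            "action": m["action"] or "none recorded",
        })
    return hits


def summarize(hits):
    """Counts by drive and family, plus the paths with no action logged."""
    return {
        "total": len(hits),
        "by_drive": Counter(h["drive"] for h in hits),
        "by_family": Counter(h["family"] for h in hits),
        "unresolved": [h["path"] for h in hits if h["action"] == "none recorded"],
    }


if __name__ == "__main__":
    summary = summarize(parse_eset(SAMPLE_ESET))
    print("detections:", summary["total"])
    print("by drive:  ", dict(summary["by_drive"]))
    print("by family: ", dict(summary["by_family"]))
    for path in summary["unresolved"]:
        print("no action recorded:", path)
```

The per-drive count is the quick way to see how much of a report comes from an attached external drive (here F:) rather than the system drive, and the unresolved list is what to re-check after the scanner has been run again.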
 


#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,670 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:19 AM

Posted 07 June 2017 - 08:25 PM

Greetings Peter.

Thank you for the Malwarebytes information. They change the user interface on occasion.

Please do this.

===================================================

USB Fix

--------------
  • Download UsbFix and save it to your Desktop
  • Disable any antivirus programs you have running
  • Close any open windows
  • Right click on the icon and select Run as administrator
  • Click Accept
  • Click Clean
  • Attach your external devices as instructed in the pop up screen
  • Click OK
  • Click OK on the Please register your current work screen
  • Copy and paste the contents of the report that will appear on your desktop in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • UsbFix report

Gary
 

#13 SeatedWithHim

SeatedWithHim
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 07 June 2017 - 11:02 PM

Quick question:  I had had Windows Essentials, and then it was recommended that I use Kaspersky Endpoint Security 10.  But I can't figure out how to turn it off.  I can't find anything on the internet either as to how to temporarily disable it.  Can you help me with that?

Thanks.



#14 SeatedWithHim

SeatedWithHim
  • Topic Starter

  • Members
  • 77 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 07 June 2017 - 11:16 PM

One more question, it seems that Kaspersky has a lot of different areas of protection.  Which ones of these need to be disabled?  Thanks.



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,670 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:07:19 AM

Posted 08 June 2017 - 12:25 PM

See #2 here.


Gary
 



