
Lost control of system restart in Windows 10, can't Safe Mode, Memory BSOD


  • This topic is locked
20 replies to this topic

#1 Oceanfield

Oceanfield

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 15 June 2017 - 07:30 PM

I was recently the victim of credit card theft stemming from online bill pay, so presumably my computer is infected. A week ago, I installed Avast's free virus protection software. Previously, I was only using Windows Defender which was updated regularly and never found anything malicious. I set Avast up to take over security operations, did a scan and found nothing. However, over the past few days, strange things have been happening to my computer that lead me to believe it is still infected somehow.

 

Issues I'm having:

 

Every time I restart my computer, it turns off and on just fine, but I am met by the same notifications every single time it boots up. These include a prompted review of my privacy settings before I can update to the Windows 10 Creators Update coming soon, some patch updates for Blizzard video games I play, an update for Razer Synapse, all of which I have completed dozens of times over by now. Additionally, every time I open Firefox, I open to a page asking if I would like to restore to a previous session from a few days ago.

 

I have also tried altering my startup processes to disable Blizzard Launcher, iCloud, Plex, Razer Synapse, etc. and every time my computer restarts, they are turned back on. It seems like my computer just keeps rolling back to a previous point in time.

 

I am also unable to reboot into Safe Mode. I've tried F8 at restart. I've tried shift+Restart. My computer just always bypasses and goes through the regular boot sequence with the ASUS screen followed by my admin user login screen.

 

And as of about 30 minutes prior to this post, I am now getting MEMORY_MANAGEMENT BSODs. I can't run chkdsk or memory diagnostics because of the same restart issues.

 

Things I've tried:

 

I followed a friend's link to a one-stop-shop computer cleaning solution via Lawrence Technology Systems. This included a Junkware Removal Tool, CCleaner, TDSSKiller, AdwCleaner, and Malwarebytes. I completed all but one of these and found nothing. The one that could not complete was the TDSSKiller. It actually does literally nothing when it is executed. I tried changing the name of the file, per suggestions online. Still nothing. So I found another rootkit scanner called Malwarebytes Anti-Rootkit Beta, but it could not perform a scan because of a DDA Driver not being installed due to error. It prompts a restart and installation of the driver to allow for a scan. I click okay, but again, my computer restarts and goes directly back to square one as if I did nothing.

 

I also tried an Avast boot-time scan, and it gets bypassed by the same restart procedure. Avast Full System Scans also stop at 0% and say the scan failed and the system needs to be restarted. I cannot uninstall Avast because it requires a Safe Mode extraction with Avastclear.

 

Where do I begin to try to fix this issue? Your help would be much appreciated! Thanks




 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 16 June 2017 - 08:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's start by checking your system.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#3 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 16 June 2017 - 04:54 PM

I downloaded Farbar Recovery Scan Tool (64 bit) to my desktop from the link provided. I double clicked it to run it and Windows Defender tried to stop it, so I selected 'Run Anyway' on the dialog box that had popped up, and a second dialog box pops up titled 'AutoIt Error' with the message "Unable to open the script file."



#4 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 16 June 2017 - 04:57 PM

I am now operating on the Google Chrome browser since my Firefox is acting strange. Unfortunately Chrome is out of date and when I try to run the updated Chrome Setup, it again does nothing; double click followed by no action whatsoever. It seems no new item can be executed on my computer.



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 17 June 2017 - 09:03 AM




Try this.

Rename the Farbar program you have downloaded to Svchost.exe and execute it.

Post the logs if you can.

If not successful download this tool and follow these instructions.
Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

#6 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 17 June 2017 - 10:05 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-06-2017 01
Ran by Jared (administrator) on MODERNISM-PC (17-06-2017 22:00:09)
Running from D:\Downloads
Loaded Profiles: Jared (Available Profiles: Jared)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(DTS, Inc) C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe
(Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
(Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKServer.exe
() C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe
(Plex, Inc.) C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe
(Hi-Rez Studios) D:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Apple, Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\secd.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1705.1301.0_x64__8wekyb3d8bbwe\Calculator.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.425.10010.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.17.420.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) D:\Downloads\Svchost.exe.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6827664 2016-05-05] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_DTS] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1215632 2016-05-05] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => D:\Program Files HDD (x86)\iTunes\iTunesHelper.exe [176440 2016-11-01] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213824 2017-06-07] (AVAST Software)
HKLM-x32\...\Run: [Raptr] => C:\Program Files (x86)\Raptr Inc\Raptr\raptrstub.exe [58584 2017-05-30] (Raptr, Inc)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [596640 2017-04-13] (Razer Inc.)
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <====== ATTENTION
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9288408 2016-12-06] (Piriform Ltd)
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\...\Run: [Steam] => D:\Program Files HDD (x86)\Steam\steam.exe [3042592 2017-06-08] (Valve Corporation)
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\...\Run: [Battle.net] => C:\Program Files (x86)\Battle.net\Battle.net Launcher.exe [3229160 2017-03-24] (Blizzard Entertainment)
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [13159912 2017-02-01] (Plex, Inc.)
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2016-10-06] (Apple Inc.)
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [110392 2016-10-06] (Apple Inc.)
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\...\Run: [iCloudPhotos] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudPhotos.exe [356664 2016-10-06] (Apple Inc.)
HKU\S-1-5-21-989411530-4077684960-1681588511-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Ribbons.scr [151040 2016-07-16] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [Plex Media Server] => C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe [13159912 2017-02-01] (Plex, Inc.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-06-07] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{337dd074-e207-4099-9cec-fe6f7b22269c}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{b023608e-de75-419d-b65c-a8e8f7794aaa}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{d21eaafe-1048-471b-8865-5569886104fe}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================

FireFox:
========
FF DefaultProfile: p91r4jzt.default
FF ProfilePath: C:\Users\Jared\AppData\Roaming\Mozilla\Firefox\Profiles\p91r4jzt.default [2017-06-17]
FF Homepage: Mozilla\Firefox\Profiles\p91r4jzt.default -> google.com
FF Extension: (AdBlocker Ultimate) - C:\Users\Jared\AppData\Roaming\Mozilla\Firefox\Profiles\p91r4jzt.default\Extensions\adblockultimate@adblockultimate.net.xpi [2016-12-28]
FF Extension: (Easy Screenshot) - C:\Users\Jared\AppData\Roaming\Mozilla\Firefox\Profiles\p91r4jzt.default\Extensions\easyscreenshot@mozillaonline.com.xpi [2017-04-25]
FF Extension: (Avast Online Security) - C:\Users\Jared\AppData\Roaming\Mozilla\Firefox\Profiles\p91r4jzt.default\Extensions\wrc@avast.com.xpi [2017-06-08]
FF Extension: (Always on Top) - C:\Users\Jared\AppData\Roaming\Mozilla\Firefox\Profiles\p91r4jzt.default\Extensions\{E6C93316-271E-4b3d-8D7E-FE11B4350AEB}.xpi [2016-09-10]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [2017-05-09] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [2017-05-09] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-08-08] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-05-05] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-05-05] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default [2017-06-11]
CHR Extension: (Google Slides) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-05-05]
CHR Extension: (Google Docs) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-05-05]
CHR Extension: (Google Drive) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-05-05]
CHR Extension: (YouTube) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-05-05]
CHR Extension: (Google Sheets) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-05-05]
CHR Extension: (Google Docs Offline) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-23]
CHR Extension: (Gmail) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-05-05]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
S4 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2016-05-05] ()
S4 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2016-05-05] (ASUSTeK Computer Inc.)
S4 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2016-05-05] (ASUSTeK Computer Inc.)
S4 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.08\AsusFanControlService.exe [324608 2016-05-05] (ASUSTeK Computer Inc.) [File not signed]
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7346208 2017-06-07] (AVAST Software s.r.o.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [263304 2017-06-07] (AVAST Software)
S4 CorsairSSDToolBox; C:\Program Files (x86)\Corsair SSD Toolbox\CSSDTService.exe [2171344 2016-03-07] (Corsair)
R2 DTSAudioSvc; C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [233328 2016-05-05] (DTS, Inc)
S3 EasyAntiCheat; C:\WINDOWS\SysWOW64\EasyAntiCheat.exe [382504 2017-05-07] (EasyAntiCheat Ltd)
S3 ESRV_SVC_WILLAMETTE; C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe [416408 2016-03-09] ()
U2 HiPatchService; D:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9728 2017-05-11] (Hi-Rez Studios) [File not signed]
S4 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [160768 2011-05-27] (Intel Corporation) [File not signed]
S4 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S4 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
R2 PlexUpdateService; C:\Program Files (x86)\Plex\Plex Media Server\Plex Update Service.exe [1919976 2017-02-01] (Plex, Inc.)
R2 Razer Chroma SDK Server; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKServer.exe [401024 2017-05-02] (Razer Inc.)
R2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [178312 2017-05-02] (Razer Inc.)
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [189264 2016-09-24] ()
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
R2 SystemUsageReportSvc_WILLAMETTE; C:\Program Files (x86)\Intel Driver Update Utility\SUR\SurSvc.exe [118424 2016-03-09] ()
S3 USER_ESRV_SVC_WILLAMETTE; C:\Program Files\Intel\SUR\WILLAMETTE\ESRV\esrv_svc.exe [416408 2016-03-09] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-04-27] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-04-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AiChargerPlus; C:\Windows\SysWow64\drivers\AiChargerPlus.sys [14848 2012-04-19] (ASUSTek Computer Inc.)
S0 amdkmafd; C:\WINDOWS\System32\drivers\amdkmafd.sys [49448 2016-08-18] (Advanced Micro Devices, Inc.)
R3 amdkmdag; C:\WINDOWS\System32\DriverStore\FileRepository\c0313676.inf_amd64_96bbc33bec5c7fae\atikmdag.sys [36558208 2017-05-16] (Advanced Micro Devices, Inc.)
R3 amdkmdap; C:\WINDOWS\System32\DriverStore\FileRepository\c0313676.inf_amd64_96bbc33bec5c7fae\atikmpag.sys [528760 2017-05-16] (Advanced Micro Devices, Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2016-05-05] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2016-05-05] ()
R1 aswbidsdriver; C:\WINDOWS\system32\drivers\aswbidsdrivera.sys [311808 2017-06-07] (AVAST Software s.r.o.)
R0 aswbidsh; C:\WINDOWS\system32\drivers\aswbidsha.sys [190256 2017-06-07] (AVAST Software s.r.o.)
R0 aswblog; C:\WINDOWS\system32\drivers\aswbloga.sys [334576 2017-06-07] (AVAST Software s.r.o.)
R0 aswbuniv; C:\WINDOWS\system32\drivers\aswbuniva.sys [49016 2017-06-07] (AVAST Software s.r.o.)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [38296 2017-06-07] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [32600 2017-06-07] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [128648 2017-06-07] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr2.sys [101152 2017-06-07] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\drivers\aswRvrt.sys [75704 2017-06-07] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [1007160 2017-06-07] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [569192 2017-06-07] (AVAST Software)
R2 aswStm; C:\WINDOWS\system32\drivers\aswStm.sys [158880 2017-06-07] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\drivers\aswVmm.sys [339696 2017-06-07] (AVAST Software)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [101376 2016-07-24] (Advanced Micro Devices)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [99288 2013-08-08] (Intel Corporation)
R3 mt7612US; C:\WINDOWS\System32\drivers\mt7612US.sys [377864 2015-12-09] (MediaTek Inc.)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 rzendpt; C:\WINDOWS\System32\drivers\rzendpt.sys [51736 2016-06-23] (Razer Inc)
R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [44144 2016-09-16] (Razer, Inc.)
R2 rzpnk; C:\Windows\system32\drivers\rzpnk.sys [130880 2015-12-14] (Razer, Inc.)
S3 semav6msr64; C:\WINDOWS\system32\drivers\semav6msr64.sys [21984 2016-03-09] ()
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 xhunter1; C:\WINDOWS\xhunter1.sys [38368 2017-06-03] (Wellbia.com Co., Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-17 21:51 - 2017-06-17 22:00 - 00000000 ____D C:\FRST
2017-06-17 21:33 - 2017-06-17 21:34 - 00000000 _____ C:\WINDOWS\SysWOW64\last.dump
2017-06-12 02:01 - 2017-06-12 02:01 - 00000000 ____D C:\ProgramData\SWCUTemp
2017-06-07 07:56 - 2017-06-07 08:15 - 00004016 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1496840211
2017-06-07 07:56 - 2017-06-07 08:15 - 00001088 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-06-07 07:56 - 2017-06-07 07:56 - 00158880 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswstm.sys
2017-06-07 07:56 - 2017-06-07 07:56 - 00061304 _____ () C:\WINDOWS\system32\Drivers\lpsport.sys
2017-06-07 07:56 - 2017-06-07 07:56 - 00032600 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2017-06-07 07:56 - 2017-06-07 07:56 - 00003994 _____ C:\WINDOWS\System32\Tasks\Avast Emergency Update
2017-06-07 07:56 - 2017-06-07 07:56 - 00001979 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Free Antivirus.lnk
2017-06-07 07:56 - 2017-06-07 07:56 - 00001967 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2017-06-07 07:56 - 2017-06-07 07:56 - 00001088 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2017-06-07 07:56 - 2017-06-07 07:56 - 00000000 ____D C:\Users\Jared\AppData\Roaming\AVAST Software
2017-06-07 07:56 - 2017-06-07 07:55 - 01007160 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00569192 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00400456 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2017-06-07 07:56 - 2017-06-07 07:55 - 00339696 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00334576 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbloga.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00311808 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsdrivera.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00190256 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsha.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00128648 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00101152 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00075704 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00049016 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbuniva.sys
2017-06-07 07:56 - 2017-06-07 07:55 - 00038296 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2017-06-07 07:55 - 2017-06-07 07:56 - 00000000 ____D C:\Program Files\AVAST Software
2017-06-07 07:54 - 2017-06-07 09:28 - 00000000 ____D C:\ProgramData\AVAST Software
2017-05-20 14:32 - 2017-05-20 16:14 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-17 21:48 - 2016-11-18 17:47 - 00000000 ____D C:\Users\Jared\AppData\LocalLow\Mozilla
2017-06-17 21:36 - 2016-09-23 10:22 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-06-17 21:34 - 2016-11-25 15:44 - 00000000 ___RD C:\Users\Jared\iCloudDrive
2017-06-17 21:32 - 2016-07-29 23:34 - 01927602 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-17 21:28 - 2016-07-30 17:12 - 00000000 ____D C:\Users\Jared\AppData\Local\Comms
2017-06-17 21:26 - 2016-09-23 10:27 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-17 21:26 - 2016-06-13 17:20 - 00000000 ____D C:\Program Files (x86)\Battle.net
2017-06-12 10:41 - 2016-06-13 17:20 - 00000000 ____D C:\Users\Jared\AppData\Local\Battle.net
2017-06-11 21:16 - 2016-09-23 10:23 - 00000000 ____D C:\Users\Jared
2017-06-11 21:14 - 2016-09-23 10:22 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-06-11 21:14 - 2016-07-16 01:04 - 00786432 _____ C:\WINDOWS\system32\config\BBI
2017-06-11 11:53 - 2016-05-05 23:37 - 00000000 ____D C:\Users\Jared\AppData\Roaming\vlc
2017-06-11 10:27 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-09 16:35 - 2016-06-13 18:26 - 00000000 ____D C:\Program Files (x86)\Overwatch
2017-06-08 18:54 - 2016-07-16 06:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-08 18:54 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\appraiser
2017-06-08 18:54 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-06-03 22:28 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\INF
2017-06-03 22:09 - 2016-06-13 21:39 - 00000000 ____D C:\Users\Jared\AppData\Roaming\Raptr
2017-06-03 17:22 - 2017-03-08 22:27 - 00038368 _____ (Wellbia.com Co., Ltd.) C:\WINDOWS\xhunter1.sys
2017-06-01 20:55 - 2016-06-24 17:10 - 00028081 _____ C:\Users\Jared\Documents\Bill History since June 2013.txt
2017-05-30 20:33 - 2016-05-06 12:40 - 00565416 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-05-26 20:43 - 2017-03-08 22:27 - 00000000 ____D C:\Users\Jared\Documents\Black Desert
2017-05-25 21:51 - 2017-01-26 18:18 - 00003284 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-05-25 21:51 - 2016-07-30 06:03 - 00002405 _____ C:\Users\Jared\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-05-25 21:51 - 2016-07-30 06:03 - 00000000 ___RD C:\Users\Jared\OneDrive
2017-05-25 19:37 - 2016-05-05 23:51 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-05-22 16:12 - 2016-05-06 13:57 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-05-22 16:11 - 2016-05-06 13:57 - 132223576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-05-20 16:14 - 2016-06-12 20:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2008-02-05 14:28 - 2008-02-05 14:28 - 0000051 _____ () C:\Users\Jared\AppData\Local\setup.txt
2016-07-14 18:03 - 2016-07-14 18:03 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
2017-05-26 17:51 - 2017-06-03 17:22 - 0000088 _____ () C:\Users\Jared\AppData\Local\Temp\0713396e70beb54af75f27ba18621a28.dll
2017-05-26 17:51 - 2017-05-26 17:51 - 0000180 _____ () C:\Users\Jared\AppData\Local\Temp\6699d3ee8dd9cf775caae782c8f44f03.dll
2017-05-17 09:45 - 2017-04-17 17:36 - 0037376 _____ (Microsoft) C:\Users\Jared\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
2017-05-17 09:45 - 2017-04-17 14:23 - 0020480 _____ (Microsoft) C:\Users\Jared\AppData\Local\Temp\HiRezLauncherControls.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-11 10:38

==================== End of FRST.txt ============================


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 18 June 2017 - 07:29 AM

Quote from your Addition.txt file.

Description: The file system structure on volume C: cannot be corrected.
Please run the chkdsk utility on the volume C:.


First please run the chkdsk utility on the volume C:.
Navigate to this page for more information.

Run this command from the DOS prompt
chkdsk /f C:

Let it finish.

Restart the computer normally when completed.

===

Then run this fix to clean some unwanted items.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (Chrome Web Store Payments) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-23]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
Task: {225265D1-531A-45A9-9AB6-D8B8F28AE124} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {4DCADF34-4143-4776-89E7-5EE06EC826BE} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {544CB835-4F9E-4766-BF28-F1012395E410} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {70EB96EF-04DE-4201-A019-4A722ECC9662} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {79A0E4BA-F104-4F29-A78A-8C9322D980CE} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {84497EB2-8FD2-4F0A-AC5F-88C5E6ADE5A5} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {9CE85043-DD40-4DC8-8F4F-7E87BF740D6A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {9DED525F-79A0-4393-A432-A6853F65588F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A0C7A597-0356-4B87-92F7-C6C9762ADB6F} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {A24E6441-9532-4DCA-BDC5-2094704E063D} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {A2B7DE9D-2714-4D7D-BFCF-DDA1900AD5DB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {AD2D7F30-CABE-447D-9131-9635C84FA40C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {CDCBA6F8-7CD5-4FEF-B8E4-BB5D9585FFA2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {D4413B18-9C7D-49CF-82C8-068AB1CB1EB5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {DF1B2DA4-054D-4DE3-8770-90ECD55233DA} - \WPD\SqmUpload_S-1-5-21-989411530-4077684960-1681588511-1001 -> No File <==== ATTENTION
Task: {E20DD25A-807F-4760-86D8-DDFB4F574BB6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.

#8 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 18 June 2017 - 10:55 AM

chkdsk /f C:

When first run, it says I need to be in an elevated state, so I ran it as administrator.

It now says:

C:\WINDOWS\system32>chkdsk /f C:
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)

I entered Y and closed command prompt, then restarted my computer. It went right through the same restart process and bypassed the chkdsk entirely. Off, on, login screen.



#9 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 18 June 2017 - 11:03 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-06-2017
Ran by Jared (18-06-2017 10:59:27) Run:1
Running from D:\Downloads
Loaded Profiles: Jared (Available Profiles: Jared)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-23]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
Task: {225265D1-531A-45A9-9AB6-D8B8F28AE124} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {4DCADF34-4143-4776-89E7-5EE06EC826BE} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {544CB835-4F9E-4766-BF28-F1012395E410} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {70EB96EF-04DE-4201-A019-4A722ECC9662} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {79A0E4BA-F104-4F29-A78A-8C9322D980CE} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {84497EB2-8FD2-4F0A-AC5F-88C5E6ADE5A5} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {9CE85043-DD40-4DC8-8F4F-7E87BF740D6A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {9DED525F-79A0-4393-A432-A6853F65588F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A0C7A597-0356-4B87-92F7-C6C9762ADB6F} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {A24E6441-9532-4DCA-BDC5-2094704E063D} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {A2B7DE9D-2714-4D7D-BFCF-DDA1900AD5DB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {AD2D7F30-CABE-447D-9131-9635C84FA40C} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {CDCBA6F8-7CD5-4FEF-B8E4-BB5D9585FFA2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {D4413B18-9C7D-49CF-82C8-068AB1CB1EB5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {DF1B2DA4-054D-4DE3-8770-90ECD55233DA} - \WPD\SqmUpload_S-1-5-21-989411530-4077684960-1681588511-1001 -> No File <==== ATTENTION
Task: {E20DD25A-807F-4760-86D8-DDFB4F574BB6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{225265D1-531A-45A9-9AB6-D8B8F28AE124} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{225265D1-531A-45A9-9AB6-D8B8F28AE124} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-Weekend => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4DCADF34-4143-4776-89E7-5EE06EC826BE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4DCADF34-4143-4776-89E7-5EE06EC826BE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{544CB835-4F9E-4766-BF28-F1012395E410} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{544CB835-4F9E-4766-BF28-F1012395E410} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{70EB96EF-04DE-4201-A019-4A722ECC9662} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{70EB96EF-04DE-4201-A019-4A722ECC9662} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{79A0E4BA-F104-4F29-A78A-8C9322D980CE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{79A0E4BA-F104-4F29-A78A-8C9322D980CE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{84497EB2-8FD2-4F0A-AC5F-88C5E6ADE5A5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{84497EB2-8FD2-4F0A-AC5F-88C5E6ADE5A5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9CE85043-DD40-4DC8-8F4F-7E87BF740D6A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9CE85043-DD40-4DC8-8F4F-7E87BF740D6A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9DED525F-79A0-4393-A432-A6853F65588F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9DED525F-79A0-4393-A432-A6853F65588F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A0C7A597-0356-4B87-92F7-C6C9762ADB6F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A0C7A597-0356-4B87-92F7-C6C9762ADB6F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A24E6441-9532-4DCA-BDC5-2094704E063D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A24E6441-9532-4DCA-BDC5-2094704E063D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\rundetector => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A2B7DE9D-2714-4D7D-BFCF-DDA1900AD5DB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2B7DE9D-2714-4D7D-BFCF-DDA1900AD5DB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD2D7F30-CABE-447D-9131-9635C84FA40C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD2D7F30-CABE-447D-9131-9635C84FA40C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CDCBA6F8-7CD5-4FEF-B8E4-BB5D9585FFA2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDCBA6F8-7CD5-4FEF-B8E4-BB5D9585FFA2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D4413B18-9C7D-49CF-82C8-068AB1CB1EB5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D4413B18-9C7D-49CF-82C8-068AB1CB1EB5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF1B2DA4-054D-4DE3-8770-90ECD55233DA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF1B2DA4-054D-4DE3-8770-90ECD55233DA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-989411530-4077684960-1681588511-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E20DD25A-807F-4760-86D8-DDFB4F574BB6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E20DD25A-807F-4760-86D8-DDFB4F574BB6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 92177584 B
Java, Flash, Steam htmlcache => 733001035 B
Windows/system/drivers => 7580234 B
Edge => 0 B
Chrome => 35090422 B
Firefox => 36058004 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 3340 B
NetworkService => 64126 B
Jared => 80561112 B
 
RecycleBin => 0 B
EmptyTemp: => 939 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:59:41 ====
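As an added example (not part of the thread and not code from the FRST project), a small Python script that does by hand what nasdaq's fix above and the Fixlog that followed show: it collects the scheduled-task lines FRST flags as orphaned ("-> No File <==== ATTENTION") into the Start/End frame of a fixlist, and afterwards checks Fixlog.txt so that every task GUID in the fixlist has a matching "key removed successfully" line. The sample scan and Fixlog lines are constructed in the format seen in the thread; the all-zero and all-one GUIDs are placeholders, not real tasks.

```python
"""Build FRST fixlist entries and verify the Fixlog afterwards.

Added example for this thread; not part of the original posts and not code
from the FRST (Farbar Recovery Scan Tool) project. It automates two steps the
thread does by hand:
  1. collect the scheduled-task lines FRST flags as orphaned
     ("... -> No File <==== ATTENTION") into the Start/End frame of a fixlist;
  2. check Fixlog.txt afterwards so every fixlist task GUID has a matching
     TaskCache Tasks "key removed successfully" line.
Sample lines are constructed in the thread's format; the all-zero and all-one
GUIDs are placeholders, not real tasks.
"""
import re

# A flagged task line as FRST prints it:
#   Task: {GUID} - \path\to\task -> No File <==== ATTENTION
TASK_RE = re.compile(r"^Task: \{([0-9A-Fa-f-]{36})\} - (.+?) -> No File <==== ATTENTION$")
# The Fixlog line that proves the task registration itself was deleted:
#   ...\Schedule\TaskCache\Tasks\{GUID} => key removed successfully
REMOVED_RE = re.compile(r"TaskCache\\Tasks\\\{([0-9A-Fa-f-]{36})\} => key removed successfully$")


def orphaned_tasks(lines):
    """Return (guid, task path) for every line FRST flagged as an orphaned task."""
    found = []
    for line in lines:
        m = TASK_RE.match(line.strip())
        if m:
            found.append((m.group(1).upper(), m.group(2)))
    return found


def build_fixlist(scan_lines):
    """Wrap the flagged Task: lines in the Start/End frame a fixlist uses."""
    header = ["Start", "", "CreateRestorePoint:", "CloseProcesses:", ""]
    body = [line.strip() for line in scan_lines if TASK_RE.match(line.strip())]
    return "\n".join(header + body + ["", "End"])


def removed_task_guids(fixlog_lines):
    """Collect the GUIDs whose TaskCache Tasks key the Fixlog reports as removed."""
    removed = set()
    for line in fixlog_lines:
        m = REMOVED_RE.search(line.strip())
        if m:
            removed.add(m.group(1).upper())
    return removed


def verify_fixlog(fixlist_text, fixlog_lines):
    """Return the fixlist task GUIDs that the Fixlog never reports as removed."""
    wanted = {guid for guid, _ in orphaned_tasks(fixlist_text.splitlines())}
    return sorted(wanted - removed_task_guids(fixlog_lines))


# Constructed sample in the thread's FRST format: two flagged tasks copied from
# the thread, one placeholder (all-zero GUID) that the fix will "miss", and one
# healthy placeholder task that must not be picked up.
FRST_SCAN_SAMPLE = [
    r"Task: {225265D1-531A-45A9-9AB6-D8B8F28AE124} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION",
    r"Task: {E20DD25A-807F-4760-86D8-DDFB4F574BB6} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION",
    r"Task: {00000000-0000-0000-0000-000000000000} - \Placeholder\OrphanedTask -> No File <==== ATTENTION",
    r"Task: {11111111-1111-1111-1111-111111111111} - \Placeholder\HealthyTask => C:\WINDOWS\system32\notepad.exe",
]
# Constructed Fixlog excerpt: the two real tasks were removed, the placeholder was not.
FIXLOG_SAMPLE = [
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{225265D1-531A-45A9-9AB6-D8B8F28AE124} => key removed successfully",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{225265D1-531A-45A9-9AB6-D8B8F28AE124} => key removed successfully",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E20DD25A-807F-4760-86D8-DDFB4F574BB6} => key removed successfully",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E20DD25A-807F-4760-86D8-DDFB4F574BB6} => key removed successfully",
]

if __name__ == "__main__":
    fixlist = build_fixlist(FRST_SCAN_SAMPLE)
    print(fixlist)
    missing = verify_fixlog(fixlist, FIXLOG_SAMPLE)
    print("not removed:", missing or "none")
```

Any GUID left in the "not removed" list is a task the fix did not clear, which is the case to report back in the thread rather than assume clean.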


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 18 June 2017 - 01:33 PM

Is your hard drive a Solid state drive (SSD)?

How is the computer running?

#11 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 18 June 2017 - 02:18 PM

I have 2 hard drives, C: is an SSD with my OS, D: is a HDD.

The computer runs fairly well. I have access to most things. While playing video games, I randomly BSOD with a memory management error now, though. I just can't seem to properly install or run certain things. And I have zero access to safe mode or any normal post-reboot functions. And any changes I make to the computer are immediately erased or rolled back when I do reboot. Things as simple as moving a file to the desktop are moved back to their original location upon reboot.

I am also getting a Security and Maintenance notification occasionally saying that I need to restart to repair drive errors. So I click restart, and it just turns off and on and doesn't fix anything.

I have considered just completely reformatting both drives and re-installing the OS, but I can't seem to boot from my bootable USB for Windows 8.1 or Windows 10. I tried to troubleshoot the boot sequence in the BIOS by re-ordering it to my USB drive first, and it doesn't seem to work. I am very amateur at all of this though, so I've just been poking around trying to see if I can get things to work.



#12 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 18 June 2017 - 02:24 PM

Windows Update also freezes up in the 'Checking for updates...' phase. Last successful check for updates was 6/11. Last update was 6/8.

Windows Defender is out of date, last updated on 6/6. When I try to update, it fails, saying 'The virus and spyware definitions didn't update because of an Internet or network connectivity problem.'

My internet has been working fine for everything else.



#13 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 18 June 2017 - 04:09 PM

If I were going to reformat and clean install Windows, how should I go about it? Is there a possibility my SSD could be re-infected by my HDD before I've had a chance to reformat the HDD? Should I reformat the HDD first?



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,519 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 19 June 2017 - 07:21 AM

We should try to repair these services before talking about a re-format.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this, click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button, then select just the item(s) listed below:
    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    07 - Repair Internet Explorer
    08 - Repair MDAC/MS Jet
    10 - Remove Policies Set By Infections
    13 - Repair Winsock & DNS Cache
    17 - Repair Windows Updates
    21 - Repair MSI (Windows Installer)
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.
===

Restart the computer normally.

How is the computer running now?

#15 Oceanfield

Oceanfield
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 19 June 2017 - 05:08 PM

Tweaking.com - Windows Repair v3.9.34
--------------------------------------------------------------------------------

System Variables
--------------------------------------------------------------------------------
OS: Windows 10 Pro
OS Architecture: 64-bit
OS Version: 10.0.14393.1198
OS Service Pack:
Computer Name: MODERNISM-PC
Windows Drive: C:\
Windows Path: C:\WINDOWS
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\Jared
Current Profile SID: S-1-5-21-989411530-4077684960-1681588511-1001
Current Profile Classes: S-1-5-21-989411530-4077684960-1681588511-1001_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\WINDOWS\ServiceProfiles
Local Settings AppData: C:\Users\Jared\AppData\Local
--------------------------------------------------------------------------------

System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:13:01

Process Count: 67
Commit Total: 2.29 GB
Commit Limit: 21.43 GB
Commit Peak: 2.46 GB
Handle Count: 32849
Kernel Total: 767.40 MB
Kernel Paged: 639.83 MB
Kernel Non Paged: 127.57 MB
System Cache: 4.01 GB
Thread Count: 1615
--------------------------------------------------------------------------------

Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 15.94 GB
Memory Used: 2.31 GB(14.4992%)
Memory Avail.: 13.63 GB
--------------------------------------------------------------------------------

Cleaning Memory Before Starting Repairs...

Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 15.94 GB
Memory Used: 1.91 GB(11.9502%)
Memory Avail.: 14.04 GB
--------------------------------------------------------------------------------

Starting Repairs...
   Started at (6/19/2017 4:42:52 PM)

Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 96
 
01 - Reset Registry Permissions
   Restore Windows 7/8/10 Default Registry Permissions
   Start (6/19/2017 4:42:53 PM)


Decompressing & Updating Windows Permission File D:\Tweaking.com - Windows Repair\files\permissions\10\hku.7z
Done,  0.27 seconds.


Decompressing & Updating Windows Permission File D:\Tweaking.com - Windows Repair\files\permissions\10\hklm.7z
Done,  3.01 seconds.

   Running Repair Under System Account
   Done (6/19/2017 4:43:47 PM)

03 - Reset Service Permissions
   Start (6/19/2017 4:43:47 PM)

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:44:06 PM)

04 - Register System Files
   Start (6/19/2017 4:44:06 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:44:49 PM)

05 - Repair WMI
   Start (6/19/2017 4:44:49 PM)

   Starting Security Center So We Can Export The Security Info.

   Exporting Antivirus Info...
   Exporting 3rd Party Firewall Info...
   Running Repair Under Current User Account
   Done (6/19/2017 4:46:16 PM)

06 - Repair Windows Firewall
   Start (6/19/2017 4:46:16 PM)

Decompressing & Updating Windows Permission File D:\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.18 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:46:55 PM)

07 - Repair Internet Explorer
   Start (6/19/2017 4:46:55 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:47:22 PM)

08 - Repair MDAC/MS Jet
   Start (6/19/2017 4:47:22 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:47:29 PM)

10 - Remove Policies Set By Infections
   Start (6/19/2017 4:47:29 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:47:33 PM)

13 - Repair Network
   Start (6/19/2017 4:47:33 PM)

Decompressing & Updating Windows Permission File D:\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.17 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:47:49 PM)

17 - Repair Windows Updates
   Start (6/19/2017 4:47:49 PM)

Decompressing & Updating Windows Permission File D:\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.18 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (6/19/2017 4:49:59 PM)

21 - Repair MSI (Windows Installer)
   Start (6/19/2017 4:49:59 PM)

Decompressing & Updating Windows Permission File D:\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.16 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:50:12 PM)

26 - Restore Important Windows Services
   Start (6/19/2017 4:50:12 PM)

Decompressing & Updating Windows Permission File D:\Tweaking.com - Windows Repair\files\permissions\10\services.7z
Done,  0.17 seconds.

   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:50:24 PM)

27 - Set Windows Services To Default Startup
   Start (6/19/2017 4:50:24 PM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (6/19/2017 4:50:35 PM)

Cleaning up empty logs...

All Selected Repairs Done.
   Done at (6/19/2017 4:50:35 PM)
   Total Repair Time: 00:07:45


...YOU MUST RESTART YOUR SYSTEM...
===

I've attached the 6 other logs to this post.

When trying to install the repair tool initially, it would not execute, so I downloaded the portable version to a USB drive and ran it from that.

I'll update this post soon after I've seen how it's running.
