Hijacked Computer (browsers, programs, settings, opened/changed overnight)


  • This topic is locked
12 replies to this topic

#1 ky234vell

ky234vell

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 20 June 2017 - 07:45 AM

Haven't experienced any performance issues with this laptop, but two or three times over the past couple months I've awoken to find opened browser and program windows.  This morning, all three browsers were opened and the settings tab was opened to the change privacy options page.  Thinking it's about time for a professional to look under the hood, hope you guys can help, thanks in advance.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-06-2017 01
Ran by ------- (administrator) on -----_LAPTOP (20-06-2017 07:56:16)
Running from C:\Users\-------\Downloads
Loaded Profiles: ------ (Available Profiles: -------)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Toshiba Corporation) C:\Program Files\TOSHIBA\Teco\TecoService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
() C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
(TOSHIBA Corporation) C:\Program Files (x86)\Toshiba\System Setting\TssSrv.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1705.1301.0_x64__8wekyb3d8bbwe\Calculator.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
(Microsoft Corporation) C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3363544 2016-01-04] (ELAN Microelectronics Corp.)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [401912 2016-12-02] ()
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [914648 2014-03-05] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830104 2014-01-14] (Conexant Systems, Inc.)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [180016 2015-06-08] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-10-08] (TOSHIBA Corporation)
HKLM\...\Run: [TSSSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSSSrv.exe [296008 2013-10-21] (TOSHIBA Corporation)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2017-04-27] (Microsoft Corporation)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [516976 2015-06-09] (TOSHIBA)
HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 2016-07-16] (Microsoft Corporation)
GroupPolicy: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{9cba78b3-3dd4-4a30-a5ee-3b6fc54304e5}: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{eae2e2e9-1e1b-474f-805d-b3f70a728be7}: [DhcpNameServer] 10.1.10.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://toshiba13.msn.com/?pc=TNJB
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com/?pc=TNJB
HKU\S-1-5-21-588070663-632014205-3186377163-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.analyticalwest.com/
HKU\S-1-5-21-588070663-632014205-3186377163-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com/?pc=TNJB
SearchScopes: HKLM -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL = 
SearchScopes: HKU\S-1-5-21-588070663-632014205-3186377163-1001 -> DefaultScope {DD782124-4D14-11E5-8263-D07E357A9562} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-db8bdf00&q={searchTerms}
SearchScopes: HKU\S-1-5-21-588070663-632014205-3186377163-1001 -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL = hxxp://www.bing.com/search?FORM=U220DF&PC=U220&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-588070663-632014205-3186377163-1001 -> {DD782124-4D14-11E5-8263-D07E357A9562} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-db8bdf00&q={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-06-19] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-06-19] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-588070663-632014205-3186377163-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-06-19] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-06-19] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-06-19] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-06-19] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: ike5mbm6.default
FF DefaultProfile: 36k8xlaq.default
FF ProfilePath: C:\Users\----\AppData\Roaming\Mozilla\Firefox\Profiles\ike5mbm6.default [2017-06-20]
FF ProfilePath: C:\Users\----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default [2017-05-22]
FF Extension: (Czech (CZ) Language Pack) - C:\Users\----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-cs@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Deutsch (DE) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-de@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (English (US) Language Pack) - C:\Users\----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-en-US@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Español (España) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-es-ES@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Finnish Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-fi@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Français Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-fr@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Galego (España) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-gl@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Hebrew (IL) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-he@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Magyar (HU) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-hu@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Italiano (IT) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-it@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Japanese Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-ja@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Korean (KR) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-ko@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Nederlands (NL) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-nl@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Polski Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-pl@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Russian (RU) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-ru@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Slovenski jezik Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-sl@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (?????? (sr) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-sr@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Svenska (SE) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-sv-SE@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Chinese Simplified (zh-CN) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-zh-CN@bluegriffon.org.xpi [2017-05-22] [not signed]
FF Extension: (Traditional Chinese (zh-TW) Language Pack) - C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL\BlueGriffon\Profiles\36k8xlaq.default\Extensions\langpack-zh-TW@bluegriffon.org.xpi [2017-05-22] [not signed]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_26_0_0_131.dll [2017-06-19] ()
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_26_0_0_131.dll [2017-06-19] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-03-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-03-06] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-05-26] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2017-03-28] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default [2017-06-20]
CHR Extension: (Google Slides) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-10]
CHR Extension: (Google Docs) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-10]
CHR Extension: (Google Drive) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-10]
CHR Extension: (YouTube) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-10]
CHR Extension: (Google Sheets) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-10]
CHR Extension: (Google Docs Offline) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-10]
CHR Extension: (Norton Identity Safe) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2017-04-10]
CHR Extension: (Broken Link Checker) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\nibppfobembgfmejpjaaeocbogeonhch [2017-06-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-10]
CHR Extension: (Gmail) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-10]
CHR Extension: (Chrome Media Router) - C:\Users\-----\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-12]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [4122816 2017-06-10] (Microsoft Corporation)
R3 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [19960 2015-05-27] ()
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [156384 2016-01-04] (ELAN Microelectronics Corp.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373752 2016-12-02] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-03-06] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2014-03-06] (Intel Corporation)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-04-27] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-04-27] (Microsoft Corporation)
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 ETDSMBus; C:\WINDOWS\System32\drivers\ETDSMBus.sys [40016 2016-01-04] (ELAN Microelectronic Corp.)
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [230144 2016-11-11] (Intel Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251832 2017-05-12] (Malwarebytes)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [100312 2014-03-06] (Intel Corporation)
R1 MpKsl55bd219c; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9E650955-E131-46C9-967E-F17AB1F2FCFC}\MpKsl55bd219c.sys [44928 2017-06-19] (Microsoft Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 NETwNb64; C:\WINDOWS\System32\drivers\Netwbw02.sys [3485696 2016-07-16] (Intel Corporation)
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [310528 2015-06-05] (Realtek Semiconductor Corp.)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [54424 2015-07-29] (Toshiba Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 NPF; system32\drivers\NPF.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-20 07:56 - 2017-06-20 07:57 - 00020731 _____ C:\Users\-----\Downloads\FRST.txt
2017-06-20 07:55 - 2017-06-20 07:56 - 00000000 ____D C:\FRST
2017-06-20 07:54 - 2017-06-20 07:55 - 02439680 _____ (Farbar) C:\Users\-----\Downloads\FRST64.exe
2017-06-19 16:31 - 2017-06-19 16:31 - 00000304 _____ C:\Users\-----\Desktop\impo.txt
2017-06-14 06:31 - 2017-06-14 06:31 - 00000121 _____ C:\Users\-----\Desktop\transition.txt
2017-06-10 22:30 - 2017-06-10 22:30 - 02186265 _____ C:\Users\-----\Downloads\organizing-data-with-tables.zip
2017-06-10 04:20 - 2017-06-14 04:23 - 00001617 _____ C:\Users\-----\Desktop\firstpage.html
2017-06-10 04:01 - 2017-06-10 04:21 - 00000657 _____ C:\Users\-----\Desktop\style1.css
2017-05-30 22:53 - 2017-05-30 22:53 - 00000938 _____ C:\Users\-----\Desktop\Sublime Text 3.lnk
2017-05-30 22:51 - 2017-05-30 22:51 - 00000000 ____D C:\Users\-----\AppData\Roaming\Sublime Text 3
2017-05-30 22:51 - 2017-05-30 22:51 - 00000000 ____D C:\Users\-----\AppData\Local\Sublime Text 3
2017-05-30 22:50 - 2017-05-30 22:50 - 00000938 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sublime Text 3.lnk
2017-05-30 22:50 - 2017-05-30 22:50 - 00000000 ____D C:\Program Files\Sublime Text 3
2017-05-30 18:47 - 2017-05-31 16:22 - 00000102 _____ C:\Users\-----\Desktop\shopby css.txt
2017-05-29 23:59 - 2017-05-29 23:59 - 00000301 _____ C:\Users\-----\Desktop\url management example.txt
2017-05-29 21:51 - 2017-05-29 21:55 - 00000000 ____D C:\Users\-----\AppData\Local\paint.net
2017-05-29 21:51 - 2017-05-29 21:51 - 00001115 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2017-05-29 21:51 - 2017-05-29 21:51 - 00001103 _____ C:\Users\Public\Desktop\paint.net.lnk
2017-05-29 21:51 - 2017-05-29 21:51 - 00000000 ____D C:\Program Files\paint.net
2017-05-28 00:58 - 2017-05-28 00:58 - 00000000 ____D C:\Users\-----\AppData\Local\ElevatedDiagnostics
2017-05-26 00:07 - 2017-05-26 00:08 - 00000011 _____ C:\Users\-----\Desktop\vendor-sku.txt
2017-05-22 13:37 - 2017-05-22 13:37 - 00000000 ____D C:\Users\-----\AppData\Roaming\Disruptive Innovations SARL
2017-05-22 13:37 - 2017-05-22 13:37 - 00000000 ____D C:\Users\-----\AppData\Local\Disruptive Innovations SARL
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-06-20 07:37 - 2017-05-13 06:34 - 00000000 ____D C:\Users\-----\AppData\LocalLow\Mozilla
2017-06-20 07:32 - 2016-07-16 07:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-20 07:32 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-20 07:31 - 2015-01-22 02:20 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-06-20 01:12 - 2016-12-22 17:00 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-06-19 19:25 - 2017-04-27 00:12 - 00000000 ____D C:\Users\-----\Desktop\TimeSheets
2017-06-19 08:40 - 2016-07-16 07:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-06-19 08:27 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-06-19 08:27 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-06-14 04:01 - 2015-08-29 19:19 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-06-14 03:58 - 2016-07-16 07:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-06-14 03:58 - 2015-08-29 19:19 - 133627792 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-06-11 06:22 - 2015-08-29 21:22 - 00000000 __SHD C:\Users\-----\IntelGraphicsProfiles
2017-06-11 06:21 - 2016-12-22 17:05 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-06-11 05:47 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-06-09 04:27 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\appraiser
2017-06-08 03:32 - 2017-04-12 00:21 - 00000000 ____D C:\Users\-----\Desktop\AW Product Photos
2017-06-03 02:36 - 2016-07-16 07:49 - 00835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-06-03 02:36 - 2016-07-16 07:49 - 00177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-06-03 00:43 - 2015-12-01 11:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-06-03 00:43 - 2015-12-01 11:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-05-31 15:53 - 2015-08-30 12:01 - 00565416 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-05-30 20:15 - 2017-04-11 13:51 - 00000000 ____D C:\AdwCleaner
2017-05-30 17:56 - 2014-11-18 00:19 - 00000000 ____D C:\ProgramData\CyberLink
2017-05-30 17:56 - 2014-11-18 00:19 - 00000000 ____D C:\Program Files (x86)\CyberLink
2017-05-30 17:56 - 2014-11-18 00:00 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-05-30 17:48 - 2015-07-09 20:12 - 00000000 ____D C:\Users\-----\AppData\Local\Packages
2017-05-30 17:00 - 2014-11-18 00:17 - 00000000 __SHD C:\WINDOWS\SysWOW64\AI_RecycleBin
2017-05-30 17:00 - 2014-11-18 00:17 - 00000000 ____D C:\ProgramData\regid.2009-07.com.mymusiccloud
2017-05-30 16:56 - 2015-01-22 02:18 - 00000000 ____D C:\ProgramData\Skype
2017-05-30 16:10 - 2015-08-29 21:07 - 01075974 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-05-30 16:06 - 2016-12-22 17:38 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-05-30 16:05 - 2016-07-16 02:04 - 00524288 _____ C:\WINDOWS\system32\config\BBI
2017-05-30 16:05 - 2015-11-24 13:08 - 00000000 ____D C:\ProgramData\Norton
 
==================== Files in the root of some directories =======
 
2016-01-04 13:10 - 2016-01-04 13:10 - 0000045 _____ () C:\Users\-----\AppData\Roaming\WB.CFG
2017-04-11 14:04 - 2017-04-11 14:04 - 0271274 _____ () C:\Users\-----\AppData\Local\ars.cache
2017-04-11 14:04 - 2017-04-11 14:04 - 0716823 _____ () C:\Users\-----\AppData\Local\census.cache
2017-04-11 02:09 - 2017-04-11 02:09 - 0000036 _____ () C:\Users\-----\AppData\Local\housecall.guid.cache
2017-05-12 08:35 - 2017-05-12 09:31 - 0007593 _____ () C:\Users\-----\AppData\Local\Resmon.ResmonCfg
2017-04-11 02:18 - 2017-04-11 13:51 - 0000010 _____ () C:\Users\-----\AppData\Local\sponge.last.runtime.cache
2015-09-04 15:10 - 2015-09-04 15:10 - 0000293 _____ () C:\ProgramData\ECap-1.0.1.4b-080724.ini
2015-09-04 15:10 - 2015-09-04 15:10 - 0000024 _____ () C:\ProgramData\GenePccMon.ini
2014-11-18 00:18 - 2014-11-18 00:18 - 0000123 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.64.bc
2016-01-05 11:15 - 2016-01-05 11:16 - 0028906 _____ () C:\ProgramData\SMRResults501.dat
 
Files to move or delete:
====================
C:\ProgramData\SMRResults501.dat
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-06-08 03:03
 

==================== End of FRST.txt ============================         



#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:01:30 AM

Posted 20 June 2017 - 09:50 AM

ky234vell:

 
Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil.  May I address you by your first name?
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
In future, I would ask that you please copy and paste the contents of all requested log files directly into your replies.  I know that the instructions do say to attach the "Addition.txt" file, but it is much faster for me to analyze the logs when they are copied and pasted into your replies.  Please do not use "code" or "quote" boxes.  Thank you for your anticipated cooperation.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Graduate of the Bleeping Computer Malware Removal Study Hall


#3 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:01:30 AM

Posted 20 June 2017 - 11:20 AM

ky234vell:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

Step 1: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL = 
Toolbar: HKU\S-1-5-21-588070663-632014205-3186377163-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 NPF; system32\drivers\NPF.sys [X]
2016-01-04 13:10 - 2016-01-04 13:10 - 0000045 _____ () C:\Users\-----\AppData\Roaming\WB.CFG
2016-01-05 11:15 - 2016-01-05 11:16 - 0028906 _____ () C:\ProgramData\SMRResults501.dat
Task: {26B0F658-1882-4EA7-9B5E-0F6AB4041827} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {2971DB2B-E228-4010-A59D-D2BDB3C65A4A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {85214D99-603C-4F0F-AD3D-3E4F1C99DF15} - System32\Tasks\McAfee Remediation (Upgrade) => C:\Program Files\Common Files\AV\McAfee Anti-Virus and Anti-Spyware\upgrade.exe [2015-06-01] (McAfee, Inc.)
Task: {9067AB08-E73A-4EE2-9DE7-2B03D46E29EE} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {9422AF4B-7661-4A94-BECE-8A16FFAFED05} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {ADD58D48-90D1-472E-8506-C2297C654DCE} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {C805F7F7-81A7-44F8-904D-50C1F0976F58} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {CCCE9664-647E-4C3A-920A-EF87134B2DA5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D6778ABD-92EA-428A-9B36-838B20F5000E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EC8D2146-39BF-44D8-912A-15E8B65EB307} - \WPD\SqmUpload_S-1-5-21-588070663-632014205-3186377163-1001 -> No File <==== ATTENTION
FirewallRules: [{E9B2FE60-4AD0-468C-8E06-ABA0E1E86D5D}] => (Allow) C:\Users\-----\AppData\Local\Temp\7zSA3B6.tmp\SymNRT.exe
FirewallRules: [{595FDAB6-8C7B-4F75-B771-83C5AC2C56E3}] => (Allow) C:\Users\-----\AppData\Local\Temp\7zSA3B6.tmp\SymNRT.exe
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST/FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.


Thank you and have a great day.

Regards,
-Phil
 




#4 ky234vell


Posted 20 June 2017 - 11:53 AM

Thank you for the steadfast reply Phil, my name is Kyle by the way.  Okay here is the fixlog:

 

 

 

 

 Fix result of Farbar Recovery Scan Tool (x64) Version: 18-06-2017 01

Ran by ----- (20-06-2017 12:40:13) Run:1
Running from C:\Users\-----\Downloads
Loaded Profiles: ----- (Available Profiles: -----)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL = 
Toolbar: HKU\S-1-5-21-588070663-632014205-3186377163-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 NPF; system32\drivers\NPF.sys [X]
2016-01-04 13:10 - 2016-01-04 13:10 - 0000045 _____ () C:\Users\-----\AppData\Roaming\WB.CFG
2016-01-05 11:15 - 2016-01-05 11:16 - 0028906 _____ () C:\ProgramData\SMRResults501.dat
Task: {26B0F658-1882-4EA7-9B5E-0F6AB4041827} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {2971DB2B-E228-4010-A59D-D2BDB3C65A4A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {85214D99-603C-4F0F-AD3D-3E4F1C99DF15} - System32\Tasks\McAfee Remediation (Upgrade) => C:\Program Files\Common Files\AV\McAfee Anti-Virus and Anti-Spyware\upgrade.exe [2015-06-01] (McAfee, Inc.)
Task: {9067AB08-E73A-4EE2-9DE7-2B03D46E29EE} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {9422AF4B-7661-4A94-BECE-8A16FFAFED05} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {ADD58D48-90D1-472E-8506-C2297C654DCE} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {C805F7F7-81A7-44F8-904D-50C1F0976F58} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {CCCE9664-647E-4C3A-920A-EF87134B2DA5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D6778ABD-92EA-428A-9B36-838B20F5000E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EC8D2146-39BF-44D8-912A-15E8B65EB307} - \WPD\SqmUpload_S-1-5-21-588070663-632014205-3186377163-1001 -> No File <==== ATTENTION
FirewallRules: [{E9B2FE60-4AD0-468C-8E06-ABA0E1E86D5D}] => (Allow) C:\Users\-----\AppData\Local\Temp\7zSA3B6.tmp\SymNRT.exe
FirewallRules: [{595FDAB6-8C7B-4F75-B771-83C5AC2C56E3}] => (Allow) C:\Users\-----\AppData\Local\Temp\7zSA3B6.tmp\SymNRT.exe
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d4fee3d1-1014-4db8-a824-573bf9ab51c7} => key removed successfully
HKLM\Software\Classes\CLSID\{d4fee3d1-1014-4db8-a824-573bf9ab51c7} => key not found. 
HKU\S-1-5-21-588070663-632014205-3186377163-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKLM\Software\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value removed successfully
HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@mcafee.com/MSC,version=10 => key removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho => key removed successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif => key removed successfully
HKLM\System\CurrentControlSet\Services\ibtsiva => key removed successfully
ibtsiva => service removed successfully
HKLM\System\CurrentControlSet\Services\NPF => key removed successfully
NPF => service removed successfully
"C:\Users\-----\AppData\Roaming\WB.CFG" => not found.
C:\ProgramData\SMRResults501.dat => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{26B0F658-1882-4EA7-9B5E-0F6AB4041827} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26B0F658-1882-4EA7-9B5E-0F6AB4041827} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2971DB2B-E228-4010-A59D-D2BDB3C65A4A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2971DB2B-E228-4010-A59D-D2BDB3C65A4A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{85214D99-603C-4F0F-AD3D-3E4F1C99DF15} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{85214D99-603C-4F0F-AD3D-3E4F1C99DF15} => key removed successfully
C:\WINDOWS\System32\Tasks\McAfee Remediation (Upgrade) => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee Remediation (Upgrade) => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9067AB08-E73A-4EE2-9DE7-2B03D46E29EE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9067AB08-E73A-4EE2-9DE7-2B03D46E29EE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9422AF4B-7661-4A94-BECE-8A16FFAFED05} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9422AF4B-7661-4A94-BECE-8A16FFAFED05} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ADD58D48-90D1-472E-8506-C2297C654DCE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ADD58D48-90D1-472E-8506-C2297C654DCE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C805F7F7-81A7-44F8-904D-50C1F0976F58} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C805F7F7-81A7-44F8-904D-50C1F0976F58} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CCCE9664-647E-4C3A-920A-EF87134B2DA5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CCCE9664-647E-4C3A-920A-EF87134B2DA5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D6778ABD-92EA-428A-9B36-838B20F5000E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6778ABD-92EA-428A-9B36-838B20F5000E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EC8D2146-39BF-44D8-912A-15E8B65EB307} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EC8D2146-39BF-44D8-912A-15E8B65EB307} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-588070663-632014205-3186377163-1001 => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E9B2FE60-4AD0-468C-8E06-ABA0E1E86D5D} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{595FDAB6-8C7B-4F75-B771-83C5AC2C56E3} => value removed successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 12:40:31 ====
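One way to check a pasted fixlog before calling it clean, added here as an example (it is not part of the thread and not FRST's own code). The sample is a shortened excerpt of the log above; the function names and the three outcome buckets (done, absent, review) are assumptions of this example.

```python
import re
from collections import Counter

# Shortened excerpt of the fixlog posted above (lines copied, most omitted).
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 18-06-2017 01
Ran by ----- (20-06-2017 12:40:13) Run:1
Boot Mode: Normal
==============================================

fixlist content:
*****************

CreateRestorePoint:
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
S3 NPF; system32\drivers\NPF.sys [X]

*****************

Restore point was successfully created.
Processes closed successfully.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
HKLM\Software\Classes\CLSID\{d4fee3d1-1014-4db8-a824-573bf9ab51c7} => key not found.
HKLM\System\CurrentControlSet\Services\NPF => key removed successfully
NPF => service removed successfully
"C:\Users\-----\AppData\Roaming\WB.CFG" => not found.
C:\ProgramData\SMRResults501.dat => moved successfully

The system needed a reboot.

==== End of Fixlog 12:40:31 ====
"""

# Constructed line (not real FRST wording) used to show how an unknown outcome is flagged.
CONSTRUCTED_UNKNOWN = r"C:\Constructed\example.tmp => constructed unrecognised outcome"

DELIM = re.compile(r"^\*{5,}\s*$")  # asterisk lines that wrap the echoed fixlist
RESULT = re.compile(r"^(?P<target>.+?) => (?P<outcome>.+?)\.?\s*$")
END = re.compile(r"^==== End of Fixlog")


def result_section(text):
    """Return (result lines, complete flag), skipping the echoed fixlist.

    The echoed fixlist also contains ' => ' (e.g. '=> not found'), so it must be
    excluded or its entries would be miscounted as results.
    """
    lines = text.splitlines()
    delims = [i for i, ln in enumerate(lines) if DELIM.match(ln)]
    if len(delims) < 2:
        raise ValueError("echoed fixlist delimiters missing; log looks truncated")
    body, complete = [], False
    for ln in lines[delims[1] + 1:]:
        if END.match(ln):
            complete = True
            break
        if ln.strip():
            body.append(ln.strip())
    return body, complete


def classify(outcome):
    """Bucket an outcome string using only wordings seen in the log above."""
    o = outcome.lower()
    if o.endswith("successfully"):
        return "done"      # moved / key removed / value removed / service removed
    if o.endswith("not found"):
        return "absent"    # target was already gone; nothing was changed
    return "review"        # anything else needs a human to read it


def summarize(text):
    body, complete = result_section(text)
    counts, review, absent, notes = Counter(), [], [], []
    for ln in body:
        m = RESULT.match(ln)
        if not m:
            notes.append(ln)  # status lines such as the restore point or reboot notice
            continue
        kind = classify(m["outcome"])
        counts[kind] += 1
        if kind == "review":
            review.append((m["target"], m["outcome"]))
        elif kind == "absent":
            absent.append(m["target"])
    return {
        "counts": counts,
        "review": review,
        "absent": absent,
        "notes": notes,
        "reboot": any("reboot" in n.lower() for n in notes),
        "complete": complete,  # False when the paste stops before the End marker
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_FIXLOG)
    print(dict(s["counts"]), "reboot:", s["reboot"], "complete:", s["complete"])
    for target in s["absent"]:
        print("already absent:", target)
```
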


#5 garioch7


Posted 20 June 2017 - 12:10 PM

Kyle:
 
Thank you for the "fixlog.txt" results and for permission to address you by your first name.  The "fixlog.txt" file looks good.  You were quick to reply!
 
OK, since you wanted a good look under the hood, let's move on to some standard anti-malware scans.  FRST does not identify every threat, so we need to employ a small "arsenal" of scanners to try and detect everything.
 
.
 
Step 1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

Step 2: I notice that your Malwarebytes is out of date. Please run a Malwarebytes Anti-Malware scan for me by downloading and installing the latest version of Malwarebytes.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)".
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

Thank you and have a great day.

Regards,
-Phil




#6 ky234vell


Posted 20 June 2017 - 09:58 PM

Hello again Phil,

 

Ran both scanners and came up empty, both found zero threats.


Edited by ky234vell, 20 June 2017 - 10:00 PM.


#7 garioch7


Posted 21 June 2017 - 07:05 AM

Kyle:
 
That is great news that those scans came up clean!
 
Let's run two more scans just to make sure that there is no adware or browser hijackers lurking in your computer.
 
.
 
Step 1: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
  • After the scan has finished ...
  • Uncheck any PUP and adware applications that you want to keep.
  • Then click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

Step 2: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.

Thank you and have a great day.

Regards,
-Phil




#8 ky234vell


Posted 21 June 2017 - 08:12 AM

Good Morning Phil,

 

Once again, both scans found zero threats.



#9 garioch7


Posted 21 June 2017 - 08:39 AM

Good morning to you, Kyle.  Once again, that is great news!

 

I am not seeing any malware now on your computer.  How is it working for you?  Are there any issues?  If so, please describe them in detail so that I can chase them down for you.

 

If there are no issues, then I will proceed, in my next post, to clean up the anti-malware scanning tools that I asked you to download and run.

 

Please let me know.

 

Thank you and have a great day.

 

Regards,

-Phil




#10 ky234vell


Posted 21 June 2017 - 08:57 AM

Everything seems to be running smoothly.  My only real symptom was that unwanted activity overnight on just a handful of occasions, so it's hard to tell.  What do you suppose that was by the way?  This actually isn't even my laptop, it's my employer's, so I'd like to inform him of whatever the issue.



#11 garioch7


Posted 21 June 2017 - 09:31 AM

Kyle:
 
I am really glad to hear that everything is running smoothly now with the laptop.
 
I did find some malware entries in the FRST log that could have accounted for what you saw.  I removed those entries with the FRST "fixlist" script, so I presume, and I hope, that they are gone for good!
 
OK, let's clean up your employer's laptop of the anti-malware scanning tools that I had you download and run for me.
 
.

Step 1: We will now remove the tools we used during this fix using Delfix.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. Please copy and paste the log in your next reply.

.

Step 2: . . . Some Final Advice . . .

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows Vista or later is fine) and leaving it on, and using and keeping up-to-date an antivirus solution such as Bitdefender. Antiviral solutions don't even have to cost money; later versions of Windows Defender provide perfectly acceptable protection for free. If for some reason you don't like Windows Defender, there are other free products available as well:

  • Avira (shows nag screen to purchase full product when updating, home use only)
  • Bitdefender Free (home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

If you want more information on methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

.

It has been a pleasure assisting you and I hope that you will avoid any further infections in the future. Your most important protection step is to ALWAYS HAVE MORE THAN ONE RECENT BACKUP OF YOUR ENTIRE SYSTEM on an external drive that is only connected to your computer long enough to backup or restore. I do system images weekly. With the free backup software out there (Easeus ToDo Backup Home, Macrium Reflect, etc.), and the very reasonable prices for external USB hard drives, there is no reason to not have a backup.

Please copy and paste the contents of the Delfix log into your next reply. If that looks good, then we can conclude your topic.

On behalf of the Bleeping Computer Community, thank you for choosing BC to assist you with your computer issues, stay safe out there in cyberspace, and have a great day.

Regards,
-Phil




#12 ky234vell


Posted 21 June 2017 - 10:54 AM

Thank you for the time and energy Phil, I really appreciate it.

 

 

# DelFix v1.013 - Logfile created 21/06/2017 at 11:50:24
# Updated 17/04/2016 by Xplode
# Username : ------ - ------_LAPTOP
# Operating System : Windows 10 Home  (64 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\TDSSKiller.3.1.0.15_19.04.2017_16.09.12_log.txt
Deleted : C:\Users\------\Desktop\JRT.txt
Deleted : C:\Users\------\Downloads\Addition.txt
Deleted : C:\Users\------\Downloads\AdwCleaner.exe
Deleted : C:\Users\------\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\------\Downloads\Fixlog.txt
Deleted : C:\Users\------\Downloads\FRST.txt
Deleted : C:\Users\------\Downloads\FRST64.exe
Deleted : C:\Users\------\Downloads\JRT.exe
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #18 [Removed Skype™ 6.18 | 05/30/2017 20:56:16]
Deleted : RP #20 [Windows Update | 06/09/2017 08:26:38]
Deleted : RP #21 [Windows Update | 06/14/2017 07:49:23]
Deleted : RP #22 [Windows Update | 06/14/2017 07:50:36]
Deleted : RP #25 [JRT Pre-Junkware Removal | 06/21/2017 13:03:07]
 
New restore point created !
 
########## - EOF - ##########


#13 garioch7


Posted 21 June 2017 - 12:02 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





