Can't start workstation service anymore on Windows 7 PC - Virus?


  • This topic is locked
42 replies to this topic

#1 sander66

Posted 17 July 2017 - 07:18 PM

NOTE: I am getting an error whenever trying to post the content of "additions.txt": "you don't have permission to do that".


Hi,


I have been working on an issue with my Windows 7 PC here:

https://www.bleepingcomputer.com/forums/t/651481/can-no-longer-boot-blue-screen-repairs-so-far-did-not-work/page-2#entry4286453


My PC is up-to-date with the latest Windows updates and generally well maintained. This PC has the Comcast Norton Security Suite. The PC sits behind a ZyXEL USG40 "router" with various protection.


What happened:

1.) After logging on after a Windows update (I believe), I had no more network connection. I could not determine an easy cause. Therefore, I rebooted. Afterwards the PC blue screened every time when booting up.

2.) I have been working on this thread with jwoods301 to get it to boot again.

https://www.bleepingcomputer.com/forums/t/651481/can-no-longer-boot-blue-screen-repairs-so-far-did-not-work/page-2#entry4286453


However, several services do not start anymore. I believe the root cause is the Workstation service, which I can't start anymore:

"The Workstation service depends on the following service: MRxSmb20. This service might not be installed."


I have executed additional steps such as sfc /scannow and tweaking.com repair.

Under the Log On tab, the Workstation service uses the "Network Service" user account. Is this expected?


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-07-2017
Ran by xxr(administrator) on MAT(17-07-2017 18:56:10)
Running from C:\Users\xxr\Downloads
Loaded Profiles: xxr(Available Profiles: xxr& yy)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\n360.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\n360.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\Ctxfihlp.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\CTxfispi.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Schneider Electric) C:\Program Files (x86)\APC\PowerChute Personal Edition\apcsystray.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Farbar) C:\Users\xxr\Downloads\FRST64(1).exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-05-09] (Apple Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67896 2017-05-09] (Apple Inc.)
HKLM-x32\...\Run: [Display] => C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe [284024 2012-01-24] (Schneider Electric)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-03-15] (Oracle Corporation)
HKLM-x32\...\Run: [CTxfiHlp] => CTXFIHLP.EXE*
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] => "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-03-30] (Google Inc.)
HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\...\Run: [HP Officejet Pro 8600 (NET)] => C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [CTAutoUpdate] => C:\Program Files (x86)\Creative\Shared Files\Software Update\AutoUpdate.exe [623416 2009-06-19] (Creative Technology Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\APC UPS Status.lnk [2014-08-23]
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files (x86)\APC\PowerChute Personal Edition\Display.exe (Schneider Electric)
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.0.0.99
Tcpip\..\Interfaces\{DA45C731-7BD5-4CA0-823A-1E4175549757}: [DhcpNameServer] 10.0.0.99

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://online.wsj.com/home-page
SearchScopes: HKLM -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = hxxp://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2236860208-1521800549-1683809822-1000 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKU\S-1-5-21-2236860208-1521800549-1683809822-1000 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NSBU&chn=1122&geo=US&ver=22.9.4.8&locale=en_US&guid=15E56D4A-BF51-4999-B458-EEFA59A6A12F&doi=2016-09-01&gct=kwd&qsrc=2869
BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL => No File
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\progra~1\mcafee\msk\mskapbho.dll => No File
BHO-x32: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine32\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\ssv.dll [2017-05-07] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-22] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\jp2ssv.dll [2017-05-07] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine32\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-2236860208-1521800549-1683809822-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-2236860208-1521800549-1683809822-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\coIEPlg.dll [2017-05-26] (Symantec Corporation)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T29L10NSP11EP3-4862/webex/ieatgpc1.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab

FireFox:
========
FF DefaultProfile: t2bhdv9u.default-1498332560689
FF ProfilePath: C:\Users\xxr\AppData\Roaming\Mozilla\Firefox\Profiles\t2bhdv9u.default-1498332560689 [2017-07-17]
FF Extension: (Adblock Plus) - C:\Users\xxr\AppData\Roaming\Mozilla\Firefox\Profiles\t2bhdv9u.default-1498332560689\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-06-25]
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon
FF Extension: (Norton Security Toolbar) - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon [2017-06-07]
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_26_0_0_137.dll [2017-07-11] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_26_0_0_137.dll [2017-07-11] ()
FF Plugin-x32: @canon.com/MycameraPlugin -> C:\Program Files (x86)\Canon\MyCamera Download Plugin\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin-x32: @java.com/DTPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\dtplugin\npDeployJava1.dll [2017-05-07] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.131.2 -> C:\Program Files (x86)\Java\jre1.8.0_131\bin\plugin2\npjp2.dll [2017-05-07] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-12-11] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-12-11] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
FF Plugin-x32: Web Components -> C:\Program Files (x86)\Web Components\npWebVideoPlugin.dll [2015-08-18] ()
FF Plugin HKU\S-1-5-21-2236860208-1521800549-1683809822-1000: tdameritrade.com/thinkorswim -> C:\Program Files (x86)\thinkTDA\npthinkorswim.dll [2013-07-18] (TD Ameritrade)
FF Plugin HKU\S-1-5-21-2236860208-1521800549-1683809822-1000: tdameritrade.com/tossc -> C:\Program Files (x86)\thinkTDA\nptossc.dll [2013-07-18] (TD Ameritrade)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\Exts\Chrome.crx [2017-06-08]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\Exts\Chrome.crx [2017-06-08]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 APC Data Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe [21880 2012-01-24] (Schneider Electric)
R2 APC UPS Service; C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe [705912 2012-01-24] (Schneider Electric)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2017-07-13] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [286720 2010-02-12] (Creative Technology Ltd) [File not signed]
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [69964448 2015-04-03] (Microsoft Corporation)
R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\N360.exe [326160 2017-05-26] (Symantec Corporation)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [459832 2016-12-11] (NVIDIA Corporation)
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [441512 2015-04-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdW76.sys [94720 2013-12-19] (Advanced Micro Devices) [File not signed]
R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\BASHDefs\20170712.001\BHDrvx64.sys [1862816 2017-06-28] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1609040.008\ccSetx64.sys [174232 2017-05-11] (Symantec Corporation)
U5 CSC; C:\Windows\System32\Drivers\CSC.sys [514560 2010-11-20] (Microsoft Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [508032 2017-06-28] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [158336 2017-06-28] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\IPSDefs\20170714.001\IDSvia64.sys [1056408 2017-07-11] (Symantec Corporation)
S3 keycrypt; no ImagePath
U5 mrxsmb; C:\Windows\System32\Drivers\mrxsmb.sys [159744 2017-06-12] (Microsoft Corporation)
U5 mrxsmb10; C:\Windows\System32\Drivers\mrxsmb10.sys [291328 2017-06-12] (Microsoft Corporation)
U5 mrxsmb20; C:\Windows\System32\Drivers\mrxsmb20.sys [129536 2017-06-12] (Microsoft Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\1609040.008\SRTSP64.SYS [770712 2017-05-11] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1609040.008\SRTSPX64.SYS [49304 2017-05-11] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1609040.008\SYMEFASI64.SYS [1714328 2017-05-11] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [102608 2017-05-21] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1609040.008\Ironx64.SYS [291480 2017-05-11] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1609040.008\SYMNETS.SYS [567496 2017-05-11] (Symantec Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-04-25] (Apple, Inc.) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-17 18:55 - 2017-07-17 18:55 - 02435584 _____ (Farbar) C:\Users\xxr\Downloads\FRST64(1).exe
2017-07-16 16:56 - 2017-07-16 16:56 - 00000000 ____D C:\Windows\System32\Tasks\Remediation
2017-07-16 15:46 - 2017-07-16 15:46 - 00000207 _____ C:\Windows\tweaking.com-regbackup-MATTERHORN-Windows-7-Professional-(64-bit).dat
2017-07-16 15:46 - 2017-07-16 15:46 - 00000000 ____D C:\RegBackup
2017-07-16 14:55 - 2017-07-16 14:55 - 00000000 ____D C:\Users\xxr\Downloads\tweaking.com_windows_repair_aio
2017-07-16 14:54 - 2017-07-16 14:54 - 33265949 _____ C:\Users\xxr\Downloads\tweaking.com_windows_repair_aio.zip
2017-07-16 14:47 - 2017-07-17 18:56 - 00021047 _____ C:\Users\xxr\Downloads\FRST.txt
2017-07-16 14:47 - 2017-07-16 14:47 - 00043869 _____ C:\Users\xxr\Downloads\Addition.txt
2017-07-16 14:46 - 2017-07-17 18:56 - 00000000 ____D C:\FRST
2017-07-16 14:46 - 2017-07-16 14:46 - 02435584 _____ (Farbar) C:\Users\xxr\Downloads\FRST64.exe
2017-07-15 12:54 - 2017-07-16 13:52 - 00001080 _____ C:\Windows\system32\settingsbkup.sfm
2017-07-15 12:54 - 2017-07-16 13:52 - 00001080 _____ C:\Windows\system32\settings.sfm
2017-07-13 22:31 - 2017-07-17 09:04 - 00062308 _____ C:\Windows\system32\BMXState-{00000002-00000000-00000000-00001102-0000000B-00441102}.rfx
2017-07-13 22:31 - 2017-07-17 09:04 - 00000820 _____ C:\Windows\system32\DVCState-{00000002-00000000-00000000-00001102-0000000B-00441102}.rfx
2017-07-13 20:46 - 2017-07-13 20:46 - 00466520 _____ (Creative Labs) C:\Windows\system32\wrap_oal.dll
2017-07-13 20:46 - 2017-07-13 20:46 - 00445016 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2017-07-13 20:46 - 2017-07-13 20:46 - 00123480 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\system32\OpenAL32.dll
2017-07-13 20:46 - 2017-07-13 20:46 - 00109144 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2017-07-13 20:46 - 2017-07-13 20:46 - 00000000 ____D C:\Program Files (x86)\OpenAL
2017-07-12 06:29 - 2017-06-29 23:15 - 00394448 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-07-12 06:29 - 2017-06-29 22:32 - 00346312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 02319872 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 02222080 _____ (Microsoft Corporation) C:\Windows\system32\mssrch.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 02058240 _____ (Microsoft Corporation) C:\Windows\system32\Query.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 00778240 _____ (Microsoft Corporation) C:\Windows\system32\mssvp.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 00491520 _____ (Microsoft Corporation) C:\Windows\system32\mssph.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 00288256 _____ (Microsoft Corporation) C:\Windows\system32\mssphtb.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 00115200 _____ (Microsoft Corporation) C:\Windows\system32\mssitlb.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\mssprxy.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 00075264 _____ (Microsoft Corporation) C:\Windows\system32\msscntrs.dll
2017-07-12 06:29 - 2017-06-29 21:57 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\msshooks.dll
2017-07-12 06:29 - 2017-06-29 21:40 - 00591872 _____ (Microsoft Corporation) C:\Windows\system32\SearchIndexer.exe
2017-07-12 06:29 - 2017-06-29 21:40 - 00249856 _____ (Microsoft Corporation) C:\Windows\system32\SearchProtocolHost.exe
2017-07-12 06:29 - 2017-06-29 21:39 - 01549312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-07-12 06:29 - 2017-06-29 21:39 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\SearchFilterHost.exe
2017-07-12 06:29 - 2017-06-29 21:38 - 01400320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssrch.dll
2017-07-12 06:29 - 2017-06-29 21:38 - 01363968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Query.dll
2017-07-12 06:29 - 2017-06-29 21:38 - 00666624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssvp.dll
2017-07-12 06:29 - 2017-06-29 21:38 - 00337408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssph.dll
2017-07-12 06:29 - 2017-06-29 21:38 - 00197120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssphtb.dll
2017-07-12 06:29 - 2017-06-29 21:38 - 00104448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssitlb.dll
2017-07-12 06:29 - 2017-06-29 21:38 - 00059392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscntrs.dll
2017-07-12 06:29 - 2017-06-29 21:38 - 00034816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mssprxy.dll
2017-07-12 06:29 - 2017-06-29 21:27 - 00427520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchIndexer.exe
2017-07-12 06:29 - 2017-06-29 21:27 - 00164352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe
2017-07-12 06:29 - 2017-06-29 21:26 - 00086528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SearchFilterHost.exe
2017-07-12 06:29 - 2017-06-29 21:26 - 00009728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msshooks.dll
2017-07-12 06:29 - 2017-06-29 01:27 - 25734656 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-07-12 06:29 - 2017-06-29 01:19 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-07-12 06:29 - 2017-06-29 01:18 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-07-12 06:29 - 2017-06-29 01:04 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-07-12 06:29 - 2017-06-29 01:03 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-07-12 06:29 - 2017-06-29 01:03 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-07-12 06:29 - 2017-06-29 01:02 - 02899456 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-07-12 06:29 - 2017-06-29 01:02 - 00576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-07-12 06:29 - 2017-06-29 01:02 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-07-12 06:29 - 2017-06-29 00:55 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-07-12 06:29 - 2017-06-29 00:54 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-07-12 06:29 - 2017-06-29 00:51 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-07-12 06:29 - 2017-06-29 00:50 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-07-12 06:29 - 2017-06-29 00:50 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-07-12 06:29 - 2017-06-29 00:50 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-07-12 06:29 - 2017-06-29 00:50 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-07-12 06:29 - 2017-06-29 00:44 - 05975552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-07-12 06:29 - 2017-06-29 00:43 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-07-12 06:29 - 2017-06-29 00:39 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-07-12 06:29 - 2017-06-29 00:35 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2017-07-12 06:29 - 2017-06-29 00:31 - 00087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2017-07-12 06:29 - 2017-06-29 00:31 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-07-12 06:29 - 2017-06-29 00:30 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-07-12 06:29 - 2017-06-29 00:27 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-07-12 06:29 - 2017-06-29 00:26 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-07-12 06:29 - 2017-06-29 00:23 - 20270592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-07-12 06:29 - 2017-06-29 00:23 - 00499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-07-12 06:29 - 2017-06-29 00:23 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-07-12 06:29 - 2017-06-29 00:23 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2017-07-12 06:29 - 2017-06-29 00:23 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2017-07-12 06:29 - 2017-06-29 00:22 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2017-07-12 06:29 - 2017-06-29 00:22 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-07-12 06:29 - 2017-06-29 00:22 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-07-12 06:29 - 2017-06-29 00:19 - 02290176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-07-12 06:29 - 2017-06-29 00:17 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2017-07-12 06:29 - 2017-06-29 00:16 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2017-07-12 06:29 - 2017-06-29 00:14 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2017-07-12 06:29 - 2017-06-29 00:13 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-07-12 06:29 - 2017-06-29 00:13 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-07-12 06:29 - 2017-06-29 00:13 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2017-07-12 06:29 - 2017-06-29 00:11 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-07-12 06:29 - 2017-06-29 00:09 - 00806912 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-07-12 06:29 - 2017-06-29 00:09 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-07-12 06:29 - 2017-06-29 00:08 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-07-12 06:29 - 2017-06-29 00:07 - 02132992 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-07-12 06:29 - 2017-06-29 00:05 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2017-07-12 06:29 - 2017-06-29 00:01 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-07-12 06:29 - 2017-06-29 00:00 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2017-07-12 06:29 - 2017-06-29 00:00 - 00073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2017-07-12 06:29 - 2017-06-28 23:58 - 15253504 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-07-12 06:29 - 2017-06-28 23:58 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2017-07-12 06:29 - 2017-06-28 23:56 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-07-12 06:29 - 2017-06-28 23:56 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-07-12 06:29 - 2017-06-28 23:54 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2017-07-12 06:29 - 2017-06-28 23:53 - 03240960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-07-12 06:29 - 2017-06-28 23:52 - 04549632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-07-12 06:29 - 2017-06-28 23:48 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-07-12 06:29 - 2017-06-28 23:47 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-07-12 06:29 - 2017-06-28 23:46 - 02057216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-07-12 06:29 - 2017-06-28 23:46 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2017-07-12 06:29 - 2017-06-28 23:43 - 13663744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-07-12 06:29 - 2017-06-28 23:41 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-07-12 06:29 - 2017-06-28 23:29 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-07-12 06:29 - 2017-06-28 23:28 - 02767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-07-12 06:29 - 2017-06-28 23:24 - 01314816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-07-12 06:29 - 2017-06-28 23:23 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-07-12 06:29 - 2017-06-22 09:58 - 03223040 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-07-12 06:29 - 2017-06-15 15:23 - 00753664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2017-07-12 06:29 - 2017-06-12 17:54 - 00370920 _____ (Microsoft Corporation) C:\Windows\system32\clfs.sys
2017-07-12 06:29 - 2017-06-12 17:54 - 00154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2017-07-12 06:29 - 2017-06-12 17:54 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-07-12 06:29 - 2017-06-12 17:49 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 01363456 _____ (Microsoft Corporation) C:\Windows\system32\wdc.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00731648 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00594432 _____ (Microsoft Corporation) C:\Windows\system32\wvc.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\sysmon.ocx
2017-07-12 06:29 - 2017-06-12 17:49 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00345600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00123904 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00058880 _____ (Microsoft Corporation) C:\Windows\system32\pdhui.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2017-07-12 06:29 - 2017-06-12 17:49 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2017-07-12 06:29 - 2017-06-12 17:29 - 01227264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdc.dll
2017-07-12 06:29 - 2017-06-12 17:29 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2017-07-12 06:29 - 2017-06-12 17:29 - 00444928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wvc.dll
2017-07-12 06:29 - 2017-06-12 17:29 - 00390144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sysmon.ocx
2017-07-12 06:29 - 2017-06-12 17:29 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2017-07-12 06:29 - 2017-06-12 17:29 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2017-07-12 06:29 - 2017-06-12 17:29 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcrypt.dll
2017-07-12 06:29 - 2017-06-12 17:29 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00554496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00261120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00254464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pdhui.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2017-07-12 06:29 - 2017-06-12 17:28 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2017-07-12 06:29 - 2017-06-12 17:19 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2017-07-12 06:29 - 2017-06-12 17:14 - 00379392 _____ (Microsoft Corporation) C:\Windows\system32\msinfo32.exe
2017-07-12 06:29 - 2017-06-12 17:14 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\perfmon.exe
2017-07-12 06:29 - 2017-06-12 17:14 - 00103936 _____ (Microsoft Corporation) C:\Windows\system32\resmon.exe
2017-07-12 06:29 - 2017-06-12 17:12 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-07-12 06:29 - 2017-06-12 17:12 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2017-07-12 06:29 - 2017-06-12 17:12 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-07-12 06:29 - 2017-06-12 17:11 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2017-07-12 06:29 - 2017-06-12 17:09 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2017-07-12 06:29 - 2017-06-12 17:06 - 00303616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msinfo32.exe
2017-07-12 06:29 - 2017-06-12 17:06 - 00157184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\perfmon.exe
2017-07-12 06:29 - 2017-06-12 17:06 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\resmon.exe
2017-07-12 06:29 - 2017-06-12 17:05 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2017-07-12 06:29 - 2017-06-10 10:59 - 00313856 _____ (Microsoft Corporation) C:\Windows\system32\Wldap32.dll
2017-07-12 06:29 - 2017-06-10 10:39 - 00271360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Wldap32.dll
2017-07-12 06:29 - 2017-06-09 10:33 - 01680616 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2017-07-12 06:29 - 2017-06-06 10:30 - 01867264 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll
2017-07-12 06:29 - 2017-06-06 10:12 - 01499648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll
2017-07-12 06:29 - 2017-05-29 23:56 - 01895656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2017-07-12 06:29 - 2017-05-29 23:56 - 00377576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-07-12 06:29 - 2017-05-29 23:56 - 00287976 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2017-07-12 06:29 - 2017-05-20 23:24 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-07-12 06:29 - 2017-05-20 23:06 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-07-12 06:29 - 2017-05-16 10:35 - 00986856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-07-12 06:29 - 2017-05-16 10:35 - 00265448 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2017-07-12 06:29 - 2017-05-16 10:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2017-07-12 06:29 - 2017-05-03 10:34 - 00094952 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-07-12 06:29 - 2017-05-03 10:29 - 01206272 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-07-12 06:29 - 2017-05-03 08:05 - 01555968 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-07-12 06:29 - 2017-05-03 08:05 - 00620544 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-07-12 06:29 - 2017-05-03 08:05 - 00535552 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-07-12 06:29 - 2017-05-03 08:05 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-07-12 06:29 - 2017-05-03 08:05 - 00311296 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2017-07-12 06:29 - 2017-05-03 08:05 - 00217088 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-07-12 06:29 - 2017-05-03 08:05 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-07-12 06:29 - 2017-03-22 21:06 - 01691136 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2017-07-01 20:27 - 2017-07-01 20:27 - 00243282 _____ C:\Users\xxr\Downloads\D457058_IPL1.pdf
2017-06-24 14:44 - 2017-06-24 14:44 - 00243117 _____ C:\Users\xxr\Downloads\creditReport_1498333467061.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-17 18:53 - 2016-11-20 11:47 - 00000000 ____D C:\Users\xxr\AppData\LocalLow\Mozilla
2017-07-17 09:04 - 2011-05-04 04:11 - 00062308 _____ C:\Windows\system32\BMXStateBkp-{00000002-00000000-00000000-00001102-0000000B-00441102}.rfx
2017-07-16 18:18 - 2009-07-13 23:45 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-07-16 18:18 - 2009-07-13 23:45 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-07-16 18:16 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2017-07-16 16:16 - 2009-07-14 00:13 - 00864188 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-16 16:16 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2017-07-16 16:11 - 2014-10-02 18:11 - 00000000 ____D C:\ProgramData\NVIDIA
2017-07-16 16:11 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-16 16:10 - 2014-08-24 11:45 - 00075870 _____ C:\Windows\SysWOW64\PCPELog.txt
2017-07-16 16:03 - 2011-05-07 18:50 - 00112968 _____ C:\Users\xxr\AppData\Local\GDIPFONTCACHEV1.DAT
2017-07-16 15:59 - 2009-07-13 23:45 - 00421376 _____ C:\Windows\system32\FNTCACHE.DAT
2017-07-16 15:53 - 2009-07-13 21:34 - 00000546 _____ C:\Windows\win.ini
2017-07-16 15:52 - 2011-05-07 19:06 - 00876106 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2017-07-16 15:33 - 2014-04-22 18:57 - 00000000 ____D C:\Users\dub_cm_auto
2017-07-16 14:21 - 2012-04-01 11:05 - 00003938 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{AAC791B0-9E3F-432B-B3DD-BEF35FD485FF}
2017-07-15 08:37 - 2011-05-04 03:10 - 00000000 ____D C:\ProgramData\Creative
2017-07-14 07:14 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2017-07-13 20:49 - 2011-11-27 17:28 - 00000000 ____D C:\Users\xxr\AppData\Local\ElevatedDiagnostics
2017-07-13 20:48 - 2011-05-04 01:13 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-07-13 20:48 - 2011-05-04 01:13 - 00000000 ___HD C:\Program Files (x86)\Creative Installation Information
2017-07-13 20:48 - 2011-05-04 01:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Creative
2017-07-13 20:48 - 2011-05-04 01:13 - 00000000 ____D C:\Program Files\Creative
2017-07-13 20:47 - 2011-05-04 01:13 - 00000000 ____D C:\Program Files (x86)\Creative
2017-07-13 20:33 - 2015-11-01 19:03 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-07-12 06:46 - 2015-04-15 07:44 - 00000000 ____D C:\Windows\system32\appraiser
2017-07-12 06:35 - 2013-07-13 09:30 - 00000000 ____D C:\Windows\system32\MRT
2017-07-12 06:33 - 2011-05-14 08:34 - 135225752 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-07-11 07:33 - 2016-02-17 19:38 - 00004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-07-11 07:33 - 2014-08-20 18:11 - 00803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-07-11 07:33 - 2014-08-20 18:11 - 00144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-07-11 07:33 - 2011-05-18 20:12 - 00000000 ____D C:\Windows\system32\Macromed
2017-07-11 07:33 - 2011-05-04 01:16 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-06-30 07:28 - 2017-05-20 10:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-06-30 07:28 - 2015-09-20 12:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2011-07-18 07:41 - 2012-03-08 19:48 - 0007608 _____ () C:\Users\xxr\AppData\Local\Resmon.ResmonCfg
2014-03-08 12:26 - 2014-03-08 12:26 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-05-14 13:09 - 2011-05-14 13:09 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2012-01-29 13:10 - 2013-03-17 17:20 - 0000629 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Files to move or delete:
====================
C:\Users\xxr\en_res.dll
C:\Users\xxr\es_res.dll
C:\Users\xxr\fr_res.dll
C:\Users\xxr\grm_res.dll
C:\Users\xxr\it_res.dll
C:\Users\xxr\jp_res.dll
C:\Users\xxr\mfc80u.dll
C:\Users\xxr\msvcr80.dll
C:\Users\xxr\PCPE Setup.exe
C:\Users\xxr\pt_res.dll
C:\Users\xxr\ResourceReader.dll
C:\Users\xxr\ru_res.dll
C:\Users\xxr\zh_res.dll


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-07-13 22:24

==================== End of FRST.txt ============================


Edited by sander66, 17 July 2017 - 07:22 PM.



#2 sander66

sander66
  • Topic Starter

  • Members
  • 77 posts

Posted 17 July 2017 - 08:08 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-07-2017
Ran by xxr (17-07-2017 18:56:43)
Running from C:\Users\xxr\Downloads
Windows 7 Professional Service Pack 1 (X64) (2011-05-07 23:50:24)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2236860208-1521800549-1683809822-500 - Administrator - Disabled)
yy (S-1-5-21-2236860208-1521800549-1683809822-1001 - Limited - Enabled) => C:\Users\yy
Guest (S-1-5-21-2236860208-1521800549-1683809822-501 - Limited - Disabled)
xxr (S-1-5-21-2236860208-1521800549-1683809822-1000 - Administrator - Enabled) => C:\Users\xxr
Kom(S-1-5-21-2236860208-1521800549-1683809822-1002 - Administrator - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Security Suite (Disabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security Suite (Disabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
FW: Norton Security Suite (Enabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20058 - Adobe Systems Incorporated)
Adobe Flash Player 26 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 26.0.0.137 - Adobe Systems Incorporated)
Adobe Flash Player 26 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 26.0.0.137 - Adobe Systems Incorporated)
Ansel (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel) (Version: 376.33 - NVIDIA Corporation) Hidden
Apple Application Support (32-bit) (HKLM-x32\...\{E92BB800-BCC5-4C25-8102-AC2C3B7C7C1E}) (Version: 5.5 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9C912B1E-06DD-43EF-BB2B-45CB2C88BAAE}) (Version: 5.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CANON iMAGE GATEWAY MyCamera Download Plugin (HKLM-x32\...\MyCamera Download Plugin) (Version: 3.1.1.2 - Canon Inc.)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (HKLM-x32\...\CANON iMAGE GATEWAY Task) (Version: 1.9.0.9 - Canon Inc.)
Canon MOV Decoder (HKLM-x32\...\Canon MOV Decoder) (Version: 1.8.0.7 - Canon Inc.)
Canon MOV Encoder (HKLM-x32\...\Canon MOV Encoder) (Version: 1.7.0.3 - Canon Inc.)
Canon MovieEdit Task for ZoomBrowser EX (HKLM-x32\...\MovieEditTask) (Version: 3.8.0.5 - Canon Inc.)
Canon Utilities EOS Video Snapshot Task for ZoomBrowser EX (HKLM-x32\...\EOS Video Snapshot Task) (Version: 1.0.0.10 - Canon Inc.)
Canon Utilities ZoomBrowser EX (HKLM-x32\...\ZoomBrowser EX) (Version: 6.7.2.33 - Canon Inc.)
Canon ZoomBrowser EX Memory Card Utility (HKLM-x32\...\ZoomBrowser EX Memory Card Utility) (Version: 1.5.1.10 - Canon Inc.)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)

Consumer In-Home Service Agreement (HKLM-x32\...\{F47C37A4-7189-430A-B81D-739FF8A7A554}) (Version: 2.0.0 - Dell Inc.)
Creative Audio Control Panel (HKLM-x32\...\AudioCS) (Version: 3.00 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Creative Sound Blaster Properties x64 Edition (HKLM-x32\...\Creative Sound Blaster Properties x64 Edition) (Version: 1.02 - Creative Technology Limited)
Crystal Reports for Visual Studio (HKLM-x32\...\{AC41D924-8C68-4BD5-A7A1-0AE4176C31A6}) (Version: 12.51.0.240 - SAP) Hidden
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell System Detect (HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\...\73f463568823ebbe) (Version: 6.3.0.6 - Dell)
DetectorTools (HKLM-x32\...\{E8F0431A-A158-49F6-96AC-7C1380D9AF21}) (Version: 1.11.87 - Escort)
GDR 5520 for SQL Server 2008 (KB2977321) (64-bit) (HKLM\...\KB2977321) (Version: 10.3.5520.0 - Microsoft Corporation)
GDR 5538 for SQL Server 2008 (KB3045305) (64-bit) (HKLM\...\KB3045305) (Version: 10.3.5538.0 - Microsoft Corporation)
Google Toolbar for Internet Explorer (HKLM-x32\...\{18455581-E099-4BA8-BC6B-F34B2F06600C}) (Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Officejet Pro 8600 Basic Device Software (HKLM\...\{791A06E2-340F-43B0-8FAB-62D151339362}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Support Solutions Framework (HKLM-x32\...\{FC3C2B77-6800-48C6-A15D-9D1031130C16}) (Version: 11.51.0049 - Hewlett-Packard Company)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (HKLM-x32\...\{B6465A32-8BE9-4B38-ADC5-4B4BDDC10B0D}) (Version: 1.00.0001 - Microsoft) Hidden
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation)
Internet Explorer (HKLM-x32\...\{AA31EA7B-7917-4000-949B-38E91F848A25}) (Version: 8 - Microsoft Corporation) Hidden
iTunes (HKLM\...\{F0C7385A-9D20-45F3-8101-05D383885180}) (Version: 12.6.1.25 - Apple Inc.)

Java 8 Update 131 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180131F0}) (Version: 8.0.1310.11 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Logitech Harmony Remote Software 7 (HKLM-x32\...\{5C6F884D-680C-448B-B4C9-22296EE1B206}) (Version: 7.7.0.0 - Logitech)
Mesh Runtime (HKLM-x32\...\{8C6D6116-B724-4810-8F2D-D047E6B7D68E}) (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (HKLM-x32\...\{50816F92-1652-4A7C-B9BC-48F682742C4B}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Microsoft  File Transfer Manager (HKLM-x32\...\{4C8169AB-B6C1-413B-81B6-73B77127D82F}) (Version: 5.00.34 - Microsoft)
Microsoft .NET Framework 4 Multi-Targeting Pack (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools (HKLM-x32\...\{40416836-56CC-4C0E-A6AF-5C34BADCE483}) (Version: 2.0.50217.0 - Microsoft Corporation)
Microsoft ASP.NET MVC 2 (HKLM-x32\...\{DD8FF2F3-0D97-4CF3-AF78-FA0E1B242244}) (Version: 2.0.60926.0 - Microsoft Corporation)
Microsoft Help Viewer 1.1 (HKLM\...\Microsoft Help Viewer 1.1) (Version: 1.1.40219 - Microsoft Corporation)
Microsoft Money Plus (HKLM-x32\...\Money2008b) (Version: 17 - Microsoft)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Silverlight 3 SDK (HKLM-x32\...\{2012098D-EEE9-4769-8DD3-B038050854D4}) (Version: 3.0.40818.0 - Microsoft Corporation)
Microsoft Silverlight 4 SDK (HKLM-x32\...\{05855322-BE43-41FE-B583-D3AE0C326D58}) (Version: 4.0.50826.0 - Microsoft Corporation)

Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server 2008 (64-bit) (HKLM\...\Microsoft SQL Server 10 Release) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2008 Browser (HKLM-x32\...\{C688457E-03FD-4941-923B-A27F4D42A7DD}) (Version: 10.3.5500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Native Client (HKLM\...\{2738C4AA-420E-4E13-ADEF-B5AB250E3EF1}) (Version: 10.3.5500.0 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Data-Tier Application Framework (HKLM-x32\...\{BC537AE0-88AF-47ED-B762-33B0D62B5188}) (Version: 10.50.1750.9 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Data-Tier Application Project (HKLM-x32\...\{7A56D81D-6406-40E7-9184-8AC1769C4D69}) (Version: 10.50.1750.9 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Management Objects (HKLM-x32\...\{77F1F8AD-51B8-4490-AEEC-BF480073E0FC}) (Version: 10.50.1750.9 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Management Objects (x64) (HKLM\...\{EAEBF166-B06A-4D7F-BAF7-6615303D5C7C}) (Version: 10.50.1750.9 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Transact-SQL Language Service (HKLM-x32\...\{09C52940-A4D1-4409-A7CC-1AAE630CF578}) (Version: 10.50.1750.9 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files  (HKLM\...\{F43ADE73-2880-4A95-B995-4FE386ECF667}) (Version: 10.3.5538.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 ENU (HKLM-x32\...\{3A9FC03D-C685-4831-94CF-4EDFD3749497}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (HKLM\...\{D4AD39AD-091E-4D33-BB2B-59F6FCB8ADC3}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft SQL Server Database Publishing Wizard 1.4 (HKLM-x32\...\{ACE28263-76A4-4BF5-B6F4-8BD719595969}) (Version: 10.1.2512.8 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{877B76B2-F83F-4F5A-B28D-3F398641ADB6}) (Version: 10.50.1750.9 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (x64) (HKLM\...\{1E6ED082-E32D-4B2B-8B6A-70B094815135}) (Version: 10.50.1750.9 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{0826F9E4-787E-481D-83E0-BC6A57B056D5}) (Version: 10.3.5500.0 - Microsoft Corporation)

Microsoft Sync Framework Runtime v1.0 SP1 (x64) (HKLM\...\{8438EC02-B8A9-462D-AC72-1B521349C001}) (Version: 1.0.3010.0 - Microsoft Corporation)
Microsoft Sync Framework SDK v1.0 SP1 (HKLM-x32\...\{0E3DFC64-CC49-4BE2-8C9C-58EF129675DB}) (Version: 1.0.3010.0 - Microsoft Corporation)
Microsoft Sync Framework Services v1.0 SP1 (x64) (HKLM\...\{034106B5-54B7-467F-B477-5B7DBB492624}) (Version: 1.0.3010.0 - Microsoft Corporation)
Microsoft Sync Services for ADO.NET v2.0 SP1 (x64) (HKLM\...\{1D1CEEF8-3741-45BD-8E77-963E1DEBDDD3}) (Version: 2.0.3010.0 - Microsoft Corporation)

Microsoft Visio Professional 2010 (HKLM-x32\...\Office14.VISIOR) (Version: 14.0.7015.1000 - Microsoft Corporation)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (HKLM-x32\...\{a0fe116e-9a8a-466f-aee0-625cb7c207e3}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}) (Version: 8.0.58299 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{820B6609-4C97-3A2B-B644-573B06A0F0CC}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (HKLM-x32\...\{B7E38540-E355-3503-AFD7-635B2F2F76E1}) (Version: 9.0.30729.4974 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Designtime - 10.0.30319 (HKLM\...\{F5079164-1DB9-3BDA-853B-F78AF67CE071}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Runtime - 10.0.40219 (HKLM\...\{1C7C8AAF-A16D-32E8-89E5-F6D165DE0BCE}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Runtime - 10.0.40219 (HKLM-x32\...\{5D9ED403-94DE-3BA0-B1D6-71F4BDA412E6}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual F# 2.0 Runtime (HKLM-x32\...\{85467CBC-7A39-33C9-8940-D72D9269B84F}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools (HKLM-x32\...\{14DD7530-CCD2-3798-B37D-3839ED6A441C}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Professional - ENU (HKLM-x32\...\Microsoft Visual Studio 2010 Professional - ENU) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual Studio 2010 Service Pack 1 (HKLM-x32\...\Microsoft Visual Studio 2010 Service Pack 1) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft Visual Studio Macro Tools (HKLM-x32\...\Microsoft Visual Studio Macro Tools) (Version: 9.0.30729 - Microsoft Corporation)

Mozilla Firefox 54.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 54.0.1 (x86 en-US)) (Version: 54.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 54.0.1.6388 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Norton Security Suite (HKLM-x32\...\N360) (Version: 22.9.4.8 - Symantec Corporation)
NVIDIA 3D Vision Driver 376.33 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 376.33 - NVIDIA Corporation)
NVIDIA Graphics Driver 376.33 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 376.33 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.17 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.17 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
PDFill FREE PDF Tools (HKLM\...\{735A3951-E139-4E4A-AFAE-BA25E9FF5E6A}) (Version: 11.0 - PlotSoft LLC)
PowerChute Personal Edition 3.0.2 (HKLM-x32\...\{8ED262EE-FC73-47A9-BB86-D92223246881}) (Version: 3.0.2 - Schneider Electric)
Remote Control USB Driver (HKLM-x32\...\{8471021C-F529-43DE-84DF-3612E10F58C4}) (Version: 2.3.2.317 - )
Secure Online Account Numbers (HKLM-x32\...\{3E7F5E50-6956-4446-87BF-F422A8736B7F}) (Version: 2.0.2.0 - Discover) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0057-0000-0000-0000000FF1CE}_Office14.VISIOR_{359ADBEC-068A-4CC9-9174-77AB8EDB867A}) (Version:  - Microsoft)
Service Pack 3 for SQL Server 2008 (KB2546951) (64-bit) (HKLM\...\KB2546951) (Version: 10.3.5500.0 - Microsoft Corporation)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.23 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.23.105 - Skype Technologies S.A.)
SmartView 3.2 (HKLM-x32\...\{84BADC50-D914-48D1-897F-BF2D8A5FCD1A}) (Version: 3.2.1 - Fluke)
Sql Server Customer Experience Improvement Program (HKLM\...\{2F14965D-567B-4E59-ADEB-0A2CC1E3ADDF}) (Version: 10.3.5500.0 - Microsoft Corporation) Hidden
thinkorswim from TD AMERITRADE (HKLM-x32\...\thinkorswim from TD AMERITRADE) (Version:  - TD AMERITRADE, Inc.)
TurboTax 2010 (HKLM-x32\...\TurboTax 2010) (Version:  - Intuit, Inc)
TurboTax 2011 (HKLM-x32\...\TurboTax 2011) (Version:  - Intuit, Inc)
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
Visual Studio 2010 Prerequisites - English (HKLM\...\{662014D2-0450-37ED-ABAE-157C88127BEB}) (Version: 10.0.40219 - Microsoft Corporation)
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU (HKLM-x32\...\{112C23F2-C036-4D40-BED4-0CB47BF5555C}) (Version: 4.0.8080.0 - Microsoft Corporation)
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
WCF RIA Services V1.0 SP1 (HKLM-x32\...\{D9E6001A-5DC3-4620-AF7A-80B6CD48645D}) (Version: 4.1.60114.0 - Microsoft Corporation)
Web Components (HKLM-x32\...\{03B13AF8-9625-478A-AF0E-205337B9415A}_is1) (Version:  - )
Web Deployment Tool (HKLM\...\{0F37D969-1260-419E-B308-EF7D29ABDE20}) (Version: 1.1.0618 - Microsoft Corporation)
WhoCrashed 5.02 (HKLM\...\WhoCrashed_is1) (Version:  - Resplendence Software Projects Sp.)
Windows Driver Package - ESCORT Inc. (WinUSB) MyDeviceClass  (03/01/2016 ) (HKLM\...\7A36AB60EC45A6FC8EE1F96C601E6EDA899B99A1) (Version: 03/01/2016  - ESCORT Inc.)
Windows Driver Package - ESCORT, Inc. (usbser) Ports  (04/24/2013 1.0.0.0) (HKLM\...\81CF09C262F2AF50FED94F55B77F731D76C948F2) (Version: 04/24/2013 1.0.0.0 - ESCORT, Inc.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine32\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ContextMenuHandlers01: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ContextMenuHandlers01: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\NavShExt.dll [2017-05-26] (Symantec Corporation)
ContextMenuHandlers02: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\NavShExt.dll [2017-05-26] (Symantec Corporation)
ContextMenuHandlers04: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers05: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
ContextMenuHandlers05: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2016-12-11] (NVIDIA Corporation)
ContextMenuHandlers06: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\buShell.dll [2017-05-11] (Symantec Corporation)
ContextMenuHandlers06: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\NavShExt.dll [2017-05-26] (Symantec Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {06B7429C-5579-4B6D-A00B-206DC117826B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {07867758-F262-42B3-86F2-726C4EECBB7C} - System32\Tasks\Norton 360\Norton Security Suite Error Analyzer => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\SymErr.exe [2017-05-11] (Symantec Corporation)
Task: {0FA1A7B4-F512-4CF1-AD98-57A799F7B2F0} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-04-25] (Adobe Systems Incorporated)
Task: {32D590F6-DE47-4920-8DA2-822E4C574954} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security Suite\Upgrade.exe [2017-05-26] (Symantec Corporation)
Task: {503B583E-7DD1-4870-9E94-A8194558EE3C} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-02-14] (Apple Inc.)
Task: {59D79C23-C922-44EF-B5FC-7C79D14E2743} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {5DDDF1E0-6A33-4975-831D-E5F0D42B8184} - System32\Tasks\{B9F6463C-7F24-4DA1-990D-77497CC1739E} => "c:\program files\internet explorer\iexplore.exe" hxxp://ui.skype.com/ui/0/6.6.0.106/en/abandoninstall?page=tsProgressBar
Task: {5F958617-FF51-42B9-B2EE-10A5889770AE} - System32\Tasks\{731C1560-56C2-45E8-9301-25669A6AD718} => C:\Program Files (x86)\Skype\\Phone\Skype.exe [2016-04-29] (Skype Technologies S.A.)
Task: {75A8DDFF-C691-4117-820B-A3A490CBE0AC} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-07-11] (Adobe Systems Incorporated)
Task: {9CF39690-F29C-4936-9539-CAC6EBBDE704} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\WSCStub.exe [2017-05-26] (Symantec Corporation)
Task: {CC7686F2-00E9-4AF0-AA75-8A58788D393F} - System32\Tasks\Norton 360\Norton Security Suite Error Processor => C:\Program Files (x86)\Norton Security Suite\Engine\22.9.4.8\SymErr.exe [2017-05-11] (Symantec Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2014-10-02 18:08 - 2016-12-11 13:47 - 00134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2017-05-09 00:44 - 2017-05-09 00:44 - 01354040 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-09-01 18:12 - 2016-09-01 18:12 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2013-09-05 01:17 - 2013-09-05 01:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2017-05-09 03:05 - 2017-05-09 03:05 - 01354040 _____ () C:\Program Files\iTunes\libxml2.dll
2017-05-09 03:05 - 2017-05-09 03:05 - 00092472 _____ () C:\Program Files\iTunes\zlib1.dll
2017-05-11 08:14 - 2017-05-11 08:14 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\2c9be31a5dbee621ab9fa7b3d8bb865d\IsdiInterop.ni.dll
2011-05-04 01:17 - 2010-03-03 20:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2011-05-14 11:18 - 2011-05-14 11:18 - 00854016 _____ () C:\Windows\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll
2011-05-14 11:18 - 2011-05-14 11:18 - 00476520 _____ () C:\Windows\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
2010-07-07 12:33 - 2010-07-07 12:33 - 00002560 _____ () C:\Windows\SysWOW64\CTXFIRES.DLL
2011-05-04 03:10 - 2010-01-27 14:34 - 00178688 ____N () C:\Windows\SysWOW64\APOMngr.DLL
2013-09-05 01:14 - 2013-09-05 01:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2015-11-11 03:42 - 2015-11-11 03:42 - 01045672 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\...\citibank.com -> hxxps://online.citibank.com
IE trusted site: HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\...\dell.com -> dell.com
IE trusted site: HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\...\hewitt.com -> hxxps://beplb01.portal.hewitt.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2017-07-16 15:53 - 00000855 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2236860208-1521800549-1683809822-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 10.0.0.99
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{CE55F6B6-8377-444D-B570-87D6A2F6A7D4}] => (Allow) c:\Program Files (x86)\Dell\VideoStage\VideoStage.exe
FirewallRules: [{D1D95E4D-8EAB-47BC-B756-3A194607BE6B}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{32C1F390-062E-4B6E-BD17-2379EA558B8C}] => (Allow) LPort=2869
FirewallRules: [{7DF30686-C442-4BA7-BAF3-4F7938183861}] => (Allow) LPort=1900
FirewallRules: [{9D596F05-1AB6-40EF-89A7-C76E240E27D9}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{AE7BDBC1-7DA2-440E-AB2D-1D35751339F4}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{E4E90465-BB35-4995-9D15-312D19439740}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdater.exe
FirewallRules: [{7BB6283A-61A9-4BA7-BC0F-254AA92BEBAE}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
FirewallRules: [{AEF09993-D567-4758-B12F-43223A6FD157}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
FirewallRules: [{497DCD8D-4AC2-451D-81B9-53EFA72E8ECB}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
FirewallRules: [{BAC90AF6-BFA3-4716-95FE-54F1618EFC26}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
FirewallRules: [{05F0FFD4-08A3-4062-994D-254B237BC543}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
FirewallRules: [{5EABBEC4-F02A-4E58-A9C5-2DD4A159815E}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{78994DA1-41A5-4D46-A4C4-307EBFDC2A79}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{9B85BF13-73AF-4042-B631-27EE5BD8BF1D}] => (Allow) C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe
FirewallRules: [{617282F9-96D8-4CBC-A3AD-0F3CAB4280FD}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{704F059D-43B1-4995-809D-09F91E7895FF}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{75744EC2-7F81-4A03-AE1E-950EACA4F3B8}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{F1AECA55-3142-4AF9-9DE0-0F895AEBE204}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{D30080FB-D2B0-45C8-954F-B3FB9FFC28A7}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{EC3969B6-4936-49D1-B975-E83F783A5613}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{5E4C3DF0-8153-4D0B-84FD-2B1F37DF5C6F}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8600\bin\FaxApplications.exe
FirewallRules: [{E4C15EAE-7DF0-4929-A1D7-C8B7BB17B3F7}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8600\bin\DigitalWizards.exe
FirewallRules: [{751DB488-936B-4171-9B8B-7BA54E333DE3}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8600\bin\SendAFax.exe
FirewallRules: [{A58D9632-C9BF-4A17-AAB6-BFF17D3602EF}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8600\Bin\DeviceSetup.exe
FirewallRules: [{9875173E-04BE-4068-B96D-8CB762816E6F}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
FirewallRules: [{A76BF383-9501-4B79-93DB-D4573EDCC50C}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{6C6689DB-D56C-4D5C-95CA-A156EB842709}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4015CB69-AECD-45FB-91C1-29A2FD1DB7CB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6AE24869-B844-46EB-9B06-24FC768728B0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{1C98F54B-0031-4339-89E1-C5FA6FA1F8E4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D1AA83A3-7F6A-4B20-8B81-1D067D21AB66}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{2F570422-5F66-437F-8AEE-5D216172808F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7AF43272-608E-43F2-8828-076092D40623}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2580E3D8-560C-4797-B193-68F917B4031C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{AD579C76-CD22-49A1-B1D3-79673662BF35}] => (Allow) C:\Program Files\iTunes\iTunes.exe
DomainProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7

==================== Restore Points =========================

03-07-2017 10:04:15 Windows Backup
10-07-2017 06:14:50 Windows Backup
12-07-2017 06:30:24 Windows Update
13-07-2017 19:52:45 Restore Operation
13-07-2017 20:46:52 Installed Creative Audio Control Panel
13-07-2017 20:48:37 Installed Creative Software AutoUpdate

==================== Faulty Device Manager Devices =============

Name: AntiLog32
Description: AntiLog32
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: AntiLog32
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Sadp Driver (NPF)
Description: Sadp Driver (NPF)
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: NPF
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (07/17/2017 06:51:37 AM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location \\PORT2\MAT_backup\diff\. The error is: A device attached to the system is not functioning. (0x8007001F).

Error: (07/16/2017 04:02:45 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (07/16/2017 04:02:45 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (07/16/2017 03:56:25 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3009) (User: MAT)
Description: Installing the performance counter strings for service .NET CLR Networking 4.0.0.0 () failed. The first DWORD in the Data section contains the error code.

Error: (07/16/2017 03:56:25 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3009) (User: MAT)
Description: Installing the performance counter strings for service .NET Data Provider for Oracle () failed. The first DWORD in the Data section contains the error code.

Error: (07/16/2017 03:52:38 PM) (Source: WinMgmt) (EventID: 4) (User: )
Description: Error 0x8004100a encountered when trying to load MOF C:\PROGRAM FILES (X86)\MICROSOFT SQL SERVER\100\SHARED\SQLMGMPROVIDERXPSP2UP.MOF while recovering .MOF file marked with autorecover.

Error: (07/16/2017 03:46:53 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\wbem\wmiprvse.exe; Description = Tweaking.com - Windows Repair; Error = 0x8007043c).

Error: (07/16/2017 02:23:01 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\program files (x86)\eset\eset online scanner\ESETSmartInstaller.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.


System errors:
=============
Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error:
The dependency service does not exist or has been marked for deletion.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Workstation service which failed to start because of the following error:
The dependency service does not exist or has been marked for deletion.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The Server SMB 2.xxx Driver service depends the following service: srvnet. This service might not be installed.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The Workstation service depends the following service: MRxSmb20. This service might not be installed.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error:
The dependency service does not exist or has been marked for deletion.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Workstation service which failed to start because of the following error:
The dependency service does not exist or has been marked for deletion.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The Server SMB 2.xxx Driver service depends the following service: srvnet. This service might not be installed.

Error: (07/17/2017 06:48:54 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The Workstation service depends the following service: MRxSmb20. This service might not be installed.


CodeIntegrity:
===================================
  Date: 2014-03-02 21:48:22.499
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:48:22.328
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:46:09.381
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:46:09.248
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:40:13.797
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:40:13.641
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:31:35.396
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:31:35.240
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:25:25.137
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-03-02 21:25:24.981
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmpag.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i7 CPU 930 @ 2.80GHz
Percentage of memory in use: 17%
Total physical RAM: 16374.93 MB
Available physical RAM: 13510.3 MB
Total Virtual: 32748.04 MB
Available Virtual: 28657.32 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:918.76 GB) (Free:693.85 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: CB59CF06)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=12.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=918.8 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


Edited by sander66, 17 July 2017 - 08:22 PM.


#3 sander66

sander66
  • Topic Starter

  • Members
  • 77 posts

Posted 17 July 2017 - 08:23 PM

Microsoft Team Foundation Server 2010 Object Model - ENU (HKLM\...\Microsoft Team Foundation Server 2010 Object Model - ENU) (Version: 10.0.40219 - Microsoft Corporation)



#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 17 July 2017 - 09:07 PM

Welcome :)

 

No sign of malware in those logs.

 

Let's check your registry:

 

 

  • Highlight the entire content of the quote box below.

Start::  
HKLM-x32\...\Run: [] => [X]
FirewallRules: [{32C1F390-062E-4B6E-BD17-2379EA558B8C}] => (Allow) LPort=2869
FirewallRules: [{7DF30686-C442-4BA7-BAF3-4F7938183861}] => (Allow) LPort=1900
GroupPolicy: Restriction <==== ATTENTION
BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL => No File
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\progra~1\mcafee\msk\mskapbho.dll => No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
ContextMenuHandlers04: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers05: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
C:\Users\xxr\en_res.dll
C:\Users\xxr\es_res.dll
C:\Users\xxr\fr_res.dll
C:\Users\xxr\grm_res.dll
C:\Users\xxr\it_res.dll
C:\Users\xxr\jp_res.dll
C:\Users\xxr\mfc80u.dll
C:\Users\xxr\msvcr80.dll
C:\Users\xxr\PCPE Setup.exe
C:\Users\xxr\pt_res.dll
C:\Users\xxr\ResourceReader.dll
C:\Users\xxr\ru_res.dll
C:\Users\xxr\zh_res.dll
2011-07-18 07:41 - 2012-03-08 19:48 - 0007608 _____ () C:\Users\xxr\AppData\Local\Resmon.ResmonCfg
2014-03-08 12:26 - 2014-03-08 12:26 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-05-14 13:09 - 2011-05-14 13:09 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2012-01-29 13:10 - 2013-03-17 17:20 - 0000629 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb20" /s
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 sander66

sander66
  • Topic Starter

  • Members
  • 77 posts

Posted 18 July 2017 - 07:09 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-07-2017
Ran by xxr (18-07-2017 06:46:31) Run:1
Running from C:\Users\xxr\Downloads
Loaded Profiles: xxr (Available Profiles: xxr & chregeli)
Boot Mode: Normal
==============================================

fixlist content:
*****************
 
HKLM-x32\...\Run: [] => [X]
FirewallRules: [{32C1F390-062E-4B6E-BD17-2379EA558B8C}] => (Allow) LPort=2869
FirewallRules: [{7DF30686-C442-4BA7-BAF3-4F7938183861}] => (Allow) LPort=1900
GroupPolicy: Restriction <==== ATTENTION
BHO: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL => No File
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: McAfee Phishing Filter -> {27B4851A-3207-45A2-B947-BE8AFE6163AB} -> c:\progra~1\mcafee\msk\mskapbho.dll => No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
ContextMenuHandlers04: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers05: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
C:\Users\xxr\en_res.dll
C:\Users\xxr\es_res.dll
C:\Users\xxr\fr_res.dll
C:\Users\xxr\grm_res.dll
C:\Users\xxr\it_res.dll
C:\Users\xxr\jp_res.dll
C:\Users\xxr\mfc80u.dll
C:\Users\xxr\msvcr80.dll
C:\Users\xxr\PCPE Setup.exe
C:\Users\xxr\pt_res.dll
C:\Users\xxr\ResourceReader.dll
C:\Users\xxr\ru_res.dll
C:\Users\xxr\zh_res.dll
2011-07-18 07:41 - 2012-03-08 19:48 - 0007608 _____ () C:\Users\xxr\AppData\Local\Resmon.ResmonCfg
2014-03-08 12:26 - 2014-03-08 12:26 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-05-14 13:09 - 2011-05-14 13:09 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2012-01-29 13:10 - 2013-03-17 17:20 - 0000629 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb20" /s

*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{32C1F390-062E-4B6E-BD17-2379EA558B8C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7DF30686-C442-4BA7-BAF3-4F7938183861} => value removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB} => key removed successfully
HKLM\Software\Classes\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key removed successfully
HKLM\Software\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
HKLM\Software\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{27B4851A-3207-45A2-B947-BE8AFE6163AB} => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C} => key removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\MSSE => key removed successfully
HKLM\Software\Classes\CLSID\{0365FE2C-F183-4091-AC82-BFC39FB75C49} => key not found.
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ACE => key removed successfully
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000} => key removed successfully
"C:\Users\xxr\en_res.dll" => not found.
"C:\Users\xxr\es_res.dll" => not found.
"C:\Users\xxr\fr_res.dll" => not found.
"C:\Users\xxr\grm_res.dll" => not found.
"C:\Users\xxr\it_res.dll" => not found.
"C:\Users\xxr\jp_res.dll" => not found.
"C:\Users\xxr\mfc80u.dll" => not found.
"C:\Users\xxr\msvcr80.dll" => not found.
"C:\Users\xxr\PCPE Setup.exe" => not found.
"C:\Users\xxr\pt_res.dll" => not found.
"C:\Users\xxr\ResourceReader.dll" => not found.
"C:\Users\xxr\ru_res.dll" => not found.
"C:\Users\xxr\zh_res.dll" => not found.
"C:\Users\xxr\AppData\Local\Resmon.ResmonCfg" => not found.
C:\ProgramData\Ament.ini => moved successfully
C:\ProgramData\ezsidmv.dat => moved successfully
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc => moved successfully

========= Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb\Enum
    0    REG_SZ    Root\LEGACY_MRXSMB\0000
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1



========= End of Reg: =========


========= Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10\Enum
    0    REG_SZ    Root\LEGACY_MRXSMB10\0000
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1



========= End of Reg: =========


========= Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb20" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb20\Enum
    0    REG_SZ    Root\LEGACY_MRXSMB20\0000
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1



========= End of Reg: =========



The system needed a reboot.

==== End of Fixlog 06:46:35 ====



#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 July 2017 - 08:09 AM

Somehow these services are corrupted.

 

Download the enclosed .zip file. [attachment=196176:WorkStationFix.zip] Extract its contents to the ill computer's desktop. Once done, open the folder, right click the RunMe.bat file and select "Run as Administrator". If the computer does not restart, please manually restart the computer.

 

Test and let me know the outcome.




#7 sander66

sander66
  • Topic Starter

  • Members
  • 77 posts

Posted 18 July 2017 - 08:27 AM

Patient is healing - much better!

For example I can connect to other file shares again on the network.

 

I have a couple of remaining event log errors:

The Server SMB 2.xxx Driver service depends the following service: srvnet. This service might not be installed.

 

The Server SMB 1.xxx Driver service depends on the Server SMB 2.xxx Driver service which failed to start because of the following error:
The dependency service does not exist or has been marked for deletion.

 

The Server service depends on the Server SMB 1.xxx Driver service which failed to start because of the following error:
The dependency service or group failed to start.

 

The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

 

The Server SMB 2.xxx Driver service depends the following service: srvnet. This service might not be installed.

 

 

and (probably unrelated - might have had this for a long time)

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}
 and APPID
{344ED43D-D086-4961-86A6-1106F4ACAD9B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 July 2017 - 11:32 AM

Open FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

srvnet*

It then should look like:

Search: srvnet*

Click the Search Files button and post the log (Search.txt) it makes on the USB drive in your next reply.

 

Let's make sure the registry is also fixed.

 

 

Download the enclosed .zip file. [attachment=196187:srvnetFix.zip] Extract its contents to the ill computer's desktop. Once done, open the folder, right click the RunMe.bat file and select "Run as Administrator". If the computer does not restart, please manually restart the computer.

 

Test and let me know the outcome.

 




#9 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 July 2017 - 11:44 AM

Let's also fix the browser error.

 

Download the enclosed .zip file. [attachment=196188:BrowserFix.zip] Extract its contents to the ill computer's desktop. Once done, open the folder, right click the RunMe.bat file and select "Run as Administrator". If the computer does not restart, please manually restart the computer.

 

Test and let me know the outcome.

 




#10 sander66

sander66
  • Topic Starter

  • Members
  • 77 posts

Posted 18 July 2017 - 01:04 PM

Getting better every time.

 

Here are my remaining system errors:

 

The Sadp Driver (NPF) service failed to start due to the following error:
The system cannot find the file specified.

 

Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

 

One warning:

WLAN AutoConfig service has successfully stopped.

 

Warnings in the Application log:

The content source <csc://{S-1-5-21-2236860208-1521800549-1683809822-1000}/> cannot be accessed.

Context:  Application, SystemIndex Catalog

Details:
    The object was not found.  (HRESULT : 0x80041201) (0x80041201)
 

 

 

The search log:

 

Farbar Recovery Scan Tool (x64) Version: 15-07-2017
Ran by xxr(18-07-2017 12:57:48)
Running from C:\Users\xxr\Downloads
Boot Mode: Normal

================== Search Files: "srvnet*" =============

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.23762_none_624d9494400eca32\srvnet.sys
[2017-05-10 07:07][2017-04-05 09:55] 0168960 _____ (Microsoft Corporation) 42EDAB3E3E8E25C7093674936C2DB4BD [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.23689_none_623ef4dc4018b64e\srvnet.sys
[2017-03-14 19:14][2017-02-11 10:58] 0168960 _____ (Microsoft Corporation) 3F20CD2A11872284BD667DAD6D4801CC [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.23517_none_6288a1d63fe1c2e2\srvnet.sys
[2016-09-14 20:58][2016-08-12 11:26] 0168960 _____ (Microsoft Corporation) 9C12C78AD36C23D925711A4640228225 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.23491_none_622c1ed440280d39\srvnet.sys
[2016-09-14 20:57][2016-07-01 09:56] 0168960 _____ (Microsoft Corporation) CB06B3D4659D744131E691B7B4CE6B2D [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.23452_none_62585ece4006b6cc\srvnet.sys
[2016-06-15 20:01][2016-05-12 09:58] 0168960 _____ (Microsoft Corporation) 63B5845D9379262083655D5C6AB8DFC5 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.21717_none_6288d3323fe189ee\srvnet.sys
[2011-06-18 14:06][2011-04-28 21:53] 0168448 _____ (Microsoft Corporation) 497BC12BDA57CACB29A6B63C3069A0F5 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.21666_none_6251c166400aff25\srvnet.sys
[2011-05-08 09:38][2011-02-22 22:31] 0167936 _____ (Microsoft Corporation) B3293EB86DE13312DF227D13C54E3B6B [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.17608_none_620b069d26bae78a\srvnet.sys
[2011-06-18 14:06][2011-04-28 22:05] 0168448 _____ (Microsoft Corporation) 27E461F0BE5BFF5FC737328F749538C3 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.17565_none_61c7245126ee4604\srvnet.sys
[2011-05-08 09:38][2011-02-22 23:55] 0167936 _____ (Microsoft Corporation) 3F847C9DC87299516F7DC82FB6572865 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7601.17514_none_61fc33a326c6a0f8\srvnet.sys
[2011-05-21 13:09][2010-11-20 04:27] 0167936 _____ (Microsoft Corporation) 2BA8F3250828CCDB4204ECF2C6F40B6A [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.20956_none_6076363242dc746f\srvnet.sys
[2011-06-18 14:06][2011-04-28 22:06] 0161792 _____ (Microsoft Corporation) 19E0B9883EE4DB831CD5DD781CBD6498 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.20907_none_60ad461842b30211\srvnet.sys
[2011-05-08 09:38][2011-02-22 22:48] 0161792 _____ (Microsoft Corporation) 55BE8EE4C3EC8081E68A8C21BFF94256 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.20789_none_6058c38042f219f9\srvnet.sys
[2011-05-04 04:00][2011-05-04 04:00] 0161792 _____ (Microsoft Corporation) 3EBBD18201CF162E537217D7C51047F6 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.20740_none_607b009642d9c626\srvnet.sys
[2011-05-04 04:00][2011-05-04 04:00] 0162304 _____ (Microsoft Corporation) A2FF8C218D5B62D693658F91B7FBB514 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.20591_none_6045ed78430170e4\srvnet.sys
[2011-05-04 04:00][2011-05-04 04:00] 0162304 _____ (Microsoft Corporation) 47A7DCDDEA3FC3099A126EB603FEC7A3 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.16806_none_6022a903299648f0\srvnet.sys
[2011-06-18 14:06][2011-04-28 22:12] 0161792 _____ (Microsoft Corporation) 0AF6E19D39C70844C5CAA8FB0183C36E [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.16765_none_5fe0c74b29c7da18\srvnet.sys
[2011-05-08 09:38][2011-02-23 00:15] 0161792 _____ (Microsoft Corporation) CB69EDEB069A49577592835659CD0E46 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.16664_none_5fdfc51b29c8c39a\srvnet.sys
[2011-05-04 04:00][2011-05-04 04:00] 0161792 _____ (Microsoft Corporation) 5A663FD67049267BC5C3F3279E631FFB [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.16619_none_601ad629299bb698\srvnet.sys
[2011-05-04 04:00][2011-05-04 04:00] 0162304 _____ (Microsoft Corporation) FBD09635227A8026C0F7790F604343C6 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.16481_none_5fc7209929dbb529\srvnet.sys
[2011-05-04 04:00][2011-05-04 04:00] 0162304 _____ (Microsoft Corporation) CCE32BB223E9FF55D241099A858FA889 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-smbserver-common_31bf3856ad364e35_6.1.7600.16385_none_5fcb1fdb29d81d5e\srvnet.sys
[2009-07-13 18:24][2009-07-13 18:24] 0162816 _____ (Microsoft Corporation) 26E84D3649019C3244622E654DFCD75B [File is digitally signed]

C:\Windows\System32\drivers\srvnet.sys
[2017-05-10 07:07][2017-04-05 09:55] 0168960 _____ (Microsoft Corporation) 42EDAB3E3E8E25C7093674936C2DB4BD [File is digitally signed]

====== End of Search ======


Edited by sander66, 18 July 2017 - 01:22 PM.


#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 July 2017 - 03:50 PM

Let's check the registry on these entries.

 

  • Highlight the entire content of the quote box below.

Start::  
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnPHost" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PnPHost" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList" /s
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 



#12 sander66

sander66
  • Topic Starter

  • Members
  • 77 posts

Posted 18 July 2017 - 03:53 PM

Remaining event log items after reboot:

 

The Sadp Driver (NPF) service failed to start due to the following error:
The system cannot find the file specified.

 

The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}
 and APPID
{344ED43D-D086-4961-86A6-1106F4ACAD9B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

 

and the search warning:

The content source <csc://{S-1-5-21-2236860208-1521800549-1683809822-1000}/> cannot be accessed.

Context:  Application, SystemIndex Catalog

Details:
    The object was not found.  (HRESULT : 0x80041201) (0x80041201)
 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-07-2017
Ran by xxr (18-07-2017 15:53:05) Run:2
Running from C:\Users\xxr\Desktop
Loaded Profiles: xxr (Available Profiles: xxr & chregeli)
Boot Mode: Normal
==============================================

fixlist content:
*****************
 
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnPHost" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PnPHost" /s
Reg: Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList" /s

*****************


========= Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    \??\C:\Windows\SysWOW64\drivers\npf64.sys
    DisplayName    REG_SZ    Sadp Driver (NPF)
    WOW64    REG_DWORD    0x1
    TimestampMode    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NPF\Enum
    0    REG_SZ    Root\LEGACY_NPF\0000
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1
    INITSTARTFAILED    REG_DWORD    0x1



========= End of Reg: =========


========= Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnPHost" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnPHost
    DisplayName    REG_SZ    @%systemroot%\system32\upnphost.dll,-213
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
    Description    REG_SZ    @%systemroot%\system32\upnphost.dll,-214
    ObjectName    REG_SZ    NT AUTHORITY\LocalService
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x3
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    SSDPSRV\0HTTP
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege
    FailureActions    REG_BINARY    8051010000000000000000000300000014000000010000006400000001000000640000000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnPHost\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\upnphost.dll
    ServiceDllUnloadOnStop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPnPHost\Security
    Security    REG_BINARY    01000480C4000000D400000000000000140000000200B0000700000000002800FF010F00010600000000000550000000B589FB381984C2CB5C6C236D5700776EC002648700001800FF010F000102000000000005200000002002000000001400FF010F0001010000000000051200000000001800FF010F0001020000000000052000000025020000000014009D00020001010000000000050400000000001400FD01020001010000000000051300000000001400FD01020001010000000000051400000001020000000000052000000020020000010100000000000512000000



========= End of Reg: =========


========= Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF" /s =========


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF
    NextInstance    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000
    Service    REG_SZ    NPF
    Legacy    REG_DWORD    0x1
    ConfigFlags    REG_DWORD    0x0
    Class    REG_SZ    LegacyDriver
    ClassGUID    REG_SZ    {8ECC055D-047F-11D1-A537-0000F8753ED1}
    DeviceDesc    REG_SZ    Sadp Driver (NPF)
    Capabilities    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Control



========= End of Reg: =========


========= Reg Query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PnPHost" /s =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg Query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProfileList" /s =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


==== End of Fixlog 15:53:06 ====


Edited by sander66, 18 July 2017 - 05:21 PM.
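The two symptoms above (post #7's chain of "depends on ... which failed to start" errors running from the Server service down to srvnet, and the NPF entry just listed, whose ImagePath points at a file that is not there and whose Enum key carries INITSTARTFAILED) are exactly what the FRST "Reg Query" and "Search Files" steps in this thread gather by hand, one key at a time. Below is an added, read-only PowerShell example; it is not part of this thread and not one of JSntgRvr's fix scripts. It walks a service's DependOnService chain through the registry and reports, for each link, whether the key exists, how it is set to start, whether the binary behind ImagePath (or Parameters\ServiceDll for svchost-hosted services) is present, and what signature status it carries. The registry names LanmanServer, Browser, LanmanWorkstation, srv and srv2 are assumed here (they are the registry names behind the event log's "Server", "Computer Browser", "Workstation" and the SMB 1.x / 2.x driver display names); the thread itself only shows srvnet, the mrxsmb* client drivers, NPF and UPnPHost.

```powershell
# Added example, not code from this thread or from the fix scripts posted in it.
# Read-only: walks a service's DependOnService chain through the registry and
# reports, for each link, what the FRST "Reg Query" and "Search Files" steps
# above gather by hand: does the key exist, how is it set to start, does the
# binary behind ImagePath exist, and does it carry a valid signature.
# Run from an elevated PowerShell prompt (works on Windows 7's PowerShell 2.0).

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$StartNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

# Turn the assorted ImagePath spellings seen in the registry into a filesystem path.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''                                   # \??\C:\... (as on NPF above)
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative system32\drivers\x.sys
    if ($p -match '^"?([^"]+\.exe)"?\s+-k\s') { $p = $Matches[1] }      # "svchost.exe -k Group" host line
    return $p
}

function Get-ServiceChain {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [int]$Depth = 0,
        [hashtable]$Seen = @{}
    )
    $indent = '  ' * $Depth
    if ($Seen.ContainsKey($Name.ToLower())) {
        Write-Output ("{0}{1} (shown above)" -f $indent, $Name); return
    }
    $Seen[$Name.ToLower()] = $true

    $key = Join-Path $ServicesKey $Name
    if (-not (Test-Path $key)) {
        # No key at all: this is what "depends on the following service: X.
        # This service might not be installed." in the event log means.
        Write-Output ("{0}{1,-18} MISSING registry key" -f $indent, $Name); return
    }
    $svc   = Get-ItemProperty -Path $key
    $start = if ($null -eq $svc.Start) { '?' } else { $StartNames[[int]$svc.Start] }

    # For svchost-hosted services the code that matters is Parameters\ServiceDll
    # (UPnPHost above: %SystemRoot%\System32\upnphost.dll).
    $binary    = Resolve-ImagePath $svc.ImagePath
    $paramsKey = Join-Path $key 'Parameters'
    if ($binary -and $binary -match 'svchost\.exe$' -and (Test-Path $paramsKey)) {
        $dll = (Get-ItemProperty -Path $paramsKey).ServiceDll
        if ($dll) { $binary = [Environment]::ExpandEnvironmentVariables($dll) }
    }

    $fileState = 'no ImagePath'
    if ($binary) {
        if (Test-Path -LiteralPath $binary) {
            # Caveat: on Windows 7 this cmdlet does not consult driver catalogs, so a
            # catalog-signed Microsoft file can show NotSigned here while FRST reports
            # "[File is digitally signed]". Treat NotSigned as "verify with another
            # tool", not as proof of tampering.
            $sig = Get-AuthenticodeSignature -FilePath $binary
            $fileState = "{0} [{1}]" -f $binary, $sig.Status
        } else {
            $fileState = "{0} [FILE NOT FOUND]" -f $binary   # e.g. npf64.sys in the NPF entry above
        }
    }

    # INITSTARTFAILED under <service>\Enum is set when the driver's last start
    # attempt failed (visible under NPF\Enum in the Reg Query output above).
    $enumKey = Join-Path $key 'Enum'
    $failed  = (Test-Path $enumKey) -and ((Get-ItemProperty -Path $enumKey).INITSTARTFAILED -eq 1)
    $flag    = if ($failed) { ' INITSTARTFAILED' } else { '' }

    Write-Output ("{0}{1,-18} Start={2,-8} {3}{4}" -f $indent, $Name, $start, $fileState, $flag)

    # Recurse into DependOnService (REG_MULTI_SZ); a missing or empty value ends the walk.
    foreach ($dep in @($svc.DependOnService | Where-Object { $_ })) {
        Get-ServiceChain -Name $dep -Depth ($Depth + 1) -Seen $Seen
    }
}

# Assumed registry names: the event log's "Server" and "Computer Browser" are
# LanmanServer and Browser; srv (SMB 1.x), srv2 (SMB 2.x) and srvnet appear as
# their dependencies. The thread itself only shows srvnet, mrxsmb*, NPF and UPnPHost.
$seen = @{}
foreach ($root in 'LanmanServer', 'Browser', 'LanmanWorkstation', 'NPF', 'UPnPHost') {
    Get-ServiceChain -Name $root -Seen $seen
    Write-Output ''
}
```

Read the output from the innermost indented line upward: the first link that prints "MISSING registry key" or "[FILE NOT FOUND]" is the one every service above it is blaming in the event log, which is the question the srvnet* search in post #8 answers. The script changes nothing; repairing a missing key or file is what the fix scripts in this thread do, and that step should stay with the helper.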


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 July 2017 - 02:28 AM

Open FRST as you did before.

Type the following in the edit box on FRST, after "Search:".

upnphost.dll;npf64.sys

It then should look like:

Search: upnphost.dll;npf64.sys

Click the Search Files button and post the log (Search.txt) it makes on the USB drive in your next reply.




#14 sander66

sander66
  • Topic Starter

  • Members
  • 77 posts

Posted 19 July 2017 - 06:57 AM

Farbar Recovery Scan Tool (x64) Version: 18-07-2017
Ran by xxr (19-07-2017 06:54:31)
Running from C:\Users\xxr\Downloads
Boot Mode: Normal

================== Search Files: "upnphost.dll;npf64.sys" =============

C:\Windows\winsxs\wow64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_2831d06e8295c671\upnphost.dll
[2009-07-13 18:55][2009-07-13 20:16] 0266752 _____ (Microsoft Corporation) 833FBB672460EFCE8011D262175FAD33 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_1ddd261c4e350476\upnphost.dll
[2009-07-13 19:11][2009-07-13 20:41] 0353792 _____ (Microsoft Corporation) D47EC6A8E81633DD18D2436B19BAF6DE [File is digitally signed]

C:\Windows\SysWOW64\upnphost.dll
[2009-07-13 18:55][2009-07-13 20:16] 0266752 _____ (Microsoft Corporation) 833FBB672460EFCE8011D262175FAD33 [File is digitally signed]

C:\Windows\System32\upnphost.dll
[2009-07-13 19:11][2009-07-13 20:41] 0353792 _____ (Microsoft Corporation) D47EC6A8E81633DD18D2436B19BAF6DE [File is digitally signed]

C:\Windows\erdnt\cache86\upnphost.dll
[2013-02-23 10:59][2009-07-13 20:16] 0266752 _____ (Microsoft Corporation) 833FBB672460EFCE8011D262175FAD33 [File is digitally signed]

====== End of Search ======



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 July 2017 - 11:23 AM

The NPF service is related to WinPcap, which is not installed on the computer, so I will remove the entry.

 

Let's fix the rest:

 

Download the enclosed .zip file. [attachment=196202:upnphost.zip] Extract its contents to the ill computer's desktop. Once done, open the folder, right click the RunMe.bat file and select "Run as Administrator". If the computer does not restart, please manually restart the computer.

 

Test and let me know the outcome.


Edited by JSntgRvr, 19 July 2017 - 11:33 AM.





