Backdoor, Rootkit,


  • This topic is locked
20 replies to this topic

#1 tmedicine

  • Members
  • 63 posts

Posted 25 August 2017 - 10:13 PM

Hi, my laptop is currently running slow and I noticed some services were missing and a host file was added to my system, and anonymous user accounts and permissions were added and screwed up my own user accounts and permissions, and system security settings were messed up; they wouldn't let me access some stuff on my own computer, like system32 files and Documents and Settings files. I also noticed in my File Explorer under the Network tab is another device I do not recognize, and when I try to click on it, a password dialog box comes up asking me to type in my credentials to access and connect to the device. I do not know the password for it, and it installed itself or accessed my computer somehow I can not explain, probably through a backdoor, like backdoor.rustock.b or something. It is really annoying and I am trying to get rid of it and it's hard. I tried rkill, HijackThis, the services repair tool by ESET, and Microsoft Fixit, for security settings I fixed. I also reset user permissions back to default settings using the 'Subinacl Tool' from Microsoft. I am also currently running HitmanPro right now and all it found was a bunch of tracking cookies. Also I have Norton Security, and I tried denying the trust on the device in the Network tab in File Explorer and restricting it through Norton; it worked for 1 day, but the device came back the next day under File Explorer in the Network tab again. Also the services keep getting all messed up even though I ran the fix in the services repair tool by ESET and HijackThis (mind you, I am not really that good with hijackthis.exe, so I didn't really tamper with too much or do too much with it either; I don't want to break my machine :P).

Please, I would like some guidance and some help on resolving this issue and cleaning my machine back to normal; I can produce any amount of logs and scans it will take. (Unless it will require me to reinstall Windows through a disk, or do the virus removal process through a USB stick; then it may take a while, as I don't currently have the disk or USB stick to do these tasks with at the moment.) Thank you so much, whoever is willing to take this task on, for your time and help. I will stand by patiently for further instructions. :)

  




#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,763 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 26 August 2017 - 11:23 AM

Welcome :)

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 tmedicine

  • Topic Starter

  • Members
  • 63 posts

Posted 26 August 2017 - 03:56 PM

Hi, I tried pasting the logs twice now, and the tab on my browser keeps going unresponsive and crashing; it will not let me paste them here. Can I somehow send you the files to attach to my reply for you to view?


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by wpg_t (26-08-2017 15:26:08)
Running from C:\Users\wpg_t\Downloads
Windows 10 Home Version 1703 (X64) (2017-06-10 03:41:07)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1289290483-1558043448-3844216220-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1289290483-1558043448-3844216220-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-1289290483-1558043448-3844216220-1000 - Limited - Disabled) => C:\Users\defaultuser0
Guest (S-1-5-21-1289290483-1558043448-3844216220-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1289290483-1558043448-3844216220-1004 - Limited - Enabled)
wpg_t (S-1-5-21-1289290483-1558043448-3844216220-1001 - Administrator - Enabled) => C:\Users\wpg_t
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security (Enabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Enabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
FW: Norton Security (Enabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
. . (HKLM\...\{12B07FF1-29CB-45AC-B493-1DB88BE717BD}) (Version: 7.1 - Intel) Hidden
. . . (HKLM-x32\...\{C01175B6-6575-4526-A55B-2BC2F10BA083}) (Version: 2.7.2.4 - Intel) Hidden
12 Labours of Hercules III: Girl Power (HKLM-x32\...\WTA-dacca96a-1664-41a8-9e9d-fd217fe16ee3) (Version: 3.0.2.118 - WildTangent) Hidden
888poker (HKLM-x32\...\{8C4CF142-0807-473A-A0E5-08FE1CA14BBC}) (Version: 7.3.30037 - 888) Hidden
888poker (HKU\S-1-5-21-1289290483-1558043448-3844216220-1001\...\InstallShield_{8C4CF142-0807-473A-A0E5-08FE1CA14BBC}) (Version: 7.3.30037 - 888)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.7.157 - Adobe Systems, Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{D2FE6376-E549-4F63-A2C5-CA24DA035DE4}) (Version: 5.6 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{BB109E24-EE90-485B-A28B-ADDEFB40540B}) (Version: 5.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
Azkend 2: The World Beneath (HKLM-x32\...\WTA-67ea271c-651b-47e8-b75d-7522891baf83) (Version: 2.2.0.98 - WildTangent) Hidden
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Building the Great Wall of China Collector's Edition (HKLM-x32\...\WTA-c57ce4dc-3ab8-45d1-a947-fb43a061687c) (Version: 3.0.2.48 - WildTangent) Hidden
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
Coyote The Outlander (HKLM-x32\...\WTA-77804897-6c35-4541-988f-e54f7e66fddd) (Version: 3.0.2.59 - WildTangent) Hidden
CyberLink PhotoDirector (HKLM\...\{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.5.6713 - CyberLink Corp.) Hidden
CyberLink PhotoDirector (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.5.6713 - CyberLink Corp.)
CyberLink Power Media Player 14 (HKLM-x32\...\{32C8E300-BDB4-4398-92C2-E9B7D8A233DB}) (Version: 14.0.4.6527 - CyberLink Corp.)
CyberLink PowerDirector 12 (HKLM\...\{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.4.4301 - CyberLink Corp.) Hidden
CyberLink PowerDirector 12 (HKLM-x32\...\InstallShield_{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.4.4301 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\{A9CEDD6E-4792-493e-BB35-D86D2E188A5A}) (Version: 6.0.1.4301 - CyberLink Corp.)
Delicious: Emily's Wonder Wedding Premium Edition (HKLM-x32\...\WTA-19c5145e-4d4d-421d-88ae-8d123b6dc5a7) (Version: 3.0.2.59 - WildTangent) Hidden
DisableMSDefender (HKLM\...\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}) (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Dropbox 25 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.8.2 - Dropbox, Inc.)
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
Entwined: The Perfect Murder (HKLM-x32\...\WTA-87c3efb5-f3cf-4636-8758-486d54ee76e7) (Version: 3.0.2.59 - WildTangent) Hidden
Evernote v. 5.8.6 (HKLM-x32\...\{FEDC7C10-EF67-11E4-9B07-00505695D7B0}) (Version: 5.8.6.7519 - Evernote Corp.)
Facebook Gameroom 1.4.6373.26636 (HKLM-x32\...\{62E64CE0-AA1E-4F83-BC24-86D9AD6A1C30}) (Version: 1.4.6373.26636 - Facebook)
Family Vacation 2: Road Trip (HKLM-x32\...\WTA-f154b772-ac94-492c-b4be-96f384040bb2) (Version: 3.0.2.59 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 60.0.3112.113 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Home Makeover (HKLM-x32\...\WTA-6225436a-9408-40cb-a7e6-b81224a0ad2b) (Version: 3.0.2.59 - WildTangent) Hidden
HP 3D DriveGuard (HKLM-x32\...\{E8D0E2B8-B64B-44BC-8E01-00DDACBDF78A}) (Version: 6.0.28.1 - Hewlett-Packard Company)
HP CoolSense (HKLM-x32\...\{1504CF6F-8139-497F-86FC-46174B67CF7F}) (Version: 2.20.51 - Hewlett-Packard Company)
HP Documentation (HKLM\...\HP_Documentation) (Version:  - HP)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.8293.5264 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.0.29.6 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{D7D5F438-26EF-45AB-AB89-C476FBCF8584}) (Version: 12.7.27.15 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{D17A3B70-B75E-4C49-83D6-C17DDF65B35F}) (Version: 1.3.4 - Hewlett-Packard Company)
HP Welcome (HKLM\...\HPWelcome) (Version: 1.0 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{EFA01423-3857-468C-B7B6-F30AA08E50BC}) (Version: 1.1.5.1 - Hewlett-Packard)
IGT Slots: Paradise Garden (HKLM-x32\...\WTA-4a44fe6c-70cc-4bbf-9233-259e9bb93cc5) (Version: 3.0.2.59 - WildTangent) Hidden
Imperial Island: Birth of an Empire (HKLM-x32\...\WTA-9b121532-f676-41e9-a109-f2430a556ea3) (Version: 3.0.2.59 - WildTangent) Hidden
Insane Cold: Back to the Ice Age (HKLM-x32\...\WTA-8363e240-f55d-4f9a-8ea7-7d053bdb8b1a) (Version: 3.0.2.59 - WildTangent) Hidden
Intel® Chipset Device Software (HKLM-x32\...\{60c073df-e736-4210-9c3a-5fc2b651cef3}) (Version: 10.1.1.7 - Intel® Corporation) Hidden
Intel® Dynamic Platform and Thermal Framework (HKLM-x32\...\{654EE65D-FAA4-4EA6-8C07-DC94E6A304D4}) (Version: 8.1.10600.147 - Intel Corporation)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1158 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.15.4256 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 14.5.0.1081 - Intel Corporation)
Intel® Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 30.100.1519.7 - Intel Corporation)
Intel® Virtual Buttons (HKLM-x32\...\1992736F-C90A-481C-B21B-EE34CAD07387) (Version: 1.1.0.21 - Intel Corporation)
Intel® WiDi (HKLM\...\{76FAF7E1-52D0-49F7-A627-E78303F9C7EF}) (Version: 6.0.39.0 - Intel Corporation)
Intel® WiDi Software Asset Manager (HKLM-x32\...\{5B5CD20C-29F0-4857-A4FA-A4F4C716B019}) (Version: 1.1.347 - Intel Corporation) Hidden
Intel® Wireless Bluetooth® (HKLM-x32\...\{559FA847-377D-4926-80A3-ED9E014D363A}) (Version: 19.60.0 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{954190cd-c66c-4650-bd15-f3dd85f2ae15}) (Version: 2.7.2.4 - Intel)
Intel® PROSet/Wireless Software (HKLM-x32\...\{185db067-38cd-4521-a43e-c39b96ee1389}) (Version: 19.50.1 - Intel Corporation)
Intel® Software Guard Extensions Platform Software (HKLM\...\{10307C17-F7FD-405D-9F3B-0BF66EA43857}) (Version: 1.0.26920.1393 - Intel Corporation)
iTunes (HKLM\...\{02F95875-9527-49CC-B32F-970ADAEBD1EF}) (Version: 12.6.2.20 - Apple Inc.)
Jewel Match Snowscapes (HKLM-x32\...\WTA-67d3f75c-5d44-474f-a95f-9d65e67cf918) (Version: 3.0.2.118 - WildTangent) Hidden
Lightshot-5.4.0.10 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.4.0.10 - Skillbrains)
Living Legends: Frozen Beauty Collector's Edition (HKLM-x32\...\WTA-a2eff268-4e46-47b3-9e5e-6ca5fe61ac8f) (Version: 3.0.2.59 - WildTangent) Hidden
Lost Lands: Dark Overlord Collector's Edition (HKLM-x32\...\WTA-549f68e3-4f4d-4ac9-bbcb-b5ba47fcbe48) (Version: 3.0.2.59 - WildTangent) Hidden
Lost Souls: Timeless Fables Collector's Edition (HKLM-x32\...\WTA-26de2b22-3277-458a-b917-dc722c8d9841) (Version: 3.0.2.59 - WildTangent) Hidden
Manor Memoirs Collector's Edition (HKLM-x32\...\WTA-21bc97b4-0c90-45d3-8814-ecb723921fab) (Version: 3.0.2.59 - WildTangent) Hidden
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4693.1005 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1289290483-1558043448-3844216220-1001\...\OneDriveSetup.exe) (Version: 17.3.6943.0625 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 54.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 54.0.1 (x86 en-US)) (Version: 54.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 53.0.2 - Mozilla)
Mystery Expedition: Prisoners of Ice (HKLM-x32\...\WTA-3875334f-cb57-43ea-bae5-9a7b3f552db4) (Version: 3.0.2.59 - WildTangent) Hidden
Norton Security (HKLM-x32\...\NS) (Version: 22.10.0.85 - Symantec Corporation)
OpenOffice 4.1.3 (HKLM-x32\...\{EEA30AEB-8BA7-465B-85D4-098BB99733E7}) (Version: 4.13.9783 - Apache Software Foundation)
partypoker (HKLM-x32\...\PartyPoker) (Version:  - PartyGaming)
partypoker (HKU\S-1-5-21-1289290483-1558043448-3844216220-1001\...\PartyPoker) (Version:  - )
Plagiarii (HKLM-x32\...\WTA-6cfcf05a-eaf6-45cf-a4a3-72b5813c53b3) (Version: 3.0.2.59 - WildTangent) Hidden
Poker PlayNow.com (HKLM-x32\...\Poker PlayNow.com ) (Version:  - Boss Media AB)
PokerStars (HKLM-x32\...\PokerStars) (Version:  - PokerStars)
Polar Bowler 1st Frame (HKLM-x32\...\WTA-9622778b-ec27-4353-86b9-07f9274eba16) (Version: 3.0.2.59 - WildTangent) Hidden
Project64 version 2.3.0.210 (HKLM-x32\...\{BEB5FB69-4080-466F-96C4-F15DF271718B}_is1) (Version: 2.3.0.210 - )
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10125.21277 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.1.505.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7553 - Realtek Semiconductor Corp.)
Realtek PC Camera (HKLM-x32\...\{E399A5B3-ED53-4DEA-AF04-8011E1EB1EAC}) (Version: 10.0.14393.11233 - Realtek Semiconductor Corp.)
Runefall (HKLM-x32\...\WTA-28c029a8-f71e-4c9e-affc-f0a7018c0656) (Version: 3.0.2.126 - WildTangent) Hidden
RuneScape Launcher 2.2.4 (HKLM\...\RuneScape Launcher_is1) (Version: 2.2.4 - Jagex Ltd)
Super HUD (HKLM-x32\...\Super HUD) (Version:  - Poker Pro Labs)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics ClickPad Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.12.107 - Synaptics Incorporated)
Update Installer for WildTangent Games App (HKLM-x32\...\{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App) (Version:  - WildTangent) Hidden
Vulkan Run Time Libraries 1.0.33.0 (HKLM\...\VulkanRT1.0.33.0) (Version: 1.0.33.0 - LunarG, Inc.)
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App for HP (HKLM-x32\...\{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp) (Version: 4.0.11.16 - WildTangent) Hidden
Windows 10 Update and Privacy Settings (HKLM\...\{293F2009-0145-450B-B4AA-063D43FB368C}) (Version: 1.0.13.0 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ContextMenuHandlers1: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ContextMenuHandlers1: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.10.0.85\NavShExt.dll [2017-07-14] (Symantec Corporation)
ContextMenuHandlers2: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.10.0.85\NavShExt.dll [2017-07-14] (Symantec Corporation)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\System32\DriverStore\FileRepository\ki123308.inf_amd64_c17fc06e1086d457\igfxDTCM.dll [2017-07-11] (Intel Corporation)
ContextMenuHandlers6: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files\Norton Security\Engine\22.10.0.85\buShell.dll [2017-07-14] (Symantec Corporation)
ContextMenuHandlers6: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.10.0.85\NavShExt.dll [2017-07-14] (Symantec Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {048EAF67-F11F-4B52-B50C-0F74DE319A59} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2017-08-03] (HP Inc.)
Task: {0522F7AD-33D7-48F0-AE00-E0A6161CBF7A} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2015-05-21] (Hewlett-Packard Development Company, L.P.)
Task: {07A870E5-3DCC-4D87-90BB-312C7C7B1D08} - System32\Tasks\update-S-1-5-21-1289290483-1558043448-3844216220-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {09498989-879D-49F0-981F-24D1AC185CA2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-08-26] (Google Inc.)
Task: {13A0BA9C-FC29-4178-9515-40B78BA8B840} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-08-20] (Adobe Systems Incorporated)
Task: {1C54B05A-A09A-4180-AA3D-A3B945A80404} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Security\Engine\22.10.0.85\WSCStub.exe [2017-07-14] (Symantec Corporation)
Task: {1ED87F11-F172-4313-80C1-C06F0B492636} - System32\Tasks\Norton Security\Norton Security Autofix => C:\Program Files\Norton Security\Engine\22.10.0.85\SymErr.exe [2017-07-14] (Symantec Corporation)
Task: {20E83525-C3DD-4F09-B075-646D3ED42A61} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam6\YouCamService6.exe [2015-07-01] (CyberLink Corp.)
Task: {33C82AA0-8A2A-4D56-8394-12169F5DE0B3} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2017-04-12] (TODO: <Company name>)
Task: {5B58D4E5-0DB1-4356-B5B0-666A23C9CC6A} - System32\Tasks\Norton Security\Norton Security Error Processor => C:\Program Files\Norton Security\Engine\22.10.0.85\SymErr.exe [2017-07-14] (Symantec Corporation)
Task: {5E9CE45F-F082-458C-A932-5B86DCF165B3} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe
Task: {61489C60-7BF4-4473-8D11-2CC3C406B482} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-02-14] (Apple Inc.)
Task: {650AA5D2-35E5-4209-A159-C0503FDAC99F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2017-08-03] (HP Inc.)
Task: {88CB9ACB-07A1-4641-A213-15778E10B5D2} - System32\Tasks\S-1-5-21-1289290483-1558043448-3844216220-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-03-18] (Microsoft Corporation)
Task: {89247F2E-02B0-4D18-8CFB-3BC32882ACF8} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2017-06-22] (HP Inc.)
Task: {8D0F72F7-FDEB-458F-AB56-9441AAEF1EAE} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Active Health Launcher => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-11-07] (HP Inc.)
Task: {9D3CFABA-C061-46AB-8A10-1617914D3FA6} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-11-07] (HP Inc.)
Task: {A07770D3-5E8F-48D5-98B7-58CA13164341} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2015-06-19] ()
Task: {C0821835-EC7A-4173-A807-095C774AD071} - System32\Tasks\IntelWiDi-Upgrade-91ba0caa-28a7-4f47-8d08-f71b4b10fbec => C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [2015-06-17] (Intel Corporation)
Task: {C08403F7-83CA-4DE4-B9AD-94A87C2C65DE} - System32\Tasks\IntelWiDi-Upgrade-91ba0caa-28a7-4f47-8d08-f71b4b10fbec-Logon => C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [2015-06-17] (Intel Corporation)
Task: {CF1AD8EA-FE92-4A04-B86F-553630350A64} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-12-07] (HP Inc.)
Task: {D739A576-EECD-4B7F-A895-9B7974949E68} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2017-07-14] (Symantec Corporation)
Task: {DE44155B-BABF-4AFE-B23C-8C6F9CE22B06} - System32\Tasks\HPCeeScheduleForwpg_t => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {E24B2DC0-6443-4511-A519-58B6387FC02B} - System32\Tasks\Intel\Intel Telemetry 2 => C:\Program Files\Intel\Telemetry 2.0\lrio.exe [2016-03-17] (Intel Corporation)
Task: {E65FD85C-5277-4321-8405-BFA89CE8BB10} - System32\Tasks\Norton Security\Norton Security Error Analyzer => C:\Program Files\Norton Security\Engine\22.10.0.85\SymErr.exe [2017-07-14] (Symantec Corporation)
Task: {EBEA1712-8ACD-4A7B-AA6F-0FF5B21C0AFD} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-07-11] (Hewlett-Packard Company)
Task: {F02BFE2A-7AD4-4DAF-8441-9D07A4D4355F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-08-26] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForwpg_t.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\WINDOWS\Tasks\update-S-1-5-21-1289290483-1558043448-3844216220-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\WINDOWS\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-07-13 20:50 - 2017-07-13 20:50 - 000092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-07-13 20:50 - 2017-07-13 20:50 - 001354040 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-11-11 23:40 - 2014-04-14 21:59 - 000389896 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2017-03-18 15:57 - 2017-03-18 15:57 - 000037376 _____ () C:\WINDOWS\system32\SpectrumSyncClient.dll
2017-03-18 15:58 - 2017-03-18 15:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 15:59 - 2017-03-18 21:31 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-08-23 04:17 - 2017-08-23 04:18 - 000074752 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.19.856.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-08-23 04:17 - 2017-08-23 04:18 - 000203264 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.19.856.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-08-23 04:17 - 2017-08-23 04:18 - 036162048 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.19.856.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-08-23 04:17 - 2017-08-23 04:18 - 002237952 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.19.856.0_x64__kzf8qxf38zg5c\skypert.dll
2017-08-26 14:55 - 2017-08-23 03:48 - 003824472 _____ () C:\Program Files (x86)\Google\Chrome\Application\60.0.3112.113\libglesv2.dll
2017-08-26 14:55 - 2017-08-23 03:48 - 000100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\60.0.3112.113\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-07-10 06:04 - 2017-08-25 03:23 - 000000830 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1289290483-1558043448-3844216220-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\wpg_t\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\{76637270-8302-4060-a155-eb155258fa0a}.jpg
DNS Servers: 192.168.100.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Lightshot"
HKU\S-1-5-21-1289290483-1558043448-3844216220-1001\...\StartupApproved\StartupFolder: => "Facebook Gameroom.lnk"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [ProximityUxHost-Sharing-Out-TCP-NoScope] => (Block) %SystemRoot%\system32\proximityuxhost.exe
FirewallRules: [{B9231A59-D588-4639-A1D9-0571AA2802E0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{297EEBDB-72FF-441E-AE2A-9721FCB67978}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{09BE5F61-44F7-41C8-96F9-AF548A581007}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVD Cinema\PowerDVDCinema.exe
FirewallRules: [{55474F31-EB44-4AEA-8268-B164204571EF}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVDMovie.exe
FirewallRules: [{C2370389-3050-4D04-86D8-240D0A9D1F9A}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe
FirewallRules: [{C7BF5BC4-6FFA-4264-93BB-70ED669BD623}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe
FirewallRules: [{39697982-6385-46E5-A524-62D35EC0170E}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD.exe
FirewallRules: [{C67099C6-22EA-4D37-8327-E2FB272544AB}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{A3F3D05D-B657-4711-9EBB-D27D12BFBADF}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{025E197D-3ECF-43FC-9430-FC1A84D8C337}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{C06A34E7-5D15-4DE2-8ECF-F8CD708E5842}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiAppOld.exe
FirewallRules: [{A75219D7-FF54-431E-BDCA-2742097A0119}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\Next\WirelessDisplay.exe
FirewallRules: [{F23E268B-C34A-425C-9058-C234333054EB}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\SmartAgentTest.exe
FirewallRules: [{639FD521-EF51-4C65-A0D3-84EEFB890482}] => (Allow) C:\Program Files\Intel Corporation\USB over IP\bin\UoipService.exe
FirewallRules: [{4DE0E5E0-5DFE-496C-8B98-70336BA2426C}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE
FirewallRules: [{9E7147D6-AFF0-4F5F-9780-1F41D9F9E7D1}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{AC609EC7-F86E-4485-98C6-560AF400E775}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{3283BF34-B272-4048-9215-6377C88E9822}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{5A56843A-00E9-4C0C-83A2-2220BA7A2B6B}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{851ABE2E-904E-44C5-9866-097733F86AF4}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{6DF63741-C776-41C4-A589-C4E44D5AB274}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{12687B70-4C0E-4DB8-9E93-8380A0137B21}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
12-08-2017 17:17:51 Installed iTunes
24-08-2017 03:27:52 Windows Modules Installer
25-08-2017 03:29:27 Norton_Power_Eraser_20170825032925998
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/26/2017 02:32:59 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
 
Error: (08/26/2017 02:31:18 PM) (Source: HP Active Health) (EventID: 2800) (User: )
Description: Agent SystemState threw an exception: System.InvalidOperationException: Cannot load Counter Name data because an invalid index '' was read from the registry.
   at System.Diagnostics.PerformanceCounterLib.GetStringTable(Boolean isHelp)
   at System.Diagnostics.PerformanceCounterLib.get_NameTable()
   at System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at System.Diagnostics.PerformanceCounterLib.CounterExists(String category, String counter, Boolean& categoryExists)
   at System.Diagnostics.PerformanceCounterLib.CounterExists(String machine, String category, String counter)
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter..ctor(String categoryName, String counterName, String instanceName, Boolean readOnly)
   at System.Diagnostics.PerformanceCounter..ctor(String categoryName, String counterName, String instanceName)
   at HP.ActiveHealth.Agents.SystemState.SystemStateAgent.CpuUsage()
   at HP.ActiveHealth.Agents.SystemState.SystemStateAgent.FetchValues()
   at HP.ActiveHealth.Agents.SystemState.SystemStateAgent.CollectNewDataClasses(FileInfo agentStateFile, IDataClassCollector dataClassColector)
   at HP.ActiveHealth.API.DataGeneration.AgentRunner.QueryAgentDelegate(Object agentObj)
 
Error: (08/26/2017 02:31:06 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "aspnet_state" in DLL "C:\Windows\System32\aspnet_counters.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
 
Error: (08/26/2017 02:31:06 PM) (Source: Perflib) (EventID: 1023) (User: )
Description: Windows cannot load the extensible counter DLL ASP.NET_64_2.0.50727. The first four bytes (DWORD) of the Data section contains the Windows error code.
 
Error: (08/26/2017 02:31:06 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "ASP.NET_4.0.30319" in DLL "C:\Windows\System32\aspnet_counters.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
 
Error: (08/26/2017 02:31:06 PM) (Source: Perflib) (EventID: 1023) (User: )
Description: Windows cannot load the extensible counter DLL ASP.NET_2.0.50727. The first four bytes (DWORD) of the Data section contains the Windows error code.
 
Error: (08/26/2017 02:31:06 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "ASP.NET" in DLL "C:\Windows\System32\aspnet_counters.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.
 
Error: (08/26/2017 02:27:54 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-N7I39C5)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (08/26/2017 01:43:36 AM) (Source: HP Active Health) (EventID: 2800) (User: )
Description: Agent SystemState threw an exception: System.InvalidOperationException: Cannot load Counter Name data because an invalid index '' was read from the registry.
   at System.Diagnostics.PerformanceCounterLib.GetStringTable(Boolean isHelp)
   at System.Diagnostics.PerformanceCounterLib.get_NameTable()
   at System.Diagnostics.PerformanceCounterLib.get_CategoryTable()
   at System.Diagnostics.PerformanceCounterLib.CounterExists(String category, String counter, Boolean& categoryExists)
   at System.Diagnostics.PerformanceCounterLib.CounterExists(String machine, String category, String counter)
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter..ctor(String categoryName, String counterName, String instanceName, Boolean readOnly)
   at System.Diagnostics.PerformanceCounter..ctor(String categoryName, String counterName, String instanceName)
   at HP.ActiveHealth.Agents.SystemState.SystemStateAgent.CpuUsage()
   at HP.ActiveHealth.Agents.SystemState.SystemStateAgent.FetchValues()
   at HP.ActiveHealth.Agents.SystemState.SystemStateAgent.CollectNewDataClasses(FileInfo agentStateFile, IDataClassCollector dataClassColector)
   at HP.ActiveHealth.API.DataGeneration.AgentRunner.QueryAgentDelegate(Object agentObj)
 
Error: (08/26/2017 01:29:26 AM) (Source: ESENT) (EventID: 455) (User: )
Description: svchost (4336) SRUJet: Error -1811 (0xfffff8ed) occurred while opening logfile C:\WINDOWS\system32\SRU\SRU01E2B.log.
 
 
System errors:
=============
Error: (08/26/2017 02:27:54 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (08/26/2017 01:35:19 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (08/26/2017 01:35:19 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (08/26/2017 01:35:05 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The User Energy Server Service queencreek service terminated with the following error: 
%%497
 
Error: (08/26/2017 01:35:05 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Energy Server Service queencreek service terminated with the following error: 
The stream is not a tiny stream.
 
Error: (08/26/2017 01:33:03 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Downloaded Maps Manager service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (08/26/2017 01:30:57 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The vds service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (08/26/2017 01:30:57 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the vds service to connect.
 
Error: (08/26/2017 01:30:25 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The WiaRpc service terminated with the following service-specific error: 
The RPC server is unavailable.
 
Error: (08/26/2017 01:30:20 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The WEPHOSTSVC service terminated with the following error: 
An exception occurred in the service when handling the control request.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-6100U CPU @ 2.30GHz
Percentage of memory in use: 66%
Total physical RAM: 3993.41 MB
Available physical RAM: 1321.04 MB
Total Virtual: 5721.41 MB
Available Virtual: 3098.49 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:444.74 GB) (Free:367.66 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: A50E1C7D)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#4 tmedicine

Posted 26 August 2017 - 04:00 PM

  Turns out it allowed me to paste the Addition log in plain text; now I just need to forward the FRST log on here somehow.



#5 tmedicine

Posted 26 August 2017 - 04:37 PM

OK, I have uploaded the FRST log as a file attached to this reply. Thank you.




#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:39 PM

Posted 26 August 2017 - 05:24 PM

  • Highlight the entire content of the quote box below.

Start::
CMD: Del /q C:\WINDOWS\system32\default_error_stack*.txt
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.
  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
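After the fix and the reboot, a short read-only script can confirm the state the Fixlog reports. This is an added example, not FRST, JRT, AdwCleaner or anything from this thread; it assumes an elevated PowerShell 5.1 session on Windows 10 with the ScheduledTasks and NetSecurity modules, and the function name is my own. It goes a little beyond the post by also covering the update-* scheduled tasks and the Firefox mindspark/myway.com prefs that show up in the JRT log later in the thread.

```powershell
# Added verification script for the cleanup steps in this thread. It is not part of
# FRST, JRT, AdwCleaner or the fixlist above; the function name is my own.
# Assumes an elevated PowerShell 5.1 session on Windows 10 (ScheduledTasks and
# NetSecurity modules present). It only reads state and reports; it changes nothing.

function Test-PostCleanupState {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Hosts file. FRST's "HOSTS:" directive restores the default; the default file
    #    has no active entries, so anything that is not a comment is worth a look.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_.Trim() -ne '' -and -not $_.Trim().StartsWith('#') } |
        ForEach-Object {
            # Plain loopback entries for localhost are harmless on Windows 10.
            if ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') {
                $findings.Add("hosts entry: $_")
            }
        }

    # 2. WinINet proxy. "Removeproxy:" cleared the binary DefaultConnectionSettings and
    #    SavedLegacySettings values; Windows recreates those on its own, so check the
    #    readable values a redirect would need instead: ProxyEnable, ProxyServer, AutoConfigURL.
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($inet.ProxyEnable -eq 1) { $findings.Add("proxy enabled: $($inet.ProxyServer)") }
    if ($inet.AutoConfigURL)     { $findings.Add("PAC script configured: $($inet.AutoConfigURL)") }

    # 3. Firewall profiles. "netsh advfirewall set allprofiles state ON" turned all three on.
    Get-NetFirewallProfile -ErrorAction SilentlyContinue | ForEach-Object {
        if ("$($_.Enabled)" -ne 'True') { $findings.Add("firewall profile off: $($_.Name)") }
    }

    # 4. Scheduled tasks. JRT deleted update-sys and update-<user SID> from the root
    #    task folder (C:\Windows\System32\Tasks\). Flag any root-folder task with that
    #    naming pattern and show what it would execute.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -eq '\' -and $_.TaskName -like 'update-*' } |
        ForEach-Object {
            $exe = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
            $findings.Add("root-folder task $($_.TaskName) runs: $exe")
        }

    # 5. UAC. Addition.txt showed EnableLUA: 1; a cleanup should not have turned it off.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($pol.EnableLUA -ne 1) { $findings.Add('UAC is disabled (EnableLUA is not 1)') }

    # 6. Firefox prefs.js. JRT removed a "mindspark" toolbar branch that pinned the
    #    homepage and new-tab page to hp.myway.com; report any profile that still has it.
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (Test-Path -Path $prefs) {
            Select-String -Path $prefs -Pattern 'mindspark|myway\.com' | ForEach-Object {
                $findings.Add("Firefox pref in $($_.Filename): $($_.Line)")
            }
        }
    }

    return $findings
}

$result = Test-PostCleanupState
if ($result.Count -eq 0) {
    Write-Output 'No leftovers found for the items checked.'
} else {
    $result | ForEach-Object { Write-Output "CHECK: $_" }
}
```

Each "CHECK:" line is something to look at, not proof of infection; a corporate proxy or a deliberately edited hosts file will show up here too.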


#7 tmedicine

Posted 26 August 2017 - 05:52 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by wpg_t (26-08-2017 17:38:51) Run:2
Running from C:\Users\wpg_t\Downloads
Loaded Profiles: wpg_t (Available Profiles: defaultuser0 & wpg_t)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
CMD: Del /q C:\WINDOWS\system32\default_error_stack*.txt
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
 
*****************
 
 
========= Del /q C:\WINDOWS\system32\default_error_stack*.txt =========
 
 
========= End of CMD: =========
 
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => key removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found. 
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1289290483-1558043448-3844216220-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1289290483-1558043448-3844216220-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========
 
Failed to clear log Intel-SST-CFD-HDA/IntelSST. The instance name passed was not recognized as valid by a WMI data provider.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5304176 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 653987 B
Edge => 22401888 B
Chrome => 75985096 B
Firefox => 41965 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 19836 B
LocalService => 822 B
NetworkService => 0 B
defaultuser0 => 0 B
wpg_t => 7024325 B
 
RecycleBin => 0 B
EmptyTemp: => 113.3 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 17:48:00 ====

Should I reboot my system before running the JRT.exe tool, or disregard the reboot and just continue to the JRT.exe tool step?



#8 JSntgRvr

Posted 26 August 2017 - 07:29 PM

Go ahead!



#9 tmedicine

Posted 26 August 2017 - 07:33 PM

OK, perfect. I just did the reboot, and now I am running the JRT.exe tool.



#10 JSntgRvr

Posted 26 August 2017 - 07:51 PM

:thumbup2:




#11 tmedicine

Posted 26 August 2017 - 08:07 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Home x64 
Ran by wpg_t (Administrator) on 2017-08-26 at 19:28:41.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 4 
 
Successfully deleted: C:\WINDOWS\system32\Tasks\update-S-1-5-21-1289290483-1558043448-3844216220-1001 (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\update-sys (Task)
Successfully deleted: C:\WINDOWS\Tasks\update-S-1-5-21-1289290483-1558043448-3844216220-1001.job (Task) 
Successfully deleted: C:\WINDOWS\Tasks\update-sys.job (Task) 
 
Deleted the following from C:\Users\wpg_t\AppData\Roaming\Mozilla\Firefox\Profiles\t85y7iey.default\prefs.js
user_pref(browser.startup.homepage, hxxp://hp.myway.com/downspeedtest/ttab02/index.html?coId=e77d3131b97e4a5eb017d212b79a4a5e&subId&ln=en&n=783a12c2&ptb=936C6609-2D49-41D4-
user_pref(extensions.toolbar.mindspark._dqMembers_.BUTTON_STRUCTURE, [{\b\:224180039,\c\:\mindspark.magnify\,\p\:\L.0\},{\b\:224180040,\c\:\mindspark.enterse
user_pref(extensions.toolbar.mindspark._dqMembers_.browser.startup.homepage.prev, hxxp://hp.myway.com/convertpdfsnow/ttab02/index.html?coId=c58194749f0e4285b87dfdc226507324
user_pref(extensions.toolbar.mindspark._dqMembers_.browser.startup.homepage.savedPrev, true);
user_pref(extensions.toolbar.mindspark._dqMembers_.browser.startup.homepage.tb, hxxp://hp.myway.com/downspeedtest/ttab02/index.html?coId=e77d3131b97e4a5eb017d212b79a4a5e&su
user_pref(extensions.toolbar.mindspark._dqMembers_.browser.startup.page.savedPrev, 1);
user_pref(extensions.toolbar.mindspark._dqMembers_.browser.startup.page.tb, 1);
user_pref(extensions.toolbar.mindspark._dqMembers_.browser.version.last, 54.0);
user_pref(extensions.toolbar.mindspark._dqMembers_.coId, e77d3131b97e4a5eb017d212b79a4a5e);
user_pref(extensions.toolbar.mindspark._dqMembers_.firefoxSearchExtensionEnabled, true);
user_pref(extensions.toolbar.mindspark._dqMembers_.firstKnownVersion, 7.800.11.14321);
user_pref(extensions.toolbar.mindspark._dqMembers_.homepage, hxxp://hp.myway.com/downspeedtest/ttab02/index.html?coId=e77d3131b97e4a5eb017d212b79a4a5e&subId&ln=en&n=783a12c
user_pref(extensions.toolbar.mindspark._dqMembers_.hp.guardType, HPR);
user_pref(extensions.toolbar.mindspark._dqMembers_.initialized, true);
user_pref(extensions.toolbar.mindspark._dqMembers_.installType, XPI);
user_pref(extensions.toolbar.mindspark._dqMembers_.installation.dlpCountryCode, CA);
user_pref(extensions.toolbar.mindspark._dqMembers_.installation.installDate, 2017071810);
user_pref(extensions.toolbar.mindspark._dqMembers_.installation.partnerId, ^BXM^xdm007^TTAB02^ca);
user_pref(extensions.toolbar.mindspark._dqMembers_.installation.pixelUrl, hxxp://www.downspeedtest.com/install_pixels.jhtml?partner=^BXM^xdm007^TTAB02^ca&coId=e77d3131b97e4
user_pref(extensions.toolbar.mindspark._dqMembers_.installation.success, true);
user_pref(extensions.toolbar.mindspark._dqMembers_.installation.toolbarDataSource, [\COOKIE\,\COOKIE\,\COOKIE\,\COOKIE\,\COOKIE\,\LOCAL_STORAGE\]);
user_pref(extensions.toolbar.mindspark._dqMembers_.installation.toolbarId, 936C6609-2D49-41D4-BA1D-F44ED67064AE);
user_pref(extensions.toolbar.mindspark._dqMembers_.lastActivePing, 1503478624852);
user_pref(extensions.toolbar.mindspark._dqMembers_.lastKnownVersion, 7.800.11.14321);
user_pref(extensions.toolbar.mindspark._dqMembers_.lssState, {\previousLocales\:[\en-US\,\en\],\supportedLocales\:[\de\,\es\,\pt\,\ja\,\en\],\defaultLoca
user_pref(extensions.toolbar.mindspark._dqMembers_.options.defaultSearch, false);
user_pref(extensions.toolbar.mindspark._dqMembers_.options.homePageEnabled, true);
user_pref(extensions.toolbar.mindspark._dqMembers_.options.keywordEnabled, false);
user_pref(extensions.toolbar.mindspark._dqMembers_.options.tabEnabled, true);
user_pref(extensions.toolbar.mindspark._dqMembers_.partnerPixelFired, true);
user_pref(extensions.toolbar.mindspark._dqMembers_.productDeliveryOption.language, en);
user_pref(extensions.toolbar.mindspark._dqMembers_.productDeliveryOption.newTabURL, hxxp://hp.myway.com/downspeedtest/ttab02/index.html?p2=${partnerID}&n=${installDateHex}&
user_pref(extensions.toolbar.mindspark._dqMembers_.productDeliveryOption.type, ToolTab);
user_pref(extensions.toolbar.mindspark._dqMembers_.successUrl, hxxp://downspeedtest.dl.tb.ask.com/installComplete.jhtml);
user_pref(extensions.toolbar.mindspark._dqMembers_.toolbarCollapsed, false);
user_pref(extensions.toolbar.mindspark._dqMembers_.uninstallSurveyUrl, hxxp://downspeedtest.dl.myway.com/uninstall.jhtml?surveyUrl=hxxp%3A%2F%2Fwww.research.net%2Fr%2FHYSCV
user_pref(extensions.toolbar.mindspark._dqMembers_.uninstallTasks, {\prefBranchesToDelete\:[\extensions.toolbar.mindspark._dqMembers_.\],\filesToDelete\:[\C:\\\\User
user_pref(extensions.toolbar.mindspark._jqMembers_.BUTTON_STRUCTURE, [{\b\:233011947,\c\:\mindspark.magnify\,\p\:\L.0\},{\b\:233011948,\c\:\mindspark.enterse
user_pref(extensions.toolbar.mindspark._jqMembers_.browser.startup.homepage.prev, hxxp://www.msn.com/?pc=U270&ocid=U270DHP&osmkt=en-ca);
user_pref(extensions.toolbar.mindspark._jqMembers_.browser.startup.homepage.savedPrev, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.browser.startup.homepage.tb, hxxp://hp.myway.com/convertpdfsnow/ttab02/index.html?coId=c58194749f0e4285b87dfdc226507324&s
user_pref(extensions.toolbar.mindspark._jqMembers_.browser.startup.page.savedPrev, 1);
user_pref(extensions.toolbar.mindspark._jqMembers_.browser.startup.page.tb, 1);
user_pref(extensions.toolbar.mindspark._jqMembers_.browser.version.last, 54.0);
user_pref(extensions.toolbar.mindspark._jqMembers_.coId, c58194749f0e4285b87dfdc226507324);
user_pref(extensions.toolbar.mindspark._jqMembers_.firefoxSearchExtensionEnabled, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.firstKnownVersion, 7.800.11.14189);
user_pref(extensions.toolbar.mindspark._jqMembers_.homepage, hxxp://hp.myway.com/convertpdfsnow/ttab02/index.html?coId=c58194749f0e4285b87dfdc226507324&subId&ln=en&n=783a12
user_pref(extensions.toolbar.mindspark._jqMembers_.hp.enabled, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.hp.guardType, HPR);
user_pref(extensions.toolbar.mindspark._jqMembers_.initialized, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.installType, XPI);
user_pref(extensions.toolbar.mindspark._jqMembers_.installation.dlpCountryCode, CA);
user_pref(extensions.toolbar.mindspark._jqMembers_.installation.installDate, 2017071810);
user_pref(extensions.toolbar.mindspark._jqMembers_.installation.partnerId, ^CQA^xdm117^TTAB02^ca);
user_pref(extensions.toolbar.mindspark._jqMembers_.installation.pixelUrl, hxxp://www.convertpdfsnow.com/install_pixels.jhtml?partner=^CQA^xdm117^TTAB02^ca&coId=c58194749f0e
user_pref(extensions.toolbar.mindspark._jqMembers_.installation.success, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.installation.toolbarDataSource, [\COOKIE\,\COOKIE\,\COOKIE\,\COOKIE\,\COOKIE\,\LOCAL_STORAGE\]);
user_pref(extensions.toolbar.mindspark._jqMembers_.installation.toolbarId, C1321113-0DB3-426F-AE38-A2ADA4D5364F);
user_pref(extensions.toolbar.mindspark._jqMembers_.lastActivePing, 1503478624918);
user_pref(extensions.toolbar.mindspark._jqMembers_.lastKnownVersion, 7.800.11.14189);
user_pref(extensions.toolbar.mindspark._jqMembers_.lssState, {\previousLocales\:[\en-US\,\en\],\supportedLocales\:[\de\,\es\,\pt\,\ja\,\en\],\defaultLoca
user_pref(extensions.toolbar.mindspark._jqMembers_.options.defaultSearch, false);
user_pref(extensions.toolbar.mindspark._jqMembers_.options.homePageEnabled, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.options.keywordEnabled, false);
user_pref(extensions.toolbar.mindspark._jqMembers_.options.tabEnabled, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.partnerPixelFired, true);
user_pref(extensions.toolbar.mindspark._jqMembers_.productDeliveryOption.language, en);
user_pref(extensions.toolbar.mindspark._jqMembers_.productDeliveryOption.newTabURL, hxxp://hp.myway.com/convertpdfsnow/ttab02/index.html?p2=${partnerID}&n=${installDateHex}
user_pref(extensions.toolbar.mindspark._jqMembers_.productDeliveryOption.type, ToolTab);
user_pref(extensions.toolbar.mindspark._jqMembers_.successUrl, hxxp://convertpdfsnow.dl.tb.ask.com/installComplete.jhtml);
user_pref(extensions.toolbar.mindspark._jqMembers_.toolbarCollapsed, false);
user_pref(extensions.toolbar.mindspark._jqMembers_.uninstallSurveyUrl, hxxp://convertpdfsnow.dl.myway.com/uninstall.jhtml?surveyUrl=hxxp%3A%2F%2Fwww.research.net%2Fr%2FHYSC
user_pref(extensions.toolbar.mindspark._jqMembers_.uninstallTasks, {\prefBranchesToDelete\:[\extensions.toolbar.mindspark._jqMembers_.\],\filesToDelete\:[\C:\\\\User
user_pref(extensions.toolbar.mindspark.hp.enabled, false);
user_pref(extensions.toolbar.mindspark.lastInstalled, downspeedtest@mindspark.com);
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2017-08-26 at 19:51:54.92
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#12 tmedicine

Posted 26 August 2017 - 08:31 PM

# AdwCleaner 7.0.1.0 - Logfile created on Sun Aug 27 01:22:53 2017
# Updated on 2017/05/08 by Malwarebytes 
# Database: 08-25-2017.1
# Running on Windows 10 Home (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C0].txt - [1992 B] - [2017/8/25 8:23:3]
C:/AdwCleaner/AdwCleaner[S0].txt - [1785 B] - [2017/8/25 8:14:25]
C:/AdwCleaner/AdwCleaner[S1].txt - [1078 B] - [2017/8/25 9:56:2]
C:/AdwCleaner/AdwCleaner[S2].txt - [1144 B] - [2017/8/26 0:4:33]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt ##########


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:39 PM

Posted 26 August 2017 - 08:32 PM

How is the computer doing?


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 tmedicine

tmedicine
  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  • Local time:01:39 PM

Posted 26 August 2017 - 08:41 PM

It seems to be working a lot better now; the intrusive computer that was on my network in the network tab in my file explorer is GONE! Thank you! :) Also, is there anything more I should do, like change passwords, etc.?



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:39 PM

Posted 26 August 2017 - 08:52 PM

If you believe that your computer was hacked, changing passwords should be the first step.

 

I am glad things got better, congratulations.

 

Use this program to remove tools and quarantined items:

 

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt)

 

Always have your antivirus active and updated.

 

 

Best regards. :)






