svchost.exe - multiple process running


  • This topic is locked
2 replies to this topic

#1 woch2331
Posted 13 September 2017 - 07:19 AM

Running several instances (10-14) of svchost.exe in Task Manager

 

Actions:

Malwarebytes

AdwCleaner

FRST64

 

System Information

******************************************

Windows 7 Professional
Service Pack 1

Intel i5 CPU
4GB RAM
64-bit Operating System

 

Malwarebytes.txt

******************************************

-Log Details-
Scan Date: 9/13/17
Scan Time: 6:32 AM
Log File: c792feca-986e-11e7-a469-70f395880f2e.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2792
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Debby-PC\Debby

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 306506
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 5 min, 38 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.DriveTheLife, C:\PROGRAMDATA\DriveTheLife2012, Quarantined, [2447], [381097],1.0.2792

File: 2
PUP.Optional.DriveTheLife, C:\ProgramData\DriveTheLife2012\BackupList.dat, Quarantined, [2447], [381097],1.0.2792
PUP.Optional.BundleInstaller, C:\USERS\DEBBY\APPDATA\LOCAL\TEMP\VLC-2.1.3-WIN32.EXE, Quarantined, [20], [425688],1.0.2792

Physical Sector: 0
(No malicious items detected)

(end)

 

AdwCleaner[S0].txt

******************************************

# AdwCleaner 7.0.2.1 - Logfile created on Wed Sep 13 10:55:01 2017
# Updated on 2017/29/08 by Malwarebytes
# Database: 09-13-2017.1
# Running on Windows 7 Professional (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Program Files (x86)\Downloaded Installers
PUP.Optional.Legacy, C:\Users\All Users\Documents\Downloaded Installers
PUP.Optional.Legacy, C:\Users\Public\Documents\Downloaded Installers
PUP.Optional.SlimCleanerPlus, C:\Users\Debby\AppData\Local\slimware utilities inc
PUP.Optional.SlimCleanerPlus, C:\Users\Debby\AppData\Local\SlimWare Utilities Inc

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.SlimCleanerPlus, [Key] - HKU\S-1-5-21-4116406913-743611772-3940053389-1000\Software\SlimWare Utilities Inc
PUP.Optional.SlimCleanerPlus, [Key] - HKCU\Software\SlimWare Utilities Inc
PUP.Optional.SlimCleanerPlus, [Key] - HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

 

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########

 

AdwCleaner[C0].txt

******************************************

# AdwCleaner 7.0.2.1 - Logfile created on Wed Sep 13 10:55:35 2017
# Updated on 2017/29/08 by Malwarebytes
# Running on Windows 7 Professional (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Program Files (x86)\Downloaded Installers
Deleted: C:\Users\All Users\Documents\Downloaded Installers
Deleted: C:\Users\Public\Documents\Downloaded Installers
Deleted: C:\Users\Debby\AppData\Local\slimware utilities inc
Deleted: C:\Users\Debby\AppData\Local\SlimWare Utilities Inc

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKU\S-1-5-21-4116406913-743611772-3940053389-1000\Software\SlimWare Utilities Inc
Deleted: [Key] - HKCU\Software\SlimWare Utilities Inc
Deleted: [Key] - HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

 

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [1540 B] - [2017/9/13 10:55:1]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

 

FRST.txt

******************************************

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-09-2017
Ran by Debby (administrator) on DEBBY-PC (13-09-2017 07:59:43)
Running from C:\Users\Debby\Desktop\Bleeping Computer
Loaded Profiles: Debby (Available Profiles: Debby)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2174760 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [239856 2017-09-13] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 75.75.76.76
Tcpip\..\Interfaces\{2D750708-667D-4C06-A200-E18A32FD7E64}: [DhcpNameServer] 75.75.75.75 75.75.76.76 75.75.76.76
Tcpip\..\Interfaces\{4602979B-EA54-4443-90A0-DC7C6B32F47D}: [DhcpNameServer] 75.75.75.75 75.75.76.76 75.75.76.76
Tcpip\..\Interfaces\{B2314C4F-AFF3-4B0D-90E6-08E859B49553}: [DhcpNameServer] 64.71.255.198 192.168.1.1
Tcpip\..\Interfaces\{E524E978-9BB7-4172-B32F-9708374E5D5D}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-4116406913-743611772-3940053389-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
HKU\S-1-5-21-4116406913-743611772-3940053389-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-4116406913-743611772-3940053389-1000 -> DefaultScope {3CA05710-833D-4F84-BB35-96D6DADEFF80} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-4116406913-743611772-3940053389-1000 -> {3CA05710-833D-4F84-BB35-96D6DADEFF80} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-09-13] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-09-13] (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
DPF: HKLM-x32 {9A363F5D-20D7-49E6-97C7-BDE6625CD9E4} hxxps://s3.amazonaws.com/PNCGalleries/static/Scripts/Uploader8.cab
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll [2008-03-06] (Belarc, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Debby\AppData\Roaming\Mozilla\Firefox\Profiles\yal2n20l.default [2017-09-12]
FF Homepage: Mozilla\Firefox\Profiles\yal2n20l.default -> hxxps://www.google.com/
FF Extension: (No Name) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2017-09-13] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-08-02] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-08-02] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7452288 2017-09-13] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [275208 2017-09-13] (AVAST Software)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-21] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 DGPNPSEV; E:\DriverGenius2012\DgService.exe [X]
S2 DTLService; E:\DriveTheLife\DTLService.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [320528 2017-09-13] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [198976 2017-09-13] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [343296 2017-09-13] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [57736 2017-09-13] (AVAST Software s.r.o.)
S3 aswHdsKe; C:\Windows\system32\drivers\aswHdsKe.sys [105136 2017-09-13] (AVAST Software)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [47016 2017-09-13] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [147784 2017-09-13] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [110376 2017-09-13] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [84416 2017-09-13] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1016384 2017-09-13] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [590880 2017-09-13] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [199312 2017-09-13] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [361336 2017-09-13] (AVAST Software)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77440 2017-08-24] ()
S3 Linksys_adapter_H; C:\Windows\System32\DRIVERS\AE1200w764.sys [1254464 2011-03-28] (Broadcom Corporation)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [192960 2017-09-13] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [101824 2017-09-13] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [45472 2017-09-13] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [253888 2017-09-13] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [84256 2017-09-13] (Malwarebytes)
R3 rismcx64; C:\Windows\System32\DRIVERS\rismcx64.sys [59008 2009-07-20] (RICOH Company, Ltd.)
S3 SNP2UVC; C:\Windows\System32\DRIVERS\snp2uvc.sys [1803904 2010-06-03] ()
S3 cpuz135; \??\C:\Users\ADMINI~1\AppData\Local\Temp\cpuz135\cpuz135_x64.sys [X] <==== ATTENTION
S3 HWCore; \??\E:\DriveTheLife\hwcore.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-13 07:58 - 2017-09-13 07:59 - 000000000 ____D C:\FRST
2017-09-13 07:36 - 2017-09-13 07:47 - 000002283 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shortcut to Back Office Switchboard.lnk
2017-09-13 07:36 - 2017-09-13 07:47 - 000002271 _____ C:\Users\Public\Desktop\Back Office Switchboard.lnk
2017-09-13 07:35 - 2017-09-13 07:35 - 000000000 ____D C:\Program Files (x86)\NCRBackOffice
2017-09-13 07:21 - 2017-09-13 07:17 - 000105136 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHdsKe.sys
2017-09-13 07:13 - 2017-09-13 07:13 - 000000000 ____D C:\ProgramData\SWCUTemp
2017-09-13 07:12 - 2017-09-13 07:12 - 000000000 ____D C:\Users\Debby\AppData\Roaming\AVAST Software
2017-09-13 07:12 - 2017-09-13 07:12 - 000000000 ____D C:\Users\Debby\AppData\Local\CEF
2017-09-13 07:10 - 2017-09-13 07:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2017-09-13 07:09 - 2017-09-13 07:09 - 000003914 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-09-13 07:09 - 2017-09-13 07:08 - 000590880 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2017-09-13 07:09 - 2017-09-13 07:08 - 000361336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-09-13 07:09 - 2017-09-13 07:08 - 000199312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-09-13 07:09 - 2017-09-13 07:08 - 000147784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2017-09-13 07:09 - 2017-09-13 07:08 - 000110376 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-09-13 07:09 - 2017-09-13 07:08 - 000084416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-09-13 07:09 - 2017-09-13 07:08 - 000047016 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-09-13 07:09 - 2017-09-13 07:07 - 001016384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2017-09-13 07:09 - 2017-09-13 07:06 - 000343296 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbloga.sys
2017-09-13 07:09 - 2017-09-13 07:06 - 000320528 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-09-13 07:09 - 2017-09-13 07:06 - 000198976 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsha.sys
2017-09-13 07:09 - 2017-09-13 07:06 - 000057736 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbuniva.sys
2017-09-13 07:08 - 2017-09-13 07:08 - 000401488 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2017-09-13 07:08 - 2017-09-13 07:07 - 000992960 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2017-09-13 07:08 - 2017-09-13 07:07 - 000921280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2017-09-13 07:05 - 2017-09-13 07:05 - 000000000 ____D C:\Users\Debby\Downloads\unpack
2017-09-13 07:04 - 2017-09-13 07:04 - 000070624 _____ C:\Users\Debby\Downloads\BackOfficeSwitchboardInstaller.exe
2017-09-13 07:02 - 2017-09-13 07:02 - 000000000 ____D C:\Program Files\AVAST Software
2017-09-13 07:01 - 2017-09-13 07:59 - 000000000 ____D C:\Users\Debby\Desktop\Bleeping Computer
2017-09-13 06:53 - 2017-09-13 06:55 - 000000000 ____D C:\AdwCleaner
2017-09-13 06:29 - 2017-09-13 07:23 - 000253888 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-09-13 06:29 - 2017-09-13 07:23 - 000101824 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-09-13 06:29 - 2017-09-13 07:23 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-09-13 06:29 - 2017-09-13 07:23 - 000045472 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-09-13 06:29 - 2017-09-13 06:29 - 000192960 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-09-13 06:28 - 2017-09-13 06:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-09-13 06:28 - 2017-09-13 06:28 - 000000000 ____D C:\Program Files\Malwarebytes
2017-09-13 06:28 - 2017-08-24 11:27 - 000077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-09-13 06:22 - 2017-09-13 06:22 - 000000000 __SHD C:\Users\Debby\AppData\LocalLow\EmieUserList
2017-09-13 06:22 - 2017-09-13 06:22 - 000000000 __SHD C:\Users\Debby\AppData\LocalLow\EmieSiteList
2017-09-13 06:22 - 2017-09-13 06:22 - 000000000 __SHD C:\Users\Debby\AppData\LocalLow\EmieBrowserModeList
2017-09-12 22:19 - 2011-03-28 20:15 - 000095544 _____ (Broadcom Corporation) C:\Windows\system32\bcmwlcoi.dll
2017-09-12 22:19 - 2011-03-28 20:11 - 003900928 _____ (Broadcom Corporation) C:\Windows\system32\bcmihvsrv64.dll
2017-09-12 22:19 - 2011-03-28 20:11 - 003566592 _____ (Broadcom Corporation) C:\Windows\system32\bcmihvui64.dll
2017-09-12 22:19 - 2007-11-05 08:23 - 000240248 ____R (CACE Technologies) C:\Windows\SysWOW64\wpcap.dll
2017-09-12 22:19 - 2007-11-05 08:23 - 000040464 ____R (CACE Technologies) C:\Windows\system32\Drivers\npf.sys
2017-09-12 22:19 - 2007-11-05 08:22 - 000068224 ____R (CACE Technologies) C:\Windows\SysWOW64\WanPacket.dll
2017-09-12 22:19 - 2007-11-05 08:19 - 000053299 ____R C:\Windows\SysWOW64\pthreadVC.dll
2017-09-12 20:58 - 2017-09-12 20:58 - 000000000 ____D C:\Windows\system32\appmgmt
2017-09-12 20:58 - 2017-09-12 20:58 - 000000000 ____D C:\Users\Debby\Documents\Outlook Files

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-13 07:30 - 2009-07-14 00:45 - 000031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-09-13 07:30 - 2009-07-14 00:45 - 000031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-09-13 07:23 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-13 07:20 - 2014-02-16 11:13 - 000000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-09-13 07:08 - 2014-02-06 07:40 - 000000000 ____D C:\ProgramData\AVAST Software
2017-09-13 07:04 - 2009-07-14 01:13 - 000785858 _____ C:\Windows\system32\PerfStringBackup.INI
2017-09-13 07:04 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2017-09-13 06:28 - 2014-02-06 08:33 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-09-13 06:17 - 2009-07-13 22:34 - 000000478 _____ C:\Windows\win.ini
2017-09-13 02:07 - 2016-08-02 21:31 - 000000000 ____D C:\Windows\System32\Tasks\AVAST Software
2017-09-13 02:07 - 2014-02-06 08:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SlimComputer
2017-09-13 02:07 - 2014-02-06 08:43 - 000000000 ____D C:\Program Files (x86)\SlimComputer
2017-09-13 02:07 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\registration
2017-09-12 22:57 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\system32\NDF
2017-09-12 22:07 - 2014-02-05 20:17 - 000000000 ____D C:\Users\Debby
2017-09-12 21:41 - 2014-11-20 18:40 - 000000000 ____D C:\Users\Debby\AppData\Local\ElevatedDiagnostics
2017-09-12 20:56 - 2014-02-06 07:37 - 000000000 ____D C:\ProgramData\TEMP
2017-09-12 20:56 - 2014-02-06 07:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
2017-09-12 20:56 - 2014-02-06 07:37 - 000000000 ____D C:\Program Files (x86)\SpywareBlaster

==================== Files in the root of some directories =======

2014-02-05 20:19 - 2014-02-05 20:19 - 000000000 _____ () C:\Users\Debby\AppData\Local\AtStart.txt
2014-02-05 20:19 - 2014-02-05 20:19 - 000000000 _____ () C:\Users\Debby\AppData\Local\DSwitch.txt
2014-02-05 20:19 - 2014-02-05 20:19 - 000000000 _____ () C:\Users\Debby\AppData\Local\QSwitch.txt

Some files in TEMP:
====================
2014-02-06 23:07 - 2013-02-02 08:40 - 000558696 _____ (Microsoft Corporation) C:\Users\Debby\AppData\Local\Temp\OfficeSetup.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-07-05 18:53

==================== End of FRST.txt ============================

 

addition.txt

******************************************

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-09-2017
Ran by Debby (13-09-2017 08:02:16)
Running from C:\Users\Debby\Desktop\Bleeping Computer
Windows 7 Professional Service Pack 1 (X64) (2014-02-06 00:17:25)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-4116406913-743611772-3940053389-500 - Administrator - Disabled)
Debby (S-1-5-21-4116406913-743611772-3940053389-1000 - Administrator - Enabled) => C:\Users\Debby
Guest (S-1-5-21-4116406913-743611772-3940053389-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-4116406913-743611772-3940053389-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 22 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.6.2310 - AVAST Software)
Back Office Switchboard (HKLM-x32\...\{AB2EA65B-ADB7-4C4D-AC60-6AF3B7E5144C}) (Version: 3.0.0 - NCR Corporation)
Belarc Advisor 7.2 (HKLM-x32\...\Belarc Advisor) (Version:  - )
doPDF 7.1 printer (HKLM\...\doPDF 7 printer_is1) (Version:  - Softland)
HP Quick Launch Buttons (HKLM-x32\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
HP Webcam Driver (HKLM-x32\...\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}) (Version: 5.8.50009.6 - Sonix)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6300.0 - IDT)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
LSI HDA Modem (HKLM\...\LSI Soft Modem) (Version: 2.2.97 - LSI Corporation)
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 28.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 28.0 (x86 en-US)) (Version: 28.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 28.0 - Mozilla)
NVIDIA Graphics Driver 296.67 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 296.67 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.12.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.12.0 - NVIDIA Corporation)
NVIDIA nView 136.28 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 136.28 - NVIDIA Corporation)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
QLBCASL (HKLM-x32\...\{F1D7AC58-554A-4A58-B784-B61558B1449A}) (Version: 6.40.17.2 - Hewlett-Packard) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
SlimComputer (HKLM-x32\...\{574BF026-4487-4051-BCE5-83C4E40AAF6D}) (Version: 1.3.30878 - SlimWare Utilities, Inc.)
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.0.24.0 - Synaptics Incorporated)
Validity WBF DDK (HKLM\...\{DA83578A-7DB2-4CF6-9453-CF24C7917AB8}) (Version: 4.3.301.0 - Validity Sensors, Inc.)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-13] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-13] (AVAST Software)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-13] (AVAST Software)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-13] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers5: [00nView] -> {1E9B04FB-F9E5-4718-997B-B8DA88302A48} => C:\Program Files\NVIDIA Corporation\nview\nvshell.dll [2012-03-22] ()
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2012-01-10] (Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2012-04-23] (NVIDIA Corporation)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-13] (AVAST Software)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {037E0333-C5D8-495E-B399-8FA36B4BA093} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-08-02] (Adobe Systems Incorporated)
Task: {48265259-5FE0-43A4-B4B3-CBAB7F825F49} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy
Task: {6A1B0C3F-A656-4EF5-AFC7-3B6184263A49} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe
Task: {84B98332-D306-4560-B157-521D69C5BC42} - System32\Tasks\SlimComputer Run => C:\Program Files (x86)\SlimComputer\SlimComputer.exe [2013-07-10] (SlimWare Utilities, Inc.)
Task: {CB4EC487-32FC-4410-890B-D9F1B0D50466} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-09-13] (AVAST Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2017-09-13 06:28 - 2017-08-24 11:27 - 002264528 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000067408 _____ () C:\Program Files\AVAST Software\Avast\x64\module_lifetime.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000169832 _____ () c:\Program Files\AVAST Software\Avast\x64\vaarclient.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000824944 _____ () C:\Program Files\AVAST Software\Avast\x64\ffl2.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000286712 _____ () c:\Program Files\AVAST Software\Avast\x64\StreamBack.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000059040 _____ () C:\Program Files\AVAST Software\Avast\module_lifetime.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000167096 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000211904 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000241960 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000149568 _____ () C:\Program Files\AVAST Software\Avast\network_notifications.dll
2017-09-13 07:17 - 2017-09-13 07:17 - 005901864 _____ () C:\Program Files\AVAST Software\Avast\defs\17091212\algo.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000685688 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-09-13 07:07 - 2017-09-13 07:07 - 000241448 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2017-09-13 07:08 - 2017-09-13 07:08 - 067109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-09-13 07:06 - 2017-09-13 07:06 - 000233768 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BsScanner => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BsScanner => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-4116406913-743611772-3940053389-1000\...\1001movie.com -> 1001movie.com

There are 6091 more sites.

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2009-06-10 17:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4116406913-743611772-3940053389-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AESTFilters => 2
MSCONFIG\Services: AgereModemAudio => 2
MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: IMSS => "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
MSCONFIG\startupreg: nwiz => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
MSCONFIG\startupreg: SysTrayApp => C:\Program Files\IDT\WDM\sttray64.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [TCP Query User{E05ED506-0DC5-47B9-9FE6-F39B6BB83E19}E:\drivethelife\drivethelife.exe] => (Allow) E:\drivethelife\drivethelife.exe
FirewallRules: [UDP Query User{9B224E3A-0DFE-4C7F-907B-096E8B52131D}E:\drivethelife\drivethelife.exe] => (Allow) E:\drivethelife\drivethelife.exe
FirewallRules: [{3099BE2E-9245-42BB-B91E-06B4DDC1547A}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{C33016E5-C0AB-4D71-A268-A822F9BEEC64}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe

==================== Restore Points =========================

17-01-2015 04:00:19 Windows Update
18-01-2015 04:00:14 Windows Update
22-01-2015 07:28:18 Windows Update
25-07-2016 17:07:18 Windows Update
12-09-2017 20:58:12 Removed NPL ROES
12-09-2017 21:26:51 Removed SlimComputer
12-09-2017 22:53:24 avast! antivirus system restore point
13-09-2017 06:08:20 Windows Update
13-09-2017 07:10:06 Installed Back Office Switchboard
13-09-2017 07:34:07 Installed Back Office Switchboard

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (09/13/2017 07:24:40 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (09/13/2017 07:16:51 AM) (Source: MsiInstaller) (EventID: 11335) (User: Debby-PC)
Description: Product: Back Office Switchboard -- Error 1335. The cabinet file '_DFD382464C2DB88D8A85967048311C15' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (09/13/2017 07:16:50 AM) (Source: MsiInstaller) (EventID: 11335) (User: Debby-PC)
Description: Product: Back Office Switchboard -- Error 1335. The cabinet file '_DFD382464C2DB88D8A85967048311C15' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (09/13/2017 07:16:49 AM) (Source: MsiInstaller) (EventID: 11335) (User: Debby-PC)
Description: Product: Back Office Switchboard -- Error 1335. The cabinet file '_DFD382464C2DB88D8A85967048311C15' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (09/13/2017 07:16:48 AM) (Source: MsiInstaller) (EventID: 11335) (User: Debby-PC)
Description: Product: Back Office Switchboard -- Error 1335. The cabinet file '_DFD382464C2DB88D8A85967048311C15' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (09/13/2017 07:16:45 AM) (Source: MsiInstaller) (EventID: 11335) (User: Debby-PC)
Description: Product: Back Office Switchboard -- Error 1335. The cabinet file '_DFD382464C2DB88D8A85967048311C15' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (09/13/2017 07:16:45 AM) (Source: MsiInstaller) (EventID: 11335) (User: Debby-PC)
Description: Product: Back Office Switchboard -- Error 1335. The cabinet file '_DFD382464C2DB88D8A85967048311C15' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (09/13/2017 07:16:44 AM) (Source: MsiInstaller) (EventID: 11335) (User: Debby-PC)
Description: Product: Back Office Switchboard -- Error 1335. The cabinet file '_DFD382464C2DB88D8A85967048311C15' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (09/13/2017 06:58:47 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (09/13/2017 06:44:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

System errors:
=============
Error: (09/13/2017 07:23:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Ricoh xD-Picture Card Driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (09/13/2017 07:23:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimsptsk service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (09/13/2017 07:23:13 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The DTLService service failed to start due to the following error:
The system cannot find the file specified.

Error: (09/13/2017 07:23:13 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The DriverGenius PNP Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (09/13/2017 07:20:36 AM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Windows Update service did not shut down properly after receiving a preshutdown control.

Error: (09/13/2017 06:57:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Ricoh xD-Picture Card Driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (09/13/2017 06:57:13 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The rimsptsk service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (09/13/2017 06:57:12 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The DTLService service failed to start due to the following error:
The system cannot find the file specified.

Error: (09/13/2017 06:57:12 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The DriverGenius PNP Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (09/13/2017 06:56:22 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MBAMService service.

CodeIntegrity:
===================================
  Date: 2012-11-22 17:45:56.997
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\DriveTheLife\hwcore.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-11-22 17:45:56.981
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\DriveTheLife\hwcore.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Core™ i5 CPU M 540 @ 2.53GHz
Percentage of memory in use: 81%
Total physical RAM: 3893.78 MB
Available physical RAM: 734.55 MB
Total Virtual: 7785.74 MB
Available Virtual: 4575.41 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.75 GB) (Free:184.94 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: AFA81CAA)
Partition 1: (Active) - (Size=142 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.7 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,761 posts
  • Gender:Male

Posted 18 September 2017 - 07:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/657159 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,761 posts
  • Gender:Male

Posted 23 September 2017 - 07:25 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



