Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojans Win32/Bitrep.A & HTML/Brocoiner!rfn Take Control and Corrupt


  • Please log in to reply
6 replies to this topic

#1 jseaton2311

jseaton2311

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 26 December 2017 - 07:48 PM

I first noticed that I likely had a virus when I received a FATAL ERROR notice on my printer. I went to the manufacturer's website (Epson) and they remotely showed me all the problems I had. This included the following from the tech:
 
PROBLEMS:-
ERROR AND WARNINGS FOUND
BAD IP ADDRESSES ARE CONNECTED
MS SERVICES ARE STOPPED
NETWORK IS PUBLIC
DRIVERS ARE CORRUPTED
 
I feared that my computer was on the verge of crashing or worse, so I paid $100 on the spot for them to remotely clean it up--which they did. Now they want an additional $149 to finish the job (?). I have the feeling I'm being scalped and I would like to ask Bleeping Computer to help me finish the job. I believe I have more infections in my printer software and perhaps elsewhere. I probably should have come to BC directly, but things looked so bad that I felt I had to do something immediately.

Edited by hamluis, 26 December 2017 - 07:53 PM.
Moved from MRL to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


#2 Unworn_Kilt

Unworn_Kilt

  • Members
  • 237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:10:11 PM

Posted 27 December 2017 - 01:07 AM

Hi jseaton2311,

 

 

I'm sorry to hear about your situation. Some people just don't get with the Festive Spirit!

 

Please read the section in RED FIRST!

 

Do you have any idea of the name of the company involved please?

 

Are you able to advise me of what you saw to cause you to connect with the online "cleaning"

company?

 

Have a look at this link HERE and see if you can identify which one it may have been. Please also read the associated

Bleeping Computer Links for more information about such Scams.

 

The first thing you need to do is contact your bank or financial institution and advise them of the fraudulent charge.

Seriously consider cancelling the card with which you made the payment, plus, any other cards that may have had 

their information stored in your browser or on your PC. As you have disclosed your payment details to the Scammers

you need to consider them compromised. This also applies for all your passwords to sites that may have been on the 

computer, either stored or in a cache or similar.

 

I would also consider contacting Local Law Enforcement in your area and advising them of your situation.

 

I'll just dig up some more information and get back to you as soon as possible.

 

 

Regards,

 

 

 

KILT   :thumbup2:


PLEASE NOTE

 

I am only a Standard Member,  NOT a Trained Malware Removal Expert. If you have ANY concerns regarding any advice I may give, please contact a Member of Staff before making changes.

 

Thanks!

 

 

** Walk Softly and Carry a Big Stick **

 

 

 


#3 Unworn_Kilt

Unworn_Kilt

  • Members
  • 237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:10:11 PM

Posted 27 December 2017 - 02:17 AM

Now to do a little cleaning and take a look at your system...

 

 

 

 

 

Do Not Enclose Reports In Quotes or Delete or Insert Any Characters - No Redaction!

Please Post All Reports in Plain Text. Ensure You Include All Report Headers.

Please Press the Return Key 3 Times Between Reports.

Don't Attach them either.....Pleeeez!

 

 

Please make sure you have Backed Up your Files and Save any Work you have Open before proceeding!

You can find Free Back Up Software available on the Web.

(It's unlikely that anything I ask you to do will wipe your data, but better to be safe than sorry.)

 

 

Some Tools May Close Down Any Open Windows or Programs, Please Be Aware of This!

 

 

 

Remember that there is no such thing as a "Stupid Question." If you encounter ANY problems or difficulties along the way, STOP and Message Me!!

 

 

 

**Read All Notes Under Individual Instructions BEFORE Running the Tools.**

 

You might find it useful to print these instructions for reference.

 

 

 

 

 

​My apologies for the length of these instructions. I want to be thorough.

 

 

​To simplify the reporting process I suggest that you post back one or two logs at a time.

 

 

 

Download a copy of a program called RKill (Courtesy of Grinler at Bleeping Computer) which is available at the links below:

(This program attempts to stop any running malware processes so other tools may function efficiently, plus a few other things.)

 

Save it to your Desktop so you can easily locate it.

 

(If one won't run, download the other. Malware sometimes recognises RKill.exe and tries to interfere with it.)

 

 

RKill.exe                              <<== Try this first.

 

RKill as iExplore.exe         <<== Try this one if option one doesn't work.

 

  • Right Click RKill and Select "Run As Administrator."
  • Soon after a Black Box will appear while RKill Runs. (This is normal. RKill may appear to hang. It's just working.)
  • When RKill has finished it will Open a Report in Notepad.
  • RKill will also save a copy of its log to your Desktop called "RKill.log"
  • After RKill has run successfully Don't Restart your computer until the other tool(s) have run.
  • Please Copy and Paste the contents of the Report into your Next Reply.
  • If the RKill will not run in Normal Windows Mode, Restart in Safe Mode and Repeat the above Steps.

 

NOTES:

Please Ignore any warnings from about RKill containing Viruses or Trojans etc. If necessary, shut down or temporarily disable your Antivirus while RKill runs. Don't forget to Re-enable your Anti-Virus once RKill completes, unless I ask otherwise.

If RKill still won't run, please Post back here and advise me.(After trying both versions and Safe Mode.) Please note any Error messages or other useful information and Include it in your Reply.

 

 

Then.......

 

 

Please download Security Check (by screen317) from HERE & save it to your Desktop.

 

  • Right Click SecurityCheck and Select "Run As Administrator."
  • Follow the Prompts in the Black Box which opens on your screen.
  • When the program is complete a Notepad Document called Checkup.txt should open Automatically in Notepad.
  • Please Copy & Paste the Contents of Checkup.txt into your Next Reply.

 

Please Note the Following:

 

If you receive an "UNSUPPORTED OPERATING SYSTEM! ABORTED!," please Restart Windows and Security Check should Run Fine.

Should a problem persist, please Post Back Here and include any Error Messages & Other Useful Information.

 

Security Check may require you to permit "Dig.exe" to access the internet. Please allow access through your Firewall if necessary.

It is not uncommon for Security Check to generate "false positives" from  some Anti-Virus/Anti-Malware Programs. Please Ignore These if They Occur.

 

 

 

Then.......

 

 

 

Download Farbar Service Scanner onto your Desktop (FSS)  HERE

 

 

Please Ensure the following Options are Selected:

  • RpcSs and PlugPlay <= (May be greyed out.)
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other Services

(Please Don't Click the "Search Files" or "Export Service Buttons")

  • Click the Scan button to start scanning.
  • (FSS may take a short while to complete.)
  • When the Scan is Complete, a Report should Pop-Up in Notepad.
  • Please Copy and Paste the Contents into your Next Reply.

*(The Tool will create a log file called FSS.txt in the Folder the Tool is Run from.

That log will be saved. If there are any problems with the Pop-Up one, Copy from FSS.txt.)

 

 

​Then......

 

 

Download MiniToolBox(By FARBAR) to your Desktop:  HERE

 

Right Click the Blue\Black MiniToolBox Icon and Select "Run as Administrator."

(The Tool will show Version: 17-06-2016 in the title bar.)

 

Select the following Check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings (Make sure IE is closed first please.)
  • Report FF Proxy Settings
  • Reset FF Proxy Settings (Make sure Firefox is closed first please.)
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (DO NOT change any settings for this - Only "Problems" should be set by Default.)
  • List Users, Partitions and Memory size
  • List Minidump Files
  • List Restore Points

 

Click the "Go" Button.

 

  • Report should Pop-Up on your Screen in Notepad after a short wait.
  • Please Copy an Paste the Report Contents into your Next Reply.

(If you accidentally "kill" the Notepad Report, all is not lost, it should be saved on your Desktop as MTB.txt)

 

 

 

Then......

 

 

Download AdwCleaner(from Xplode.) to your Desktop:

(If you had to Reboot after Running the prior tool

re-run RKill - That was Step ​1

 

From here: AdwCleaner.exe

 

 

Save to your Desktop so you can easily locate it.

 

  • Before Starting Ensure You've Saved Anything You Have Open that you Wish to Keep!!
  • Right Click AdwCleaner.exe & Select "Run As Administrator"
  • Please Click on the Tools Menu. There should be 2 Tabs: Options & Advanced.
  • In Options under DeleteSelect Tracing Keys(Usually pre-selected,) and, under RESET select all Options on the Right Hand Side.
  • Do Not select any other Options with Square Boxes.
  • There should be Options for Mode and Debug. You can leave these at their Defaults. Press OK.
  • Next, you should see Two main Buttons, Scan and Logfiles. Please Press Scan.
  • AdwCleaner will Start to Update the Database if required. This may take a little while.
  • The Progress Bar will gradually move to the right as the scan progresses. It can take a while.
  • Next you should receive a Popup Notification advising of the Scan Result.
  • Select any Items AdwCleaner may have found for DeletionorDeselect anything you may wish to keep.
  • Under the Popup there will be a Log. Please Copy and Paste the Contents into your next Reply.
  • NextClick Clean. Even if nothing was detected. This will require you to reboot the machine. Please do so.
  • Once the computer has rebooted,second Log should appear. Please Paste into your Reply as well.

 

  • If you need to access Logs again, Open the Tool and Click the LogFiles Button. They are stored there.

 

The Logs can be a tad confusing at first. They all contain a number such as [S0] which is Log One. They are also accompanied by a date to the left side column. The lower the number in the square brackets, the earlier the Log. For example, I may have Logs; AdwCleaner[S0].txt (Earliest) to AdwCleaner[S27].txt (Most Recent.) Double Click a Log to Open it.

 

 

Next....

 

 

Download Malwarebytes Anti-Rootkit51a5f31352b88-icon_MBAR.png (MBAR) on to your Desktop.

 

From Here: Malwarebytes Anti-Rootkit

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrative rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"
  • "system-log.txt"


NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

 (My Thanks to Broni, Bleeping Computer Advisor for the use of the above, mostly pilfered without notice, MBAR Notes.

 

 

Please post back your results when you are done.

 

 

Then......

 

 

Download and run the ESET Free Online Virus Scanner from:  HERE

​(If you had to restart for any reason between running RKill and this step,

​Please re-run Rkill.)

 

  • Turn off your antivirus program. See here how to do this.
  • Accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth Technology
    • Click on the Change button and select only Operating Memory, Autostart Locations and drive(s) C:\ D:\ etc., to be scanned
    • Click Start to begin the Scan.
  • The ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan completes a list of found threats will open automatically (if any malicious files are found).
  • Push the SAVE to TEXT FILE button and save the file to your desktop using a unique name, such as ESETScan+Date.txt. Include the contents of this report in your next reply.
  • CLEAN any THREATS found.
  • ​Try to save the log after cleaning.
  • Click Back, then Finish to exit ESET Online Scanner.
  • Do NOT delete the ESET scanner at this stage please.

Please re-enable your antivirus when the scan is complete.

 

Let me know if you encounter any problems.

 

After you've finished the ESET Online scan:

  • Please ensure you've saved the Log File to your desktop.
  • Post the Log File contents in your Reply, assuming there was one.
  • Close down any other open programs.
  • Reboot.

 

Then....

 

 

 

Please download this tool and Run it if you accept the disclaimer below. Make sure you read the points below so you're ready.

 

There is a slight chance this program may cause problems with Windows 10 although,

I've used it many times with no ill effect. I need to make you aware of this. The decision to

run the tool (or not) is ultimately yours.

 

Download TFC:  HERE

 

 

  1. Download TFC from the download link above and save the file on your desktop.
  2. Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  3. Double-click on the TFC icon.
  4. When the program starts, click on the Start button.  TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  5. When done, press OK to reboot your computer and finish the cleanup. The reboot may or may not be required.

Note 1: Depending on how much data is currently stored in the Temp folders, this process can take quite a while to remove all of the files, so please be patient.

Note 2: This program will not delete your Cookies or Browser History.

 

I'm going to have to take a break. Please post back the logs from the previous scans.

There won't be a log from TFC as far as I can recall.

 

 

 

​I'll look over your log file(s.)

 

Log back in to your thread for further instructions please.

 

We're in different time zones, so there may be a delay.

 

If I don't respond in 48 hours Please Personally Message Me.

If you don't hear back after 3 days, please post: HERE

 

I am a Volunteer and do my best to be here. This is sometimes interrupted by sleep, eating, outages.......

 

 

 

Cheers,

 

 

 

Kilt   :thumbup2: 


Edited by Unworn_Kilt, 27 December 2017 - 02:28 AM.

PLEASE NOTE

 

I am only a Standard Member,  NOT a Trained Malware Removal Expert. If you have ANY concerns regarding any advice I may give, please contact a Member of Staff before making changes.

 

Thanks!

 

 

** Walk Softly and Carry a Big Stick **

 

 

 


#4 jseaton2311

jseaton2311
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 29 December 2017 - 07:18 PM

Sorry for being late. I had to have a blood transfusion (nothing too serious), and I was in the hospital for 2 days. This is the third transfusion, but the doc took me off one of the blood thinners I was taking, so hopefully that will be the end of that. I already canceled my card and the company involved was Epson Tech Support. They found 3 different Trojans, but I think I am still having problems because I get an "Unauthorized changes blocked" warning from Windows Defender. I got the same warning on both downloads, however I was able to add it to add an allowed app. Here are the first 2 reports:

 

 

Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 12/29/2017 06:39:25 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 12/29/2017 06:39:42 PM
Execution time: 0 hours(s), 0 minute(s), and 16 seconds(s)
 
 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Google Chrome (63.0.3239.84) 
 Google Chrome (SetupMetrics...) 
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe 
 Windows Defender MSASCuiL.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
 


#5 jseaton2311

jseaton2311
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 29 December 2017 - 09:11 PM

Here are the next two:

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by jseaton2311 (administrator) on 29-12-2017 at 20:21:05
Running from "C:\Users\jseaton2311\Downloads"
Microsoft Windows 10 Home  (X64)
Model: HP Pavilion Notebook Manufacturer: HP
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
"network.proxy.type", 0
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
Realtek RTL8188EE 802.11 bgn Wi-Fi Adapter = Wi-Fi (Connected)
Realtek PCIe FE Family Controller = Ethernet (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global
set interface interface="Ethernet (Kernel Debugger)" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DESKTOP-8D8FHO8
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : DC-4A-3E-DE-CA-B0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Local Area Connection* 1:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 32-52-CB-F2-89-5B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek RTL8188EE 802.11 bgn Wi-Fi Adapter
   Physical Address. . . . . . . . . : 30-52-CB-F2-89-5B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1cd5:2b8e:3cec:68f6%4(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.117(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, December 29, 2017 6:22:04 PM
   Lease Expires . . . . . . . . . . : Saturday, December 30, 2017 6:22:09 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 36721355
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-E9-BA-21-DC-4A-3E-DE-CA-B0
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter Local Area Connection* 10:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  TOWERS-PC-NETWO
Address:  192.168.1.1
 
Name:    google.com
Addresses:  2607:f8b0:4008:80f::200e
  172.217.3.78
 
 
Pinging google.com [172.217.3.78] with 32 bytes of data:
Reply from 172.217.3.78: bytes=32 time=18ms TTL=53
Reply from 172.217.3.78: bytes=32 time=14ms TTL=53
 
Ping statistics for 172.217.3.78:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 14ms, Maximum = 18ms, Average = 16ms
Server:  TOWERS-PC-NETWO
Address:  192.168.1.1
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::100d
  2001:4998:58:2201::73
  2001:4998:c:e33::53
  98.139.180.180
  206.190.39.42
  98.138.252.38
 
 
Pinging yahoo.com [98.138.252.38] with 32 bytes of data:
Reply from 98.138.252.38: bytes=32 time=65ms TTL=51
Reply from 98.138.252.38: bytes=32 time=66ms TTL=51
 
Ping statistics for 98.138.252.38:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 65ms, Maximum = 66ms, Average = 65ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...dc 4a 3e de ca b0 ......Realtek PCIe FE Family Controller
  8...32 52 cb f2 89 5b ......Microsoft Wi-Fi Direct Virtual Adapter
  4...30 52 cb f2 89 5b ......Realtek RTL8188EE 802.11 bgn Wi-Fi Adapter
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.117     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.117    311
    192.168.1.117  255.255.255.255         On-link     192.168.1.117    311
    192.168.1.255  255.255.255.255         On-link     192.168.1.117    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.117    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.117    311
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  4    311 fe80::/64                On-link
  4    311 fe80::1cd5:2b8e:3cec:68f6/128
                                    On-link
  1    331 ff00::/8                 On-link
  4    311 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [54784] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [63488] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [24064] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\SysWOW64\mswsock.dll [334744] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [67072] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [84992] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [84992] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [79872] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31232] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
x64-Catalog9 12 C:\Windows\System32\mswsock.dll [402992] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (12/29/2017 06:26:11 PM) (Source: Office 2016 Licensing Service) (User: )
Description: Subscription licensing service failed: -1073422302
 
Error: (12/29/2017 06:21:51 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1219
 
Error: (12/29/2017 06:21:51 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1219
 
Error: (12/29/2017 06:21:51 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/26/2017 07:11:27 PM) (Source: Application Error) (User: )
Description: Faulting application name: SecHealthUI.exe, version: 10.0.16299.15, time stamp: 0x59cda931
Faulting module name: Windows.UI.Xaml.dll, version: 10.0.16299.98, time stamp: 0x950216af
Exception code: 0xc000027b
Fault offset: 0x00000000006e7ae9
Faulting process id: 0xa14
Faulting application start time: 0xSecHealthUI.exe0
Faulting application path: SecHealthUI.exe1
Faulting module path: SecHealthUI.exe2
Report Id: SecHealthUI.exe3
Faulting package full name: SecHealthUI.exe4
Faulting package-relative application ID: SecHealthUI.exe5
 
Error: (12/25/2017 08:52:14 PM) (Source: Office 2016 Licensing Service) (User: )
Description: Subscription licensing service failed: -1073422302
 
Error: (12/25/2017 05:39:59 PM) (Source: Office 2016 Licensing Service) (User: )
Description: Subscription licensing service failed: -1073422302
 
Error: (12/24/2017 05:52:46 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3687
 
Error: (12/24/2017 05:52:46 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 3687
 
Error: (12/24/2017 05:52:46 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
 
System errors:
=============
Error: (12/29/2017 06:25:16 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (12/26/2017 03:10:24 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (12/25/2017 05:39:19 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (12/25/2017 05:36:11 PM) (Source: DCOM) (User: DESKTOP-8D8FHO8)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}DESKTOP-8D8FHO8jseaton2311S-1-5-21-1365922070-2075495082-815213236-1001LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (12/24/2017 07:32:45 PM) (Source: DCOM) (User: DESKTOP-8D8FHO8)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}DESKTOP-8D8FHO8jseaton2311S-1-5-21-1365922070-2075495082-815213236-1001LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (12/24/2017 07:18:12 PM) (Source: DCOM) (User: DESKTOP-8D8FHO8)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}DESKTOP-8D8FHO8jseaton2311S-1-5-21-1365922070-2075495082-815213236-1001LocalHost (Using LRPC)UnavailableUnavailable
 
Error: (12/24/2017 11:06:17 AM) (Source: Service Control Manager) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275 = This driver has been blocked from loading
 
 
Error: (12/24/2017 11:06:17 AM) (Source: Application Popup) (User: )
Description: \??\C:\Users\JSEATO~1\AppData\Local\Temp\ehdrv.sys
 
Error: (12/24/2017 11:06:17 AM) (Source: Service Control Manager) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275 = This driver has been blocked from loading
 
 
Error: (12/24/2017 11:06:17 AM) (Source: Application Popup) (User: )
Description: \??\C:\Users\JSEATO~1\AppData\Local\Temp\ehdrv.sys
 
 
Microsoft Office Sessions:
=========================
Error: (12/29/2017 06:26:11 PM) (Source: Office 2016 Licensing Service)(User: )
Description: Subscription licensing service failed: -1073422302
 
Error: (12/29/2017 06:21:51 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1219
 
Error: (12/29/2017 06:21:51 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1219
 
Error: (12/29/2017 06:21:51 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (12/26/2017 07:11:27 PM) (Source: Application Error)(User: )
Description: SecHealthUI.exe10.0.16299.1559cda931Windows.UI.Xaml.dll10.0.16299.98950216afc000027b00000000006e7ae9a1401d37e9c16a6124dC:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exeC:\Windows\System32\Windows.UI.Xaml.dll164c22ad-8f17-4891-b780-5fa0c247da47Microsoft.Windows.SecHealthUI_10.0.16299.15_neutral__cw5n1h2txyewySecHealthUI
 
Error: (12/25/2017 08:52:14 PM) (Source: Office 2016 Licensing Service)(User: )
Description: Subscription licensing service failed: -1073422302
 
Error: (12/25/2017 05:39:59 PM) (Source: Office 2016 Licensing Service)(User: )
Description: Subscription licensing service failed: -1073422302
 
Error: (12/24/2017 05:52:46 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3687
 
Error: (12/24/2017 05:52:46 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 3687
 
Error: (12/24/2017 05:52:46 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
 
CodeIntegrity Errors:
===================================
  Date: 2017-11-19 17:20:25.944
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\InfusedApps\Applications\Microsoft.HEVCVideoExtension_1.0.2512.0_x64__8wekyb3d8bbwe\x86\hevcdecoder_store.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-19 17:20:25.820
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\InfusedApps\Applications\Microsoft.HEVCVideoExtension_1.0.2512.0_x64__8wekyb3d8bbwe\x64\hevcdecoder_store.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-19 17:20:25.693
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.HEVCVideoExtension_1.0.2512.0_x64__8wekyb3d8bbwe\x86\hevcdecoder_store.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2017-11-19 17:20:25.571
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.HEVCVideoExtension_1.0.2512.0_x64__8wekyb3d8bbwe\x64\hevcdecoder_store.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
=========================== Installed Programs ============================
 
µTorrent (HKCU\...\uTorrent) (Version: 3.5.0.44294 - BitTorrent Inc.)
123 Free Solitaire v10.3 (HKLM-x32\...\123 Free Solitaire_is1) (Version:  - TreeCardGames)
4K Video Downloader 4.3 (HKLM-x32\...\{D0CA3944-0FD5-40FF-97A1-FEDFFB5EE31F}) (Version: 4.3.2.2215 - Open Media LLC)
4K YouTube to MP3 3.3 (HKLM-x32\...\{00311B59-853E-4BF8-A5F8-2028B11E183D}) (Version: 3.3.0.1747 - Open Media LLC)
64 Bit HP CIO Components Installer (HKLM\...\{345F3F90-0505-4EDF-B7A9-5E3AC1AC6CE4}) (Version: 15.2.1 - Hewlett-Packard) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.3 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.3.1.201 - Adobe Systems, Inc.)
Advanced Uninstaller PRO - Version 12 (HKLM-x32\...\AU11_is1) (Version: 12.21.0.95 - Innovative Solutions)
Any Video Converter 6.2.0 (HKLM-x32\...\Any Video Converter) (Version: 6.2.0 - Anvsoft)
Avery Design & Print (HKLM-x32\...\Avery Design & Print 4.0.1) (Version: 4.0.1 - Avery Products Corporation)
AviSynth 2.6 (HKLM-x32\...\AviSynth) (Version: 2.6.0.6 - GPL Public release.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
BovadaPoker (HKLM-x32\...\{D7CA2DF8-95CE-4C80-9296-98E21219A1E5}}_is1) (Version:   - )
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.8.6795 - CDBurnerXP)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
ClipGrab 3.6.6 (HKLM-x32\...\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1) (Version:  - Philipp Schmieder Medien)
Computer Help (HKLM-x32\...\{36AC92D1-9EED-9168-306D-22925310FDF6}) (Version: 7.8.658 - LogMeIn, Inc.)
CyberLink YouCam (HKLM-x32\...\{A9CEDD6E-4792-493e-BB35-D86D2E188A5A}) (Version: 6.0.2.4508 - CyberLink Corp.)
DisableMSDefender (HKLM\...\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}) (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Dropbox 25 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.8.2 - Dropbox, Inc.)
Easy Photo Scan (HKLM-x32\...\{61D1B0E8-8651-4AF3-8E8F-3EA3C0C9E8F7}) (Version: 1.00.0003 - Seiko Epson Corporation)
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
Epson Customer Research Participation (HKLM\...\{B26449A6-6007-4460-B4FE-C4776115BCEA}) (Version: 1.82.0000 - Seiko Epson Corporation)
Epson Event Manager (HKLM-x32\...\{0F13C24A-FFE2-4CD0-8E0B-DC804E0A0E0B}) (Version: 3.10.0035 - Seiko Epson Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON XP-420 Series Printer Uninstall (HKLM\...\EPSON XP-420 Series) (Version:  - SEIKO EPSON Corporation)
Epson XP-420_424 User’s Guide version 1.0 (HKLM-x32\...\UsersGuideEpson XP-420_424 User’s Guide_is1) (Version: 1.0 - )
EpsonNet Print (HKLM\...\{DF5200AB-5AE6-4598-846B-8ABC3AE121B1}) (Version: 3.0.2.0 - SEIKO EPSON Corporation)
ffdshow v1.1.3572 [2010-09-13] (HKLM-x32\...\ffdshow_is1) (Version: 1.1.3572.0 - )
Freemake Video Converter version 4.1.10.0 (HKLM-x32\...\Freemake Video Converter_is1) (Version: 4.1.10.0 - Ellora Assets Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.84 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.21.123 - Google Inc.) Hidden
GoTo Opener (HKLM-x32\...\{1F803452-798F-49FB-A5DD-9F527F7017E4}) (Version: 1.0.473 - LogMeIn, Inc.)
HP 3D DriveGuard (HKLM-x32\...\{E8D0E2B8-B64B-44BC-8E01-00DDACBDF78A}) (Version: 6.0.28.1 - Hewlett-Packard Company)
HP CoolSense (HKLM-x32\...\{1504CF6F-8139-497F-86FC-46174B67CF7F}) (Version: 2.20.51 - Hewlett-Packard Company)
HP Documentation (HKLM\...\HP_Documentation) (Version: 1.0.0.1 - HP)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.8305.5282 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.5.37.19 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{D7D5F438-26EF-45AB-AB89-C476FBCF8584}) (Version: 12.8.47.1 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{1A13FE59-6F7E-44DC-9AA7-2D7B9E08C2D4}) (Version: 1.4.6 - Hewlett-Packard Company)
HP Welcome (HKLM\...\HPWelcome) (Version: 1.0 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{AF4C5F64-4E6A-438B-9832-8BDEE0E7B43D}) (Version: 1.1.17.1 - HP)
Intel Collaborative Processor Performance Control (HKLM-x32\...\0E7DAF70-FB54-4B91-B192-7E771C25AEEB) (Version: 1.0.0.1018 - Intel Corporation)
Intel® Chipset Device Software (HKLM-x32\...\{c7f54569-0018-439c-809a-48046a4d4ebc}) (Version: 10.1.1.9 - Intel® Corporation) Hidden
Intel® Dynamic Platform and Thermal Framework (HKLM-x32\...\{654EE65D-FAA4-4EA6-8C07-DC94E6A304D4}) (Version: 8.1.10603.192 - Intel Corporation)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1163 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.15.4279 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 14.5.2.1088 - Intel Corporation)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.8730.2127 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.7076.1026 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 (HKLM-x32\...\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}) (Version: 12.0.40660.0 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
paint.net (HKLM\...\{F10AAD91-58DF-44EC-A647-810197141667}) (Version: 4.0.19 - dotPDN LLC)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.370.103 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.18.621.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7584 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.0.0.60 - REALTEK Semiconductor Corp.)
Smilebox (HKCU\...\Smilebox) (Version: 1.0.0.32538 - Smilebox, Inc.)
Software Updater (HKLM-x32\...\{B307472F-7BD9-4040-9255-CE6D6A1196A3}) (Version: 4.3.1 - SEIKO EPSON CORPORATION)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
 
========================= Memory info: ===================================
 
Percentage of memory in use: 63%
Total physical RAM: 6066.26 MB
Available physical RAM: 2186.92 MB
Total Virtual: 9950.26 MB
Available Virtual: 4566.07 MB
 
========================= Partitions: =====================================
 
1 Drive c: (Windows) (Fixed) (Total:903.83 GB) (Free:737.34 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:25.57 GB) (Free:2.47 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\DESKTOP-8D8FHO8
 
Administrator            DefaultAccount           Guest                    
jseaton2311              WDAGUtilityAccount       
 
========================= Minidump Files ==================================
 
No minidump file found
 
========================= Restore Points ==================================
 
12-12-2017 20:16:23 Windows Update
16-12-2017 20:37:40 Windows Update
19-12-2017 03:41:30 Restore Operation
23-12-2017 00:36:15 Windows Modules Installer
25-12-2017 00:16:03 TECH
 
**** End of log ****
 
 
 
# AdwCleaner 7.0.6.0 - Logfile created on Sat Dec 30 02:02:07 2017
# Updated on 2017/21/12 by Malwarebytes 
# Running on Windows 10 Home (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\Program Files (x86)\Common Files\freemake shared
 
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\FMUpdater.dll
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\Toggling.dll
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\Newtonsoft.Json.dll
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\GAnalytics.dll
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\GoCartMonad.dll
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Proxy settings cleared
::TCP/IP settings cleared
::Firewall rules cleared
::IPSec settings cleared
::BITS queue cleared
::IE policies deleted
::Chrome policies deleted
::Hosts file cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [2304 B] - [2017/12/30 1:51:3]
 
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


#6 jseaton2311

jseaton2311
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 30 December 2017 - 03:25 PM

Here are the last reports:

 

Malwarebytes Anti-Rootkit BETA 1.10.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.12.30.04
  rootkit: v2017.10.14.01
 
Windows 10 x64 NTFS
Internet Explorer 11.125.16299.0
jseaton2311 :: DESKTOP-8D8FHO8 [administrator]
 
12/30/2017 11:31:21 AM
mbar-log-2017-12-30 (11-31-21).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 203076
Time elapsed: 25 minute(s), 3 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.125.16299.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 6360936448, free: 4134645760
 
Downloaded database version: v2017.12.15.06
Downloaded database version: v2017.11.28.01
=======================================
Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
     12/15/2017 17:58:57
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\WppRecorder.sys
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\iaStorA.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\DRIVERS\hpdskflt.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\IntelPcc.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\bam.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_9c1fb8f4db31c348\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\CAD.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\dptf_cpu.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\System32\drivers\rtwlane.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys
\SystemRoot\system32\DRIVERS\Accelerometer.sys
\SystemRoot\System32\drivers\WirelessButtonDriver64.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\acpipagr.sys
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\esif_lf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\cldflt.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\SystemRoot\System32\drivers\AgileVpn.sys
\SystemRoot\System32\drivers\rasl2tp.sys
\SystemRoot\System32\drivers\raspptp.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\drivers\ndiswan.sys
\SystemRoot\System32\drivers\WSDPrint.sys
\SystemRoot\system32\DRIVERS\WSDScan.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\system32\drivers\wd\WdFilter.sys
\SystemRoot\system32\drivers\wd\WdNisDrv.sys
\SystemRoot\system32\DRIVERS\udfs.sys
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DC5D56AC-DBD3-4D50-9DDD-D8CE4321CB15}\MpKsl7852c6c9.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\5641C29B.sys
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2017.12.15.06
  rootkit: v2017.10.14.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffaf8fefa78060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffaf8fed7ca9d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffaf8fefa78060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffaf8fed7cbb10, DeviceName: Unknown, DriverName: \Driver\hpdskflt\
DevicePointer: 0xffffaf8fec5d9520, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffaf8feb9ff060, DeviceName: \Device\0000002f\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7DD9B68E
 
GPT Protective MBR Partition information:
 
    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
GPT Partition information:
 
    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 11443759
    GPT Header CurrentLba = 1 BackupLba 1953525167
    GPT Header FirstUsableLba 34  LastUsableLba 1953525134
    GPT Header Guid ba73b25b-2b1c-4539-a4dc-c8c17af8d8dd
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128
 
    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 11443759
    Backup GPT header CurrentLba = 1953525167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 1953525134
    Backup GPT header Guid ba73b25b-2b1c-4539-a4dc-c8c17af8d8dd
    Backup GPT header Contains 128 partition entries starting at LBA 1953525135
    Backup GPT header Partition entry size = 128
 
    Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 2e47b288-8b61-4f8e-9439-f6e04eecdd4a
    FirstLBA 2048  Last LBA 534527
    Attributes 0
    Partition Name                 EFI system partition
 
    GPT Partition 0 is bootable
    Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID b65b5cc2-bbde-43b4-8eca-8ec3338b8ee
    FirstLBA 534528  Last LBA 796671
    Attributes 0
    Partition Name         Microsoft reserved partition
 
    Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID efd180a5-14d1-4386-b5cc-b324bc946ff2
    FirstLBA 796672  Last LBA 1896264908
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 3 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 23913fc3-1162-4b8c-bbeb-c5d252cf48aa
    FirstLBA 1896265728  Last LBA 1899888639
    Attributes 1
    Partition Name                                     
 
    Partition 4 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 27067da9-ea5-4cd7-9fe5-9bd5fc9c5d9
    FirstLBA 1899888640  Last LBA 1953517567
    Attributes 1
    Partition Name                 Basic data partition
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Done!
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-8242577E12D2BFAA9F1FD067FB38279779EB23F3.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-8242577E12D2BFAA9F1FD067FB38279779EB23F3.bin.7C" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-8242577E12D2BFAA9F1FD067FB38279779EB23F3.bin.83" is compressed (flags = 1)
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.125.16299.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 6360936448, free: 3080937472
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.125.16299.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 6360936448, free: 2949525504
 
Downloaded database version: v2017.12.30.04
Downloaded database version: v2017.11.28.01
=======================================
Initializing...
Driver version: 4.3.0.15
------------ Kernel report ------------
     12/30/2017 11:31:11
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kd.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\System32\drivers\msrpc.sys
\SystemRoot\System32\drivers\ksecdd.sys
\SystemRoot\System32\drivers\werkernel.sys
\SystemRoot\System32\drivers\CLFS.SYS
\SystemRoot\System32\drivers\tm.sys
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\System32\drivers\FLTMGR.SYS
\SystemRoot\System32\drivers\clipsp.sys
\SystemRoot\System32\drivers\cmimcext.sys
\SystemRoot\System32\drivers\ntosext.sys
\SystemRoot\system32\CI.dll
\SystemRoot\System32\drivers\cng.sys
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\WppRecorder.sys
\SystemRoot\system32\drivers\SleepStudyHelper.sys
\SystemRoot\System32\Drivers\acpiex.sys
\SystemRoot\System32\drivers\ACPI.sys
\SystemRoot\System32\drivers\WMILIB.SYS
\SystemRoot\System32\drivers\msisadrv.sys
\SystemRoot\System32\drivers\pci.sys
\SystemRoot\System32\drivers\tpm.sys
\SystemRoot\System32\drivers\intelpep.sys
\SystemRoot\system32\drivers\WindowsTrustedRT.sys
\SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\drivers\vdrvroot.sys
\SystemRoot\system32\drivers\pdc.sys
\SystemRoot\system32\drivers\CEA.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\System32\drivers\spaceport.sys
\SystemRoot\System32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\System32\drivers\iaStorA.sys
\SystemRoot\System32\drivers\storport.sys
\SystemRoot\System32\drivers\EhStorClass.sys
\SystemRoot\System32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Wof.sys
\SystemRoot\System32\Drivers\NTFS.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\drivers\wfplwfs.sys
\SystemRoot\system32\DRIVERS\hpdskflt.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\System32\drivers\volume.sys
\SystemRoot\System32\drivers\volsnap.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iorate.sys
\SystemRoot\System32\drivers\IntelPcc.sys
\SystemRoot\System32\drivers\disk.sys
\SystemRoot\System32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\drivers\cdrom.sys
\SystemRoot\system32\drivers\filecrypt.sys
\SystemRoot\system32\drivers\tbs.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\BasicDisplay.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\vmbkmclr.sys
\SystemRoot\System32\drivers\BasicRender.sys
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\drivers\vwififlt.sys
\SystemRoot\System32\drivers\pacer.sys
\SystemRoot\system32\drivers\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\drivers\npsvctrig.sys
\SystemRoot\System32\drivers\mssmbios.sys
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0A0B32D9-A750-4094-B9DB-7108CFACD085}\MpKsl0ed38cac.sys
\SystemRoot\System32\drivers\gpuenergydrv.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\bam.sys
\SystemRoot\system32\DRIVERS\ahcache.sys
\SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_9c1fb8f4db31c348\CompositeBus.sys
\SystemRoot\System32\drivers\kdnic.sys
\SystemRoot\System32\drivers\umbus.sys
\SystemRoot\System32\drivers\CAD.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\System32\drivers\HDAudBus.sys
\SystemRoot\System32\drivers\portcls.sys
\SystemRoot\System32\drivers\drmk.sys
\SystemRoot\System32\drivers\ks.sys
\SystemRoot\System32\drivers\dptf_cpu.sys
\SystemRoot\System32\drivers\USBXHCI.SYS
\SystemRoot\system32\drivers\ucx01000.sys
\SystemRoot\System32\drivers\TeeDriverW8x64.sys
\SystemRoot\System32\drivers\rtwlane.sys
\SystemRoot\system32\DRIVERS\wdiwifi.sys
\SystemRoot\System32\drivers\vwifibus.sys
\SystemRoot\System32\drivers\rt640x64.sys
\SystemRoot\System32\drivers\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\kbdclass.sys
\SystemRoot\System32\drivers\mouclass.sys
\SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys
\SystemRoot\system32\DRIVERS\Accelerometer.sys
\SystemRoot\System32\drivers\WirelessButtonDriver64.sys
\SystemRoot\System32\drivers\HIDCLASS.SYS
\SystemRoot\System32\drivers\CmBatt.sys
\SystemRoot\System32\drivers\BATTC.SYS
\SystemRoot\System32\drivers\intelppm.sys
\SystemRoot\System32\drivers\acpipagr.sys
\SystemRoot\System32\drivers\wmiacpi.sys
\SystemRoot\System32\drivers\UEFI.sys
\SystemRoot\System32\drivers\NdisVirtualBus.sys
\SystemRoot\System32\drivers\swenum.sys
\SystemRoot\System32\drivers\rdpbus.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\drivers\UsbHub3.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\System32\drivers\hidusb.sys
\SystemRoot\System32\drivers\mouhid.sys
\SystemRoot\System32\drivers\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\win32kfull.sys
\SystemRoot\System32\win32kbase.sys
\SystemRoot\System32\drivers\dxgmms2.sys
\SystemRoot\System32\drivers\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\esif_lf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\mmcss.sys
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\wcifs.sys
\SystemRoot\system32\drivers\cldflt.sys
\SystemRoot\system32\drivers\storqosflt.sys
\SystemRoot\system32\drivers\lltdio.sys
\SystemRoot\system32\drivers\mslldp.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\rspndr.sys
\SystemRoot\system32\drivers\ndisuio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\System32\drivers\condrv.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\drivers\vwifimp.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\drivers\Ndu.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\rassstp.sys
\SystemRoot\System32\DRIVERS\NDProxy.sys
\SystemRoot\System32\drivers\AgileVpn.sys
\SystemRoot\System32\drivers\rasl2tp.sys
\SystemRoot\System32\drivers\raspptp.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\drivers\ndiswan.sys
\SystemRoot\System32\drivers\WSDPrint.sys
\SystemRoot\system32\DRIVERS\WSDScan.sys
\SystemRoot\System32\drivers\tunnel.sys
\SystemRoot\system32\drivers\wd\WdFilter.sys
\SystemRoot\system32\drivers\wd\WdNisDrv.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\13349241.sys
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2017.12.30.04
  rootkit: v2017.10.14.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffcc03d9777060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffcc03d73f09d0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffcc03d9777060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffcc03d73f1b10, DeviceName: Unknown, DriverName: \Driver\hpdskflt\
DevicePointer: 0xffffcc03d6cb8900, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffcc03d6cb4060, DeviceName: \Device\0000002f\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
This drive is a GPT Drive.
MBR Signature: 55AA
Disk Signature: 7DD9B68E
 
GPT Protective MBR Partition information:
 
    Partition 0 type is EFI-GPT (0xee)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1  Numsec = 4294967295
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
GPT Partition information:
 
    GPT Header Signature 4546492050415254
    GPT Header Revision 65536 Size 92 CRC 11443759
    GPT Header CurrentLba = 1 BackupLba 1953525167
    GPT Header FirstUsableLba 34  LastUsableLba 1953525134
    GPT Header Guid ba73b25b-2b1c-4539-a4dc-c8c17af8d8dd
    GPT Header Contains 128 partition entries starting at LBA 2
    GPT Header Partition entry size = 128
 
    Backup GPT header Signature 4546492050415254
    Backup GPT header Revision 65536 Size 92 CRC 11443759
    Backup GPT header CurrentLba = 1953525167 BackupLba 1
    Backup GPT header FirstUsableLba 34  LastUsableLba 1953525134
    Backup GPT header Guid ba73b25b-2b1c-4539-a4dc-c8c17af8d8dd
    Backup GPT header Contains 128 partition entries starting at LBA 1953525135
    Backup GPT header Partition entry size = 128
 
    Partition 0 Type c12a7328-f81f-11d2-ba4b-0a0c93ec93b
    Partition ID 2e47b288-8b61-4f8e-9439-f6e04eecdd4a
    FirstLBA 2048  Last LBA 534527
    Attributes 0
    Partition Name                 EFI system partition
 
    GPT Partition 0 is bootable
    Partition 1 Type e3c9e316-b5c-4db8-817d-f92df0215ae
    Partition ID b65b5cc2-bbde-43b4-8eca-8ec3338b8ee
    FirstLBA 534528  Last LBA 796671
    Attributes 0
    Partition Name         Microsoft reserved partition
 
    Partition 2 Type ebd0a0a2-b9e5-4433-87c0-68b6b72699c7
    Partition ID efd180a5-14d1-4386-b5cc-b324bc946ff2
    FirstLBA 796672  Last LBA 1896264908
    Attributes 0
    Partition Name                 Basic data partition
 
    Partition 3 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 23913fc3-1162-4b8c-bbeb-c5d252cf48aa
    FirstLBA 1896265728  Last LBA 1899888639
    Attributes 1
    Partition Name                                     
 
    Partition 4 Type de94bba4-6d1-4d40-a16a-bfd5179d6ac
    Partition ID 27067da9-ea5-4cd7-9fe5-9bd5fc9c5d9
    FirstLBA 1899888640  Last LBA 1953517567
    Attributes 1
    Partition Name                 Basic data partition
 
Disk Size: 1000204886016 bytes
Sector size: 512 bytes
 
Done!
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-F11ED7115BA96055111F21F82123D7BA4F0E74B9.bin.83" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-F11ED7115BA96055111F21F82123D7BA4F0E74B9.bin.79" is compressed (flags = 1)
File "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-F11ED7115BA96055111F21F82123D7BA4F0E74B9.bin.7C" is compressed (flags = 1)
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.10.3.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 10.0.9200 Windows 10 x64
 
Account is Administrative
 
Internet Explorer version: 11.125.16299.0
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.195000 GHz
Memory total: 6360936448, free: 2868912128
 
 
(RERUN RKILL)
 
Rkill 2.9.1 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 12/30/2017 12:28:19 PM in x64 mode.
Windows Version: Windows 10 Home 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 12/30/2017 12:30:26 PM
Execution time: 0 hours(s), 2 minute(s), and 7 seconds(s)
 
 
 
ESET found no malware and no report was generated.
 
 
TFC cleaned up, rebooted and no report file was generated. 
 
 

This concludes what you have asked me to do so far. 



#7 Unworn_Kilt

Unworn_Kilt

  • Members
  • 237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:10:11 PM

Posted 31 December 2017 - 06:05 AM

Hello,

 

Thank you for getting those results to me. 

 

I'll have a look over them as soon as possible.

 

It could take me a day or two as I am experiencing network outages here in Australia. My apologies.

 

Your system, at a glance, looks reasonably clean, but I need to look over things more thoroughly.

 

Thanks for your patience.

 

Regards,

 

 

Kilt   :thumbup2: 


PLEASE NOTE

 

I am only a Standard Member,  NOT a Trained Malware Removal Expert. If you have ANY concerns regarding any advice I may give, please contact a Member of Staff before making changes.

 

Thanks!

 

 

** Walk Softly and Carry a Big Stick **

 

 

 





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users