Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

brocoiner miner found


  • This topic is locked This topic is locked
3 replies to this topic

#1 tns1

tns1

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 01 January 2018 - 03:43 PM

This network PC had a brocoiner miner trojan that msse found & cleaned. Looking further:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01.01.2018
Ran by T (administrator) on S7010-7U (01-01-2018 12:26:20)
Running from C:\Users\T\Desktop
Loaded Profiles: T (Available Profiles: T & S & Administrator)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe [2908888 2013-08-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163800 2016-07-30] (IvoSoft)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [290688 2012-10-24] (Intel Corporation)
HKLM\...\Policies\Explorer: [EnableQuickReboot] 1
HKU\S-1-5-21-985333384-1090755428-1817767589-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\_GoldFish.scr [1995264 2006-10-04] (MRT www.Win2Farsi.com)
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk [2017-06-23]
ShortcutTarget: TP-LINK Wireless Configuration Utility.lnk -> C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe ()
Startup: C:\Users\S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-12-30]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{15C7F5EB-74AF-420F-8AB0-AEE6272E45D0}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{2A5A459F-57FD-41E2-B513-4FE4C382F8ED}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{441E8077-EDC8-4563-8984-B0DCE9DCEF2E}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A45F2E88-A792-4035-A9FB-4199616D3031}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2017-09-12] (Microsoft Corporation)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2014-01-23] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2017-02-23] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2017-08-24] (Microsoft Corporation)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2014-01-21] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2017-02-23] (Microsoft Corporation)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2017-08-15] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 7pqhsf3e.default
FF ProfilePath: C:\Users\T\AppData\Roaming\Mozilla\Firefox\Profiles\7pqhsf3e.default [2018-01-01]
FF Homepage: Mozilla\Firefox\Profiles\7pqhsf3e.default -> www.yahoo.com
FF Session Restore: Mozilla\Firefox\Profiles\7pqhsf3e.default -> is enabled.
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_126.dll [2017-12-16] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_126.dll [2017-12-16] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-19] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL [2014-01-21] (Microsoft Corporation)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-02-17] (SUPERAntiSpyware.com)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [329192 2016-06-02] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2016-06-24] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2191832 2013-08-15] (Realtek Semiconductor Corp.)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2018-01-01] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [110016 2018-01-01] (Malwarebytes)
R3 MBAMProtection; C:\Windows\System32\DRIVERS\mbam.sys [46008 2018-01-01] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-01] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [84256 2018-01-01] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
S3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [4620040 2016-01-04] (Realtek Semiconductor Corporation )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-01 12:26 - 2018-01-01 12:27 - 000009913 _____ C:\Users\T\Desktop\FRST.txt
2018-01-01 12:26 - 2018-01-01 12:26 - 000000000 ____D C:\FRST
2018-01-01 12:25 - 2018-01-01 12:25 - 000001850 _____ C:\Users\T\Desktop\JRT.txt
2018-01-01 11:58 - 2018-01-01 12:17 - 000000000 ____D C:\AdwCleaner
2018-01-01 11:34 - 2018-01-01 12:22 - 000003188 _____ C:\Users\T\Desktop\Rkill.txt
2018-01-01 11:34 - 2018-01-01 12:19 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-01-01 11:34 - 2018-01-01 12:19 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-01-01 11:34 - 2018-01-01 12:19 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-01-01 11:34 - 2018-01-01 11:34 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-01-01 11:34 - 2018-01-01 11:34 - 000001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-01 11:34 - 2018-01-01 11:34 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-01 11:34 - 2018-01-01 11:34 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-01 11:34 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-01-01 11:33 - 2018-01-01 11:33 - 000000000 ____D C:\ProgramData\MB2Migration
2018-01-01 11:32 - 2018-01-01 11:32 - 002393088 _____ (Farbar) C:\Users\T\Desktop\FRST64.exe
2018-01-01 11:31 - 2018-01-01 11:31 - 008198432 _____ (Malwarebytes) C:\Users\T\Desktop\AdwCleaner.exe
2018-01-01 11:31 - 2018-01-01 11:31 - 001792640 _____ (Bleeping Computer, LLC) C:\Users\T\Desktop\rkill.exe
2018-01-01 11:31 - 2018-01-01 11:31 - 001790024 _____ (Malwarebytes) C:\Users\T\Desktop\JRT.exe
2017-12-20 19:48 - 2017-12-20 19:51 - 000000000 ____D C:\Users\S\Desktop\puzzle board
2017-12-13 08:19 - 2017-11-16 20:23 - 003222528 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-12-13 08:19 - 2017-11-14 17:27 - 000395968 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-12-13 08:19 - 2017-11-14 16:36 - 000347336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-12-13 08:19 - 2017-11-13 19:57 - 025731072 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-12-13 08:19 - 2017-11-13 19:43 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2017-12-13 08:19 - 2017-11-13 19:43 - 000004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2017-12-13 08:19 - 2017-11-13 19:32 - 002903552 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-12-13 08:19 - 2017-11-13 19:31 - 000066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2017-12-13 08:19 - 2017-11-13 19:31 - 000048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2017-12-13 08:19 - 2017-11-13 19:30 - 000577024 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-12-13 08:19 - 2017-11-13 19:30 - 000417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2017-12-13 08:19 - 2017-11-13 19:30 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-12-13 08:19 - 2017-11-13 19:25 - 005925888 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-12-13 08:19 - 2017-11-13 19:24 - 000054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2017-12-13 08:19 - 2017-11-13 19:24 - 000034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2017-12-13 08:19 - 2017-11-13 19:21 - 000615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2017-12-13 08:19 - 2017-11-13 19:20 - 000817152 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-12-13 08:19 - 2017-11-13 19:20 - 000814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2017-12-13 08:19 - 2017-11-13 19:20 - 000144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2017-12-13 08:19 - 2017-11-13 19:20 - 000116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2017-12-13 08:19 - 2017-11-13 19:15 - 000968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2017-12-13 08:19 - 2017-11-13 19:12 - 000489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2017-12-13 08:19 - 2017-11-13 19:06 - 000087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2017-12-13 08:19 - 2017-11-13 19:06 - 000077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2017-12-13 08:19 - 2017-11-13 19:05 - 000107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2017-12-13 08:19 - 2017-11-13 19:03 - 000199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2017-12-13 08:19 - 2017-11-13 19:02 - 000092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-12-13 08:19 - 2017-11-13 19:00 - 000315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-12-13 08:19 - 2017-11-13 18:59 - 000152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2017-12-13 08:19 - 2017-11-13 18:51 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-12-13 08:19 - 2017-11-13 18:48 - 015267328 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-12-13 08:19 - 2017-11-13 18:48 - 000807936 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-12-13 08:19 - 2017-11-13 18:48 - 000726528 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-12-13 08:19 - 2017-11-13 18:47 - 001359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2017-12-13 08:19 - 2017-11-13 18:46 - 002134528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-12-13 08:19 - 2017-11-13 18:39 - 003241472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-12-13 08:19 - 2017-11-13 18:27 - 001544192 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-12-13 08:19 - 2017-11-13 18:16 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-12-13 08:19 - 2017-11-13 17:37 - 013679616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-12-13 08:19 - 2017-11-13 17:15 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2017-12-13 08:19 - 2017-11-13 17:15 - 000279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-12-13 08:19 - 2017-11-13 17:15 - 000076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-12-13 08:19 - 2017-11-13 17:10 - 020269056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-12-13 08:19 - 2017-11-13 16:32 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-12-13 08:19 - 2017-11-13 16:31 - 000064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-12-13 08:19 - 2017-11-07 12:56 - 002724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2017-12-13 08:19 - 2017-11-07 12:46 - 000341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2017-12-13 08:19 - 2017-11-07 12:46 - 000062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2017-12-13 08:19 - 2017-11-07 12:46 - 000047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2017-12-13 08:19 - 2017-11-07 12:44 - 002293760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-12-13 08:19 - 2017-11-07 12:41 - 000047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2017-12-13 08:19 - 2017-11-07 12:41 - 000030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2017-12-13 08:19 - 2017-11-07 12:40 - 000476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2017-12-13 08:19 - 2017-11-07 12:39 - 000662016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-12-13 08:19 - 2017-11-07 12:38 - 000620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2017-12-13 08:19 - 2017-11-07 12:38 - 000115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2017-12-13 08:19 - 2017-11-07 12:29 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-12-13 08:19 - 2017-11-07 12:28 - 000091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2017-12-13 08:19 - 2017-11-07 12:28 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2017-12-13 08:19 - 2017-11-07 12:27 - 004509696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-12-13 08:19 - 2017-11-07 12:26 - 000168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2017-12-13 08:19 - 2017-11-07 12:24 - 000130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2017-12-13 08:19 - 2017-11-07 12:19 - 000230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-12-13 08:19 - 2017-11-07 12:18 - 000694272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-12-13 08:19 - 2017-11-07 12:17 - 002058752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-12-13 08:19 - 2017-11-07 12:17 - 001155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2017-12-13 08:19 - 2017-11-07 12:04 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-12-13 08:19 - 2017-11-07 12:01 - 001313280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-12-13 08:19 - 2017-11-07 11:58 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-12-13 08:19 - 2017-11-07 08:31 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-12-13 08:19 - 2017-11-07 08:13 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-12-13 08:19 - 2017-11-04 07:31 - 000194048 _____ (Microsoft Corporation) C:\Windows\system32\itircl.dll
2017-12-13 08:19 - 2017-11-04 07:31 - 000170496 _____ (Microsoft Corporation) C:\Windows\system32\itss.dll
2017-12-13 08:19 - 2017-11-04 07:10 - 000158720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itircl.dll
2017-12-13 08:19 - 2017-11-04 07:10 - 000142336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itss.dll
2017-12-13 08:19 - 2017-11-02 08:55 - 000281600 _____ (Microsoft Corporation) C:\Windows\system32\iprtrmgr.dll
2017-12-13 08:19 - 2017-11-02 08:55 - 000138240 _____ (Microsoft Corporation) C:\Windows\system32\rtm.dll
2017-12-13 08:19 - 2017-11-02 08:55 - 000097792 _____ (Microsoft Corporation) C:\Windows\system32\mprdim.dll
2017-12-13 08:19 - 2017-11-02 08:55 - 000009728 _____ (Microsoft Corporation) C:\Windows\system32\iprtprio.dll
2017-12-13 08:19 - 2017-11-02 07:11 - 000271360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iprtrmgr.dll
2017-12-13 08:19 - 2017-11-02 07:11 - 000115200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rtm.dll
2017-12-13 08:19 - 2017-11-02 07:11 - 000075264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mprdim.dll
2017-12-13 08:19 - 2017-11-02 06:56 - 000008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iprtprio.dll
2017-12-13 08:19 - 2017-10-16 15:04 - 001001984 _____ (Microsoft Corporation) C:\Windows\system32\gpedit.dll
2017-12-13 08:19 - 2017-10-16 14:46 - 000953344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpedit.dll
2017-12-13 08:19 - 2017-10-11 16:20 - 000317440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-01 12:25 - 2009-07-13 21:13 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-01 12:25 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2018-01-01 12:22 - 2016-12-08 12:39 - 000000000 ____D C:\Users\T\AppData\LocalLow\Mozilla
2018-01-01 12:19 - 2016-06-23 14:06 - 000000000 __SHD C:\Users\T\IntelGraphicsProfiles
2018-01-01 12:19 - 2016-06-23 11:38 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-01-01 12:19 - 2009-07-13 21:08 - 000032602 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2018-01-01 12:19 - 2009-07-13 21:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-01 11:34 - 2016-06-23 11:37 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-01 11:33 - 2009-07-13 20:45 - 000020096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-01 11:33 - 2009-07-13 20:45 - 000020096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-01 11:32 - 2016-06-24 05:42 - 000000000 ____D C:\Users\T\AppData\Local\ClassicShell
2018-01-01 11:25 - 2016-06-16 21:27 - 000000000 _RSHD C:\Office Activation Technologies
2018-01-01 11:15 - 2016-12-01 08:48 - 000000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2018-01-01 11:15 - 2016-06-23 12:44 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-01 11:12 - 2016-06-24 06:50 - 000773912 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2018-01-01 11:05 - 2016-06-24 16:48 - 000000000 ____D C:\Users\S\AppData\Local\ClassicShell
2018-01-01 10:08 - 2016-11-19 09:20 - 000000000 ____D C:\Users\S\AppData\LocalLow\Mozilla
2018-01-01 09:05 - 2016-06-23 14:16 - 000000000 __SHD C:\Users\S\IntelGraphicsProfiles
2017-12-30 19:18 - 2016-11-18 13:15 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-12-19 09:38 - 2016-11-14 20:16 - 000000000 ____D C:\Users\S\Desktop\Now 2
2017-12-17 21:53 - 2017-04-05 20:24 - 000000000 ____D C:\Users\S\Desktop\Kitchen
2017-12-16 11:23 - 2017-08-18 06:31 - 000004324 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-12-16 11:23 - 2016-12-12 18:02 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-12-16 11:23 - 2016-12-12 18:02 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-12-16 11:23 - 2016-12-12 18:02 - 000000000 ____D C:\Windows\system32\Macromed
2017-12-16 11:23 - 2016-12-12 18:01 - 000000000 ____D C:\Users\S\AppData\Local\Adobe
2017-12-16 11:23 - 2016-06-17 00:11 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-12-13 13:45 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\rescache
2017-12-13 13:08 - 2009-07-13 20:45 - 000504800 _____ C:\Windows\system32\FNTCACHE.DAT
2017-12-13 13:06 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\SysWOW64\Setup
2017-12-13 13:06 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\system32\Setup
2017-12-13 08:23 - 2016-06-16 21:25 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2017-12-13 08:22 - 2016-06-16 22:29 - 000000000 ____D C:\Windows\system32\MRT
2017-12-13 08:20 - 2017-10-12 11:15 - 133326408 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2017-12-13 08:20 - 2016-06-16 22:29 - 133326408 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-12-08 08:25 - 2009-07-13 18:34 - 000000478 _____ C:\Windows\win.ini
2017-12-02 21:07 - 2016-06-24 05:57 - 000000426 _____ C:\Windows\BRWMARK.INI

==================== Files in the root of some directories =======

2016-06-17 00:11 - 2001-05-24 11:59 - 000162304 _____ () C:\Program Files (x86)\UNWISE.EXE

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-12-29 00:32

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01.01.2018
Ran by T (01-01-2018 12:27:45)
Running from C:\Users\T\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2016-06-17 05:16:38)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-985333384-1090755428-1817767589-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-985333384-1090755428-1817767589-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-985333384-1090755428-1817767589-1004 - Limited - Enabled)
S (S-1-5-21-985333384-1090755428-1817767589-1002 - Administrator - Enabled) => C:\Users\S
T (S-1-5-21-985333384-1090755428-1817767589-1001 - Administrator - Enabled) => C:\Users\T

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.14 (x64) (HKLM\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.126 - Adobe Systems Incorporated)
Adobe Flash Player ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 9.0.124.0 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 5.19 - Piriform)
Classic Shell (HKLM\...\{383BB30A-B4A7-4666-9A83-22CFA8640097}) (Version: 4.3.0 - IvoSoft)
Data Lifeguard Diagnostic for Windows 1.31 (HKLM-x32\...\{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1) (Version:  - Western Digital Corporation)
Dell System Detect (HKU\S-1-5-21-985333384-1090755428-1817767589-1001\...\58d94f3ce2c27db0) (Version: 7.6.0.4 - Dell)
HD Tune 2.55 (HKLM-x32\...\HD Tune_is1) (Version:  - EFD Software)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.1 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4425 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.6.245 - Intel Corporation)
Intel-SA-00075 Detection and Mitigation Tool 1.0.2.116 (HKLM-x32\...\{35EDB1A1-56A4-4268-8643-142166FCBF39}) (Version: 1.0.2.116 - Intel Corporation)
K-Lite Codec Pack 4.7.0 (Standard) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 4.7.0 - )
LibreOffice 5.1.4.2 (HKLM-x32\...\{D5D4AC5C-C757-4EB2-857C-B021DB22482C}) (Version: 5.1.4.2 - The Document Foundation)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 57.0.3 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.3 (x64 en-US)) (Version: 57.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 57.0.3.6569 - Mozilla)
Mozilla Thunderbird 52.5.2 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 52.5.2 (x86 en-US)) (Version: 52.5.2 - Mozilla)
MRT Windows (HKLM-x32\...\MRT Windows) (Version:  - )
Outils de vérification linguistique 2013 de Microsoft Office - Français (HKLM\...\{90150000-001F-040C-1000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
OverDrive for Windows (HKLM-x32\...\{FF27E73D-C30A-4F32-B2D7-22069F01DDB9}) (Version: 3.6.0 - OverDrive, Inc.)
PDF reDirect (remove only) (HKLM-x32\...\PDF reDirect) (Version: v2.5.2 - EXP Systems LLC)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5985 - Realtek Semiconductor Corp.)
SketchUp 8 (HKLM-x32\...\{8EB62C87-AAA6-4850-A5BC-64155884B973}) (Version: 3.0.16846 - Trimble Navigation Limited)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1230 - SUPERAntiSpyware.com)
TP-LINK TL-WN823N Driver (HKLM-x32\...\{CE194A8D-C8DF-47EB-AB04-5A54CDC1C5BD}) (Version: 1.3.1 - TP-LINK)
TP-LINK Wireless Configuration Utility (HKLM-x32\...\{319D91C6-3D44-436C-9F79-36C0D22372DC}) (Version: 1.3.1 - TP-LINK)
TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
Update for Skype for Business 2015 (KB4011284) 64-Bit Edition (HKLM\...\{90150000-0011-0000-1000-0000000FF1CE}_Office15.PROPLUS_{0CFCD910-8950-4626-80EB-AA0B64A186E8}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB4011284) 64-Bit Edition (HKLM\...\{90150000-00C1-0000-1000-0000000FF1CE}_Office15.PROPLUS_{0CFCD910-8950-4626-80EB-AA0B64A186E8}) (Version:  - Microsoft)
Update for Skype for Business 2015 (KB4011284) 64-Bit Edition (HKLM\...\{90150000-012B-0409-1000-0000000FF1CE}_Office15.PROPLUS_{0CFCD910-8950-4626-80EB-AA0B64A186E8}) (Version:  - Microsoft)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-985333384-1090755428-1817767589-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2015-12-31] (Igor Pavlov)
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2015-12-31] (Igor Pavlov)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2016-06-02] (Intel Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2015-12-31] (Igor Pavlov)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2016-07-30] (IvoSoft)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {041C6467-F5D7-4C35-B2F7-01F871652FCC} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {07E7862A-5044-4F8E-8085-A7396A76B936} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-12-16] (Adobe Systems Incorporated)
Task: {18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfigAndContent
Task: {18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {5148255D-8944-4BD5-9AD3-4AFB99C43A95} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfig
Task: {5148255D-8944-4BD5-9AD3-4AFB99C43A95} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfig
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(2): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshContent
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(3): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {86C6C83E-08C7-4C3A-933C-5D4D360584FE} - System32\Tasks\KMSAutoNet => C:\ProgramData\KMSAutoS\KMSAuto Net.exe
Task: {87D957B0-DABD-4291-976C-6820998239B7} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-06-10] (Piriform Ltd)
Task: {91F8F37F-C4F1-40BF-8F92-F5E16DB83A6F} - System32\Tasks\{EF9774B6-47F2-436C-8F4B-D2767AD311D1} => C:\Windows\system32\pcalua.exe -a C:\PROGRA~2\UNWISE.EXE -c C:\PROGRA~2\INSTALL.LOG
Task: {C1909E30-D895-4EE7-96B7-0297F77B5719} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {DA859CFF-CC44-4064-8529-81C604E808AB} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-11-14] (Microsoft Corporation)
Task: {DBF5ED52-3247-43A7-9DE8-F0902020E7BC} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => Command(1): %windir%\system32\GWX\GWXUXWorker.exe -> /ScheduleUpgradeReminderTime
Task: {DBF5ED52-3247-43A7-9DE8-F0902020E7BC} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {F9AEA1CE-31C6-47A1-8CEF-313B0A657492} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\OatTask => "%Systemdrive%\Office Activation Technologies\Install.cmd"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2010-06-06 06:20 - 2010-06-06 06:20 - 000065344 _____ () C:\Windows\System32\PDFreDirectMon64.dll
2018-01-01 11:34 - 2017-11-29 09:11 - 002358728 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2018-01-01 11:34 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-02-23 07:29 - 2017-02-23 07:29 - 008909512 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-985333384-1090755428-1817767589-1001\...\dell.com -> dell.com

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2017-11-30 08:49 - 000493130 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost
0.0.0.0 fr.a2dfp.net
0.0.0.0 m.fr.a2dfp.net
0.0.0.0 mfr.a2dfp.net
0.0.0.0 ad.a8.net
0.0.0.0 asy.a8ww.net
0.0.0.0 static.a-ads.com
0.0.0.0 abcstats.com
0.0.0.0 a.abv.bg
0.0.0.0 adserver.abv.bg
0.0.0.0 adv.abv.bg
0.0.0.0 bimg.abv.bg
0.0.0.0 ca.abv.bg
0.0.0.0 track.acclaimnetwork.com
0.0.0.0 accuserveadsystem.com
0.0.0.0 www.accuserveadsystem.com
0.0.0.0 achmedia.com
0.0.0.0 csh.actiondesk.com
0.0.0.0 ads.activepower.net
0.0.0.0 ad.activesolutions.cz
0.0.0.0 app.activetrail.com
0.0.0.0 traffic.acwebconnecting.com
0.0.0.0 office.ad1.ru
0.0.0.0 cms.ad2click.nl
0.0.0.0 ad2games.com
0.0.0.0 content.ad20.net
0.0.0.0 core.ad20.net
0.0.0.0 banner.ad.nu
0.0.0.0 adadvisor.net
0.0.0.0 tag1.adaptiveads.com

There are 12989 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-985333384-1090755428-1817767589-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\T\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 0) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{F1C77C94-8828-41E6-944C-AD6D030B811E}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{7F685993-C8E2-43A7-A538-EC67E4571B6A}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{1FCB7ACE-06A5-4FD4-8401-F08BE95EFE88}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{376CBCE2-31E8-41CA-8E1B-F9A593FA4885}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{401C1B2E-37F1-4F31-842C-587C57E7E972}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{58BE2F95-2C6F-4878-BA2F-F258347F1936}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{CDCC9913-BCB0-4C97-99E4-FE353F6C4D94}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{90E7DD7E-259A-4C9A-8FA1-157A31A28885}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{46CF6395-2B6C-4425-9522-98AB68202235}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{6820118A-EFA1-4AE6-98B2-09B0783A22CC}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{A8E77F45-E073-4A21-91B2-720B70454E16}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{08909D1B-2DD4-4C58-9896-C1A83DA630C5}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{354E1260-4F01-4EE5-B493-4755E939670D}] => (Allow) C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\RTLDHCP.exe
FirewallRules: [{42EDFBEC-AB7C-4293-952C-8AC13D9F66AC}] => (Allow) C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\RTLDHCP.exe
FirewallRules: [{80B4D55D-2FC2-420A-A24F-0F89980C2D8E}] => (Allow) C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\RTLDHCP.exe
FirewallRules: [{9FD2B119-7D0D-4B8D-97E0-76C6B16098E4}] => (Allow) C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\RTLDHCP.exe
FirewallRules: [{BF7670AE-5B6C-47CA-BFCE-26BE9F6AFD16}] => (Allow) C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\RTLDHCP.exe
FirewallRules: [{2BF9FF46-5BC6-4154-845E-47F6369B3C51}] => (Allow) C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\RTLDHCP.exe

==================== Restore Points =========================

16-12-2017 08:41:03 Windows Update
20-12-2017 07:53:32 Windows Update
23-12-2017 09:50:27 Windows Update
27-12-2017 09:50:20 Windows Update
30-12-2017 19:31:10 Windows Update
01-01-2018 11:08:23 Windows Update
01-01-2018 11:19:27 Windows Update
01-01-2018 11:20:56 Windows Update
01-01-2018 12:23:40 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/03/2017 07:55:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SearchIndexer.exe, version: 7.0.7601.23914, time stamp: 0x59b2b3bd
Faulting module name: StructuredQuery.dll, version: 7.0.7601.23451, time stamp: 0x573365bb
Exception code: 0xc0000005
Fault offset: 0x000000000003b319
Faulting process id: 0x8d4
Faulting application start time: 0x01d354b8a6c19717
Faulting application path: C:\Windows\system32\SearchIndexer.exe
Faulting module path: C:\Windows\System32\StructuredQuery.dll
Report Id: 703c3b1e-c0af-11e7-967d-b8ca3a95e8f6

Error: (10/31/2017 08:50:16 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/31/2017 10:38:25 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/17/2017 06:42:48 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/16/2017 11:58:40 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/15/2017 05:15:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WINWORD.EXE, version: 15.0.4971.1002, time stamp: 0x59d36e92
Faulting module name: mso.dll, version: 15.0.4569.1506, time stamp: 0x52e0dcca
Exception code: 0xc0000005
Fault offset: 0x000000000068a937
Faulting process id: 0x1368
Faulting application start time: 0x01d346159335c00f
Faulting application path: C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
Faulting module path: C:\Program Files\Common Files\Microsoft Shared\Office15\mso.dll
Report Id: 8fc0d2c7-b20f-11e7-92fc-b8ca3a95e8f6

Error: (10/11/2017 07:53:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WINWORD.EXE, version: 15.0.4971.1000, time stamp: 0x59b79cf1
Faulting module name: mso.dll, version: 15.0.4569.1506, time stamp: 0x52e0dcca
Exception code: 0xc0000005
Fault offset: 0x000000000068a937
Faulting process id: 0x68c
Faulting application start time: 0x01d342b120c78d28
Faulting application path: C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
Faulting module path: C:\Program Files\Common Files\Microsoft Shared\Office15\mso.dll
Report Id: e122fdca-af00-11e7-940c-b8ca3a95e8f6

Error: (08/27/2017 07:53:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program rundll32.exe version 6.1.7601.23755 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d6c

Start Time: 01d31fb121933c86

Termination Time: 0

Application Path: C:\Windows\system32\rundll32.exe

Report Id: 703d55c1-8ba4-11e7-9377-b8ca3a95e8f6

Error: (07/01/2017 12:14:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WINWORD.EXE, version: 15.0.4937.1000, time stamp: 0x591ab1c2
Faulting module name: mso.dll, version: 15.0.4569.1506, time stamp: 0x52e0dcca
Exception code: 0xc0000005
Fault offset: 0x000000000068a937
Faulting process id: 0x1210
Faulting application start time: 0x01d2f2a63769d030
Faulting application path: C:\Program Files\Microsoft Office\Office15\WINWORD.EXE
Faulting module path: C:\Program Files\Common Files\Microsoft Shared\Office15\mso.dll
Report Id: f4cc8de8-5e99-11e7-8e9b-b8ca3a95e8f6

Error: (06/26/2017 07:43:32 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_cbf5e994470a1a8f\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (01/01/2018 12:17:54 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (01/01/2018 12:17:54 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (01/01/2018 12:17:52 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intuit Update Service v4 service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/01/2018 12:17:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (01/01/2018 12:17:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (01/01/2018 12:17:52 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The SAS Core Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (01/01/2018 12:17:52 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® HD Graphics Control Panel Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/01/2018 11:59:41 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (01/01/2018 11:59:40 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (01/01/2018 11:22:02 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070103: Dell Inc. - Bus Controllers and Ports, Display - Dell 1908FP(Analog).


==================== Memory info ===========================

Processor: Intel® Core™ i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 32%
Total physical RAM: 8078.45 MB
Available physical RAM: 5470.62 MB
Total Virtual: 16155.09 MB
Available Virtual: 13895.93 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.99 GB) (Free:174.62 GB) NTFS
Drive d: (CA Landlord Rights CD) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: A718B14A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:14 AM

Posted 02 January 2018 - 09:08 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.
Please copy the entire contents of the code box below to the a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfigAndContent
Task: {18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {5148255D-8944-4BD5-9AD3-4AFB99C43A95} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfig
Task: {5148255D-8944-4BD5-9AD3-4AFB99C43A95} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfig
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(2): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshContent
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(3): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {DBF5ED52-3247-43A7-9DE8-F0902020E7BC} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => Command(1): %windir%\system32\GWX\GWXUXWorker.exe -> /ScheduleUpgradeReminderTime
Task: {DBF5ED52-3247-43A7-9DE8-F0902020E7BC} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)

C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime
C:\Windows\system32\GWX

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Any remaining issues with this computer?

#3 tns1

tns1
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 02 January 2018 - 11:02 AM

Not having any obvious issues, thanks.

 

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by T (02-01-2018 07:33:06) Run:1
Running from C:\Users\T\Desktop
Loaded Profiles: T (Available Profiles: T & S & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfigAndContent
Task: {18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {5148255D-8944-4BD5-9AD3-4AFB99C43A95} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfig
Task: {5148255D-8944-4BD5-9AD3-4AFB99C43A95} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(1): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshConfig
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(2): %windir%\system32\GWX\GWXConfigManager.exe -> /RefreshContent
Task: {59EC2727-57D8-4E31-891F-09BD5769AE81} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(3): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)
Task: {DBF5ED52-3247-43A7-9DE8-F0902020E7BC} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => Command(1): %windir%\system32\GWX\GWXUXWorker.exe -> /ScheduleUpgradeReminderTime
Task: {DBF5ED52-3247-43A7-9DE8-F0902020E7BC} - C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => Command(2): C:\Windows\system32\GWX\GWXDetector.exe [2016-05-20] (Microsoft Corporation)

C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime
C:\Windows\system32\GWX

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => removed successfully
"HKLM\System\CurrentControlSet\Services\Synth3dVsc" => removed successfully
Synth3dVsc => service removed successfully
"HKLM\System\CurrentControlSet\Services\tsusbhub" => removed successfully
tsusbhub => service removed successfully
"HKLM\System\CurrentControlSet\Services\VGPU" => removed successfully
VGPU => service removed successfully
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => Command(1): %windir%\system32\GWX\GWXConfigManager.exe" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{18BB7C8B-AC1B-4C34-BFA3-F01FDA16F5FA} => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5148255D-8944-4BD5-9AD3-4AFB99C43A95}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5148255D-8944-4BD5-9AD3-4AFB99C43A95}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => Command(1): %windir%\system32\GWX\GWXConfigManager.exe" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5148255D-8944-4BD5-9AD3-4AFB99C43A95} => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{59EC2727-57D8-4E31-891F-09BD5769AE81}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{59EC2727-57D8-4E31-891F-09BD5769AE81}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(1): %windir%\system32\GWX\GWXConfigManager.exe" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{59EC2727-57D8-4E31-891F-09BD5769AE81} => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => Command(2): %windir%\system32\GWX\GWXConfigManager.exe" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{59EC2727-57D8-4E31-891F-09BD5769AE81} => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DBF5ED52-3247-43A7-9DE8-F0902020E7BC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DBF5ED52-3247-43A7-9DE8-F0902020E7BC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\TreeC:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => Command(1): %windir%\system32\GWX\GWXUXWorker.exe" => not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DBF5ED52-3247-43A7-9DE8-F0902020E7BC} => key not found
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => moved successfully
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => moved successfully
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => moved successfully
C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => moved successfully
"C:\Windows\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime" => not found
C:\Windows\system32\GWX => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14215338 B
Java, Flash, Steam htmlcache => 1738 B
Windows/system/drivers => 559889098 B
Edge => 0 B
Chrome => 0 B
Firefox => 34696008 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 3962940 B
T => 11276959 B
S => 6688270 B
Administrator => 86342411 B

RecycleBin => 17471664 B
EmptyTemp: => 700.5 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 07:33:54 ====



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:14 AM

Posted 02 January 2018 - 02:18 PM

Hi,

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users