
Computer freezes, cannot run any antivirus programs.


81 replies to this topic

#1 JDRNole


Posted 16 February 2018 - 06:31 PM

Hello everyone,

 

I looked at many topics before posting and didn't see any that looked quite like my issue, so I decided to post.

 

Background: I have a computer that was built by me about 7 years ago on a budget. It is a home desktop used for the internet and gaming, but I had not used it for gaming for about 4 years until about 6 months ago. I have recently been preparing to complete some upgrades to make it a better gaming machine. Somehow, in one of the upgrades (or maybe on one of the sites I was researching for my upgrades), my computer became infected. It started 3 days ago.

 

The Infection: I walked away from my computer, and when I came back the screen was black and asking for a boot disk. No matter what button I pressed, it kept sending this text, so I had to do a hard reboot. When it came back up, it booted normally but freezes after 2 to 3 minutes. Also, any antivirus program (or any program in general) freezes. I primarily use Windows Defender, but when it began freezing I downloaded Malwarebytes, which also freezes. I tried to run Windows Defender Offline and it freezes, so I tried running Windows Defender Offline from a flash drive and I get an error (Error: Unable to detect a Windows system drive... Error Code: 0x8004cc01).

 

I am currently using my laptop to write this post; I'm not even sure if I can use the desktop.

 

My desktop:

Motherboard: Gigabyte GA-Z77X-UD3H

HD: Sandisk 100GB SSD

Processor: i5-3450 @ 3.10GHz 3.50GHz

Graphics: (not that it matters but...) GeForce GTX 550 Ti

RAM: 16 GB

OS: Windows 10 Pro, version 1709

(Purposely made this computer with no disk drive)

 

Any help would be appreciated.  I haven't even made any of my upgrades yet.



#2 JDRNole


Posted 16 February 2018 - 10:20 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12.02.2018
Ran by jdr50 (administrator) on DESKTOP-3MA08PM (16-02-2018 19:12:55)
Running from C:\Users\jdr50\Downloads
Loaded Profiles: jdr50 (Available Profiles: jdr50)
Platform: Windows 10 Pro Version 1709 16299.192 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Rosetta Stone Ltd.) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
(Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKServer.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(Razer Inc.) C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe
(Skype Technologies) C:\Program Files (x86)\Skype\Updater\Updater.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18011-0\MsMpEng.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18011-0\NisSrv.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\DRScanner\DRScanner.exe
(Microsoft Corporation) C:\Windows\System32\userinit.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8827.21855.0_x64__8wekyb3d8bbwe\HxTsr.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1803.279.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.7\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIMBE.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(© 2015 Microsoft Corporation) C:\Users\jdr50\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(Razer Inc) C:\Program Files (x86)\Razer\Razer_Kraken71Chroma_Driver\Drivers\SysAudio\Kraken71ChromaHelper.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXSTM.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1812536 2016-08-26] (NVIDIA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [298296 2018-01-22] (Apple Inc.)
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [596640 2017-04-13] (Razer Inc.)
HKLM-x32\...\Run: [Kraken71ChromaHelper] => C:\Program Files (x86)\Razer\Razer_Kraken71Chroma_Driver\Drivers\SysAudio\Kraken71ChromaHelper.exe [1600320 2015-08-12] (Razer Inc)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [653352 2017-03-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [862248 2017-03-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1087184 2016-01-20] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-407501635-1481613626-10938730-1001\...\Run: [GoogleChromeAutoLaunch_A40811CAB23FC3B20FEACC7AC0FF60AB] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1592664 2018-01-03] (Google Inc.)
HKU\S-1-5-21-407501635-1481613626-10938730-1001\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIMBE.EXE [298560 2013-12-16] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-407501635-1481613626-10938730-1001\...\Run: [BingSvc] => C:\Users\jdr50\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-12-13] (© 2015 Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{876ee4e8-cb7d-40ea-85d6-375f775d39f2}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
 
Internet Explorer:
==================
SearchScopes: HKU\S-1-5-21-407501635-1481613626-10938730-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=SK2EDF&PC=SK2E&q={searchTerms}&src=IE-SearchBox
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2017-09-05] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll [2017-08-15] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2017-07-18] (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL [2017-07-18] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-11-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL [2015-11-09] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-10-27] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-10-27] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> msn.com
CHR NewTab: Default ->  Not-active:"chrome-extension://fcfenmboojpjinhpgggodefccipikbpd/newTab.html"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Profile: C:\Users\jdr50\AppData\Local\Google\Chrome\User Data\Default [2018-02-16]
CHR Extension: (Pop up blocker for Chrome™ - Poper Blocker) - C:\Users\jdr50\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkkbcggnhapdmkeljlodobbkopceiche [2017-12-31]
CHR Extension: (Honey) - C:\Users\jdr50\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2018-02-05]
CHR Extension: (Adobe Acrobat) - C:\Users\jdr50\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-11-18]
CHR Extension: (Bing) - C:\Users\jdr50\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2017-11-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\jdr50\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Chrome Media Router) - C:\Users\jdr50\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-28]
CHR HKU\S-1-5-21-407501635-1481613626-10938730-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-01-05] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3058416 2017-09-05] (Microsoft Corporation)
R2 EpsonCustomerResearchParticipation; C:\Program Files\EPSON\EpsonCustomerResearchParticipation\EPCP.exe [676336 2015-06-25] (SEIKO EPSON CORPORATION)
R2 EpsonScanSvc; C:\WINDOWS\system32\EscSvc64.exe [144560 2012-05-16] (Seiko Epson Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 Razer Chroma SDK Server; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKServer.exe [401024 2017-05-08] (Razer Inc.)
R2 Razer Chroma SDK Service; C:\Program Files (x86)\Razer Chroma SDK\bin\RzSDKService.exe [178824 2017-05-08] (Razer Inc.)
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [189264 2016-09-24] ()
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [4329952 2017-12-09] (Microsoft Corporation)
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-09-06] (DEVGURU Co., LTD.)
R2 VIAKaraokeService; C:\WINDOWS\system32\viakaraokesrv.exe [33240 2015-12-09] (VIA Technologies, Inc.)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\NisSrv.exe [356168 2018-01-21] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\MsMpEng.exe [105792 2018-01-21] (Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-06] (Samsung Electronics Co., Ltd.)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253880 2018-02-16] (Malwarebytes)
S3 npf; C:\WINDOWS\System32\drivers\npf.sys [36600 2014-08-18] (Riverbed Technology, Inc.)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nv_ref_pubwu.inf_amd64_2e7fa54192fe16d0\nvlddmkm.sys [16936048 2017-11-09] (NVIDIA Corporation)
R3 rzendpt; C:\WINDOWS\System32\drivers\rzendpt.sys [51736 2016-06-23] (Razer Inc)
S3 rzjstk; C:\WINDOWS\System32\drivers\rzjstk.sys [36568 2015-07-21] (Razer Inc)
S3 rzkeypadendpt; C:\WINDOWS\System32\drivers\rzkeypadendpt.sys [43736 2015-07-21] (Razer Inc)
R2 rzpmgrk; C:\WINDOWS\system32\drivers\rzpmgrk.sys [44144 2016-09-16] (Razer, Inc.)
R2 rzpnk; C:\WINDOWS\system32\drivers\rzpnk.sys [137840 2016-10-07] (Razer, Inc.)
S3 rzvkeyboard; C:\WINDOWS\System32\drivers\rzvkeyboard.sys [42200 2015-07-21] (Razer Inc)
S3 rzvmouse; C:\WINDOWS\System32\drivers\rzvmouse.sys [42200 2015-07-21] (Razer Inc)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-06] (Samsung Electronics Co., Ltd.)
S3 USBAAPL64; C:\WINDOWS\System32\Drivers\usbaapl64.sys [54784 2014-08-15] (Apple, Inc.) [File not signed]
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2018-01-21] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [288848 2018-01-21] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [129616 2018-01-21] (Microsoft Corporation)
S3 xhcdrv; C:\WINDOWS\System32\drivers\xhcdrv.sys [301256 2013-01-02] (VIA Technologies, Inc.)
S1 MpKsl0cdc92fe; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAAC59D8-FC0D-4C05-9E21-0220BF8A28DD}\MpKsl0cdc92fe.sys [X]
S1 MpKsl1c18941e; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAAC59D8-FC0D-4C05-9E21-0220BF8A28DD}\MpKsl1c18941e.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-02-16 19:12 - 2018-02-16 19:13 - 000015028 _____ C:\Users\jdr50\Downloads\FRST.txt
2018-02-16 19:12 - 2018-02-16 19:12 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-02-16 19:12 - 2018-02-16 19:12 - 000000000 ____D C:\FRST
2018-02-16 19:08 - 2018-02-16 19:08 - 002405376 _____ (Farbar) C:\Users\jdr50\Downloads\FRST64.exe
2018-02-16 14:59 - 2018-02-16 14:59 - 000000000 ___HD C:\OneDriveTemp
2018-02-11 15:52 - 2018-02-16 19:12 - 000253880 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2018-02-11 15:52 - 2018-02-11 16:37 - 000002089 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-02-11 15:52 - 2018-02-11 15:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-02-11 15:52 - 2018-02-11 15:52 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-02-11 15:52 - 2017-11-29 09:11 - 000077432 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2018-02-11 15:51 - 2018-02-11 15:51 - 067136752 _____ (Malwarebytes ) C:\Users\jdr50\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3917.exe
2018-02-05 19:51 - 2018-02-05 19:51 - 000001816 _____ C:\Users\Public\Desktop\iTunes.lnk
2018-02-05 19:51 - 2018-02-05 19:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2018-02-05 19:51 - 2018-02-05 19:51 - 000000000 ____D C:\Program Files\iTunes
2018-02-05 19:51 - 2018-02-05 19:51 - 000000000 ____D C:\Program Files\iPod
2018-02-05 19:45 - 2018-02-05 19:45 - 000000000 ____D C:\WINDOWS\System32\Tasks\Apple
2018-02-05 19:45 - 2018-02-05 19:45 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-02-16 19:12 - 2017-12-09 15:52 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-02-16 19:12 - 2017-12-09 15:46 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-02-16 19:12 - 2016-09-21 17:16 - 000000000 ____D C:\ProgramData\NVIDIA
2018-02-16 19:12 - 2015-11-09 10:02 - 000000000 ___RD C:\Users\jdr50\OneDrive
2018-02-16 19:06 - 2017-12-09 15:48 - 000000000 ____D C:\Users\jdr50
2018-02-16 14:30 - 2017-09-29 00:45 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2018-02-16 14:01 - 2017-12-09 15:52 - 000004562 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2018-02-11 16:37 - 2016-09-17 15:38 - 000750694 _____ C:\WINDOWS\ntbtlog.txt
2018-02-11 16:36 - 2016-09-17 15:38 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2018-02-11 15:52 - 2017-08-27 20:20 - 000000000 ____D C:\Program Files\Malwarebytes
2018-02-11 02:42 - 2017-05-26 20:32 - 000000000 ____D C:\Users\jdr50\AppData\Local\Battle.net
2018-02-10 10:04 - 2017-09-29 05:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-02-10 10:03 - 2017-09-29 05:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-02-10 10:03 - 2017-09-29 05:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-02-06 18:48 - 2017-12-09 15:54 - 001082332 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-02-06 18:46 - 2017-09-29 05:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-02-05 19:45 - 2016-05-09 16:47 - 000002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2018-02-05 18:49 - 2017-09-29 05:49 - 000835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2018-02-05 18:49 - 2017-09-29 05:49 - 000177648 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2018-01-29 22:02 - 2017-12-09 15:52 - 000003372 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-407501635-1481613626-10938730-1001
2018-01-29 22:02 - 2015-11-09 10:02 - 000002359 _____ C:\Users\jdr50\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-01-25 18:18 - 2015-11-09 10:34 - 000548000 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
 
Some files in TEMP:
====================
2018-02-11 15:03 - 2018-02-16 19:12 - 000619840 _____ () C:\Users\jdr50\AppData\Local\Temp\0Kraken71ChromaDevProps.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-02-10 10:29
 


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12.02.2018
Ran by jdr50 (16-02-2018 19:13:31)
Running from C:\Users\jdr50\Downloads
Windows 10 Pro Version 1709 16299.192 (X64) (2017-12-09 23:53:32)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-407501635-1481613626-10938730-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-407501635-1481613626-10938730-503 - Limited - Disabled)
Guest (S-1-5-21-407501635-1481613626-10938730-501 - Limited - Disabled)
jdr50 (S-1-5-21-407501635-1481613626-10938730-1001 - Administrator - Enabled) => C:\Users\jdr50
WDAGUtilityAccount (S-1-5-21-407501635-1481613626-10938730-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-407501635-1481613626-10938730-1001\...\uTorrent) (Version: 3.5.1.44332 - BitTorrent Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{D4C80B0C-CF67-43A7-90C3-466853543B54}) (Version: 6.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{B2A2E8AF-BC48-4191-B2C4-3846A19835CA}) (Version: 6.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{AA7D90D2-2387-4FA5-A3AF-96811BE49BFD}) (Version: 11.0.5.14 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{19589375-5C58-4AFA-842F-8B34744CCEAD}) (Version: 2.5.0.1 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Discord (HKU\S-1-5-21-407501635-1481613626-10938730-1001\...\Discord) (Version: 0.0.297 - Hammer & Chisel, Inc.)
Epson Customer Research Participation (HKLM\...\{B26449A6-6007-4460-B4FE-C4776115BCEA}) (Version: 1.80.0000 - Seiko Epson Corporation)
Epson Event Manager (HKLM-x32\...\{9F205E94-9E42-4486-A92A-DF3F6CB85444}) (Version: 3.10.0061 - Seiko Epson Corporation)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 2.04.00 - Seiko Epson Corporation)
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - Seiko Epson Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
Epson Software Updater (HKLM-x32\...\{B55DB65D-EF6E-4E04-89D5-B03603BF681B}) (Version: 4.4.5 - SEIKO EPSON CORPORATION)
EPSON WF-2650 Series Printer Uninstall (HKLM\...\EPSON WF-2650 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM\...\{15A0F113-BF2C-4C12-8AA8-42AE0D9AE1C9}) (Version: 3.1.2.0 - SEIKO EPSON Corporation)
Gear IconX (HKLM-x32\...\Gear IconX) (Version: 1.0.160920.51 - Samsung Electronics Co, Ltd.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
Heroes of the Storm (HKLM-x32\...\Heroes of the Storm) (Version:  - Blizzard Entertainment)
HouseCall for Home Networks (HKLM\...\DRScanner) (Version: 2.0.0.1138 - Trend Micro Inc.)
iTunes (HKLM\...\{1D7D1271-5258-4F5A-B8C1-7176BF398782}) (Version: 12.7.3.46 - Apple Inc.)
League of Legends (HKLM-x32\...\{79BF4901-1EC4-4726-B3C2-A7859706C6E7}) (Version: 3.0.1 - Riot Games) Hidden
League of Legends (HKLM-x32\...\League of Legends 3.0.1) (Version: 3.0.1 - Riot Games)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft Office Professional Plus 2013 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 15.0.4981.1001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-407501635-1481613626-10938730-1001\...\OneDriveSetup.exe) (Version: 17.3.7294.0108 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 (HKLM-x32\...\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 (HKLM-x32\...\{2e085fd2-a3e4-4b39-8e10-6b8d35f55244}) (Version: 14.0.23918.0 - Microsoft Corporation)
NVIDIA 3D Vision Driver 388.13 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 388.13 - NVIDIA Corporation)
NVIDIA Graphics Driver 388.13 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 388.13 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.35.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.35.1 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (HKLM\...\{90150000-008C-0000-1000-0000000FF1CE}) (Version: 15.0.4981.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-007E-0000-1000-0000000FF1CE}) (Version: 15.0.4981.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM\...\{90150000-008C-0409-1000-0000000FF1CE}) (Version: 15.0.4981.1001 - Microsoft Corporation) Hidden
Overwatch (HKLM-x32\...\Overwatch) (Version:  - Blizzard Entertainment)
Razer Chroma SDK Core Components (HKLM-x32\...\Razer Chroma SDK) (Version: 2.2.4 - Razer Inc.)
Razer Synapse (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 2.20.17.413 - Razer Inc.)
Rosetta Stone Language Training (HKLM-x32\...\{00384623-4937-4D7D-BDD9-23513D1C50AB}) (Version: 5.0.37.0 - Rosetta Stone, Ltd)
Rosetta Stone Ltd Services (HKLM-x32\...\{3165E4A6-D5DE-46B0-8597-D55E2B826B84}) (Version: 3.2.21 - Rosetta Stone Ltd.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.62.0 - Samsung Electronics Co., Ltd.)
Skype™ 7.18 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.18.112 - Skype Technologies S.A.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Vulkan Run Time Libraries 1.0.61.0 (HKLM\...\VulkanRT1.0.61.0) (Version: 1.0.61.0 - LunarG, Inc.) Hidden
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-09-05] (Microsoft Corporation)
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\ShellExt.dll [2017-09-29] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\ShellExt.dll [2017-09-29] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\ShellExt.dll [2017-09-29] (Microsoft Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2017-10-27] (NVIDIA Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {13B1D73A-395A-42AA-922B-C08049A944D0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-09] (Google Inc.)
Task: {1B1C42A7-1E9F-4321-A422-520F6665B29A} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-09-05] (Microsoft Corporation)
Task: {2712D633-7F28-4BBB-A86B-C0269C2B104C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2017-03-14] (Microsoft Corporation)
Task: {29DA981C-7D68-4174-9B91-A073913FF30A} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\MpCmdRun.exe [2018-01-21] (Microsoft Corporation)
Task: {3AD75CFB-4959-45F9-A60F-AA3D3ED94B75} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\MpCmdRun.exe [2018-01-21] (Microsoft Corporation)
Task: {4447DB6F-D48B-4649-B538-2FA482B9976E} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2018-01-11] (Microsoft Corporation)
Task: {509F8EC9-758B-47B3-9747-35A28DA33E2F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-09] (Google Inc.)
Task: {5B1A7B88-147B-499C-A755-41363C2B8F0E} - System32\Tasks\EPSON WF-2650 Series Update {3BD42527-A0D7-449B-B4EF-B2790777EAAB} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE [2013-11-22] (SEIKO EPSON CORPORATION)
Task: {627DD45D-9EEC-4822-BCCA-E5BDD0932103} - System32\Tasks\EPSON WF-2650 Series Update {44D2ED37-142C-4015-8048-0E9BBFFB77EE} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE [2013-11-22] (SEIKO EPSON CORPORATION)
Task: {727C388B-9436-49C7-A6B6-CFC6907F67DC} - System32\Tasks\EPSON WF-2650 Series Update {507231FC-7F0F-45F8-A483-05CB21B66C7E} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE [2013-11-22] (SEIKO EPSON CORPORATION)
Task: {7462949D-E227-40B4-8B3E-019DD030F19E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-01-17] (Adobe Systems Incorporated)
Task: {75D8E5FA-69B4-470C-B4CA-BA0ECBDA18CF} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2017-03-14] (Microsoft Corporation)
Task: {7D2FCFBF-255E-4229-A36C-13DF4CDBC9C8} - System32\Tasks\EPSON WF-2650 Series Update {B3CBDBCD-FD95-4A19-8709-8C671A7053EF} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE [2013-11-22] (SEIKO EPSON CORPORATION)
Task: {96316DBF-4E54-46E9-BEE7-5212305FCCC2} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-10-12] (Apple Inc.)
Task: {A5316C9F-1FBE-4B04-9058-3591EC1BE755} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {B2B9DA12-85AB-4CD8-BAD2-00635CB35EC4} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\MpCmdRun.exe [2018-01-21] (Microsoft Corporation)
Task: {B57BA3A3-4C66-4D56-970C-187026868799} - System32\Tasks\DRScanner Startup => C:\Program Files (x86)\Trend Micro\DRScanner\DRScanner.exe [2017-08-25] (Trend Micro Inc.)
Task: {CA97508A-679F-438D-9722-98178503C60C} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-09-05] (Microsoft Corporation)
Task: {D81BFF3F-C4F0-4769-B186-20F3F5CCCA4B} - System32\Tasks\EPSON WF-2650 Series Update {D38EFDE7-3124-48DE-9890-164D396E54E3} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE [2013-11-22] (SEIKO EPSON CORPORATION)
Task: {EFDEAAAA-7756-4B74-8A3E-0D2CB1CEF165} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18011-0\MpCmdRun.exe [2018-01-21] (Microsoft Corporation)
Task: {F3DE631B-94D6-4C89-B544-37F30A16FEF2} - System32\Tasks\EPSON WF-2650 Series Update {E87B9DA2-FCF9-4AB5-B208-27BD489ECC18} => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE [2013-11-22] (SEIKO EPSON CORPORATION)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\EPSON WF-2650 Series Update {3BD42527-A0D7-449B-B4EF-B2790777EAAB}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE:/EXE:{3BD42527-A0D7-449B-B4EF-B2790777EAAB} /F:UpdateWORKGROUP\DESKTOP-3MA08PM$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\EPSON WF-2650 Series Update {44D2ED37-142C-4015-8048-0E9BBFFB77EE}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE:/EXE:{44D2ED37-142C-4015-8048-0E9BBFFB77EE} /F:UpdateWORKGROUP\DESKTOP-3MA08PM$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\EPSON WF-2650 Series Update {507231FC-7F0F-45F8-A483-05CB21B66C7E}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE:/EXE:{507231FC-7F0F-45F8-A483-05CB21B66C7E} /F:UpdateWORKGROUP\DESKTOP-3MA08PM$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\EPSON WF-2650 Series Update {93AD537D-DEC7-4CF1-8D46-1A50860C56AF}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE:/EXE:{93AD537D-DEC7-4CF1-8D46-1A50860C56AF} /F:UpdateWORKGROUP\DESKTOP-3MA08PM$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\EPSON WF-2650 Series Update {B3CBDBCD-FD95-4A19-8709-8C671A7053EF}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE:/EXE:{B3CBDBCD-FD95-4A19-8709-8C671A7053EF} /F:UpdateWORKGROUP\DESKTOP-3MA08PM$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\EPSON WF-2650 Series Update {D38EFDE7-3124-48DE-9890-164D396E54E3}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE:/EXE:{D38EFDE7-3124-48DE-9890-164D396E54E3} /F:UpdateWORKGROUP\DESKTOP-3MA08PM$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\EPSON WF-2650 Series Update {E87B9DA2-FCF9-4AB5-B208-27BD489ECC18}.job => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YTSMBE.EXE:/EXE:{E87B9DA2-FCF9-4AB5-B208-27BD489ECC18} /F:UpdateWORKGROUP\DESKTOP-3MA08PM$ĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 05:41 - 2017-09-29 05:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-12-08 01:48 - 2017-12-08 01:48 - 000088888 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2018-01-05 00:13 - 2018-01-05 00:13 - 001356088 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2018-02-11 15:52 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2015-11-09 10:29 - 2017-01-17 03:25 - 000117440 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2016-09-24 14:20 - 2016-09-24 14:21 - 000189264 _____ () C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
2017-03-20 16:29 - 2017-01-31 04:34 - 008909512 _____ () C:\Program Files\Microsoft Office 15\root\Office15\1033\GrooveIntlResource.dll
2017-12-09 09:40 - 2017-12-09 09:40 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-12-09 09:40 - 2017-12-09 09:40 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-12-09 09:40 - 2017-12-09 09:40 - 003657624 _____ () C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ContentDeliveryManager.Background.dll
2017-12-09 09:40 - 2017-12-09 09:40 - 002470296 _____ () C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\ContentManagementSDK.dll
2017-12-28 09:39 - 2017-12-28 09:39 - 002945024 _____ () C:\Program Files\WindowsApps\Microsoft.People_10.3.3472.0_x64__8wekyb3d8bbwe\People.BackgroundTasks.dll
2017-12-28 09:39 - 2017-12-28 09:39 - 000130560 _____ () C:\Program Files\WindowsApps\Microsoft.People_10.3.3472.0_x64__8wekyb3d8bbwe\PeopleUtilRT.Windows.dll
2017-12-28 09:39 - 2017-12-28 09:39 - 007848448 _____ () C:\Program Files\WindowsApps\Microsoft.People_10.3.3472.0_x64__8wekyb3d8bbwe\Microsoft.People.NativeComponents.dll
2018-01-29 22:04 - 2018-01-29 22:04 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1803.279.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-01-29 22:04 - 2018-01-29 22:04 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1803.279.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-01-29 22:04 - 2018-01-29 22:04 - 025135104 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1803.279.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-01-29 22:04 - 2018-01-29 22:04 - 002542592 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1803.279.0_x64__kzf8qxf38zg5c\skypert.dll
2018-01-29 22:04 - 2018-01-29 22:04 - 000667136 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1803.279.0_x64__kzf8qxf38zg5c\RtmMvrUap.dll
2018-02-06 18:44 - 2018-02-06 18:44 - 000061952 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11801.1001.6.0_x64__8wekyb3d8bbwe\WinStoreTasksWrapper.dll
2018-01-22 03:15 - 2018-01-22 03:15 - 000088888 _____ () C:\Program Files\iTunes\zlib1.dll
2018-01-22 03:15 - 2018-01-22 03:15 - 001356088 _____ () C:\Program Files\iTunes\libxml2.dll
2017-08-24 15:22 - 2017-08-24 15:22 - 003068560 _____ () C:\Program Files (x86)\Trend Micro\DRScanner\sdk\DrsSDK.dll
2018-02-11 15:03 - 2018-02-16 19:12 - 000619840 _____ () C:\Users\jdr50\AppData\Local\Temp\0Kraken71ChromaDevProps.dll
2017-05-22 02:13 - 2017-05-22 02:13 - 000143824 _____ () C:\ProgramData\Razer\Synapse\CrashReporter\CrashRpt1402.dll
2017-04-06 22:37 - 2017-04-06 22:37 - 000298448 _____ () C:\ProgramData\Razer\Synapse\RzStats\RzStats.Manager.exe
2017-05-27 12:59 - 2016-10-07 23:13 - 050656768 _____ () C:\Users\jdr50\AppData\Local\razer\InGameEngine\cache\RzStats.Manager\cef\libcef.dll
2017-05-27 12:59 - 2016-10-07 23:13 - 001874944 _____ () C:\Users\jdr50\AppData\Local\razer\InGameEngine\cache\RzStats.Manager\cef\libglesv2.dll
2017-05-27 12:59 - 2016-10-07 23:13 - 000075264 _____ () C:\Users\jdr50\AppData\Local\razer\InGameEngine\cache\RzStats.Manager\cef\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-11-09 12:44 - 2015-11-09 12:43 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-407501635-1481613626-10938730-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\jdr50\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\img2.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [UDP Query User{28D16497-2081-46E7-B30D-D68F2BF0F032}D:\battle.net\battle.net\battle.net.9526\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9526\battle.net.exe
FirewallRules: [TCP Query User{93A3082D-80EC-4197-8E6F-DAAC919C7183}D:\battle.net\battle.net\battle.net.9526\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9526\battle.net.exe
FirewallRules: [UDP Query User{7CB9CD22-41EC-40E1-8E7F-7ED26DB0015A}D:\battle.net\heroes of the storm\versions\base59239\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base59239\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{0416F91B-1361-45DA-8C51-7FFF08243317}D:\battle.net\heroes of the storm\versions\base59239\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base59239\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{A50788AE-DA0A-42FA-A017-AAC1469B0DE6}C:\program files (x86)\trend micro\drscanner\sdk\nmap\nmap.exe] => (Allow) C:\program files (x86)\trend micro\drscanner\sdk\nmap\nmap.exe
FirewallRules: [TCP Query User{F354CB46-4090-4E6C-A42D-8F574A946126}C:\program files (x86)\trend micro\drscanner\sdk\nmap\nmap.exe] => (Allow) C:\program files (x86)\trend micro\drscanner\sdk\nmap\nmap.exe
FirewallRules: [UDP Query User{889C11C0-2D57-4D5E-BAE9-060DC104960C}C:\program files (x86)\trend micro\drscanner\drscanner.exe] => (Allow) C:\program files (x86)\trend micro\drscanner\drscanner.exe
FirewallRules: [TCP Query User{E6A43184-19B4-4B78-8B58-DDCB519F4581}C:\program files (x86)\trend micro\drscanner\drscanner.exe] => (Allow) C:\program files (x86)\trend micro\drscanner\drscanner.exe
FirewallRules: [UDP Query User{CE01ED8F-BF05-4F42-81E4-775EE8B0002A}D:\battle.net\battle.net\battle.net.9397\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9397\battle.net.exe
FirewallRules: [TCP Query User{E2A3A7FD-EB79-4810-8BA1-751D95B21319}D:\battle.net\battle.net\battle.net.9397\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9397\battle.net.exe
FirewallRules: [UDP Query User{D8DB90DF-592B-40F3-A4E3-B8E72BD602BC}D:\battle.net\heroes of the storm\versions\base57286\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base57286\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{8B66D7BB-59EA-41D6-85C8-1B198837F661}D:\battle.net\heroes of the storm\versions\base57286\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base57286\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{4D73FC68-B9DF-484C-9719-506EA6400C23}D:\battle.net\heroes of the storm\versions\base57062\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base57062\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{9C3482AD-2109-4267-8271-E2D0B5BB007D}D:\battle.net\heroes of the storm\versions\base57062\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base57062\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{C8F93ED3-EEC7-4271-9E5A-1F46A0CCFB91}D:\battle.net\battle.net\battle.net.9262\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9262\battle.net.exe
FirewallRules: [TCP Query User{F221A21F-2632-4291-8AB5-95AFFF4EAA02}D:\battle.net\battle.net\battle.net.9262\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9262\battle.net.exe
FirewallRules: [UDP Query User{DF336EB6-9EAA-473C-B29F-D3237B896661}D:\battle.net\heroes of the storm\versions\base56705\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base56705\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{D0CCFAFB-0F62-4033-AB06-D7EA0AF04F66}D:\battle.net\heroes of the storm\versions\base56705\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base56705\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{737792B3-F4DD-4BFC-815C-76E36498BF57}D:\battle.net\battle.net\battle.net.9093\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9093\battle.net.exe
FirewallRules: [TCP Query User{AFDE9CB6-784C-4EF0-B17A-1F5B6AB749EE}D:\battle.net\battle.net\battle.net.9093\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.9093\battle.net.exe
FirewallRules: [UDP Query User{E80EEC8D-59BC-4500-A78D-B1F7B6786BEE}D:\battle.net\heroes of the storm\versions\base56361\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base56361\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{B8797C0B-0759-4E25-B869-30C6C4A70D9A}D:\battle.net\heroes of the storm\versions\base56361\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base56361\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{5B1DD4A2-4D2A-4CD8-A173-4CB439C77A0B}D:\battle.net\heroes of the storm\versions\base55844\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base55844\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{AB85CD9F-89D1-4EAE-8FD1-AD2D4CCC5547}D:\battle.net\heroes of the storm\versions\base55844\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base55844\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{AB572655-E46B-4352-B446-D26DD1E4E671}D:\battle.net\battle.net\battle.net.8941\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.8941\battle.net.exe
FirewallRules: [TCP Query User{19A23B03-AD05-44D5-AE85-02AABCA57188}D:\battle.net\battle.net\battle.net.8941\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.8941\battle.net.exe
FirewallRules: [UDP Query User{90580AAE-C96F-43A7-9347-B56D5789A477}D:\battle.net\heroes of the storm\versions\base54339\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base54339\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{31063301-37FA-433B-8D3F-F3A55B496590}D:\battle.net\heroes of the storm\versions\base54339\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base54339\heroesofthestorm_x64.exe
FirewallRules: [{053E0DA9-7B6F-4501-8CD4-321EF979E684}] => (Allow) D:\Steam\steamapps\common\PAYDAY 2\payday2_win32_release.exe
FirewallRules: [{EC07BE2D-40BF-469D-AB92-EDE1AEAC2C08}] => (Allow) D:\Steam\steamapps\common\PAYDAY 2\payday2_win32_release.exe
FirewallRules: [UDP Query User{10B14CBE-F284-4F1C-8695-6E9B2B32A63E}D:\battle.net\heroes of the storm\versions\base53965\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base53965\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{5CAE7DED-7B36-4A7C-AD72-4114D044FB39}D:\battle.net\heroes of the storm\versions\base53965\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base53965\heroesofthestorm_x64.exe
FirewallRules: [{73E3E964-3A9D-4570-9423-F14E0C25B948}] => (Allow) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
FirewallRules: [{57AC3C91-8482-404C-9572-355853A8CC24}] => (Allow) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
FirewallRules: [{286BAEBA-EED1-4EC6-B87B-BE3722200F62}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{73023F75-1294-44FB-94AB-D31C90142060}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{40AD4C8E-ED08-480A-8A2A-53C2678081AF}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{2C4343C2-4EC2-4917-A771-A094CDEDFEA1}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{B9181E33-1C7B-4340-A7BB-C0D5710F0ACC}] => (Allow) C:\Users\jdr50\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{70F580ED-6978-49D7-A728-D02C5A3FC5F4}] => (Allow) C:\Users\jdr50\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{25C84D2D-CA1B-4D9B-B9D1-3161CA8AFB8B}] => (Allow) C:\Users\jdr50\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{DA03841D-384F-4519-9384-082492C61B2C}] => (Allow) C:\Users\jdr50\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{871517F2-DD1D-4608-A682-DBEB37816E04}] => (Allow) C:\Users\jdr50\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{1FCE721E-1A70-49F6-8158-B9A18FF233ED}] => (Allow) C:\Users\jdr50\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{69321E16-6EB2-4F36-8423-025C937C9387}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{8CE63FF2-8ADF-4BC9-842C-26BB5DE97F50}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
FirewallRules: [{1A595E4B-18DF-43F5-BFC0-25B4BD2B4E77}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
FirewallRules: [{270DA1E0-6D02-4C79-A8D0-50AE5FC08C5B}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
FirewallRules: [{B4BE5FE1-547F-49D2-B172-51B9939005FD}] => (Allow) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
FirewallRules: [{64352327-9F5B-4817-8AFD-870355547628}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{37537DF2-850E-4A98-A3E4-B5701D51975A}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{7141BBF5-8BBB-483C-A367-5DFF8192D596}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{88DC3161-E1F3-45DE-8BCB-DBDBAB400742}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{A05C2476-518F-4788-98BC-6A3B811ED15A}] => (Allow) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
FirewallRules: [{5A47C5D7-00D5-47BE-8AC1-7E3CA14622EA}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{77475344-C0BD-4F4A-B0C0-D0F4CCA46902}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [TCP Query User{F6F39E06-682E-43A8-A647-4240706BCBE6}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{E026ECE9-102F-412E-B083-411953D06F29}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [TCP Query User{0171F0D6-AFB4-4FC4-A32B-FB3CFD12CCB1}C:\users\jdr50\appdata\roaming\utorrent\updates\3.4.9_43388.exe] => (Block) C:\users\jdr50\appdata\roaming\utorrent\updates\3.4.9_43388.exe
FirewallRules: [UDP Query User{F8728592-57F1-4C6A-A6E1-27EFDCEB093D}C:\users\jdr50\appdata\roaming\utorrent\updates\3.4.9_43388.exe] => (Block) C:\users\jdr50\appdata\roaming\utorrent\updates\3.4.9_43388.exe
FirewallRules: [{14B7DEBB-AAB3-427D-AE68-D8F6C1C15FAE}] => (Allow) D:\Steam\Steam.exe
FirewallRules: [{0BFC7F4F-89EC-4AAB-8C45-9A8C93506185}] => (Allow) D:\Steam\Steam.exe
FirewallRules: [{B26D62BC-C41F-4625-B4F9-F70F4A5565A1}] => (Allow) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{F0E3CDD5-BE9B-406B-8E39-0F780EAF069B}] => (Allow) D:\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{365E11BD-40DD-46D6-BB6E-FB86E0FA2895}] => (Allow) D:\Steam\steamapps\common\Gauntlet\binaries\gauntlet.exe
FirewallRules: [{5A3CBE90-F3A8-4E92-89BB-9FA21B61AB71}] => (Allow) D:\Steam\steamapps\common\Gauntlet\binaries\gauntlet.exe
FirewallRules: [TCP Query User{B535E9C7-1F84-4AAC-AC79-4CD4ACDB6EDF}D:\battle.net\heroes of the storm\versions\base53548\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base53548\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{9E824080-CDDE-4B37-9677-EADAD4EF37EB}D:\battle.net\heroes of the storm\versions\base53548\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base53548\heroesofthestorm_x64.exe
FirewallRules: [TCP Query User{F55DFA6E-D525-4152-9698-2BCF125D9FB0}D:\battle.net\battle.net\battle.net.8839\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.8839\battle.net.exe
FirewallRules: [UDP Query User{B7F0C0C2-7CAC-4025-9A21-1866511A08E5}D:\battle.net\battle.net\battle.net.8839\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.8839\battle.net.exe
FirewallRules: [TCP Query User{4134739C-5BE8-49CE-9B6F-44BD2AE0C0AC}D:\battle.net\hearthstone\hearthstone.exe] => (Allow) D:\battle.net\hearthstone\hearthstone.exe
FirewallRules: [UDP Query User{66351DC4-5523-42B3-BCD8-9E4913918653}D:\battle.net\hearthstone\hearthstone.exe] => (Allow) D:\battle.net\hearthstone\hearthstone.exe
FirewallRules: [TCP Query User{7204ECBE-6623-4A36-B9BD-D2605B0B5512}D:\battle.net\overwatch\overwatch.exe] => (Allow) D:\battle.net\overwatch\overwatch.exe
FirewallRules: [UDP Query User{D6F89702-E1CC-46B7-9D3B-5805B1FDC983}D:\battle.net\overwatch\overwatch.exe] => (Allow) D:\battle.net\overwatch\overwatch.exe
FirewallRules: [TCP Query User{5A008897-0BE5-43AC-86DF-5EA6BCE08CED}D:\battle.net\battle.net\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.exe
FirewallRules: [UDP Query User{86CFE155-220E-4DF0-8326-F39CC6FD2D7E}D:\battle.net\battle.net\battle.net.exe] => (Allow) D:\battle.net\battle.net\battle.net.exe
FirewallRules: [{3B3DFE37-6E34-4B74-AC11-482150046440}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [TCP Query User{7D23F1E7-3E37-4A17-890F-C17DC9EB94E4}D:\battle.net\heroes of the storm\versions\base60821\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base60821\heroesofthestorm_x64.exe
FirewallRules: [UDP Query User{8179E5E2-5EEB-4E0C-8B53-5DC42C964B56}D:\battle.net\heroes of the storm\versions\base60821\heroesofthestorm_x64.exe] => (Allow) D:\battle.net\heroes of the storm\versions\base60821\heroesofthestorm_x64.exe
FirewallRules: [{A706E34C-AFFF-4EC2-8903-A1AA3F2CB3A9}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{D943CD4A-26D7-4AED-9A28-95E02C8C8B49}] => (Allow) C:\Program Files\iTunes\iTunes.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/11/2018 04:37:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1284, time stamp: 0x5a15ab42
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x59a63e00
Exception code: 0xc0000005
Fault offset: 0x001a4d5b
Faulting process id: 0xf3c
Faulting application start time: 0x01d3a399997cd106
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 3cfa008a-daa9-4c0f-a9fd-3a4169dccbd3
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (02/11/2018 04:36:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1284, time stamp: 0x5a15ab42
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x59a63e00
Exception code: 0xc0000005
Fault offset: 0x001a4d5b
Faulting process id: 0xe70
Faulting application start time: 0x01d3a399934a1db2
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\Qt5Core.dll
Report Id: 40f3b917-d4a6-4b5a-af79-c9cb38ea6706
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (02/05/2018 09:56:48 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected
 
Error: (02/05/2018 09:56:48 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected
 
Error: (02/05/2018 09:56:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   23 10.0.168.192.in-addr.arpa. PTR DESKTOP-3MA08PM.local.
 
Error: (02/05/2018 09:56:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.0.10:5353   25 10.0.168.192.in-addr.arpa. PTR DESKTOP-3MA08PM-2.local.
 
Error: (02/05/2018 09:56:43 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected
 
Error: (02/05/2018 08:37:09 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   23 10.0.168.192.in-addr.arpa. PTR DESKTOP-3MA08PM.local.
 
 
System errors:
=============
Error: (02/16/2018 07:12:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (02/16/2018 07:12:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (02/16/2018 07:12:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (02/16/2018 07:12:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (02/16/2018 07:06:50 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-3MA08PM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-3MA08PM\jdr50 SID (S-1-5-21-407501635-1481613626-10938730-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (02/16/2018 07:06:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (02/16/2018 07:06:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (02/16/2018 07:06:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
Windows Defender:
===================================
Date: 2018-01-27 10:29:00.271
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {9EC9D859-1DEB-450B-A990-7ED694BC1788}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-01-23 21:15:09.667
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {692ACB43-7CE1-4B2B-888E-31DEADA5EA65}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2017-12-30 01:46:28.967
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {B0A0DA23-480A-478F-876B-781F181313B0}
Scan Type: Antimalware
Scan Parameters: Full Scan
 
Date: 2017-12-29 02:42:03.594
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {4E7B14E2-F131-4760-BC49-37F9283DBBE3}
Scan Type: Antimalware
Scan Parameters: Full Scan
 
Date: 2017-12-11 22:22:34.809
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {70928672-8248-4E49-AC70-921302E685EB}
Scan Type: Antimalware
Scan Parameters: Full Scan
 
Date: 2018-02-16 14:59:09.184
Description: 
Windows Defender Antivirus has encountered an error trying to download and configure Windows Defender Offline.
Error code: 0x8000000a
Error description: The data necessary to complete this operation is not yet available. 
 
Date: 2018-02-16 14:29:26.015
Description: 
Windows Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted: Current
Error Code: 0x80070003
Error description: The system cannot find the path specified. 
Signature version: 0.0.0.0;0.0.0.0
Engine version: 0.0.0.0
 
Date: 2018-02-11 16:36:38.001
Description: 
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 
CodeIntegrity:
===================================
 
Date: 2018-02-16 19:12:36.806
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-02-16 19:12:36.799
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-02-16 19:12:34.100
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-02-16 19:12:34.098
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-02-16 19:06:44.086
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-02-16 19:06:44.076
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-02-16 19:06:39.152
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-02-16 19:06:39.149
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3450 CPU @ 3.10GHz
Percentage of memory in use: 13%
Total physical RAM: 16345.86 MB
Available physical RAM: 14083.71 MB
Total Virtual: 18777.86 MB
Available Virtual: 16480.96 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.25 GB) (Free:45.57 GB) NTFS
Drive d: (My Book) (Fixed) (Total:1862.98 GB) (Free:899.82 GB) NTFS
 
\\?\Volume{423eb62e-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS
\\?\Volume{423eb62e-0000-0000-0000-60d61b000000}\ () (Fixed) (Total:0.44 GB) (Free:0.04 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 423EB62E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 1863 GB) (Disk ID: 00021365)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
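Added example, not from this thread, from FRST or from BleepingComputer: a small Python triage script that reads the "Error: (date) (Source: ...) (EventID: ...)" records and the Code Integrity lines from an Addition.txt like the one above and summarises them the way a responder reads them by eye: which (source, event id) pairs repeat, which application crashed in which module with which exception code, and which module Code Integrity refused to load into which process. The sample log embedded in it is constructed in the same format as the entries above; `triage`, `parse_error_events`, `crash_summary` and `unsigned_module_loads` are the script's own names, not anything FRST provides.

```python
import re
from collections import Counter

# Regexes for the three record shapes used below: the "Error:" header line,
# the Code Integrity refusal line, and the body of an Application Error 1000.
ERROR_RE = re.compile(r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
                      r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)$")
CI_RE = re.compile(r"Code Integrity determined that a process \((?P<proc>[^)]+)\) attempted to "
                   r"load (?P<module>.+?) that did not meet the Microsoft signing level requirements\.")
FAULT_RE = re.compile(r"Faulting application name: (?P<app>[^,]+), .*?Faulting module name: "
                      r"(?P<mod>[^,]+), .*?Exception code: (?P<code>0x[0-9a-fA-F]+)")


def parse_error_events(text):
    """Return one dict per "Error:" record; the description is every line after the
    header up to the next blank line, joined with spaces (DCOM 10016 wraps its
    CLSID and APPID over several lines in this log format)."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = ERROR_RE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        parts, j = [], i + 1
        while j < len(lines) and lines[j].strip():
            part = lines[j].strip()
            if part.startswith("Description:"):
                part = part[len("Description:"):].strip()
            if part:
                parts.append(part)
            j += 1
        events.append({"ts": m["ts"], "source": m["source"], "eid": int(m["eid"]),
                       "user": m["user"], "description": " ".join(parts)})
        i = j
    return events


def crash_summary(event):
    """Pull app, module and exception code out of an Application Error 1000 record."""
    m = FAULT_RE.search(event["description"])
    if not m:
        return {"app": None, "module": None, "code": None}
    return {"app": m["app"], "module": m["mod"], "code": m["code"]}


def unsigned_module_loads(text):
    """Count (process, module) pairs that Code Integrity refused to load."""
    return Counter((m["proc"], m["module"]) for m in CI_RE.finditer(text))


def triage(text, noisy_threshold=3):
    """Summarise: counts per (source, event id), crashes, repeated noise, CI refusals."""
    events = parse_error_events(text)
    counts = Counter((e["source"], e["eid"]) for e in events)
    crashes = [crash_summary(e) for e in events
               if e["source"] == "Application Error" and e["eid"] == 1000]
    noisy = sorted(k for k, n in counts.items() if n >= noisy_threshold)
    return {"counts": counts, "crashes": crashes, "noisy": noisy,
            "unsigned_loads": unsigned_module_loads(text)}


# Constructed sample in the thread's Addition.txt format (not a real capture).
SAMPLE_LOG = r"""
Error: (02/11/2018 04:36:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 3.0.0.1284, time stamp: 0x5a15ab42
Faulting module name: Qt5Core.dll, version: 5.6.2.0, time stamp: 0x59a63e00
Exception code: 0xc0000005

Error: (02/05/2018 09:56:48 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected

Error: (02/16/2018 07:12:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC).

Error: (02/16/2018 07:06:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}.

Error: (02/16/2018 07:06:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}.

Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it as a script and it prints the summary for the built-in sample; for a real Addition.txt, read the file and pass its text to `triage()`. The grouped view collapses the repeated DCOM 10016 entries into one key with a count and the Code Integrity entries into a single (process, module) pair, so a one-off crash such as the mbam.exe fault in Qt5Core.dll stands apart from recurring entries instead of being buried among them.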


#3 JDRNole

JDRNole
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Las Vegas
  • Local time:10:42 AM

Posted 16 February 2018 - 10:25 PM

Literally took me about 4 hours to get Farbar to run and the computer not freeze.  I had to write this response on my laptop because the more I used it the quicker it froze.



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:42 AM

Posted 17 February 2018 - 03:55 PM

Greetings JDRNole and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me just a bit of time to review what you have posted.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 JDRNole (Topic Starter)

Posted 17 February 2018 - 04:32 PM

Thank you, Gary.  My name is Justin.  I will let you know that I am in the military and right now I'm on a 3-day weekend.  I will be around all day today, tomorrow, and Monday.  Past that I work 0730-1630 Pacific time Monday-Friday.  I generally get home about 1730 or so.



#6 Oh My! (Malware Response Instructor)

Posted 17 February 2018 - 06:32 PM

Thank you for your patience Justin. And thank you for your service to our country.

I should be at my computer for the next 4+ hours or so. Hopefully I will be able to reply quickly.

Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have Peer 2 Peer (torrent) program(s) installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall Peer 2 Peer programs, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about CryptoLocker Ransomware, a type of Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Boot your computer into Safe Mode with Networking
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
CreateRestorePoint:
CloseProcesses:
CHR NewTab: Default ->  Not-active:"chrome-extension://fcfenmboojpjinhpgggodefccipikbpd/newTab.html"
CHR HKU\S-1-5-21-407501635-1481613626-10938730-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
S1 MpKsl0cdc92fe; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAAC59D8-FC0D-4C05-9E21-0220BF8A28DD}\MpKsl0cdc92fe.sys [X]
S1 MpKsl1c18941e; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAAC59D8-FC0D-4C05-9E21-0220BF8A28DD}\MpKsl1c18941e.sys [X]
cmd: sfc /scannow
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Update on computer performance

Edited by Oh My!, 17 February 2018 - 06:33 PM.

Gary
 

#7 JDRNole (Topic Starter)

Posted 17 February 2018 - 07:15 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 17.02.2018
Ran by jdr50 (17-02-2018 16:00:10) Run:1
Running from C:\Users\jdr50\Desktop
Loaded Profiles: jdr50 (Available Profiles: jdr50)
Boot Mode: Safe Mode (with Networking)
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
CHR NewTab: Default ->  Not-active:"chrome-extension://fcfenmboojpjinhpgggodefccipikbpd/newTab.html"
CHR HKU\S-1-5-21-407501635-1481613626-10938730-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
S1 MpKsl0cdc92fe; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAAC59D8-FC0D-4C05-9E21-0220BF8A28DD}\MpKsl0cdc92fe.sys [X]
S1 MpKsl1c18941e; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DAAC59D8-FC0D-4C05-9E21-0220BF8A28DD}\MpKsl1c18941e.sys [X]
cmd: sfc /scannow
 
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
"Chrome NewTab" => removed successfully
"HKU\S-1-5-21-407501635-1481613626-10938730-1001\SOFTWARE\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd" => removed successfully
"HKLM\System\CurrentControlSet\Services\MpKsl0cdc92fe" => removed successfully
MpKsl0cdc92fe => service removed successfully
"HKLM\System\CurrentControlSet\Services\MpKsl1c18941e" => removed successfully
MpKsl1c18941e => service removed successfully
 
========= sfc /scannow =========



#8 JDRNole (Topic Starter)

Posted 17 February 2018 - 07:22 PM

Update on computer performance:

I had to type this separately because it kept freezing on me while trying to post the log and type.  The computer still freezes every 2 to 3 mins.  When I say freeze I mean the mouse turns into the "thinking" blue circle, you cannot touch anything on the taskbar, and nothing works (Ctrl+Alt+Delete, nothing) except a hard reboot.

 

I literally had to find the FRST exe and drag it to the desktop, hard reboot, copy the cmd text you sent and put it in a .txt file then save that to the desktop, hard reboot, go back in to restart in safe mode, opened in safe mode once but didn't copy and paste fast enough, went back into normal mode to restart in safe mode again, copied and pasted into FRST, it ran and created a fixlog but still froze, and finally I opened normally again and only had time to post the fix log before it froze again.

 

I do notice with all these restarts that it sometimes says "Wrong username and password combo" before I have even done anything.  I have to click ok before I can actually sign in.



#9 Oh My! (Malware Response Instructor)

Posted 17 February 2018 - 10:29 PM

I apologize for the delay. I was not notified you had replied.

Do you have a Windows Installation disk?
Gary
 

#10 JDRNole (Topic Starter)

Posted 17 February 2018 - 11:14 PM

No, I built this computer without a disk drive.  Also I originally had Windows 7 and then they forced everyone to upgrade to Windows 10.  That happened automatically, I did not have a disk or anything.



#11 Oh My! (Malware Response Instructor)

Posted 18 February 2018 - 09:26 AM

OK.

Please disconnect your D: drive and any other attached devices and tell me if that makes any difference.
 

Drive d: (My Book) (Fixed) (Total:1862.98 GB) (Free:899.82 GB) NTFS


Gary
 

#12 JDRNole (Topic Starter)

Posted 18 February 2018 - 01:56 PM

No difference. I am able to run the fix in safe mode but no scan at the end, and I can run a scan as long as there is no fix. Sometimes the freezing happens fast and sometimes it takes a while...I could keep trying till it works maybe.

Edited by JDRNole, 18 February 2018 - 01:57 PM.


#13 Oh My! (Malware Response Instructor)

Posted 18 February 2018 - 02:18 PM

OK, thanks.

Please do this.

===================================================

Windows Memory Diagnostic Tool

--------------------
  • Press the Windows Key + R at the same time
  • Type mdsched and press Enter
  • Select Restart now and check for problems
  • Allow the process to run and post any reported problems
===================================================

Core Temp

--------------------

NOTE: Many antivirus programs will flag this as malicious software but it is not. It can be safely downloaded and launched.
  • Disable your AntiVirus and AntiSpyware applications. Sometimes you can simply select that option after right clicking on the System Tray Program icon on the lower right corner of the screen
  • Please download Core Temp and save it to your desktop
  • If you receive a warning the file is malicious you can ignore the warning and download the file anyway
  • Unzip the folder onto your Desktop
  • Double click the unzipped folder then double click Core Temp.exe
  • Monitor the core temperature both at computer idle and while stressing your computer by launching videos, multiple programs, and high demand programs all at the same time
  • Please report the readings and especially the readings if your computer freezes or shuts down
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Results?

Edited by Oh My!, 18 February 2018 - 03:53 PM.

Gary
 

#14 JDRNole (Topic Starter)

Posted 18 February 2018 - 07:56 PM

OK

 

Windows Memory Diagnostic Tool: No Errors reported

 

Core Temp: Temperatures were at 48 to 52 at startup, they dropped to 38 or so while idle, and I played a music video and they stayed around 38-42.  The music video froze, but the music kept going and Core Temp stayed around 42-45.  Finally an error message that has never come up before popped up and said "Microsoft Windows.  The application has stopped working.  (Something about you could wait for the program). Do you want to end process?"  Then a button to end process or cancel.  When I clicked end process my desktop photo disappeared.

 

The music played nearly the entire time everything started freezing, but it did stop playing eventually.



#15 Oh My! (Malware Response Instructor)

Posted 18 February 2018 - 08:51 PM

Thank you for the detailed feedback.

I am certain this is not a malware issue. It is either hardware or software related.

Let's dig a little deeper and gather some information. Please see if you can do this.

===================================================

BSOD Inspector

--------------------
  • Download BSOD Inspector and save it to your Desktop
  • Right click on the icon and select Run as administrator
  • When completed a Notepad document will appear identifying the Filename and Location of the .zip file containing the reports
  • Please upload the file here.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Uploaded file

Gary
 



