CPU usage 100%, memory hovering 60%-80%, same with disk. Sister scammed


This topic is locked

#1 xxjermeyxx (Member, 14 posts)
Let me start off by saying this really just happened. So, my sister asked me to help with her new laptop because it was saying something about being hacked (it was one of those dumb JavaScript browser hijacks with a phone number to call). Well, she called the number and apparently paid the man 150 USD, and let him "fix her computer" by getting her to install remote access software (something called PocketCloud Wyse, I assume). When she finally handed the computer off to me, it had been multiple hours of him "fixing it". The first thing I noticed was a Notepad doc with all of her information + multiple command prompts (like... tons) pinging Microsoft; I instantly restarted the computer. I have no idea what took place in the hours before I got there, but it's obvious he did something to the computer to cause the problems in the title. I scanned the PC with MBAM, MBAR, RogueKiller and SUPERAntiSpyware and they all came back completely clean (and all she uses is Internet Explorer, sooo...). My first reaction is to burn it with fire, but hopefully you guys can help; I am completely out of my league here. And yes, I'm making sure she changes her information ASAP. Oh, I also noticed something called "Toaster.exe" when running RogueKiller, and Google said it's often linked to malware. Also, the laptop is Windows 8.


Edited by xxjermeyxx, 12 January 2015 - 09:43 PM.

#2 LiquidTension (Instructor, GeekU Moderator, 1,064 posts)

Hello xxjermeyxx, welcome to Geeks to Go Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.  
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page.

======================================================
 
Please run the following diagnostic scans so I can ascertain the state of your computer.
 
STEP 1

Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

STEP 2
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the file in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • FRST.txt
  • Addition.txt
  • TDSSKiller log (attached)


#3 xxjermeyxx (Topic Starter, Member, 14 posts)

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015 02
Ran by Judy (administrator) on JUDYSPC on 13-01-2015 01:31:51
Running from C:\Users\Judy\Downloads
Loaded Profile: Judy (Available profiles: Judy)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Waves Audio Ltd.) C:\Program Files\Realtek\Audio\HDA\WavesSysSvc64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Dell Inc.) C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17477_none_fa2b7d3b9b36c7b4\TiWorker.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Aviata Inc) C:\Program Files (x86)\Dell Product Registration\prodreg.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
() C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7634648 2014-07-02] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1387224 2014-06-30] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3775816 2014-02-27] (Dell Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5225064 2015-01-13] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [134784 2014-02-26] ( (Qualcomm®Atheros®))
HKU\S-1-5-21-1053173477-2516257368-127646272-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7394584 2014-12-12] (Piriform Ltd)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1053173477-2516257368-127646272-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-1053173477-2516257368-127646272-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com/?pc=DCJB
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1053173477-2516257368-127646272-1001 -> DefaultScope {4EAA66C3-2AD8-43FD-818E-6197E4040679} URL =
SearchScopes: HKU\S-1-5-21-1053173477-2516257368-127646272-1001 -> {4EAA66C3-2AD8-43FD-818E-6197E4040679} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{FFE2BB90-2B0E-4AB5-8510-60D3AB42CDA3}: [NameServer] 8.8.8.8,8.8.4.4

FireFox:
========
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-01-13]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-01-13]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 0264361421114391mcinstcleanup; C:\Users\Judy\AppData\Local\Temp\026436~1.EXE [850120 2013-12-13] (McAfee, Inc.)
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [319104 2014-02-26] (Windows ® Win 7 DDK provider)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-13] (AVAST Software)
S2 Dell Data Services; C:\Program Files\Dell\Dell Data Services\DDSSvc.exe [45936 2014-11-13] (Dell)
S2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [73072 2014-11-10] (Dell)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [293440 2014-04-01] (Aviata, Inc.)
R2 My Dell Client Framework; C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe [168960 2014-01-10] (Dell Inc.) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1921768 2014-07-02] (SoftThinks SAS)
R2 WavesSysSvc; C:\Program Files\Realtek\Audio\HDA\WavesSysSvc64.exe [497664 2014-04-06] (Waves Audio Ltd.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S4 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [X]
S2 mfevtp; "C:\Windows\system32\mfevtps.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-01-13] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-01-13] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-01-13] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-01-13] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-01-13] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-01-13] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-01-13] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-01-13] ()
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3892224 2014-03-07] (Qualcomm Atheros Communications, Inc.)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-02-26] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
R3 iaioi2c; C:\Windows\System32\drivers\iaioi2ce.sys [67584 2013-11-11] (Intel Corporation)
S3 RTLU3E8023-W8-64; C:\Windows\system32\DRIVERS\rtu30x64w8.sys [92376 2013-10-09] (Realtek                                            )
S3 SensorsHIDClassDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-11-06] (Microsoft Corporation)
S3 SensorsServiceDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-11-06] (Microsoft Corporation)
R3 ST_ACCEL; C:\Windows\system32\DRIVERS\ST_Accel.sys [83968 2013-11-21] (STMicroelectronics)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [42224 2014-03-10] (Synaptics Incorporated)
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-16] (Intel Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S0 cfwids; system32\drivers\cfwids.sys [X]
S0 mfeapfk; system32\drivers\mfeapfk.sys [X]
R0 mfeavfk; system32\drivers\mfeavfk.sys [X]
S0 mfeelamk; system32\drivers\mfeelamk.sys [X]
S0 mfefirek; system32\drivers\mfefirek.sys [X]
R0 mfehidk; system32\drivers\mfehidk.sys [X]
R0 mfewfpk; system32\drivers\mfewfpk.sys [X]
S3 PCDSRVC{D3412D80-CF3B4A27-06020200}_0; \??\c:\program files\my dell\pcdsrvc_x64.pkms [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 01:31 - 2015-01-13 01:31 - 00011037 _____ () C:\Users\Judy\Downloads\FRST.txt
2015-01-13 01:31 - 2015-01-13 01:31 - 00000000 ____D () C:\FRST
2015-01-13 01:28 - 2015-01-13 01:28 - 02124288 _____ (Farbar) C:\Users\Judy\Downloads\FRST64.exe
2015-01-13 01:24 - 2015-01-13 01:24 - 00000000 ___RD () C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2015-01-13 01:11 - 2015-01-13 01:11 - 00001982 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-01-13 01:11 - 2015-01-13 01:11 - 00000000 ____D () C:\Users\Judy\AppData\Roaming\AVAST Software
2015-01-13 01:11 - 2015-01-13 01:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-01-13 01:10 - 2015-01-13 01:11 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-01-13 01:10 - 2015-01-13 01:10 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys.1421133057593
2015-01-13 01:10 - 2015-01-13 01:10 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2015-01-13 01:10 - 2015-01-13 01:10 - 00436624 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-01-13 01:10 - 2015-01-13 01:10 - 00364512 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-01-13 01:10 - 2015-01-13 01:10 - 00267632 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2015-01-13 01:10 - 2015-01-13 01:10 - 00116728 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-01-13 01:10 - 2015-01-13 01:10 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-01-13 01:10 - 2015-01-13 01:10 - 00087912 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2015-01-13 01:10 - 2015-01-13 01:10 - 00083280 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys.1421133059640
2015-01-13 01:10 - 2015-01-13 01:10 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2015-01-13 01:10 - 2015-01-13 01:10 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-01-13 01:10 - 2015-01-13 01:10 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2015-01-13 01:08 - 2015-01-13 01:08 - 00000000 ____D () C:\Program Files\AVAST Software
2015-01-13 01:07 - 2015-01-13 01:08 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-01-13 00:52 - 2014-12-31 05:14 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-01-12 20:22 - 2015-01-12 20:22 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2015-01-12 20:12 - 2015-01-12 20:12 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-01-12 20:12 - 2015-01-12 20:12 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-01-12 19:13 - 2015-01-12 19:13 - 00002770 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2015-01-12 19:13 - 2015-01-12 19:13 - 00000836 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-01-12 19:13 - 2015-01-12 19:13 - 00000000 ____D () C:\Program Files\CCleaner
2015-01-12 18:51 - 2015-01-12 19:19 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-12 18:48 - 2015-01-12 18:48 - 00000000 ____D () C:\Users\Judy\Desktop\New folder
2015-01-12 18:35 - 2015-01-12 18:51 - 00135384 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-12 18:35 - 2015-01-12 18:51 - 00096472 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-12 18:35 - 2015-01-12 18:35 - 00001116 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-12 18:35 - 2015-01-12 18:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-12 18:35 - 2015-01-12 18:35 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-12 18:35 - 2015-01-12 18:35 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-12 18:35 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-12 18:35 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-12 07:54 - 2015-01-12 07:54 - 00000000 ____D () C:\ProgramData\AMMYY
2015-01-12 07:49 - 2015-01-12 07:49 - 00002263 _____ () C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno.lnk
2015-01-12 07:49 - 2015-01-12 07:49 - 00002263 _____ () C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno (2).lnk
2014-12-21 06:39 - 2014-11-26 15:10 - 00714720 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-21 06:39 - 2014-11-26 15:10 - 00106976 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-21 06:34 - 2014-12-21 06:34 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-15 17:33 - 2014-10-30 16:37 - 00129536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\poqexec.exe
2014-12-15 17:33 - 2014-10-30 16:34 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\poqexec.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 01:29 - 2014-11-06 15:06 - 00000000 ____D () C:\Program Files (x86)\Dell Backup and Recovery
2015-01-13 01:29 - 2014-11-06 14:52 - 01835494 _____ () C:\Windows\WindowsUpdate.log
2015-01-13 01:28 - 2014-11-20 10:11 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1053173477-2516257368-127646272-1001
2015-01-13 01:04 - 2014-11-20 12:58 - 00000000 ____D () C:\Users\Judy\AppData\Roaming\DropboxOEM
2015-01-13 01:00 - 2014-11-26 07:12 - 00000000 ____D () C:\Users\Judy\AppData\Local\CrashDumps
2015-01-13 01:00 - 2014-11-06 13:03 - 00000000 ____D () C:\Windows\Panther
2015-01-13 01:00 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\sru
2015-01-13 00:54 - 2014-11-26 14:30 - 00000000 ____D () C:\ProgramData\softthinks
2015-01-13 00:50 - 2014-11-20 10:11 - 00003918 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{2C586433-0591-4B63-82A4-6CAC836FDE99}
2015-01-12 20:46 - 2014-11-28 20:14 - 00000000 ____D () C:\Users\Judy\AppData\Roaming\Skype
2015-01-12 20:46 - 2014-11-28 20:14 - 00000000 ____D () C:\ProgramData\Skype
2015-01-12 20:24 - 2013-08-22 09:36 - 00000000 ___HD () C:\Windows\ELAMBKUP
2015-01-12 20:06 - 2014-11-06 15:09 - 00000000 ____D () C:\ProgramData\McAfee
2015-01-12 19:59 - 2014-11-06 15:09 - 00000000 ____D () C:\Program Files\Common Files\McAfee
2015-01-12 19:30 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-01-12 18:18 - 2014-03-18 03:53 - 00863592 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-12 18:14 - 2013-08-22 07:25 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2015-01-12 18:12 - 2013-08-22 08:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-12 18:11 - 2013-08-22 07:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2014-12-21 06:43 - 2014-11-06 15:06 - 00000000 ____D () C:\Program Files (x86)\Dell Update
2014-12-21 06:43 - 2014-11-06 15:05 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2014-12-21 06:34 - 2014-12-05 16:23 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-21 06:34 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\sr-Latn-RS
2014-12-21 06:34 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\sr-Latn-CS
2014-12-21 06:34 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-21 06:34 - 2013-08-22 09:20 - 00000000 ____D () C:\Windows\CbsTemp
2014-12-18 15:46 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\NDF
2014-12-18 09:30 - 2014-11-06 15:05 - 00000000 ____D () C:\ProgramData\PCDr
2014-12-17 18:46 - 2014-12-05 13:41 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-17 18:44 - 2014-12-05 13:41 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

Some content of TEMP:
====================
C:\Users\Judy\AppData\Local\Temp\0264361421114391mcinst.exe
C:\Users\Judy\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-12 19:29

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-01-2015 02
Ran by Judy at 2015-01-13 01:34:50
Running from C:\Users\Judy\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.0.2208 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.7.5.60 - Dell Inc.)
Dell Data Services (HKLM\...\{90F9BFC9-A2A9-403F-9A40-1063FAD035BA}) (Version: 1.1.6.0 - Dell Inc.)
Dell Digital Delivery (HKLM-x32\...\{D850CB7E-72BC-4510-BA4F-48932BFAB295}) (Version: 2.9.901.0 - Dell Products, LP)
Dell Foundation Services (HKLM\...\{0D2426EF-A4D1-403B-B78B-2897D6AD3021}) (Version: 1.1.333.0 - Dell Inc.)
Dell Product Registration (HKLM-x32\...\{17FFE63C-6734-4950-B488-134B5A2505F7}) (Version: 2.04.0280 - Aviata Inc.)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 18.1.2.3 - Synaptics Incorporated)
Dell Update (HKLM-x32\...\{D9D0E75C-F791-402A-98E2-A2F43E7B0CE3}) (Version: 1.1.1054.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
DSC/AA Factory Installer (Version: 3.5.6426.22 - PC-Doctor, Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3408 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
My Dell Client Framework (HKLM-x32\...\InstallShield_{05F1B866-2372-4E82-9AA8-C64FB11CEF8B}) (Version: 1.0.0.3 - Dell)
My Dell Client Framework (x32 Version: 1.0.0.3 - Dell) Hidden
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.318 - Qualcomm Atheros Communications)
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 11.1.21 - Dell Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7283 - Realtek Semiconductor Corp.)
ST Microelectronics 3 Axis Digital Accelerometer Solution (HKLM-x32\...\{9C24F411-9CA7-4A8A-91F3-F08A4A38EB31}) (Version: 4.11.0052 - ST Microelectronics)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

23-11-2014 06:05:34 Windows Update
26-11-2014 12:04:24 Windows Update
28-11-2014 19:08:15 Installed Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
28-11-2014 19:09:37 Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
03-12-2014 13:22:13 Windows Update
08-12-2014 04:04:01 Windows Modules Installer
17-12-2014 18:39:42 Windows Modules Installer
21-12-2014 06:30:30 Windows Update
12-01-2015 19:16:21 Removed Amazon 1Button App

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 07:25 - 2013-08-22 07:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {22CDF6A6-DE48-4652-8395-59D847E63387} - System32\Tasks\Dell\Dell Product Registration => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {24CCA0AB-9DE2-47DC-9E0D-CE5859EA943D} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {3913081E-EF24-44B2-BF35-4A90679AB7B9} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-12-12] (Piriform Ltd)
Task: {4A52583A-560E-4391-AD95-3B0B82273A94} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-01-13] (AVAST Software)
Task: {4BDA971C-1FD8-4E65-BC7E-AD82385393CD} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {A5B8818D-90D7-43DA-9DB0-5FAA50A751AD} - System32\Tasks\Dell\Dell Product Registration Update => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {B50A300B-27F1-4B44-8C81-E46F12B7B400} - System32\Tasks\RtHDVBg_PushButton => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2014-06-30] (Realtek Semiconductor)
Task: {BDE10C78-FF35-4BF4-B69D-D80C2D148D6A} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2014-03-10] (Synaptics Incorporated)
Task: {EBB6EA56-2454-4F46-A982-2ECB7A396448} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {FF9F3BEC-BCEB-4BE5-B6BC-710407934D8D} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2014-12-17] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) =============

2014-01-10 16:53 - 2014-01-10 16:53 - 00016384 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.Interfaces.dll
2014-01-10 16:53 - 2014-01-10 16:53 - 00081408 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.Objects.dll
2014-01-10 16:53 - 2014-01-10 16:53 - 00815616 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.Resources.dll
2014-01-10 17:24 - 2014-01-10 17:24 - 00052736 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.Client.Pulse.Agent.Plugins.SelfUpdate.dll
2014-01-10 17:24 - 2014-01-10 17:24 - 00019968 _____ () C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.Client.Pulse.Agent.Common.dll
2014-11-06 15:08 - 2014-06-04 17:02 - 00020256 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIcon.dll
2014-11-06 15:08 - 2014-06-04 17:02 - 00019744 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayNotBackuped.dll
2014-11-06 15:08 - 2014-06-04 17:03 - 00035104 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRShellExtension.dll
2014-02-26 02:46 - 2014-02-26 02:46 - 00011264 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2014-02-26 02:43 - 2014-02-26 02:43 - 00086016 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\Map\MAP.dll
2014-02-26 02:50 - 2014-02-26 02:50 - 00012928 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
2014-11-06 15:08 - 2014-07-02 23:55 - 00487144 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe
2015-01-13 01:10 - 2015-01-13 01:10 - 02909696 _____ () C:\Program Files\AVAST Software\Avast\defs\15011201\algo.dll
2015-01-13 01:10 - 2015-01-13 01:10 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2014-11-06 15:08 - 2014-07-30 19:37 - 01906464 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\STRestoreAPI.dll
2014-11-06 15:08 - 2012-11-26 01:19 - 01153384 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\libxml2.dll
2014-11-06 15:06 - 2012-11-26 01:19 - 00117608 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\zlib1.dll

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iaioi2ce.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "mcpltui_exe"

========================= Accounts: ==========================

Administrator (S-1-5-21-1053173477-2516257368-127646272-500 - Administrator - Disabled)
Guest (S-1-5-21-1053173477-2516257368-127646272-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1053173477-2516257368-127646272-1003 - Limited - Enabled)
Judy (S-1-5-21-1053173477-2516257368-127646272-1001 - Administrator - Enabled) => C:\Users\Judy

==================== Faulty Device Manager Devices =============

Name: HID Sensor Collection
Description: HID Sensor Collection
Class Guid: {5175d334-c371-4806-b3ba-71fd53c9258d}
Manufacturer: Microsoft
Service: SensorsHIDClassDriver
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

==================== Event log errors: =========================

Application errors:
==================
Error: (01/12/2015 07:48:06 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

Error: (01/12/2015 07:41:06 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.

Error: (01/12/2015 07:31:26 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (01/12/2015 06:24:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Skype.exe version 6.22.0.107 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 12d8

Start Time: 01d02ec5bca0c994

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Skype\Phone\Skype.exe

Report Id: 903083c4-9aba-11e4-825e-4cbb583ad087

Faulting package full name:

Faulting package-relative application ID:

Error: (01/12/2015 06:13:15 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (01/12/2015 06:10:49 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Skype.exe version 6.22.0.107 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 10f0

Start Time: 01d01d1b62e1e3ff

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Skype\Phone\Skype.exe

Report Id: 9daada32-9ab8-11e4-825d-4cbb583ad087

Faulting package full name:

Faulting package-relative application ID:

Error: (01/12/2015 06:10:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mmc.exe version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 839c

Start Time: 01d02e6fa8dc5214

Termination Time: 4294967295

Application Path: C:\Windows\system32\mmc.exe

Report Id: 75ab3658-9ab8-11e4-825d-4cbb583ad087

Faulting package full name:

Faulting package-relative application ID:

Error: (01/12/2015 08:00:32 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database

Error: (01/12/2015 06:51:42 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

Error: (01/11/2015 06:56:10 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

System errors:
=============
Error: (01/12/2015 08:48:32 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (01/12/2015 08:48:32 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (01/12/2015 08:48:32 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (01/12/2015 08:48:31 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (01/12/2015 08:01:09 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {209500FC-6B45-4693-8871-6296C4843751}

Error: (01/12/2015 08:00:38 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {209500FC-6B45-4693-8871-6296C4843751}

Error: (01/12/2015 07:30:14 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (01/12/2015 07:30:15 PM) (Source: DCOM) (EventID: 10010) (User: Judyspc)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (12/21/2014 06:43:37 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {209500FC-6B45-4693-8871-6296C4843751}

Error: (12/17/2014 06:56:12 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.

Microsoft Office Sessions:
=========================
Error: (01/12/2015 07:48:06 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

Error: (01/12/2015 07:41:06 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\Users\Judy\AppData\Local\Temp\nshA51E.tmp\PIPInstaller_PLT-G_.exe

Error: (01/12/2015 07:31:26 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (01/12/2015 06:24:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Skype.exe6.22.0.10712d801d02ec5bca0c9944294967295C:\Program Files (x86)\Skype\Phone\Skype.exe903083c4-9aba-11e4-825e-4cbb583ad087

Error: (01/12/2015 06:13:15 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (01/12/2015 06:10:49 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Skype.exe6.22.0.10710f001d01d1b62e1e3ff4294967295C:\Program Files (x86)\Skype\Phone\Skype.exe9daada32-9ab8-11e4-825d-4cbb583ad087

Error: (01/12/2015 06:10:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: mmc.exe6.3.9600.16384839c01d02e6fa8dc52144294967295C:\Windows\system32\mmc.exe75ab3658-9ab8-11e4-825d-4cbb583ad087

Error: (01/12/2015 08:00:32 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: -2147024883

Error: (01/12/2015 06:51:42 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

Error: (01/11/2015 06:56:10 AM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80070005

CodeIntegrity Errors:
===================================
  Date: 2014-11-20 10:09:38.250
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Celeron® CPU N2830 @ 2.16GHz
Percentage of memory in use: 88%
Total physical RAM: 3979.2 MB
Available physical RAM: 471.38 MB
Total Pagefile: 4827.2 MB
Available Pagefile: 3158.75 MB
Total Virtual: 131072 MB
Available Virtual: 131071.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:456.98 GB) (Free:414.29 GB) NTFS
Drive d: (ESP) (Fixed) (Total:0.48 GB) (Free:0.43 GB) FAT32
Drive x: (WINRETOOLS) (Fixed) (Total:0.73 GB) (Free:0.45 GB) NTFS
Drive y: (PBR Image) (Fixed) (Total:7.39 GB) (Free:0.73 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: FA22D922)

Partition: GPT Partition Type.

==================== End Of Log ============================

Edited by xxjermeyxx, 13 January 2015 - 01:48 AM.

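
The Scheduled Tasks and Accounts sections of the Addition.txt log above are where a scammer's remote session leaves its cheapest traces: a task whose target is a bare file name (the SystemToolsDailyTest entry names uaclauncher.exe with no path and no publisher), a task whose target carries no signature, or an enabled account the owner never created. As an added example, not part of the original thread and not part of FRST, here is a Python triage script that reads those two kinds of line. The remote-access tool list, the zero-GUID "Support Session" task, the AA_v3.exe file name and the "support" account in the sample are constructed for illustration; the remaining sample lines are copied from the log, and the AMMYY folder is the one the fixlist later in the thread removes.

```python
"""Triage the 'Scheduled Tasks' and 'Accounts' entries of an FRST Addition.txt.

Added example for this thread; not code from the posts and not part of FRST. It
asks the cheap questions that matter after a stranger has had remote access:
which tasks run a bare file name or an unsigned binary, which mention a
remote-access tool, and which enabled accounts the owner never created.
"""
import re

# Remote-access tools tech-support scammers commonly install (illustrative list).
REMOTE_TOOL_MARKERS = ("ammyy", "teamviewer", "logmein", "supremo",
                       "anydesk", "pocketcloud", "gotoassist", "ultraviewer")
BUILTIN_ACCOUNTS = {"Administrator", "Guest", "HomeGroupUser$"}  # created by Windows

TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<name>.+?) => (?P<rest>.+)$")
ACCOUNT_RE = re.compile(
    r"^(?P<name>\S.*?) \((?P<sid>S-1-5-21-[\d-]+) - (?P<group>Administrator|Limited)"
    r" - (?P<state>Enabled|Disabled)\)(?: => (?P<profile>.+))?$")


def parse_task(line):
    """Split 'Task: {guid} - name => path [YYYY-MM-DD] (Publisher)' into fields."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    signer = None                       # None: FRST printed no file details at all
    if rest.endswith(")"):
        i = rest.rfind(" (")            # the publisher is always the last (...) field,
        if i != -1:                     # so 'Program Files (x86)' in the path is safe
            signer, rest = rest[i + 2:-1], rest[:i]   # "" when FRST printed "()"
    date = None
    d = re.search(r" \[(\d{4}-\d{2}-\d{2})\]$", rest)
    if d:
        date, rest = d.group(1), rest[:d.start()]
    return {"guid": m.group("guid"), "name": m.group("name"),
            "target": rest, "date": date, "signer": signer}


def triage_tasks(text):
    """Return (task name, target, reasons) for each task that deserves a look."""
    findings = []
    for t in filter(None, map(parse_task, text.splitlines())):
        reasons = []
        if "\\" not in t["target"]:          # no path: resolved through PATH at run time
            reasons.append("bare file name, resolved through PATH")
        elif t["signer"] == "":               # FRST found no valid Authenticode signature
            reasons.append("target is unsigned")
        elif t["signer"] is None:
            reasons.append("no file details recorded")
        hits = [k for k in REMOTE_TOOL_MARKERS if k in (t["name"] + t["target"]).lower()]
        if hits:
            reasons.append("remote-access tool: " + ", ".join(hits))
        if reasons:
            findings.append((t["name"], t["target"], reasons))
    return findings


def triage_accounts(text, expected_users):
    """Flag enabled accounts the owner does not recognise; admins are the priority."""
    findings = []
    for m in filter(None, map(ACCOUNT_RE.match, text.splitlines())):
        name, group, state = m.group("name", "group", "state")
        if state != "Enabled" or name in expected_users:
            continue
        if group == "Administrator":
            findings.append((name, "enabled administrator not expected by owner"))
        elif name not in BUILTIN_ACCOUNTS:
            findings.append((name, "enabled account not expected by owner"))
    return findings


def triage(addition_text, expected_users):
    """Run both checks over the text of Addition.txt."""
    return {"tasks": triage_tasks(addition_text),
            "accounts": triage_accounts(addition_text, set(expected_users))}


# Constructed sample: lines from the log above plus a made-up 'Support Session' task
# (unsigned, inside the AMMYY folder the fixlist removes) and a made-up 'support' account.
SAMPLE_ADDITION = r"""
==================== Scheduled Tasks (whitelisted) =============
Task: {24CCA0AB-9DE2-47DC-9E0D-CE5859EA943D} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {4BDA971C-1FD8-4E65-BC7E-AD82385393CD} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\Support Session => C:\ProgramData\AMMYY\AA_v3.exe [2015-01-12] ()
========================= Accounts: ==========================
Administrator (S-1-5-21-1053173477-2516257368-127646272-500 - Administrator - Disabled)
HomeGroupUser$ (S-1-5-21-1053173477-2516257368-127646272-1003 - Limited - Enabled)
Judy (S-1-5-21-1053173477-2516257368-127646272-1001 - Administrator - Enabled) => C:\Users\Judy
support (S-1-5-21-1053173477-2516257368-127646272-1004 - Administrator - Enabled) => C:\Users\support
"""

if __name__ == "__main__":
    result = triage(SAMPLE_ADDITION, ["Judy"])
    for name, target, reasons in result["tasks"]:
        print(f"TASK    {name} -> {target}: {'; '.join(reasons)}")
    for name, reason in result["accounts"]:
        print(f"ACCOUNT {name}: {reason}")
```

On a real machine the call is triage(open("Addition.txt", encoding="utf-8-sig").read(), [accounts the owner created]). Everything it lists is a lead, not a verdict: the bare uaclauncher.exe entry above shares its file name with the signed PC-Doctor task beside it, which is the obvious first thing to confirm, and it still deserves the look precisely because a bare name is resolved through PATH rather than pinned to a signed file.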

#4
xxjermeyxx (Topic Starter, Member, 14 posts)

I'm starting to wonder if possibly the issue couldn't just be from the laptop's low specs (or at least a large part of the issue), and maybe the person was just fishing for more information over the remote desktop. I'm not going to lie and say I honestly know too much about all of this. Something I forgot to add, though, is that I did notice an "installation.exe" in her Downloads and she said it wasn't from her. So I suppose that could have been the remote desktop software installer or something the person put on himself. I deleted that earlier, though (not sure if that matters).



#5
LiquidTension (Instructor, GeekU Moderator, 1,064 posts)

Hello,

xxjermeyxx said: "I'm starting to wonder if possibly the issue couldn't just be from the laptop's low specs (or at least a large part of the issue)"

Possibly. I'm not seeing any malware, so we're more than likely dealing with something non-malware related; whether that be software or hardware related is difficult to say right now.

Let's run a few more scans to double-check the machine appears clean.
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    2015-01-12 07:54 - 2015-01-12 07:54 - 00000000 ____D () C:\ProgramData\AMMYY
    2015-01-12 07:49 - 2015-01-12 07:49 - 00002263 _____ () C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno.lnk
    2015-01-12 07:49 - 2015-01-12 07:49 - 00002263 _____ () C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno (2).lnk
    CMD: ipconfig /flushdns
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
McAfee Removal Tool

  • Please download the McAfee Removal Tool and save the file to your Desktop.
  • Right-click MCPR.exe and select Run as administrator to run the programme.
  • Follow the prompts. This will remove the remnants left when McAfee was uninstalled.
     

STEP 3
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Close AdwCleaner (accept any prompts).
  • Copy the contents of the log and paste in your next reply.
     

STEP 4
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 5
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points.
  • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • Did the McAfee Removal Tool run successfully? 
  • AdwCleaner[R0].txt
  • MBAM log
  • ESET log


#6
xxjermeyxx (Topic Starter, Member, 14 posts)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-01-2015 02
Ran by Judy at 2015-01-13 12:08:46 Run:1
Running from C:\Users\Judy\Downloads
Loaded Profile: Judy (Available profiles: Judy)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
2015-01-12 07:54 - 2015-01-12 07:54 - 00000000 ____D () C:\ProgramData\AMMYY
2015-01-12 07:49 - 2015-01-12 07:49 - 00002263 _____ () C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno.lnk
2015-01-12 07:49 - 2015-01-12 07:49 - 00002263 _____ () C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno (2).lnk
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************

Restore point was successfully created.
C:\ProgramData\AMMYY => Moved successfully.
C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno.lnk => Moved successfully.
C:\Users\Judy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\(Trial version) Quicktechno (2).lnk => Moved successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 287.6 MB temporary data.

The system needed a reboot.

==== End of Fixlog 12:10:02 ====



#7
xxjermeyxx (Topic Starter, Member, 14 posts)

# AdwCleaner v4.107 - Report created 13/01/2015 at 12:22:52
# Updated 07/01/2015 by Xplode
# Database : 2015-01-13.2 [Live]
# Operating System : Windows 8.1  (64 bits)
# Username : Judy - JUDYSPC
# Running from : C:\Users\Judy\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

*************************

AdwCleaner[R0].txt - [543 octets] - [13/01/2015 12:22:52]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [602 octets] ##########



#8
xxjermeyxx (Topic Starter, Member, 14 posts)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/13/2015
Scan Time: 12:29:32 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.13.13
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Judy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318126
Time Elapsed: 22 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)



#9
xxjermeyxx (Topic Starter, Member, 14 posts)

C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
 



#10
xxjermeyxx (Topic Starter, Member, 14 posts)

Oh, I forgot to add: the McAfee tool ran fine, so I believe that's everything.



#11
LiquidTension (Instructor, GeekU Moderator, 1,064 posts)

Hello,

Those logs look good.

Please provide a follow-up description of how your computer is performing. I don't imagine much has changed, but would still like an update.



#12
xxjermeyxx (Topic Starter, Member, 14 posts)

Yeah, there hasn't really been any change, honestly. I suppose this means the person was just fishing for more information or something while he had remote desktop.



#13
LiquidTension (Instructor, GeekU Moderator, 1,064 posts)

Hello,

xxjermeyxx said: "I suppose this means the person was just fishing for more information or something while he had remote desktop."

Most of the time is spent trying to persuade the victim that a) their computer is infected/damaged and b) they should purchase software/warranty. Perhaps the owner of the machine would benefit from reading the following articles:

We can look further into why you're experiencing the issues mentioned if you like. As I said, I don't believe these issues to be caused by malware.
Let's start off with checking your hard drive and System Files.
 
STEP 1
Creating System Restore Point (W8)

  • Press the Windows key + on your keyboard at the same time. Type Restore in the search bar.
  • Click Create a restore point.
  • Click Create.
  • Enter a name and click Create.
  • Upon completion, close the window.
     

STEP 2
CHKDSK

  • Note: If you have a Solid State Drive (SSD), do not run CHKDSK. Skip STEP 2, and proceed with STEP 3.
  • Click Start and type CMD in the Search Bar. Right-click CMD.exe and select Run as administrator.
  • In the command window type the following and press Enter on your keyboard.
    chkdsk c: /r
  • If you are prompted to schedule CHKDSK to run the next time the computer restarts, type y and press Enter on your keyboard.
  • Type Exit and press Enter on your keyboard.
  • Restart your computer. CHKDSK will automatically run.
  • Note: This process can take up to an hour.
  • Press the Windows Key + R on your keyboard at the same time. Type eventvwr.msc and click OK.
  • Click Windows Logs.
  • Right-click Application and click Find.
    • If CHKDSK ran within Windows (you didn't have to restart the computer), type Chkdsk into the text field and click Find Next. The log should appear. Highlight the text, Copy and paste in your next reply.
    • If CHKDSK ran after a restart, type Winlogon (XP) / Wininit (Vista/7) / Chkdsk (8) into the text field and click Find Next. The log should appear. Highlight the text, Copy and paste in your next reply.
  • For instructions accompanied by screenshots, please refer to the following article.
     

STEP 3
System File Checker (SFC)

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    sfc /scannow
    findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcresults.txt"
    notepad %userprofile%\Desktop\sfcresults.txt
    del %0
  • Click Format. Ensure Word Wrap is unchecked.
  • Click File > Save As and name the file querysfc.bat.
  • Select All Files as the Save as type.
  • Save the file to your Desktop.
  • Locate querysfc.bat on your Desktop. Right-click the icon and click Run as administrator.
  • Upon completion, a log (sfcresults.txt) will open on your Desktop. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • CHKDSK results
  • sfcresults.txt

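
The querysfc.bat in STEP 3 above leaves sfcresults.txt holding every [SR] line from CBS.log, which on a run that found corruption is hundreds of near-identical lines. As an added example, not code from the post and not a Microsoft tool, here is a Python script that reduces that file to a verdict plus the names of the files SFC repaired from the component store and the ones it could not. SAMPLE_SR is constructed in CBS.log's [SR] line format for the demonstration and is not a real log; on a real run pass the path of sfcresults.txt as the first argument.

```python
r"""Summarise the [SR] lines that querysfc.bat extracts from CBS.log.

Added example for this thread; not code from the post and not a Microsoft tool.
sfc /scannow writes one '[SR]' line per action to %windir%\Logs\CBS\CBS.log.
This reduces the extracted lines to a verdict plus the names of the files SFC
repaired and the ones it could not. SAMPLE_SR is constructed in CBS.log's
format for the demonstration; it is not a real log.
"""
import re
import sys

# e.g. '[SR] Verifying 100 (0x0000000000000064) components' (one line per batch of 100)
VERIFY_RE = re.compile(r"\[SR\] Verifying (\d+) \(0x[0-9A-Fa-f]+\) components")
# e.g. '[SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = ...'
CANNOT_RE = re.compile(r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"([^"]+)" of ([^,]+),')
# e.g. '[SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"opencl.dll" from store'
REPAIR_RE = re.compile(r'\[SR\] Repairing corrupted file .*\[l:\d+\{\d+\}\]"([^"]+)" from store')


def summarize_sfc(sr_text):
    """Return verified-component count, repaired and unrepairable files, and a verdict."""
    verified, repaired, unrepairable = 0, [], []
    for line in sr_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            verified += int(m.group(1))
            continue
        m = CANNOT_RE.search(line)
        if m:
            item = (m.group(1), m.group(2))      # (member file, owning component)
            if item not in unrepairable:         # SFC repeats the failure in later passes
                unrepairable.append(item)
            continue
        m = REPAIR_RE.search(line)
        if m and m.group(1) not in repaired:
            repaired.append(m.group(1))
    if unrepairable:
        verdict = "corruption found, not all files repaired"
    elif repaired:
        verdict = "corruption found and repaired"
    else:
        verdict = "no integrity violations"
    return {"components_verified": verified, "repaired": repaired,
            "unrepairable": unrepairable, "verdict": verdict}


# Constructed sample in CBS.log's [SR] format: two verify batches, one file SFC
# repaired from the component store and one it could not (reported twice).
SAMPLE_SR = r"""
2015-01-13 20:01:02, Info                  CSI    00000006 [SR] Verifying 100 (0x0000000000000064) components
2015-01-13 20:01:02, Info                  CSI    00000007 [SR] Beginning Verify and Repair transaction
2015-01-13 20:01:40, Info                  CSI    00000008 [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-01-13 20:01:41, Info                  CSI    00000009 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"opencl.dll" from store
2015-01-13 20:01:41, Info                  CSI    0000000a [SR] Verify complete
2015-01-13 20:01:42, Info                  CSI    0000000b [SR] Verifying 100 (0x0000000000000064) components
2015-01-13 20:01:50, Info                  CSI    0000000c [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-01-13 20:01:51, Info                  CSI    0000000d [SR] Verify complete
2015-01-13 20:01:52, Info                  CSI    0000000e [SR] Repair complete
"""

if __name__ == "__main__":
    # Pass the path of sfcresults.txt to summarise a real run; otherwise use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SR
    result = summarize_sfc(text)
    print(f"{result['verdict']} ({result['components_verified']} components verified)")
    for name in result["repaired"]:
        print("repaired:    ", name)
    for name, component in result["unrepairable"]:
        print("unrepairable:", name, "in", component)
```

A "Cannot repair member file" entry names the member and the component it belongs to, which is what you need when deciding whether the file matters (a printer driver cache file is a different conversation from a system DLL) and what to feed a later repair from install media.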

#14
xxjermeyxx (Topic Starter, Member, 14 posts)

I'll post the results later on tonight when I can ask to see it again.



#15
LiquidTension (Instructor, GeekU Moderator, 1,064 posts)

OK, sounds good.







