Geeks to Go

Win7 notebook hit by "Microsoft Support" scam, possible Rootki


#1 HALlives (Member, 59 posts)

Hi All

A friend was caught by a "Microsoft Support" scam a couple of days ago; they downloaded GoToAssist 3.1x, and Citrix Online Launcher, on her HP EliteBook running Win7 Pro 64Bit on a Crucial MX300 SSD.

I booted into Safe Mode, went to Uninstall/change a program and deleted the GoToAssist, but the Citrix Online Launcher can't be deleted; when I try I get the following error message, "The Windows Installer Service could not be accessed..."

When booted into Windows the "Microsoft Alert" scammer window immediately appears on the Desktop, not in a browser, so I'm assuming there's a rootkit/bootkit in the system.

Does anyone have any idea how to deal with this short of nuking the drive?

There's stuff in there my friend would rather not lose if at all possible... yeah, she didn't back up on a regular basis... yeah, we've already had a serious conversation about this.

I'm located in California, and can only work on this in my evenings, so please excuse any extended silence if we're in different time zones.

Thanking you in advance.




#2 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hi! My name is zep516 and welcome to Geekstogo!
I'll do the best I can to resolve your computer issue.
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue. Stop and ask! Never be afraid to ask questions! :)

The Windows Installer service will not run in Safe Mode. I need a set of log reports from you.

Everything gets downloaded to the desktop, and tools are "Run as administrator."

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


#3 HALlives (Topic Starter, Member, 59 posts)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-02-2017
Ran by Barb (administrator) on BARB-PC (12-02-2017 18:54:30)
Running from C:\Users\Barb\Desktop
Loaded Profiles: Barb (Available Profiles: Barb)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\SA3\HP-NB-AIO\CxUtilSvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
() C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
(Synaptics Incorporated) C:\Windows\System32\valWBFPolicyService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Conexant) C:\Windows\System32\MicTray64.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
Startup: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Funny.exe [2016-12-11] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7C27814A-EDAF-44EB-9A93-BF72FBD7C0A7}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-12-13] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-07-27] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-12-27] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-12-12] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-07-27] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-12-27] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-07-27] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-07-27] (Google Inc.)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-12-27] (Microsoft Corporation)

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-08-24] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-08-24] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-12-27] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2016-12-27] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4070142805-2248021825-1571207387-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Barb\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2017-02-08] (Citrix Online)

Chrome:
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default [2017-02-12]
CHR Extension: (Google Slides) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-07-09]
CHR Extension: (Google Docs) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-07-09]
CHR Extension: (Google Drive) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-09]
CHR Extension: (YouTube) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-07-09]
CHR Extension: (Adobe Acrobat) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-02-03]
CHR Extension: (Google Sheets) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-07-09]
CHR Extension: (Google Docs Offline) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-07-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-24]
CHR Extension: (Gmail) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-07-09]
CHR Extension: (Chrome Media Router) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-02]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042032 2016-12-13] (Microsoft Corporation)
R2 CxUtilSvc; C:\Program Files\Conexant\SA3\HP-NB-AIO\CxUtilSvc.exe [135288 2015-08-08] (Conexant Systems, Inc.)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2770312 2016-12-03] (ESET)
S2 iBtSiva; C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe [150632 2015-10-08] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [356336 2016-05-15] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [207648 2016-01-07] (Intel Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2016-12-14] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-12-02] ()
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-01-08] (DEVGURU Co., LTD.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246376 2015-11-18] (Synaptics Incorporated)
R2 UsbClientService; C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [248840 2016-03-17] () [File not signed]
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [76296 2015-11-17] (Synaptics Incorporated)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3832224 2015-12-02] (Intel® Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [141800 2015-07-28] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1445688 2014-11-20] (Motorola Solutions, Inc.)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [502256 2015-09-29] (Intel Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [262792 2016-12-03] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [197248 2016-12-03] (ESET)
R2 ekbdflt; C:\Windows\System32\DRIVERS\ekbdflt.sys [153216 2016-12-03] (ESET)
R1 epfw; C:\Windows\System32\DRIVERS\epfw.sys [208520 2016-12-03] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [61568 2016-12-03] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [84616 2016-12-03] (ESET)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2016-12-14] ()
R3 iaLPSS2_GPIO2; C:\Windows\System32\DRIVERS\iaLPSS2_GPIO2.sys [91944 2015-06-02] (Intel Corporation)
R3 iaLPSS2_I2C; C:\Windows\System32\DRIVERS\iaLPSS2_I2C.sys [166184 2015-06-02] (Intel Corporation)
R3 ibtusb; C:\Windows\System32\DRIVERS\ibtusb.sys [96496 2015-09-10] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [180264 2015-12-24] (Intel Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\Netwsw02.sys [3422472 2016-01-01] (Intel Corporation)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2016-07-09] ()
S3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [769752 2015-12-18] (Realsil Semiconductor Corporation)
U5 RTSUER; C:\Windows\System32\Drivers\RTSUER.sys [413912 2015-12-22] (Realsil Semiconductor Corporation)
R3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [3092224 2015-12-03] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [42600 2015-11-18] (Synaptics Incorporated)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-12 18:54 - 2017-02-12 18:54 - 00014651 _____ C:\Users\Barb\Desktop\FRST.txt
2017-02-12 18:54 - 2017-02-12 18:54 - 00000000 ____D C:\FRST
2017-02-12 18:52 - 2017-02-12 18:52 - 02421248 _____ (Farbar) C:\Users\Barb\Desktop\FRST64.exe
2017-02-08 20:03 - 2017-02-12 17:39 - 00435362 _____ C:\Windows\ntbtlog.txt
2017-02-08 13:48 - 2017-02-08 13:48 - 00000000 ____D C:\Windows\pss
2017-02-08 13:47 - 2017-02-08 13:47 - 00000000 ____D C:\Users\Barb\Documents\MY TECHNICIAN 1-866-552-0810
2017-02-08 13:04 - 2017-02-08 13:04 - 00000000 ____D C:\Users\Barb\AppData\Local\Citrix
2017-02-08 13:04 - 2017-02-08 13:04 - 00000000 ____D C:\Program Files (x86)\Citrix
2017-02-04 13:41 - 2017-02-04 13:41 - 00000000 __RHD C:\MSOCache
2017-01-14 22:03 - 2017-01-14 22:03 - 00010264 _____ C:\Users\Barb\Downloads\Statement_201612.pdf
2017-01-14 22:03 - 2017-01-14 22:03 - 00010264 _____ C:\Users\Barb\Downloads\Statement_201612 (1).pdf
2017-01-14 22:03 - 2017-01-14 22:03 - 00009878 _____ C:\Users\Barb\Downloads\Statement_201512.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-12 18:51 - 2009-07-13 21:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-12 18:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2017-02-12 18:47 - 2016-07-10 11:25 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-02-12 18:47 - 2016-07-09 15:23 - 00000000 __SHD C:\Users\Barb\IntelGraphicsProfiles
2017-02-12 18:46 - 2016-07-09 16:43 - 00000000 ____D C:\ProgramData\Synaptics
2017-02-12 18:46 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-08 18:30 - 2016-07-26 19:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-02-08 14:18 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2017-02-08 14:01 - 2009-07-13 20:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-08 14:01 - 2009-07-13 20:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-08 13:50 - 2016-12-27 17:36 - 00000000 ____D C:\Users\Barb\AppData\Local\LogMeIn Rescue Applet
2017-02-02 09:30 - 2016-07-19 12:34 - 00000000 ____D C:\Users\Barb\AppData\Local\CrashDumps
2017-02-02 09:10 - 2016-07-09 16:07 - 00002202 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-02 09:10 - 2016-07-09 16:07 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-01-23 18:27 - 2016-12-27 17:41 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-01-23 18:26 - 2016-12-27 17:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-01-23 17:56 - 2017-01-04 11:48 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-01-15 20:33 - 2016-07-17 12:33 - 00000000 ____D C:\Users\Barb\AppData\Roaming\VERIZON

==================== Files in the root of some directories =======

2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\AtStart.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\DSwitch.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\QSwitch.txt
2016-07-10 16:31 - 2016-07-10 16:31 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
2016-11-14 11:15 - 2016-11-14 11:15 - 2612600 _____ (Microsoft Corporation) C:\Users\Barb\AppData\Local\Temp\DefaultPack.EXE
2016-12-07 19:13 - 2016-03-17 16:08 - 1748144 _____ (SAMSUNG Electornics Co., Ltd.) C:\Users\Barb\AppData\Local\Temp\LiveUpdater.exe
2016-07-17 12:33 - 2016-07-17 12:33 - 14582976 _____ (Samsung Electronics Co., Ltd.) C:\Users\Barb\AppData\Local\Temp\SAMSUNG_USB_Driver_for_Mobile_Phones.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-08 14:10

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-02-2017
Ran by Barb (12-02-2017 18:54:51)
Running from C:\Users\Barb\Desktop
Windows 7 Professional Service Pack 1 (X64) (2016-07-09 21:58:31)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-4070142805-2248021825-1571207387-500 - Administrator - Disabled)
Barb (S-1-5-21-4070142805-2248021825-1571207387-1000 - Administrator - Enabled) => C:\Users\Barb
Guest (S-1-5-21-4070142805-2248021825-1571207387-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4070142805-2248021825-1571207387-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET Smart Security 9.0.408.0 (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: ESET Smart Security 9.0.408.0 (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall (Enabled) {D426EE12-AE7E-4602-F40F-BBCA8137EB0B}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat 5.0 (HKLM-x32\...\Adobe Acrobat 5.0) (Version: 5.0 - Adobe Systems, Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20056 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.194 - Adobe Systems Incorporated)
Adobe PageMaker 7.0 (HKLM-x32\...\Adobe PageMaker 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Shockwave Player 12.2 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.2.4.194 - Adobe Systems, Inc.)
Alcor Micro Smart Card Reader Driver (HKLM-x32\...\SZCCID) (Version: 1.7.44.0 - Alcor Micro Corp.)
Alcor Micro Smart Card Reader Driver (x32 Version: 1.7.44.0 - Alcor Micro Corp.) Hidden
Atmel I2C-HID maXTouch driver (HKLM-x32\...\InstallShield_{D38217B4-7002-471C-9B23-BB206429370A}) (Version: 1.0.0.2 - Atmel Corp.)
Atmel I2C-HID maXTouch driver (Version: 1.0.0.2 - Atmel Corp.) Hidden
Bang & Olufsen Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.65.148.0 - Conexant Systems)
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
ESET Smart Security (HKLM\...\{BA1050B5-E274-4693-8A67-CAF5576A07F1}) (Version: 9.0.381.0 - ESET, spol. s r.o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
HP Dropbox Plugin (HKLM-x32\...\{3E261474-8DF2-463B-984E-0B6396F58D1C}) (Version: 36.0.39.57346 - HP)
HP Google Drive Plugin (HKLM-x32\...\{9469285B-AB76-434A-8533-2EE643318F2E}) (Version: 36.0.39.57346 - HP)
HP OfficeJet Pro 8720 Basic Device Software (HKLM\...\{98A7C54D-74EB-461C-8124-E78BF938401F}) (Version: 38.1.1881.57490 - HP Inc.)
HP OfficeJet Pro 8720 Help (HKLM-x32\...\{18E5A98E-E857-4087-AF73-4E6B9AB0A140}) (Version: 38.0.0 - HP)
HP Quick Launch Buttons (HKLM-x32\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
HP Universal Camera Driver (HKLM-x32\...\{E399A5B3-ED53-4DEA-AF04-8011E1EB1EAC}) (Version: 10.0.10240.11156 - Realtek Semiconductor Corp.)
I.R.I.S. OCR (HKLM-x32\...\{093C645A-294E-41E4-904C-DDF13DC47A27}) (Version: 12.3.6.12 - HP)
Intel® Chipset Device Software (x32 Version: 10.1.1.11 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1177 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 20.4 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4457 - Intel Corporation)
Intel® Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 30.61.1519.7 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 4.0.4.51 - Intel Corporation)
Intel® Wireless Bluetooth®(patch version 18.1.1536.2042) (HKLM\...\{302600C1-6BDF-4FD1-1508-148929CC1385}) (Version: 18.1.1508.0538 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{f6a1d9e5-6ef0-4bdb-8637-4241ffee4179}) (Version: 18.32.1 - Intel Corporation)
Malwarebytes Anti-Exploit version 1.9.1.1291 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.9.1.1291 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 15.0.4893.1002 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
NXPProximityInstaller (HKLM-x32\...\NXPProximityInstaller) (Version: 3.10020.10439.40 - NXP Semiconductors)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
QLBCASL (x32 Version: 6.40.17.2 - Hewlett-Packard) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.370.119 - Realtek Semiconduct Corp.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.59.0 - Samsung Electronics Co., Ltd.)
Snagit 11 (HKLM-x32\...\{90D0FC4B-D653-4F49-BB97-A48C74A52E71}) (Version: 11.4.3 - TechSmith Corporation)
SUABnR (HKLM-x32\...\InstallShield_{2485354C-6B65-4978-BB91-CCE61442377B}) (Version: 1.1.0.13103_1 - Samsung Electronics Co., Ltd.)
SUABnR (x32 Version: 1.1.0.13103_1 - Samsung Electronics Co., Ltd.) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.19.18 - Synaptics Incorporated)
Synaptics WBF Fingerprint Reader (HKLM\...\{0A3B3699-C474-4173-B105-C3B9464F61C0}) (Version: 4.5.324.0 - Synaptics)
Synology Assistant (remove only) (HKLM-x32\...\Synology Assistant) (Version:  - )
ThumbsPlus 10 (HKLM-x32\...\ThumbsPlus 10) (Version:  - Cerious Software)
ThumbsPlus 10 (x32 Version: 10.1.0.4011 - Cerious Software Inc.) Hidden
Verizon Wireless Software Upgrade Assistant - Samsung(ar) (HKLM-x32\...\{D549825F-FB85-49F6-8075-79847871C246}) (Version: 2.16.1101 - Samsung Electronics Co., Ltd.)
Verizon Wireless Software Utility Application for Android - Samsung (HKLM-x32\...\{EDB7BFB3-9B55-4A70-920F-35226A4E4A12}) (Version: 2.16.0504 - Samsung Electronics Co., Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1B251480-BCE2-487D-B310-52D9887444E6} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-11-01] (Microsoft Corporation)
Task: {329F6AA2-80A7-4680-98C0-3CA086F9269C} - System32\Tasks\TechSmith Updater => C:\Program Files (x86)\Common Files\TechSmith Shared\Updater\TSCUpdClt.exe [2013-10-04] (TechSmith Corporation)
Task: {34D2B29D-8B51-4700-97A3-450A76EDEFF2} - System32\Tasks\{C3921B5B-160A-4419-8B2F-D47A88C31E39} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP It4120 Snapdragon X5 LTE Drivers v1.0.1.53 Rev.A.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking"
Task: {801A6E1D-2C47-48BD-BCFB-BFE03BA606F2} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-01-12] (Adobe Systems Incorporated)
Task: {84CC1865-774C-422C-A065-8D1B0393F5B6} - System32\Tasks\{1346ADC4-9572-4089-A8A4-B0EE90368685} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Firmware\HP Ultraslim Docking Station Displayport Hub.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Firmware"
Task: {9041B7BE-A5F4-4A2E-96B5-BC0D80EE71A2} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-12-27] (Microsoft Corporation)
Task: {9A05A1EE-9390-42AF-A554-E3193A7E22A5} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {9AFCD27A-8420-4984-B521-9A7021E978DD} - System32\Tasks\{6B35F718-257C-418D-A944-03E0917F6AB4} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP hs3110hs3114 Mobile Broadband Drivers.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking"
Task: {A5C05730-98A6-4AB4-95D3-63BE60FF32B7} - System32\Tasks\Microsoft\Windows\Conexant\MicTray => C:\Windows\System32\MicTray64.exe [2015-12-24] (Conexant)
Task: {BC6A1B5D-AF46-4E91-890B-00DD552F793E} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-12-27] (Microsoft Corporation)
Task: {CD9EBDDB-0E0D-4F10-88F3-449FF45886C0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-09] (Google Inc.)
Task: {D577B661-52EC-42C7-821A-6730A098807E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-09] (Google Inc.)
Task: {F0C4053A-0DCE-4EED-B463-2B71D475078E} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-11-01] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-12-27 17:39 - 2016-05-24 08:51 - 00116416 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2016-03-17 21:41 - 2016-03-17 21:41 - 00248840 _____ () C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
2016-12-27 17:41 - 2016-12-27 17:41 - 08909504 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-05-15 19:13 - 2016-05-15 19:13 - 00384496 _____ () C:\Windows\system32\igfxTray.exe
2016-01-07 00:48 - 2016-01-07 00:48 - 01243936 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.exe:  =>  <===== ATTENTION
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.scr:  =>  <===== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk => C:\Windows\pss\Acrobat Assistant.lnk.CommonStartup
MSCONFIG\startupreg: BTMTrayAgent => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
MSCONFIG\startupreg: HP OfficeJet Pro 8720 (NET) => "C:\Program Files\HP\HP OfficeJet Pro 8720\Bin\ScanToPCActivationApp.exe" -deviceID "CN63OAK0NB:NW" -scfn "HP OfficeJet Pro 8720 (NET)" -AutoStart 1
MSCONFIG\startupreg: IMSS => "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe" 60
MSCONFIG\startupreg: Malwarebytes Anti-Exploit => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
MSCONFIG\startupreg: RtsCM => RTSCM64.EXE
MSCONFIG\startupreg: SmartAudio => C:\Program Files\Conexant\SA3\HP-NB-AIO\SACpl.exe /sa3 /nv:3.0+ /uid:HP-NB-AIO /s /dne
MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{5C9B44A5-E106-4C56-BC8A-30E2861775EC}] => C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{DAEFD7EC-46D8-4F3F-9345-2F952AAA36EB}] => C:\Users\Barb\AppData\Local\Temp\7zS687B\HP.EasyStart.exe
FirewallRules: [{78A18A2E-79A8-4F20-AFFA-EA328E48EDB9}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\FaxApplications.exe
FirewallRules: [{BCC3FAFD-511A-42D0-9A56-AC7DA245AADC}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\DigitalWizards.exe
FirewallRules: [{6290E48D-78B7-4D83-BB51-6779AC7BD844}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\SendAFax.exe
FirewallRules: [{5FC1E9A2-A8B3-420A-B8F8-1CFB2904361C}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\FaxPrinterUtility.exe
FirewallRules: [{9DB12D56-50FB-44DC-B9AA-118876AD7F34}] => C:\Program Files\HP\HP OfficeJet Pro 8720\Bin\DeviceSetup.exe
FirewallRules: [{5D4AD945-83AF-407E-BD5B-5DB03CC182E2}] => LPort=5357
FirewallRules: [{7E99E77A-B139-4415-A064-F90DCD29FE65}] => C:\Program Files\HP\HP OfficeJet Pro 8720\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{F99D218D-8DA6-474B-958B-163E9FAB2EF1}] => LPort=8298
FirewallRules: [{20B64AF9-4AFF-4DF9-B686-A3CB306A7371}] => C:\Users\Barb\AppData\Local\Temp\7zS74A0\HPDiagnosticCoreUI.exe
FirewallRules: [{10DDAD1F-B946-484A-82D8-36B0D37CEF64}] => C:\Users\Barb\AppData\Local\Temp\7zS74A0\HPDiagnosticCoreUI.exe
FirewallRules: [{004FED7C-3B95-48E1-B846-0C1B546E7835}] => C:\Users\Barb\AppData\Local\Temp\7zS2CA9\HPDiagnosticCoreUI.exe
FirewallRules: [{09E439D5-DC7C-4339-B157-03AFF3CF2C1A}] => C:\Users\Barb\AppData\Local\Temp\7zS2CA9\HPDiagnosticCoreUI.exe
FirewallRules: [{6BCB3917-E1F7-4CA5-B6EA-6147665B181B}] => C:\Users\Barb\AppData\Local\Temp\7zS3158\HPDiagnosticCoreUI.exe
FirewallRules: [{77F9EE16-C28E-45BC-93A1-6FFE512C32CB}] => C:\Users\Barb\AppData\Local\Temp\7zS3158\HPDiagnosticCoreUI.exe
FirewallRules: [{88778187-50B7-4876-A9B8-A471D5A28BAF}] => C:\Users\Barb\AppData\Local\Temp\7zS71CA\HPDiagnosticCoreUI.exe
FirewallRules: [{BC6CE3E3-60D9-4D0D-A7AD-2B9151B57392}] => C:\Users\Barb\AppData\Local\Temp\7zS71CA\HPDiagnosticCoreUI.exe
FirewallRules: [{7D86D843-5DEF-44FE-873D-EF3F7D00A109}] => C:\Users\Barb\AppData\Local\Temp\7zS0757\HPDiagnosticCoreUI.exe
FirewallRules: [{CD675C95-54A0-46E3-8E97-04495DBA6FEB}] => C:\Users\Barb\AppData\Local\Temp\7zS0757\HPDiagnosticCoreUI.exe
FirewallRules: [{2CFAED44-BEFB-4CB4-9D9B-0BB6D7DCE148}] => C:\Users\Barb\AppData\Local\Temp\7zS0AE7\HPDiagnosticCoreUI.exe
FirewallRules: [{8932F823-2E73-497D-94D6-4163B50501AA}] => C:\Users\Barb\AppData\Local\Temp\7zS0AE7\HPDiagnosticCoreUI.exe
FirewallRules: [{731E6EBF-D79B-46B3-B7A1-87841398EA08}] => C:\Users\Barb\AppData\Local\Temp\7zS1351\HPDiagnosticCoreUI.exe
FirewallRules: [{1684108B-719B-4E54-BAF3-37C6630A3F44}] => C:\Users\Barb\AppData\Local\Temp\7zS1351\HPDiagnosticCoreUI.exe
FirewallRules: [{5C0F846F-AD8A-4220-824F-353589FB5BFF}] => C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{26313091-0915-4409-9E61-3EEEC8649643}] => C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{2B40B7FC-9EF6-4F65-BAEE-691A1735160D}] => C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{B7C2BE75-CECD-4E6C-8A50-E5F8F87DB39C}] => C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{CD476273-BEA4-4E05-9F2B-1BE9960823E1}] => C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{ADB0E7B2-CB97-4E10-B7E7-63459D909F83}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

15-11-2016 19:21:53 Scheduled Checkpoint
03-12-2016 14:02:10 Windows Update
03-12-2016 14:14:11 Windows Update
13-12-2016 22:39:26 Windows Update
08-02-2017 14:17:37 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/12/2017 06:47:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/12/2017 06:41:48 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 06:41:47 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 06:41:47 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 06:41:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/12/2017 05:41:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/12/2017 05:39:16 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 05:39:15 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 05:39:15 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/08/2017 08:34:02 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

System errors:
=============
Error: (02/12/2017 06:47:00 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (02/12/2017 06:41:45 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (02/12/2017 05:52:16 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:47:25 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server:
{000C101C-0000-0000-C000-000000000046}

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

==================== Memory info ===========================

Processor: Intel® Core™ i7-6600U CPU @ 2.60GHz
Percentage of memory in use: 34%
Total physical RAM: 8072.59 MB
Available physical RAM: 5247.95 MB
Total Virtual: 16143.37 MB
Available Virtual: 13387.97 MB

==================== Drives ================================

Drive c: (DRIVE_C) (Fixed) (Total:698.54 GB) (Free:564.74 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: FF382DB0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=698.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{5C9B44A5-E106-4C56-BC8A-30E2861775EC}] => C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{DAEFD7EC-46D8-4F3F-9345-2F952AAA36EB}] => C:\Users\Barb\AppData\Local\Temp\7zS687B\HP.EasyStart.exe
FirewallRules: [{78A18A2E-79A8-4F20-AFFA-EA328E48EDB9}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\FaxApplications.exe
FirewallRules: [{BCC3FAFD-511A-42D0-9A56-AC7DA245AADC}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\DigitalWizards.exe
FirewallRules: [{6290E48D-78B7-4D83-BB51-6779AC7BD844}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\SendAFax.exe
FirewallRules: [{5FC1E9A2-A8B3-420A-B8F8-1CFB2904361C}] => C:\Program Files\HP\HP OfficeJet Pro 8720\bin\FaxPrinterUtility.exe
FirewallRules: [{9DB12D56-50FB-44DC-B9AA-118876AD7F34}] => C:\Program Files\HP\HP OfficeJet Pro 8720\Bin\DeviceSetup.exe
FirewallRules: [{5D4AD945-83AF-407E-BD5B-5DB03CC182E2}] => LPort=5357
FirewallRules: [{7E99E77A-B139-4415-A064-F90DCD29FE65}] => C:\Program Files\HP\HP OfficeJet Pro 8720\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{F99D218D-8DA6-474B-958B-163E9FAB2EF1}] => LPort=8298
FirewallRules: [{20B64AF9-4AFF-4DF9-B686-A3CB306A7371}] => C:\Users\Barb\AppData\Local\Temp\7zS74A0\HPDiagnosticCoreUI.exe
FirewallRules: [{10DDAD1F-B946-484A-82D8-36B0D37CEF64}] => C:\Users\Barb\AppData\Local\Temp\7zS74A0\HPDiagnosticCoreUI.exe
FirewallRules: [{004FED7C-3B95-48E1-B846-0C1B546E7835}] => C:\Users\Barb\AppData\Local\Temp\7zS2CA9\HPDiagnosticCoreUI.exe
FirewallRules: [{09E439D5-DC7C-4339-B157-03AFF3CF2C1A}] => C:\Users\Barb\AppData\Local\Temp\7zS2CA9\HPDiagnosticCoreUI.exe
FirewallRules: [{6BCB3917-E1F7-4CA5-B6EA-6147665B181B}] => C:\Users\Barb\AppData\Local\Temp\7zS3158\HPDiagnosticCoreUI.exe
FirewallRules: [{77F9EE16-C28E-45BC-93A1-6FFE512C32CB}] => C:\Users\Barb\AppData\Local\Temp\7zS3158\HPDiagnosticCoreUI.exe
FirewallRules: [{88778187-50B7-4876-A9B8-A471D5A28BAF}] => C:\Users\Barb\AppData\Local\Temp\7zS71CA\HPDiagnosticCoreUI.exe
FirewallRules: [{BC6CE3E3-60D9-4D0D-A7AD-2B9151B57392}] => C:\Users\Barb\AppData\Local\Temp\7zS71CA\HPDiagnosticCoreUI.exe
FirewallRules: [{7D86D843-5DEF-44FE-873D-EF3F7D00A109}] => C:\Users\Barb\AppData\Local\Temp\7zS0757\HPDiagnosticCoreUI.exe
FirewallRules: [{CD675C95-54A0-46E3-8E97-04495DBA6FEB}] => C:\Users\Barb\AppData\Local\Temp\7zS0757\HPDiagnosticCoreUI.exe
FirewallRules: [{2CFAED44-BEFB-4CB4-9D9B-0BB6D7DCE148}] => C:\Users\Barb\AppData\Local\Temp\7zS0AE7\HPDiagnosticCoreUI.exe
FirewallRules: [{8932F823-2E73-497D-94D6-4163B50501AA}] => C:\Users\Barb\AppData\Local\Temp\7zS0AE7\HPDiagnosticCoreUI.exe
FirewallRules: [{731E6EBF-D79B-46B3-B7A1-87841398EA08}] => C:\Users\Barb\AppData\Local\Temp\7zS1351\HPDiagnosticCoreUI.exe
FirewallRules: [{1684108B-719B-4E54-BAF3-37C6630A3F44}] => C:\Users\Barb\AppData\Local\Temp\7zS1351\HPDiagnosticCoreUI.exe
FirewallRules: [{5C0F846F-AD8A-4220-824F-353589FB5BFF}] => C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{26313091-0915-4409-9E61-3EEEC8649643}] => C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{2B40B7FC-9EF6-4F65-BAEE-691A1735160D}] => C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{B7C2BE75-CECD-4E6C-8A50-E5F8F87DB39C}] => C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{CD476273-BEA4-4E05-9F2B-1BE9960823E1}] => C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{ADB0E7B2-CB97-4E10-B7E7-63459D909F83}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

15-11-2016 19:21:53 Scheduled Checkpoint
03-12-2016 14:02:10 Windows Update
03-12-2016 14:14:11 Windows Update
13-12-2016 22:39:26 Windows Update
08-02-2017 14:17:37 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/12/2017 06:47:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/12/2017 06:41:48 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 06:41:47 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 06:41:47 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 06:41:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/12/2017 05:41:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/12/2017 05:39:16 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 05:39:15 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/12/2017 05:39:15 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

Error: (02/08/2017 08:34:02 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.

System errors:
=============
Error: (02/12/2017 06:47:00 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (02/12/2017 06:41:45 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (02/12/2017 05:52:16 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:47:25 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server:
{000C101C-0000-0000-C000-000000000046}

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

Error: (02/12/2017 05:39:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The dependency service or group failed to start.

==================== Memory info ===========================

Processor: Intel® Core™ i7-6600U CPU @ 2.60GHz
Percentage of memory in use: 34%
Total physical RAM: 8072.59 MB
Available physical RAM: 5247.95 MB
Total Virtual: 16143.37 MB
Available Virtual: 13387.97 MB

==================== Drives ================================

Drive c: (DRIVE_C) (Fixed) (Total:698.54 GB) (Free:564.74 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: FF382DB0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=698.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


  • 0

#4 HALlives (Topic Starter, Member, 59 posts)

Hi Zep... those b******s have definitely messed with the machine, it's shutting down every 10 minutes!

I hope the above info gives you a clue as to how to deal with this.

Thanks again. 


  • 0

#5 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hello,

Not seeing much here.

A few items to fix:

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Open Notepad (Start => All Programs => Accessories => Notepad).
Copy/paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.exe:  =>  <===== ATTENTION
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.scr:  =>  <===== ATTENTION
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state Off
CMD: ipconfig /flushdns
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
RemoveProxy:
hosts:
Emptytemp:
  • Click Format and ensure Word Wrap is unchecked.
  • Save as Fixlist.txt to your Desktop (it must be in this location).
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
Note: If the tool warns you that the version you're using is outdated, please download and run the updated version.

Next
You have Malwarebytes installed; can you please run it and do this first:
Make sure that in Malwarebytes Anti-Malware the option to “Scan for rootkits” is checked under “Settings” > “Detection and Protection” before you start the “Scan”.
  • 0
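The fixlist above does more than remove the flagged registry entries: two of its CMD: lines turn the Windows Firewall off for every profile and clear every event log on the machine. A responder usually wants that recorded before the fix runs, so the firewall can be re-enabled afterwards and so the loss of the event logs is a deliberate choice rather than a surprise. The following Python script is an added example (it is not FRST's own code and not something any poster in this thread wrote) that parses a fixlist of this shape and reports those side effects. The sample fixlist is the one from the post above; the category names, the note texts and the restore step are my own choices.

```python
"""Review an FRST fixlist for side effects before it is run.
Added example for this thread; it is not FRST's own code and not a poster's script."""
import re
from collections import Counter

# Constructed sample: the fixlist posted above, copied verbatim.
SAMPLE_FIXLIST = r"""
start
CloseProcesses:
CreateRestorePoint:
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.exe:  =>  <===== ATTENTION
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.scr:  =>  <===== ATTENTION
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state Off
CMD: ipconfig /flushdns
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
RemoveProxy:
hosts:
Emptytemp:
"""

# (pattern applied to the text after "CMD:", category, note, restore step or None).
# Category names and restore steps are this example's own conventions.
SIDE_EFFECTS = [
    (re.compile(r"advfirewall\s+set\s+\S+\s+state\s+off\b", re.IGNORECASE),
     "posture_change", "turns the Windows Firewall off for the named profiles",
     "netsh advfirewall set allprofiles state on"),
    (re.compile(r"advfirewall\s+reset\b", re.IGNORECASE),
     "posture_change", "resets all firewall rules to defaults; allow rules added by installed software are lost",
     None),
    (re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.IGNORECASE),
     "evidence_loss", "clears the enumerated event logs; export them first (wevtutil epl) if a timeline may be needed",
     None),
]

# A bare FRST directive is one word followed by a colon, e.g. "RemoveProxy:".
DIRECTIVE_RE = re.compile(r"[A-Za-z]+:")


def parse_fixlist(text):
    """Split a fixlist into (kind, payload) tuples: cmd, directive or entry."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() == "start":
            continue
        if line.upper().startswith("CMD:"):
            items.append(("cmd", line[4:].strip()))
        elif DIRECTIVE_RE.fullmatch(line):
            items.append(("directive", line[:-1]))
        else:
            # Copied log lines (registry keys, BHOs, extensions) that FRST will act on.
            items.append(("entry", line))
    return items


def review_fixlist(text):
    """Return per-kind counts, warnings about side effects, and steps to restore posture."""
    items = parse_fixlist(text)
    warnings, restore_steps = [], []
    directives = {payload for kind, payload in items if kind == "directive"}
    if "CreateRestorePoint" not in directives:
        warnings.append({"category": "no_restore_point", "item": "",
                         "note": "fixlist makes changes without creating a restore point first"})
    for kind, payload in items:
        if kind != "cmd":
            continue
        for pattern, category, note, restore in SIDE_EFFECTS:
            if pattern.search(payload):
                warnings.append({"category": category, "item": payload, "note": note})
                if restore:
                    restore_steps.append(restore)
    counts = dict(sorted(Counter(kind for kind, _ in items).items()))
    return {"counts": counts, "warnings": warnings, "restore_steps": restore_steps}


if __name__ == "__main__":
    report = review_fixlist(SAMPLE_FIXLIST)
    print(report["counts"])
    for w in report["warnings"]:
        print(f"[{w['category']}] {w['item']}: {w['note']}")
    print("restore afterwards:", report["restore_steps"])
```

Run it against a saved Fixlist.txt by passing the file's contents to `review_fixlist`; the restore list is what to type once the fix has finished and the machine is back up.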

#6 HALlives (Topic Starter, Member, 59 posts)

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-02-2017
Ran by Barb (12-02-2017 19:57:19) Run:1
Running from C:\Users\Barb\Desktop
Loaded Profiles: Barb (Available Profiles: Barb)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CloseProcesses:
CreateRestorePoint:
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.exe:  =>  <===== ATTENTION
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.scr:  =>  <===== ATTENTION
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state Off
CMD: ipconfig /flushdns
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
RemoveProxy:
hosts:
Emptytemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} => key removed successfully
HKCR\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => key removed successfully
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => key removed successfully
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.exe => key removed successfully
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.scr => key removed successfully

========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

========= netsh advfirewall set allprofiles state Off =========

Ok.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 45007522 B
Java, Flash, Steam htmlcache => 30817 B
Windows/system/drivers => 79983481 B
Edge => 0 B
Chrome => 794425065 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66356 B
systemprofile32 => 66356 B
LocalService => 66228 B
NetworkService => 76198 B
Barb => 3408502546 B

RecycleBin => 431744714 B
EmptyTemp: => 4.4 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 19:57:57 ====

Machine shutting down, will post below.


  • 0

#7 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Is the machine overheating, possibly?
  • 0

#8 HALlives (Topic Starter, Member, 59 posts)

Hi Zep

As I said above, the machine is shutting down every 10 mins or so, so I didn't want to stay online too long.

I ran Malwarebytes with Rootkit enabled, but it didn't find anything.

The machine's not overheating; the "Windows Alert" scammer window warns the machine will shut down in 10 mins, and gives the number to call... 866-552-0810!

That number is also on the Taskbar... "My Technician-1-866-552-0810."

  • 0

#9 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Let me get back to you on this, I don't see anything in the log. This may be a new variant. These are usually easily removed.
  • 0

#10 HALlives (Topic Starter, Member, 59 posts)

Thanks Zep... I have to log-off for tonight, I have to be up at 4am in California to get to the office, so I'll check back Monday evening... thanks again. 


  • 0

#11 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Does it shut down in Safe Mode?

Yes, I have to call it a night myself.

Thanks
Joe :)
  • 0

#12 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
Hello,

Did someone create this file?
2017-02-08 13:47 - 2017-02-08 13:47 - 00000000 ____D C:\Users\Barb\Documents\MY TECHNICIAN 1-866-552-0810

That number seems to belong to a legit tech support service; see the link:

http://webcarellc.com/

I'll go back over the logs; I got in late today.
  • 0
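Two things this thread turns on are visible in the Addition.txt log posted earlier and in the folder name quoted just above: the per-user .exe and .scr handlers that FRST marked ATTENTION, UAC switched off (EnableLUA: 0, ConsentPromptBehaviorAdmin: 0), firewall allow rules pointing into a user's Temp folder, and a toll-free "technician" number embedded in a file name. The following Python script is an added example (not FRST's own code and not something any poster wrote) that scans log lines of that shape for those indicators. The sample lines are copied from the log and the post above, with one clean Chrome firewall rule kept as a control; the severity and category labels are my own choices.

```python
"""Triage a few indicator classes in FRST Addition.txt-style log lines.
Added example for this thread; it is not part of FRST and not a poster's script."""
import re
from collections import Counter

# Constructed sample: lines copied from the Addition.txt log and from post #12 above,
# plus one clean firewall rule (Chrome) as a control. Not the full log.
SAMPLE_LOG = r"""
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.exe:  =>  <===== ATTENTION
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Classes\.scr:  =>  <===== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
FirewallRules: [{DAEFD7EC-46D8-4F3F-9345-2F952AAA36EB}] => C:\Users\Barb\AppData\Local\Temp\7zS687B\HP.EasyStart.exe
FirewallRules: [{ADB0E7B2-CB97-4E10-B7E7-63459D909F83}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-02-08 13:47 - 2017-02-08 13:47 - 00000000 ____D C:\Users\Barb\Documents\MY TECHNICIAN 1-866-552-0810
"""

# Per-user class override flagged by FRST: a handler for .exe/.scr registered under HKU
# takes precedence over the machine-wide one for that user.
ATTENTION_RE = re.compile(r"Software\\Classes\\(\.\w+):.*<===== ATTENTION")
# UAC policy values in the order FRST prints them.
UAC_RE = re.compile(r"\(ConsentPromptBehaviorAdmin: (\d)\).*\(EnableLUA: (\d)\)")
# Firewall rule whose program lives in a user's Temp directory.
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# North American toll-free number, optionally with a leading "1-".
TOLL_FREE_RE = re.compile(r"\b(?:1-)?8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}\b")


def triage(log_text):
    """Return a list of findings: dicts with severity, category, detail and the source line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTENTION_RE.search(line)
        if m:
            findings.append({"severity": "high", "category": "association_hijack",
                             "detail": f"per-user handler registered for {m.group(1)}",
                             "line": line})
        m = UAC_RE.search(line)
        if m:
            admin_prompt, enable_lua = m.groups()
            if enable_lua == "0":
                findings.append({"severity": "high", "category": "uac_disabled",
                                 "detail": "EnableLUA is 0, UAC is off entirely", "line": line})
            elif admin_prompt == "0":
                findings.append({"severity": "medium", "category": "uac_admin_no_prompt",
                                 "detail": "administrators elevate without any prompt",
                                 "line": line})
        if line.startswith("Windows Firewall is") and "disabled" in line.lower():
            findings.append({"severity": "medium", "category": "firewall_off",
                             "detail": "Windows Firewall reported disabled", "line": line})
        if line.startswith("FirewallRules:") and TEMP_PATH_RE.search(line):
            findings.append({"severity": "medium", "category": "firewall_rule_temp_path",
                             "detail": "allow rule for a program under a user's Temp folder",
                             "line": line})
        m = TOLL_FREE_RE.search(line)
        if m:
            findings.append({"severity": "medium", "category": "support_scam_artifact",
                             "detail": f"toll-free number {m.group(0)} embedded in a path or name",
                             "line": line})
    return findings


def summarize(findings):
    """Count findings per category as a plain dict, sorted by category name."""
    return dict(sorted(Counter(f["category"] for f in findings).items()))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['category']}: {f['detail']}")
    print(summarize(results))
```

Feed it the whole Addition.txt (or FRST.txt) and read the summary first; the per-user .exe handler and UAC being off are the two findings that explain how a "support" window can appear on the desktop at every logon without a browser being involved, and both are things the fixlist above restores.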

#13 HALlives (Topic Starter, Member, 59 posts)

Does it shut down in Safe Mode?

Yes, I have to call it a night myself.

Thanks
Joe :)

Sorry Joe... I'm not sure what you're asking.

When I run the notebook I'm running it in full Windows; I can boot into Safe Mode... should I be working in Safe Mode instead of full Windows?

Thanks

Paul

  • 0

#14 zep516 (Trusted Helper, Malware Removal, 8,093 posts)
I was just wondering if the computer shuts down in Safe Mode. You said in normal mode it shuts down every 10 mins.

Did you or someone else create this file for reference ---> C:\Users\Barb\Documents\MY TECHNICIAN 1-866-552-0810
  • 0

#15 HALlives (Topic Starter, Member, 59 posts)

Hi Joe

Yes, February 8th was the day my friend got hit.

I'm trying to paste photos I took with my cell phone of the "Microsoft Alert" window and taskbar on the notebook, but for some reason I can't paste into this window.

I've attached them instead... don't worry, this is all being done on MY system, NOT from the infected notebook.

Could they hijack the number somehow?

Thanks

Paul

Attached Thumbnails

  • Scammer Window.jpg
  • Scammer Taskbar.jpg

  • 0





