Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win7 notebook hit by "Microsoft Support" scam, possible Rootki


  • Please log in to reply

#16
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hello,

Run this on the infected computer

A few items to fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
start
CloseProcesses:
CreateRestorePoint:
Startup: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Funny.exe 
2017-02-08 13:47 - 2017-02-08 13:47 - 00000000 ____D C:\Users\Barb\Documents\MY TECHNICIAN 1-866-552-0810
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.
  • 0

Advertisements


#17
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

There you go...

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 14-02-2017
Ran by Barb (13-02-2017 18:22:37) Run:2
Running from C:\Users\Barb\Desktop
Loaded Profiles: Barb (Available Profiles: Barb)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CloseProcesses:
CreateRestorePoint:
Startup: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Funny.exe
2017-02-08 13:47 - 2017-02-08 13:47 - 00000000 ____D C:\Users\Barb\Documents\MY TECHNICIAN 1-866-552-0810
Emptytemp:
*****************

Processes closed successfully.
Restore point was successfully created.
Startup: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Funny.exe => not found.
C:\Users\Barb\Documents\MY TECHNICIAN 1-866-552-0810 => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 3614881 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 32528 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
Barb => 13223136 B

RecycleBin => 0 B
EmptyTemp: => 24.1 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 18:22:44 ====


  • 0

#18
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Lets try another scan,
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • paste the report to your reply
  • Close the program then click Close

  • 0

#19
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

That didn't take long at all...

 

Emsisoft Emergency Kit - Version 12.0
Last update: 2/13/2017 6:49:56 PM
User account: Barb-PC\Barb
Computer name: BARB-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start: 2/13/2017 6:52:18 PM

Scanned 73834
Found 0

Scan end: 2/13/2017 6:53:03 PM
Scan time: 0:00:45


  • 0

#20
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Silent%20Runners.png Scan with SilentRunners

Please download SilentRunners and save the file to your desktop.
the link will open an a bunch of text in a new window, please right-click on it and choose Save link as.
  • Doule-click on the Silent%20Runners.png icon to start the tool.
  • When prompted for Supplementary scan please click Yes.
  • It will run very silently in the backgroud.
  • Upon completion you will be promted again. Click OK.
  • Logfile named Startup Programs ("PC name") "date" will be saved to your desktop.
Please include the content of this logfile in your next reply.
  • 0

#21
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

There's no option to "Save link as" when I right click.


  • 0

#22
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hello,

What about save page as or save target as, or anything like that. I use Firefox and mine says "Save Page as" Browsers may vary.
  • 0

#23
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

IE11 and Chrome are installed on the notebook. 

 

The only "Save as" option I get is as a Text File in Chrome. 

 

What am I supposed to be saving it as? 


  • 0

#24
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
It should auto save as silent runners, save to the desktop.

Still have trouble

Click here--> http://www.silentrun...ent Runners.zip choose Save file, save to desktop, then right click on zip folder and extract to desktop. Follow instructions in post 20.
  • 0

#25
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Great, thanks for the link, but it's getting late here and I have stuff to do before I hit the sack so I'll have to sign off. 

 

I'll run this on the notebook as soon as I get home tomorrow evening. 

 

Thanks again for all the help. 


  • 0

Advertisements


#26
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
You're welcome hang in there.

Thanks
Joe :)
  • 0

#27
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Hi Joe... When I boot the infected notebook into Safe Mode with Networking the Scammer Window doesn't appear, and the notebook doesn't shut down after 10 minutes, but the "My Tech..." crap is still on the Taskbar. 
 
Should I re-run the FRST64 etc scans in Safe Mode? 

  • 0

#28
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
No. Scans in safe mode will not show anything.

Do you have the silent runners log ?

Also on the infected computer right click on the task bar and start the task manager, show processes for all users, does anything odd show in the process list or related to the problem.
  • 0

#29
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
"Silent Runners.vbs", revision 69.2, http://www.silentrunners.org/
Operating System: Microsoft Windows 7 Professional Service Pack 1 (64-bit)
Output limited to non-default values, except where indicated by "{++}"
 
 
Startup items buried in registry:
---------------------------------
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
 
{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default) = Skype for Business Click to Call BHO
  -> {HKLM...CLSID} = Skype for Business Browser Helper
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [MS]
  -> {HKLM...Wow...CLSID} = Skype for Business Browser Helper
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [MS]
 
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Google Toolbar Helper
                   \InProcServer32\(Default) = C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [Google Inc.]
  -> {HKLM...Wow...CLSID} = Google Toolbar Helper
                         \InProcServer32\(Default) = C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]
 
{B4F3A835-0E21-4959-BA22-42B3008E02FF}\(Default) = URLRedirectionBHO
  -> {HKLM...CLSID} = Office Document Cache Handler
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [MS]
  -> {HKLM...Wow...CLSID} = Office Document Cache Handler
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [MS]
 
{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Browser Helper
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Browser Helper
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
 
{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\(Default) = Skype for Business Click to Call BHO
  -> {HKLM...CLSID} = Skype for Business Browser Helper
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [MS]
  -> {HKLM...Wow...CLSID} = Skype for Business Browser Helper
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [MS]
 
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Google Toolbar Helper
                   \InProcServer32\(Default) = C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [Google Inc.]
  -> {HKLM...Wow...CLSID} = Google Toolbar Helper
                         \InProcServer32\(Default) = C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]
 
{B4F3A835-0E21-4959-BA22-42B3008E02FF}\(Default) = URLRedirectionBHO
  -> {HKLM...CLSID} = Office Document Cache Handler
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [MS]
  -> {HKLM...Wow...CLSID} = Office Document Cache Handler
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [MS]
 
{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\(Default) = (no title provided)
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Browser Helper
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Browser Helper
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\
 
 SkyDrivePro1 (ErrorConflict)\(Default) = {8BA85C75-763B-4103-94EB-9470F12FE0F7}
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Icon Overlay 1 (ErrorConflict)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
 
 SkyDrivePro2 (SyncInProgress)\(Default) = {CD55129A-B1A1-438E-A425-CEBC7DC684EE}
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Icon Overlay 2 (SyncInProgress)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
 
 SkyDrivePro3 (InSync)\(Default) = {E768CD3B-BDDC-436D-9C13-E1B39CA257B1}
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Icon Overlay 3 (InSync)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\
 
 SkyDrivePro1 (ErrorConflict)\(Default) = {8BA85C75-763B-4103-94EB-9470F12FE0F7}
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Icon Overlay 1 (ErrorConflict)
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
 SkyDrivePro2 (SyncInProgress)\(Default) = {CD55129A-B1A1-438E-A425-CEBC7DC684EE}
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Icon Overlay 2 (SyncInProgress)
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
 SkyDrivePro3 (InSync)\(Default) = {E768CD3B-BDDC-436D-9C13-E1B39CA257B1}
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Icon Overlay 3 (InSync)
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
 
{9D843851-50AA-46EE-829A-784DEBA4716C} = Bluetooth Property Page Extension
  -> {HKLM...CLSID} = CPropertySheetExtension Object
                   \InProcServer32\(Default) = C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll [Motorola Solutions, Inc.]
 
{B8DA2B41-7468-4E82-B62C-CB4A0C9158FE} = Bluetooth Context Menu Extension
  -> {HKLM...CLSID} = CContextMenuHandler Object
                   \InProcServer32\(Default) = C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll [Motorola Solutions, Inc.]
 
{0A7D34C2-E9DA-48A1-9E34-0CDFC2DE3B44} = Bluetooth Send To Wizard
  -> {HKLM...CLSID} = Send To Bluetooth
                   \InProcServer32\(Default) = C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll [Motorola Solutions, Inc.]
 
{B089FE88-FB52-11D3-BDF1-0050DA34150D} = ESET Smart Security - Context Menu Shell Extension
  -> {HKLM...CLSID} = ESET Smart Security - Context Menu Shell Extension
                   \InProcServer32\(Default) = C:\Program Files\ESET\ESET Smart Security\shellExt.dll [ESET]
 
{2F603045-309F-11CF-9774-0020AFD0CFF6} = Synaptics Control Panel
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll [Synaptics Incorporated]
 
{5F327514-6C5E-4d60-8F16-D07FA08A78ED} = Auto Update Property Sheet Extension
  -> {HKLM...CLSID} = Auto Update Property Sheet Extension
                   \InProcServer32\(Default) = C:\Windows\system32\wuaucpl.cpl [file not found]
 
{CF74B903-3389-469c-B3B6-0204D204FCBD} = SnagIt Shell Extension
  -> {HKLM...CLSID} = SnagItShellExt Class
                   \InProcServer32\(Default) = C:\Program Files (x86)\TechSmith\Snagit 11\DLLx64\SnagitShellExt64.dll [TechSmith Corporation]
 
{8BA85C75-763B-4103-94EB-9470F12FE0F7} = Microsoft SkyDrive Pro Icon Overlay 1 (ErrorConflict)
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Icon Overlay 1 (ErrorConflict)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
 
{CD55129A-B1A1-438E-A425-CEBC7DC684EE} = Microsoft SkyDrive Pro Icon Overlay 2 (SyncInProgress)
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Icon Overlay 2 (SyncInProgress)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
 
{E768CD3B-BDDC-436D-9C13-E1B39CA257B1} = Microsoft SkyDrive Pro Icon Overlay 3 (InSync)
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Icon Overlay 3 (InSync)
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
 
{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} = Microsoft SkyDrive Pro Browser Helper
  -> {HKLM...CLSID} = Microsoft SkyDrive Pro Browser Helper
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [MS]
 
{0875DCB6-C686-4243-9432-ADCCF0B9F2D7} = Microsoft OneNote Namespace Extension for Windows Desktop Search
  -> {HKLM...CLSID} = Microsoft OneNote Namespace Extension for Windows Desktop Search
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\ONFILTER.DLL [MS]
 
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler
  -> {HKLM...CLSID} = Microsoft Office Metadata Handler
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office15\msoshext.dll [MS]
 
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler
  -> {HKLM...CLSID} = Microsoft Office Thumbnail Handler
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office15\msoshext.dll [MS]
 
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} = {506F4668-F13E-4AA1-BB04-B43203AB3CC0}
  -> {HKLM...CLSID} = ImageExtractorShellExt Class
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\VISSHE.DLL [MS]
 
{D66DC78C-4F61-447F-942B-3FB6980118CF} = {D66DC78C-4F61-447F-942B-3FB6980118CF}
  -> {HKLM...CLSID} = CInfoTipShellExt Class
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\VISSHE.DLL [MS]
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
 
{B089FE88-FB52-11D3-BDF1-0050DA34150D} = ESET Smart Security - Context Menu Shell Extension
  -> {HKLM...Wow...CLSID} = ESET Smart Security - Context Menu Shell Extension
                         \InProcServer32\(Default) = C:\Program Files\ESET\ESET Smart Security\x86\shellExt.dll [ESET]
 
{CF74B903-3389-469c-B3B6-0204D204FCBD} = SnagIt Shell Extension
  -> {HKLM...Wow...CLSID} = SnagItShellExt Class
                         \InProcServer32\(Default) = C:\Program Files (x86)\TechSmith\Snagit 11\SnagitShellExt.dll [TechSmith Corporation]
 
{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} = Microsoft Office Metadata Handler
  -> {HKLM...Wow...CLSID} = Microsoft Office Metadata Handler
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office15\msoshext.dll [MS]
 
{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} = Microsoft Office Thumbnail Handler
  -> {HKLM...Wow...CLSID} = Microsoft Office Thumbnail Handler
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office15\msoshext.dll [MS]
 
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} = {506F4668-F13E-4AA1-BB04-B43203AB3CC0}
  -> {HKLM...Wow...CLSID} = ImageExtractorShellExt Class
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\VISSHE.DLL [MS]
 
{D66DC78C-4F61-447F-942B-3FB6980118CF} = {D66DC78C-4F61-447F-942B-3FB6980118CF}
  -> {HKLM...Wow...CLSID} = CInfoTipShellExt Class
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\VISSHE.DLL [MS]
 
{0875DCB6-C686-4243-9432-ADCCF0B9F2D7} = Microsoft OneNote Namespace Extension for Windows Desktop Search
  -> {HKLM...Wow...CLSID} = Microsoft OneNote Namespace Extension for Windows Desktop Search
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\ONFILTER.DLL [MS]
 
{8BA85C75-763B-4103-94EB-9470F12FE0F7} = Microsoft SkyDrive Pro Icon Overlay 1 (ErrorConflict)
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Icon Overlay 1 (ErrorConflict)
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
{CD55129A-B1A1-438E-A425-CEBC7DC684EE} = Microsoft SkyDrive Pro Icon Overlay 2 (SyncInProgress)
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Icon Overlay 2 (SyncInProgress)
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
{E768CD3B-BDDC-436D-9C13-E1B39CA257B1} = Microsoft SkyDrive Pro Icon Overlay 3 (InSync)
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Icon Overlay 3 (InSync)
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} = Microsoft SkyDrive Pro Browser Helper
  -> {HKLM...Wow...CLSID} = Microsoft SkyDrive Pro Browser Helper
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [MS]
 
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
 
ESET Smart Security - Context Menu Shell Extension\(Default) = {B089FE88-FB52-11D3-BDF1-0050DA34150D}
  -> {HKLM...CLSID} = ESET Smart Security - Context Menu Shell Extension
                   \InProcServer32\(Default) = C:\Program Files\ESET\ESET Smart Security\shellExt.dll [ESET]
  -> {HKLM...Wow...CLSID} = ESET Smart Security - Context Menu Shell Extension
                         \InProcServer32\(Default) = C:\Program Files\ESET\ESET Smart Security\x86\shellExt.dll [ESET]
 
SnagItMainShellExt\(Default) = {CF74B903-3389-469c-B3B6-0204D204FCBD}
  -> {HKLM...CLSID} = SnagItShellExt Class
                   \InProcServer32\(Default) = C:\Program Files (x86)\TechSmith\Snagit 11\DLLx64\SnagitShellExt64.dll [TechSmith Corporation]
  -> {HKLM...Wow...CLSID} = SnagItShellExt Class
                         \InProcServer32\(Default) = C:\Program Files (x86)\TechSmith\Snagit 11\SnagitShellExt.dll [TechSmith Corporation]
 
HKLM\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\
 
{9B5F5829-A529-4B12-814A-E81BCB8D93FC}\(Default) = (no title provided)
  -> {HKLM...CLSID} = TheDeskTopContextMenu Class
                   \InProcServer32\(Default) = C:\Windows\system32\igfxDTCM.dll [Intel Corporation]
 
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
 
MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
  -> {HKLM...CLSID} = MBAMShlExt Class
                   \InProcServer32\(Default) = C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [Malwarebytes]
 
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
 
SnagItMainShellExt\(Default) = {CF74B903-3389-469c-B3B6-0204D204FCBD}
  -> {HKLM...CLSID} = SnagItShellExt Class
                   \InProcServer32\(Default) = C:\Program Files (x86)\TechSmith\Snagit 11\DLLx64\SnagitShellExt64.dll [TechSmith Corporation]
  -> {HKLM...Wow...CLSID} = SnagItShellExt Class
                         \InProcServer32\(Default) = C:\Program Files (x86)\TechSmith\Snagit 11\SnagitShellExt.dll [TechSmith Corporation]
 
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
 
igfxDTCM\(Default) = {9B5F5829-A529-4B12-814A-E81BCB8D93FC}
  -> {HKLM...CLSID} = TheDeskTopContextMenu Class
                   \InProcServer32\(Default) = C:\Windows\system32\igfxDTCM.dll [Intel Corporation]
 
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
 
ESET Smart Security - Context Menu Shell Extension\(Default) = {B089FE88-FB52-11D3-BDF1-0050DA34150D}
  -> {HKLM...CLSID} = ESET Smart Security - Context Menu Shell Extension
                   \InProcServer32\(Default) = C:\Program Files\ESET\ESET Smart Security\shellExt.dll [ESET]
  -> {HKLM...Wow...CLSID} = ESET Smart Security - Context Menu Shell Extension
                         \InProcServer32\(Default) = C:\Program Files\ESET\ESET Smart Security\x86\shellExt.dll [ESET]
 
MBAMShlExt\(Default) = {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
  -> {HKLM...CLSID} = MBAMShlExt Class
                   \InProcServer32\(Default) = C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [Malwarebytes]
 
 
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
 
Note: detected settings may not have any effect.
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
 
DisableOSUpgrade = (REG_DWORD) dword:0x00000001
{unrecognized setting}
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 
ConsentPromptBehaviorAdmin = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
 
EnableLUA = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
 
PromptOnSecureDesktop = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}
 
 
Active Desktop and Wallpaper:
-----------------------------
 
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
 
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
 
 
Enabled Screen Saver:
---------------------
 
HKCU\Control Panel\Desktop\
SCRNSAVE.EXE = C:\Windows\system32\Bubbles.scr [MS]
 
 
Windows Portable Device AutoPlay Handlers
-----------------------------------------
 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
 
MSPlayCDAudioOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.AudioCD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L" [MS]
 
MSPlayDVDMovieOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.DVD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L" [MS]
 
MSPlaySuperVideoCDMovieOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.VCD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L" [MS]
 
MSPlayVideoCDMovieOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.VCD
InvokeVerb = play
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L" [MS]
 
MSWMPBurnCDOnArrival\
Provider = @wmploc.dll,-6502
InvokeProgID = WMP.BurnCD
InvokeVerb = Burn
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L" [MS]
 
WIA_{6E902B1E-B72C-49E5-A3AD-CB54D2FF06D5}\
Provider = ThumbsPlus
CLSID = {A55803CC-4D53-404c-8557-FD63DBA95D24}
InitCmdLine = /WiaCmd;C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe /StiDevice:%1 /StiEvent:%2;
  -> {HKLM...CLSID} = WPDShextAutoplay
                   \LocalServer32\(Default) = C:\Windows\system32\WPDShextAutoplay.exe [MS]
 
 
Startup items in "Barb" & "All Users" startup folders:
------------------------------------------------------
 
C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup {++}
<<!>> Funny.exe [null data]
 
 
Non-disabled Scheduled Tasks: {++}
-----------------------------
 
C:\Windows\System32\Tasks
Adobe Acrobat Update Task ->  launches: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [Adobe Systems Incorporated]
Adobe Flash Player Updater ->  launches: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [Adobe Systems Incorporated]
GoogleUpdateTaskMachineCore ->  launches: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c [Google Inc.]
GoogleUpdateTaskMachineUA ->  launches: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler [Google Inc.]
TechSmith Updater ->  launches: C:\Program Files (x86)\Common Files\TechSmith Shared\Updater\TSCUpdClt.exe all [null data]
{1346ADC4-9572-4089-A8A4-B0EE90368685} ->  launches: C:\Windows\system32\pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Firmware\HP Ultraslim Docking Station Displayport Hub.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Firmware" [MS]
{6B35F718-257C-418D-A944-03E0917F6AB4} ->  launches: C:\Windows\system32\pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP hs3110hs3114 Mobile Broadband Drivers.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking" [MS]
{C3921B5B-160A-4419-8B2F-D47A88C31E39} ->  launches: C:\Windows\system32\pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP It4120 Snapdragon X5 LTE Drivers v1.0.1.53 Rev.A.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking" [MS]
 
C:\Windows\System32\Tasks\Microsoft\Office
Office Automatic Updates ->  launches: C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe /update SCHEDULEDTASK displaylevel=False [MS]
Office ClickToRun Service Monitor ->  launches: C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe /WatchService [MS]
OfficeTelemetryAgentFallBack ->  launches: C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe scan upload mininterval:2880 [MS]
OfficeTelemetryAgentLogOn ->  launches: C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe scan upload [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
AD RMS Rights Policy Template Management (Manual) ->  launches: {BF5CB148-7C77-4d8a-A53E-D81C70CF743C}
  -> {HKLM...CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
                   \InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]
  -> {HKLM...Wow...CLSID} = AD RMS Rights Policy Template Management (Manual) Task Handler
                         \InProcServer32\(Default) = C:\Windows\system32\msdrm.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience
AitAgent ->  launches: aitagent [MS]
Microsoft Compatibility Appraiser ->  launches: %windir%\system32\compattel\DiagTrackRunner.exe /UploadEtlFilesOnly [MS]
ProgramDataUpdater ->  launches: %windir%\system32\compattelrunner.exe -maintenance [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Autochk
Proxy ->  launches: %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
UninstallDeviceTask ->  launches: BthUdTask.exe $(Arg0) [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
SystemTask ->  launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
  -> {HKLM...CLSID} = Certificate Services Client Task Handler
                   \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
  -> {HKLM...Wow...CLSID} = Certificate Services Client Task Handler
                         \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
UserTask ->  launches: {58fb76b9-ac85-4e55-ac04-427593b1d060}
  -> {HKLM...CLSID} = Certificate Services Client Task Handler
                   \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
  -> {HKLM...Wow...CLSID} = Certificate Services Client Task Handler
                         \InProcServer32\(Default) = C:\Windows\system32\dimsjob.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Conexant
MicTray ->  launches: "C:\Windows\System32\MicTray64.exe" [Conexant]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
Consolidator ->  launches: %SystemRoot%\System32\wsqmcons.exe [MS]
KernelCeipTask -> (HIDDEN!) launches: {e7ed314f-2816-4c26-aeb5-54a34d02404c}
  -> {HKLM...CLSID} = KernelCeipCustomHandler
                   \InProcServer32\(Default) = C:\Windows\System32\kernelceip.dll [MS]
UsbCeip -> (HIDDEN!) launches: {c27f6b1d-fe0b-45e4-9257-38799fa69bc8}
  -> {HKLM...CLSID} = UsbCeip
                   \InProcServer32\(Default) = C:\Windows\System32\usbceip.dll [MS]
  -> {HKLM...Wow...CLSID} = UsbCeip
                         \InProcServer32\(Default) = C:\Windows\System32\usbceip.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
ScheduledDefrag ->  launches: %windir%\system32\defrag.exe -c [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
Scheduled -> (HIDDEN!) launches: {c1f85ef8-bcc2-4606-bb39-70c523715eb3}
  -> {HKLM...CLSID} = ScheduledDiagnosticCustomHandler
                   \InProcServer32\(Default) = C:\Windows\System32\sdiagschd.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Location
Notifications ->  launches: %windir%\System32\LocationNotifications.exe [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance
WinSAT ->  launches: {A9A33436-678B-4C9C-A211-7CC38785E79D}
  -> {HKLM...CLSID} = WinSAT Task Manger Task
                   \InProcServer32\(Default) = C:\Windows\system32\WinSATAPI.dll [MS]
  -> {HKLM...Wow...CLSID} = WinSAT Task Manger Task
                         \InProcServer32\(Default) = C:\Windows\system32\WinSATAPI.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
ActivateWindowsSearch ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch [MS]
ConfigureInternetTimeService ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService [MS]
DispatchRecoveryTasks ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0) [MS]
ehDRMInit ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /DRMInit [MS]
InstallPlayReady ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0) [MS]
mcupdate ->  launches: %SystemRoot%\ehome\mcupdate $(Arg0) [MS]
MediaCenterRecoveryTask ->  launches: %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask [MS]
ObjectStoreRecoveryTask ->  launches: %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask [MS]
OCURActivate ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate [MS]
OCURDiscovery ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0) [MS]
PBDADiscovery ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery [MS]
PBDADiscoveryW1 ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery [MS]
PBDADiscoveryW2 ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery [MS]
PvrRecoveryTask ->  launches: %SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask [MS]
PvrScheduleTask ->  launches: %SystemRoot%\ehome\mcupdate.exe -PvrSchedule [MS]
RegisterSearch ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0) [MS]
ReindexSearchRoot ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot [MS]
SqlLiteRecoveryTask ->  launches: %SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask [MS]
UpdateRecordPath ->  launches: %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0) [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
CorruptionDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
  -> {HKLM...CLSID} = MemoryDiagnosticCustomHandler
                   \InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]
DecompressionFailureDetector -> (HIDDEN!) launches: {190BA3F6-0205-4f46-B589-95C6822899D2}
  -> {HKLM...CLSID} = MemoryDiagnosticCustomHandler
                   \InProcServer32\(Default) = C:\Windows\System32\memdiag.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
HotStart ->  launches: {06DA0625-9701-43da-BFD7-FBEEA2180A1E}
  -> {HKLM...CLSID} = HotStart User Agent
                   \InProcServer32\(Default) = C:\Windows\System32\HotStartUserAgent.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\MUI
LPRemove ->  launches: %windir%\system32\lpremove.exe [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
SystemSoundsService ->  launches: {2DEA658F-54C1-4227-AF9B-260AB5FC3543}
  -> {HKLM...CLSID} = Microsoft PlaySoundService Class
                   \InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]
  -> {HKLM...Wow...CLSID} = Microsoft PlaySoundService Class
                         \InProcServer32\(Default) = C:\Windows\System32\PlaySndSrv.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace
GatherNetworkInfo ->  launches: %windir%\system32\gatherNetworkInfo.vbs [null data]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
AnalyzeSystem ->  launches: %SystemRoot%\System32\powercfg.exe -energy -auto [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\RAC
RacTask -> (HIDDEN!) launches: {42060D27-CA53-41f5-96E4-B1E8169308A6}
  -> {HKLM...CLSID} = ReliabilityAnalysisCustomHandler
                   \InProcServer32\(Default) = C:\Windows\system32\RacEngn.dll [MS]
  -> {HKLM...Wow...CLSID} = ReliabilityAnalysisCustomHandler
                         \InProcServer32\(Default) = C:\Windows\system32\RacEngn.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Ras
MobilityManager ->  launches: {c463a0fc-794f-4fdf-9201-01938ceacafa}
  -> {HKLM...CLSID} = RasMobilityManager
                   \InProcServer32\(Default) = C:\Windows\system32\rasmbmgr.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Registry
RegIdleBackup -> (HIDDEN!) launches: {ca767aa8-9157-4604-b64b-40747123d5f2}
  -> {HKLM...CLSID} = RegistryIdleBackupHandler
                   \InProcServer32\(Default) = C:\Windows\System32\regidle.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
RemoteAssistanceTask -> (HIDDEN!) launches: %windir%\system32\RAServer.exe /offerraupdate [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
GadgetManager ->  launches: {FF87090D-4A9A-4f47-879B-29A80C355D61}
  -> {HKLM...CLSID} = GadgetsManager Class
                   \InProcServer32\(Default) = C:\Windows\System32\AuxiliaryDisplayServices.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
SR ->  launches: %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Task Manager
Interactive -> (HIDDEN!) launches: {855fec53-d2e4-4999-9e87-3414e9cf0ff4}
  -> {HKLM...CLSID} = RunTask
                   \InProcServer32\(Default) = C:\Windows\system32\wdc.dll [MS]
  -> {HKLM...Wow...CLSID} = RunTask
                         \InProcServer32\(Default) = C:\Windows\system32\wdc.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
IpAddressConflict1 ->  launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem [MS]
IpAddressConflict2 ->  launches: %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
MsCtfMonitor -> (HIDDEN!) launches: {01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}
  -> {HKLM...CLSID} = MsCtfMonitor task handler
                   \InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]
  -> {HKLM...Wow...CLSID} = MsCtfMonitor task handler
                         \InProcServer32\(Default) = C:\Windows\system32\MsCtfMonitor.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
SynchronizeTime ->  launches: %windir%\system32\sc.exe start w32time task_started [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
UPnPHostConfig ->  launches: sc.exe config upnphost start= auto [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\WDI
ResolutionHost -> (HIDDEN!) launches: {900be39d-6be8-461a-bc4d-b0fa71f5ecb1}
  -> {HKLM...CLSID} = DiagnosticInfrastructureCustomHandler
                   \InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]
  -> {HKLM...Wow...CLSID} = DiagnosticInfrastructureCustomHandler
                         \InProcServer32\(Default) = C:\Windows\System32\wdi.dll [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Activation Technologies
ValidationTask -> (HIDDEN!) launches: %SystemRoot%\system32\Wat\WatAdminSvc.exe /run [MS]
ValidationTaskDeadline -> (HIDDEN!) launches: %SystemRoot%\system32\schtasks.exe /run /I /TN "\Microsoft\Windows\Windows Activation Technologies\ValidationTask" [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
QueueReporting ->  launches: %windir%\system32\wermgr.exe -queuereporting [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
BfeOnServiceStartTypeChange -> (HIDDEN!) launches: %windir%\system32\rundll32.exe bfe.dll,BfeOnServiceStartTypeChange [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
UpdateLibrary ->  launches: "%ProgramFiles%\Windows Media Player\wmpnscfg.exe" [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup
ConfigNotification ->  launches: %systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION [MS]
 
C:\Windows\System32\Tasks\Microsoft\Windows\Wininet
CacheTask ->  launches: {0358b920-0ac7-461f-98f4-58e32cd89148}
  -> {HKLM...CLSID} = Wininet Cache task object
                   \InProcServer32\(Default) = C:\Windows\system32\wininet.dll [MS]
  -> {HKLM...Wow...CLSID} = Wininet Cache task object
                         \InProcServer32\(Default) = C:\Windows\system32\wininet.dll [MS]
 
 
Winsock2 Service Provider DLLs:
-------------------------------
 
Namespace Service Providers
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
000000000007\LibraryPath = %SystemRoot%\system32\wshbth.dll [MS]
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\ {++}
000000000001\LibraryPath = %SystemRoot%\system32\NLAapi.dll [MS]
000000000002\LibraryPath = %SystemRoot%\system32\napinsp.dll [MS]
000000000003\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000004\LibraryPath = %SystemRoot%\system32\pnrpnsp.dll [MS]
000000000005\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000006\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
000000000007\LibraryPath = %SystemRoot%\system32\wshbth.dll [MS]
 
Transport Service Providers
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 11
 
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries64\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 11
 
 
Toolbars, Explorer Bars, Extensions:
------------------------------------
 
Toolbars
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = (no title provided)
  -> {HKLM...CLSID} = Google Toolbar
                   \InProcServer32\(Default) = C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [Google Inc.]
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = (no title provided)
  -> {HKLM...Wow...CLSID} = Google Toolbar
                         \InProcServer32\(Default) = C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [Google Inc.]
 
Extensions (Tools menu items, main toolbar menu buttons)
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
ButtonText = Send to OneNote
MenuText = Se&nd to OneNote
CLSIDExtension = {48E73304-E1D6-4330-914C-F5F514E3486C}
  -> {HKLM...CLSID} = Send to OneNote from Internet Explorer button
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll [MS]
 
{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
ButtonText = Skype for Business Click to Call
MenuText = Skype for Business Click to Call
CLSIDExtension = {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
  -> {HKLM...CLSID} = Skype for Business Browser Helper
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [MS]
 
{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\
ButtonText = OneNote Lin&ked Notes
MenuText = OneNote Lin&ked Notes
CLSIDExtension = {FFFDC614-B694-4AE6-AB38-5D6374584B52}
  -> {HKLM...CLSID} = Linked Notes button
                   \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll [MS]
 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
ButtonText = Send to OneNote
MenuText = Se&nd to OneNote
CLSIDExtension = {48E73304-E1D6-4330-914C-F5F514E3486C}
  -> {HKLM...Wow...CLSID} = Send to OneNote from Internet Explorer button
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIE.dll [MS]
 
{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\
ButtonText = Skype for Business Click to Call
MenuText = Skype for Business Click to Call
CLSIDExtension = {31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
  -> {HKLM...Wow...CLSID} = Skype for Business Browser Helper
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [MS]
 
{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\
ButtonText = OneNote Lin&ked Notes
MenuText = OneNote Lin&ked Notes
CLSIDExtension = {FFFDC614-B694-4AE6-AB38-5D6374584B52}
  -> {HKLM...Wow...CLSID} = Linked Notes button
                         \InProcServer32\(Default) = C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIELinkedNotes.dll [MS]
 
 
Miscellaneous IE Hijack Points
------------------------------
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> InPrivate = res://ieframe.dll/inprivate_win7.htm [MS]
<<H>> Compat = res://mshtml.dll/compat.htm [MS]
 
 
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
 
Adobe Acrobat Update Service, AdobeARMservice, "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" [Adobe Systems Incorporated]
Bluetooth Device Monitor, Bluetooth Device Monitor, "C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe" [Motorola Solutions, Inc.]
Bluetooth Media Service, Bluetooth Media Service, "C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe" [Motorola Solutions, Inc.]
Bluetooth OBEX Service, Bluetooth OBEX Service, "C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe" [Motorola Solutions, Inc.]
CxUtilSvc, CxUtilSvc, "C:\Program Files\Conexant\SA3\HP-NB-AIO\CxUtilSvc.exe" [Conexant Systems, Inc.]
Diagnostics Tracking Service, DiagTrack, C:\Windows\System32\svchost.exe -k utcsvc {C:\Windows\system32\diagtrack.dll [MS]}
ESET Service, ekrn, "C:\Program Files\ESET\ESET Smart Security\ekrn.exe" [ESET]
Intel Bluetooth Service, iBtSiva, "C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe" [Intel Corporation]
Intel® Dynamic Application Loader Host Interface Service, jhi_service, "C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe" [Intel Corporation]
Intel® HD Graphics Control Panel Service, igfxCUIService2.0.0.0, C:\Windows\system32\igfxCUIService.exe [Intel Corporation]
Intel® Management and Security Application Local Management Service, LMS, "C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe" [Intel Corporation]
Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\WiFi\bin\EvtEng.exe" [Intel® Corporation]
Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe" [Intel® Corporation]
Intel® PROSet/Wireless Zero Configuration Service, ZeroConfigService, "C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe" [Intel® Corporation]
Malwarebytes Anti-Exploit Service, MbaeSvc, "C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe" [Malwarebytes Corporation]
Microsoft Office ClickToRun Service, ClickToRunSvc, "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" /service [MS]
SAMSUNG Mobile Connectivity Service, ss_conn_service, "C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe" [DEVGURU Co., LTD.]
Synaptics FP WBF Policy Service, valWBFPolicyService, C:\Windows\system32\valWBFPolicyService.exe [Synaptics Incorporated]
SynTPEnh Caller Service, SynTPEnhService, "C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe" [Synaptics Incorporated]
UsbClientService, UsbClientService, C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [null data]
 
 
Keyboard Driver Filters:
------------------------
 
HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
<<!>> UpperFilters = <<!>> SynTP [Synaptics Incorporated],<<!>> ekbdflt [ESET],kbdclass [MS]
 
 
Print Monitors:
---------------
 
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
HP 7B12 Status Monitor\Driver = hpinksts7B12LM.dll [HP Inc.]
HP Discovery Port Monitor (HP OfficeJet Pro 8720)\Driver = HPDiscoPM7B12.dll [HP Inc.]
 
 
---------- (launch time: 2017-02-14 18:45:23)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
 
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 24 seconds, including 8 seconds for message boxes)

  • 0

#30
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Do this next so I also have a list of things running.

go to start search and type:- cmd, right click on the returned cmd.exe and select "run as administrator" at the prompt type or (copy paste) the text in the code box into the command prompt hit enter
echo > 0 & tasklist /v >> 0 & net start >> 0 & notepad 0
(press enter)

Post the notepad outcome here please (all of it).
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP