Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win7 notebook hit by "Microsoft Support" scam, possible Rootki

Started by HALlives , Feb 12 2017 08:08 PM

  • Please log in to reply

#46
zep516
Posted 15 February 2017 - 08:43 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Turn the power off, hold the power button down for 30 seconds see if it boots to windows. If it does not work the first time, power it down again and this time see if it will boot into safe mode.
  • 0

Advertisements

#47
HALlives
Posted 15 February 2017 - 08:49 PM

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

I can't boot into Safe Mode, the only options I have are Normal Start or Startup Repair.


  • 0

#48
zep516
Posted 15 February 2017 - 08:52 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Try either one or have you already done that ?
  • 0

#49
HALlives
Posted 15 February 2017 - 08:52 PM

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

When I start normally I get to the Starting Windows and the swirling dots, then after a few seconds I have a black screen and white cursor. 


  • 0

#50
HALlives
Posted 15 February 2017 - 08:53 PM

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Will Startup Repair risk losing data?


  • 0

#51
zep516
Posted 15 February 2017 - 08:54 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
No. Try it.
  • 0

#52
HALlives
Posted 15 February 2017 - 09:16 PM

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Okay, the Repair worked, the system is back, but so is the Scammer window, and a copy of Office 2013, which the affected programs checker said would be deleted... so I'm confused! 


  • 0

#53
zep516
Posted 15 February 2017 - 09:34 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Lets put back the system the way it was since it did not clear the issue.

Rerun System Restore and choose the Undo option that appears in the System Restore window. The System Restore is undone and your system is re-restored to the way it was before you ran System Restore.
  • 0

#54
HALlives
Posted 15 February 2017 - 09:51 PM

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Question Joe... do you know anything about Chromebooks... specifically, can the Chrome OS be infected by Windows viruses/malware etc?

 

The notebook is restored. 


Edited by HALlives, 15 February 2017 - 09:52 PM.

  • 0

#55
zep516
Posted 15 February 2017 - 09:55 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
I'm not certain about that Chrome OS being infected by windows.

Lets have a new set of logs and I'll have a set of instructions for you tomorrow evening.

Re-run Farbar Recovery Scan Tool (FRST/FRST64) you ran at the very beginning of this topic.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure you checkmark Addition.txt box.
  • Press Scan button.
  • Scan will create two logs, FRST.txt and Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.

  • 0

Advertisements

#56
HALlives
Posted 15 February 2017 - 10:17 PM

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Okay, it's getting late so I need to sign-off, but I'll run the FRST64 scanner again and post the results tomorrow evening... thanks again! 


  • 0

#57
zep516
Posted 15 February 2017 - 10:18 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
You're welcome.

Thanks
Joe :)
  • 0

#58
HALlives
Posted 16 February 2017 - 08:49 PM

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-02-2017 02
Ran by Barb (administrator) on BARB-PC (16-02-2017 18:43:54)
Running from C:\Users\Barb\Desktop
Loaded Profiles: Barb (Available Profiles: Barb)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\SA3\HP-NB-AIO\CxUtilSvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
() C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Windows\System32\valWBFPolicyService.exe
(Conexant) C:\Windows\System32\MicTray64.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
Startup: C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Funny.exe [2016-12-11] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7C27814A-EDAF-44EB-9A93-BF72FBD7C0A7}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-12-13] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-07-27] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-12-27] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-12-12] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-07-27] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-12-27] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-07-27] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-07-27] (Google Inc.)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-12-27] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-08-24] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-08-24] (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-12-27] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2016-12-27] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4070142805-2248021825-1571207387-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Barb\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2017-02-08] (Citrix Online)
 
Chrome: 
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default [2017-02-15]
CHR Extension: (Google Slides) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-07-09]
CHR Extension: (Google Docs) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-07-09]
CHR Extension: (Google Drive) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-09]
CHR Extension: (YouTube) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-07-09]
CHR Extension: (Google Sheets) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-07-09]
CHR Extension: (Google Docs Offline) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-07-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-15]
CHR Extension: (Gmail) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-07-09]
CHR Extension: (Chrome Media Router) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-15]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042032 2016-12-13] (Microsoft Corporation)
R2 CxUtilSvc; C:\Program Files\Conexant\SA3\HP-NB-AIO\CxUtilSvc.exe [135288 2015-08-08] (Conexant Systems, Inc.)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2770312 2016-12-03] (ESET)
R2 iBtSiva; C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe [150632 2015-10-08] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [356336 2016-05-15] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [207648 2016-01-07] (Intel Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2016-12-14] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-12-02] ()
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-01-08] (DEVGURU Co., LTD.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246376 2015-11-18] (Synaptics Incorporated)
R2 UsbClientService; C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [248840 2016-03-17] () [File not signed]
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [76296 2015-11-17] (Synaptics Incorporated)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3832224 2015-12-02] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [141800 2015-07-28] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1445688 2014-11-20] (Motorola Solutions, Inc.)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [502256 2015-09-29] (Intel Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [262792 2016-12-03] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [197248 2016-12-03] (ESET)
R2 ekbdflt; C:\Windows\System32\DRIVERS\ekbdflt.sys [153216 2016-12-03] (ESET)
R1 epfw; C:\Windows\System32\DRIVERS\epfw.sys [208520 2016-12-03] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [61568 2016-12-03] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [84616 2016-12-03] (ESET)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2016-12-14] ()
R3 iaLPSS2_GPIO2; C:\Windows\System32\DRIVERS\iaLPSS2_GPIO2.sys [91944 2015-06-02] (Intel Corporation)
R3 iaLPSS2_I2C; C:\Windows\System32\DRIVERS\iaLPSS2_I2C.sys [166184 2015-06-02] (Intel Corporation)
R3 ibtusb; C:\Windows\System32\DRIVERS\ibtusb.sys [96496 2015-09-10] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [180264 2015-12-24] (Intel Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\Netwsw02.sys [3422472 2016-01-01] (Intel Corporation)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2016-07-09] ()
S3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [769752 2015-12-18] (Realsil Semiconductor Corporation)
U5 RTSUER; C:\Windows\System32\Drivers\RTSUER.sys [413912 2015-12-22] (Realsil Semiconductor Corporation)
R3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [3092224 2015-12-03] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [42600 2015-11-18] (Synaptics Incorporated)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-16 18:43 - 2017-02-16 18:44 - 00013882 _____ C:\Users\Barb\Desktop\FRST.txt
2017-02-15 19:37 - 2017-02-15 19:41 - 00618138 _____ C:\TDSSKiller.3.1.0.12_15.02.2017_19.37.11_log.txt
2017-02-14 19:37 - 2017-02-14 19:37 - 06771840 _____ (ESET spol. s r.o.) C:\Users\Barb\Downloads\esetonlinescanner_enu.exe
2017-02-14 19:02 - 2017-02-14 19:02 - 00020867 _____ C:\Windows\system32\0
2017-02-14 18:45 - 2017-02-14 18:45 - 00087396 _____ C:\Users\Barb\Desktop\Startup Programs (BARB-PC) 2017-02-14 18.45.23.txt
2017-02-14 18:42 - 2017-02-14 18:42 - 00121623 _____ C:\Users\Barb\Downloads\Silent Runners.zip
2017-02-13 18:53 - 2017-02-13 18:53 - 00000954 _____ C:\Users\Barb\Desktop\Emisoft scan_170213-185218.txt
2017-02-13 18:48 - 2017-02-15 19:45 - 00000000 ____D C:\Users\Barb\Desktop\EEK
2017-02-13 18:46 - 2017-02-13 18:47 - 285741008 _____ C:\Users\Barb\Desktop\EmsisoftEmergencyKit.exe
2017-02-13 18:22 - 2017-02-16 18:43 - 00000000 ____D C:\Users\Barb\Desktop\FRST-OlderVersion
2017-02-12 18:54 - 2017-02-16 18:43 - 00000000 ____D C:\FRST
2017-02-12 18:52 - 2017-02-16 18:43 - 02422272 _____ (Farbar) C:\Users\Barb\Desktop\FRST64.exe
2017-02-08 20:03 - 2017-02-14 19:33 - 00859428 _____ C:\Windows\ntbtlog.txt
2017-02-08 13:48 - 2017-02-15 19:45 - 00000000 ____D C:\Windows\pss
2017-02-08 13:04 - 2017-02-15 19:45 - 00000000 ____D C:\Users\Barb\AppData\Local\Citrix
2017-02-08 13:04 - 2017-02-08 13:04 - 00000000 ____D C:\Program Files (x86)\Citrix
2017-02-04 13:41 - 2017-02-04 13:41 - 00000000 __RHD C:\MSOCache
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-16 18:42 - 2016-07-09 16:43 - 00000000 ____D C:\ProgramData\Synaptics
2017-02-16 18:42 - 2016-07-09 15:23 - 00000000 __SHD C:\Users\Barb\IntelGraphicsProfiles
2017-02-16 18:42 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-15 19:53 - 2009-07-13 20:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-15 19:53 - 2009-07-13 20:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-15 19:51 - 2009-07-13 21:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-15 19:51 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2017-02-15 19:50 - 2016-07-09 13:58 - 00000000 ____D C:\Users\Barb
2017-02-15 19:46 - 2016-07-10 11:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2017-02-15 19:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2017-02-15 19:45 - 2016-12-27 17:41 - 00000000 ____D C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2017-02-15 19:45 - 2016-12-27 17:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2017-02-15 19:45 - 2016-07-26 19:16 - 00000000 ____D C:\Windows\system32\Macromed
2017-02-15 19:45 - 2016-07-10 11:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2017-02-15 19:45 - 2016-07-09 15:51 - 00000000 ___HD C:\Windows\system32\WLANProfiles
2017-02-15 19:45 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2017-02-15 19:44 - 2016-12-27 17:36 - 00000000 ____D C:\Users\Barb\AppData\Local\LogMeIn Rescue Applet
2017-02-15 19:44 - 2016-07-26 19:16 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-02-15 19:44 - 2016-07-17 12:33 - 00000000 ____D C:\Users\Barb\AppData\Roaming\VERIZON
2017-02-15 19:44 - 2016-07-10 17:25 - 00000000 ____D C:\ProgramData\Adobe
2017-02-15 19:44 - 2016-07-09 16:05 - 00000000 ____D C:\Users\Barb\AppData\Local\Google
2017-02-15 19:44 - 2016-07-09 15:59 - 00000000 ____D C:\Users\Barb\AppData\Local\ESET
2017-02-15 19:44 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2017-02-15 19:44 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2017-02-15 19:43 - 2016-12-27 17:41 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-02-15 19:43 - 2016-07-10 17:25 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-02-15 19:43 - 2016-07-10 14:40 - 00000000 ____D C:\Barbs Documents
2017-02-14 19:05 - 2016-08-10 21:58 - 00000000 ____D C:\Windows\system32\MRT
2017-02-14 19:04 - 2016-08-10 21:58 - 135657872 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-02-14 18:45 - 2013-04-26 08:23 - 00513136 _____ C:\Users\Barb\Desktop\Silent Runners.vbs
2017-02-13 19:45 - 2016-07-10 11:25 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-02-12 20:23 - 2016-07-10 11:26 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-08 18:30 - 2016-07-26 19:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-02-02 09:30 - 2016-07-19 12:34 - 00000000 ____D C:\Users\Barb\AppData\Local\CrashDumps
2017-02-02 09:10 - 2016-07-09 16:07 - 00002202 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-02 09:10 - 2016-07-09 16:07 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-01-23 18:27 - 2016-12-27 17:41 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-01-23 18:26 - 2016-12-27 17:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-01-23 17:56 - 2017-01-04 11:48 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
 
==================== Files in the root of some directories =======
 
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\AtStart.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\DSwitch.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\QSwitch.txt
2016-07-10 16:31 - 2016-07-10 16:31 - 0000057 _____ () C:\ProgramData\Ament.ini
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-02-08 14:10
 
==================== End of FRST.txt ============================
 
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-02-2017 02
Ran by Barb (16-02-2017 18:44:12)
Running from C:\Users\Barb\Desktop
Windows 7 Professional Service Pack 1 (X64) (2016-07-09 21:58:31)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-4070142805-2248021825-1571207387-500 - Administrator - Disabled)
Barb (S-1-5-21-4070142805-2248021825-1571207387-1000 - Administrator - Enabled) => C:\Users\Barb
Guest (S-1-5-21-4070142805-2248021825-1571207387-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4070142805-2248021825-1571207387-1003 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: ESET Smart Security 9.0.408.0 (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: ESET Smart Security 9.0.408.0 (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall (Enabled) {D426EE12-AE7E-4602-F40F-BBCA8137EB0B}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat 5.0 (HKLM-x32\...\Adobe Acrobat 5.0) (Version: 5.0 - Adobe Systems, Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20056 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.194 - Adobe Systems Incorporated)
Adobe PageMaker 7.0 (HKLM-x32\...\Adobe PageMaker 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Shockwave Player 12.2 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.2.4.194 - Adobe Systems, Inc.)
Alcor Micro Smart Card Reader Driver (HKLM-x32\...\SZCCID) (Version: 1.7.44.0 - Alcor Micro Corp.)
Alcor Micro Smart Card Reader Driver (x32 Version: 1.7.44.0 - Alcor Micro Corp.) Hidden
Atmel I2C-HID maXTouch driver (HKLM-x32\...\InstallShield_{D38217B4-7002-471C-9B23-BB206429370A}) (Version: 1.0.0.2 - Atmel Corp.)
Atmel I2C-HID maXTouch driver (Version: 1.0.0.2 - Atmel Corp.) Hidden
Bang & Olufsen Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.65.148.0 - Conexant Systems)
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
ESET Smart Security (HKLM\...\{BA1050B5-E274-4693-8A67-CAF5576A07F1}) (Version: 9.0.381.0 - ESET, spol. s r.o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
HP Dropbox Plugin (HKLM-x32\...\{3E261474-8DF2-463B-984E-0B6396F58D1C}) (Version: 36.0.39.57346 - HP)
HP Google Drive Plugin (HKLM-x32\...\{9469285B-AB76-434A-8533-2EE643318F2E}) (Version: 36.0.39.57346 - HP)
HP OfficeJet Pro 8720 Basic Device Software (HKLM\...\{98A7C54D-74EB-461C-8124-E78BF938401F}) (Version: 38.1.1881.57490 - HP Inc.)
HP OfficeJet Pro 8720 Help (HKLM-x32\...\{18E5A98E-E857-4087-AF73-4E6B9AB0A140}) (Version: 38.0.0 - HP)
HP Quick Launch Buttons (HKLM-x32\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
HP Universal Camera Driver (HKLM-x32\...\{E399A5B3-ED53-4DEA-AF04-8011E1EB1EAC}) (Version: 10.0.10240.11156 - Realtek Semiconductor Corp.)
I.R.I.S. OCR (HKLM-x32\...\{093C645A-294E-41E4-904C-DDF13DC47A27}) (Version: 12.3.6.12 - HP)
Intel® Chipset Device Software (x32 Version: 10.1.1.11 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1177 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 20.4 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4457 - Intel Corporation)
Intel® Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 30.61.1519.7 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 4.0.4.51 - Intel Corporation)
Intel® Wireless Bluetooth®(patch version 18.1.1536.2042) (HKLM\...\{302600C1-6BDF-4FD1-1508-148929CC1385}) (Version: 18.1.1508.0538 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{f6a1d9e5-6ef0-4bdb-8637-4241ffee4179}) (Version: 18.32.1 - Intel Corporation)
Malwarebytes Anti-Exploit version 1.9.1.1291 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.9.1.1291 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 15.0.4893.1002 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
NXPProximityInstaller (HKLM-x32\...\NXPProximityInstaller) (Version: 3.10020.10439.40 - NXP Semiconductors)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
QLBCASL (x32 Version: 6.40.17.2 - Hewlett-Packard) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.370.119 - Realtek Semiconduct Corp.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.59.0 - Samsung Electronics Co., Ltd.)
Snagit 11 (HKLM-x32\...\{90D0FC4B-D653-4F49-BB97-A48C74A52E71}) (Version: 11.4.3 - TechSmith Corporation)
SUABnR (HKLM-x32\...\InstallShield_{2485354C-6B65-4978-BB91-CCE61442377B}) (Version: 1.1.0.13103_1 - Samsung Electronics Co., Ltd.)
SUABnR (x32 Version: 1.1.0.13103_1 - Samsung Electronics Co., Ltd.) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.19.18 - Synaptics Incorporated)
Synaptics WBF Fingerprint Reader (HKLM\...\{0A3B3699-C474-4173-B105-C3B9464F61C0}) (Version: 4.5.324.0 - Synaptics)
Synology Assistant (remove only) (HKLM-x32\...\Synology Assistant) (Version:  - )
ThumbsPlus 10 (HKLM-x32\...\ThumbsPlus 10) (Version:  - Cerious Software)
ThumbsPlus 10 (x32 Version: 10.1.0.4011 - Cerious Software Inc.) Hidden
Verizon Wireless Software Upgrade Assistant - Samsung(ar) (HKLM-x32\...\{D549825F-FB85-49F6-8075-79847871C246}) (Version: 2.16.1101 - Samsung Electronics Co., Ltd.)
Verizon Wireless Software Utility Application for Android - Samsung (HKLM-x32\...\{EDB7BFB3-9B55-4A70-920F-35226A4E4A12}) (Version: 2.16.0504 - Samsung Electronics Co., Ltd.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {1B251480-BCE2-487D-B310-52D9887444E6} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-11-01] (Microsoft Corporation)
Task: {329F6AA2-80A7-4680-98C0-3CA086F9269C} - System32\Tasks\TechSmith Updater => C:\Program Files (x86)\Common Files\TechSmith Shared\Updater\TSCUpdClt.exe [2013-10-04] (TechSmith Corporation)
Task: {34D2B29D-8B51-4700-97A3-450A76EDEFF2} - System32\Tasks\{C3921B5B-160A-4419-8B2F-D47A88C31E39} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP It4120 Snapdragon X5 LTE Drivers v1.0.1.53 Rev.A.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking"
Task: {801A6E1D-2C47-48BD-BCFB-BFE03BA606F2} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-01-12] (Adobe Systems Incorporated)
Task: {84CC1865-774C-422C-A065-8D1B0393F5B6} - System32\Tasks\{1346ADC4-9572-4089-A8A4-B0EE90368685} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Firmware\HP Ultraslim Docking Station Displayport Hub.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Firmware"
Task: {9041B7BE-A5F4-4A2E-96B5-BC0D80EE71A2} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-12-27] (Microsoft Corporation)
Task: {9A05A1EE-9390-42AF-A554-E3193A7E22A5} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {9AFCD27A-8420-4984-B521-9A7021E978DD} - System32\Tasks\{6B35F718-257C-418D-A944-03E0917F6AB4} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP hs3110hs3114 Mobile Broadband Drivers.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking"
Task: {A5C05730-98A6-4AB4-95D3-63BE60FF32B7} - System32\Tasks\Microsoft\Windows\Conexant\MicTray => C:\Windows\System32\MicTray64.exe [2015-12-24] (Conexant)
Task: {BC6A1B5D-AF46-4E91-890B-00DD552F793E} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-12-27] (Microsoft Corporation)
Task: {CD9EBDDB-0E0D-4F10-88F3-449FF45886C0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-09] (Google Inc.)
Task: {D577B661-52EC-42C7-821A-6730A098807E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-09] (Google Inc.)
Task: {F0C4053A-0DCE-4EED-B463-2B71D475078E} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-11-01] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-12-27 17:39 - 2016-05-24 08:51 - 00116416 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2016-12-27 17:41 - 2016-12-27 17:41 - 08909504 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-03-17 21:41 - 2016-03-17 21:41 - 00248840 _____ () C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
2016-05-15 19:13 - 2016-05-15 19:13 - 00384496 _____ () C:\Windows\system32\igfxTray.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 18:34 - 2017-02-12 19:57 - 00000035 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk => C:\Windows\pss\Acrobat Assistant.lnk.CommonStartup
MSCONFIG\startupreg: BTMTrayAgent => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
MSCONFIG\startupreg: HP OfficeJet Pro 8720 (NET) => "C:\Program Files\HP\HP OfficeJet Pro 8720\Bin\ScanToPCActivationApp.exe" -deviceID "CN63OAK0NB:NW" -scfn "HP OfficeJet Pro 8720 (NET)" -AutoStart 1
MSCONFIG\startupreg: IMSS => "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe" 60
MSCONFIG\startupreg: Malwarebytes Anti-Exploit => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
MSCONFIG\startupreg: RtsCM => RTSCM64.EXE
MSCONFIG\startupreg: SmartAudio => C:\Program Files\Conexant\SA3\HP-NB-AIO\SACpl.exe /sa3 /nv:3.0+ /uid:HP-NB-AIO /s /dne
MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
 
==================== Restore Points =========================
 
13-12-2016 22:39:26 Windows Update
08-02-2017 14:17:37 Scheduled Checkpoint
12-02-2017 19:57:20 Restore Point Created by FRST
13-02-2017 18:22:38 Restore Point Created by FRST
14-02-2017 19:04:16 Windows Update
15-02-2017 18:27:20 Restore Operation
 
==================== Faulty Device Manager Devices =============
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/16/2017 06:42:51 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/16/2017 06:42:51 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/16/2017 06:42:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/15/2017 07:47:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/15/2017 07:42:24 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/15/2017 07:42:24 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/15/2017 07:42:24 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/15/2017 07:42:20 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/15/2017 07:34:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/15/2017 07:33:05 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
 
System errors:
=============
Error: (02/16/2017 06:42:50 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (02/15/2017 07:47:01 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (02/15/2017 07:42:20 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (02/15/2017 07:41:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (02/15/2017 07:41:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (02/15/2017 07:41:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (02/15/2017 07:41:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (02/15/2017 07:41:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (02/15/2017 07:41:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (02/15/2017 07:41:37 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
The dependency service or group failed to start.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-6600U CPU @ 2.60GHz
Percentage of memory in use: 18%
Total physical RAM: 8072.59 MB
Available physical RAM: 6568.52 MB
Total Virtual: 16143.37 MB
Available Virtual: 14589.99 MB
 
==================== Drives ================================
 
Drive c: (DRIVE_C) (Fixed) (Total:698.54 GB) (Free:567.28 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: FF382DB0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=698.5 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

  • 0

#59
zep516
Posted 16 February 2017 - 08:56 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Thanks for those logs. I need time to look them over.

Please run Combofix. Don't fool around with combofix if you have any problems with it let me know.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

Please post the Log from Combofix

Combofix usuage guide
http://www.bleepingc...to-use-combofix


I'm guessing you will need to do this in safemode, because of the shut down issue.
  • 0

#60
zep516
Posted 16 February 2017 - 09:00 PM

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
C:\TDSSKiller.3.1.0.12_15.02.2017_19.37.11_log.txt

Post the log report, I see that you ran it.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP