
Win7 notebook hit by "Microsoft Support" scam, possible Rootki


#76
HALlives (Topic Starter, Member, 59 posts)

Yes, the Scammer window is gone, but the "My Technician..." crap is still on the taskbar. 

 

The notebook is shutting down, rebooting, booting into Safe Mode, and booting into Windows as if nothing is wrong. 


  • 0


#77
zep516 (Trusted Helper, Malware Removal, 8,090 posts)

Need to get off for the evening, 11:30 here.

Let's run some basic adware scans and post the log reports.

I'll look at the ComboFix issue and try and determine what occurred.

Here are the scans to run:

Next

Please download AdwCleaner to your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

Next

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts. See here how to disable your security protection (Anti Virus).
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

  • 0

#78
HALlives (Topic Starter, Member, 59 posts)

Thanks, will post results tomorrow evening! 


  • 0

#79
HALlives (Topic Starter, Member, 59 posts)

# AdwCleaner v6.043 - Logfile created 17/02/2017 at 17:23:48
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-13.1 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : Barb - BARB-PC
# Running from : C:\Users\Barb\Desktop\adwcleaner_6.043.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Barb\AppData\Local\PackageAware
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\couponxplorer.dl.myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\howtosimplified.dl.myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\mapsgalaxy.dl.myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\onlinemapfinder.dl.myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\totalrecipesearch.dl.myway.com
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\staticimgfarm.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ttdetect.staticimgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\staticimgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ttdetect.staticimgfarm.com
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [2606 Bytes] - [17/02/2017 17:23:48]
C:\AdwCleaner\AdwCleaner[S0].txt - [2732 Bytes] - [17/02/2017 17:22:40]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2752 Bytes] ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Professional x64 
Ran by Barb (Administrator) on Fri 02/17/2017 at 17:30:01.77
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 8 
 
Successfully deleted: C:\Users\Barb\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\367N0GMT (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Barb\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ABQ6DWC (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Barb\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q09O921B (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Barb\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y77006E8 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\367N0GMT (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ABQ6DWC (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q09O921B (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y77006E8 (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 02/17/2017 at 17:31:17.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

  • 0
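As an added example (not code from the thread, and not part of AdwCleaner itself), here is a small parser for the AdwCleaner v6 clean-log layout posted above: it splits the log into its `***** [ Section ] *****` blocks, classifies each `[-]` (deleted) and `[#]` (deleted on reboot) line, and pulls out what a helper reviewing the log checks next: the entries still pending a reboot and the Internet Explorer DOMStorage hosts that were cleared. The sample log embedded in the code is a constructed subset of the lines above.

```python
import re
from collections import Counter

# Constructed sample in the AdwCleaner v6 "Clean" log layout seen in the thread (shortened subset).
SAMPLE_LOG = r"""
# AdwCleaner v6.043 - Logfile created 17/02/2017 at 17:23:48
# Mode: Clean

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Barb\AppData\Local\PackageAware

***** [ Registry ] *****

[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\onlinemapfinder.dl.myway.com
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector

***** [ Web browsers ] *****

[-] [C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared
"""

VERSION_RE = re.compile(r"^# AdwCleaner v(\S+)")
MODE_RE = re.compile(r"^# Mode: (\w+)$")
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ACTION_RE = re.compile(r"^\[([-#])\] (.+)$")                  # [-] done now, [#] needs a reboot
PLAIN_RE = re.compile(r"^([A-Za-z ]+?): (.+)$")               # "Key deleted: HKCU\..."
BROWSER_RE = re.compile(r"^\[(.+?)\] \[(.+?)\] (\w+): (.+)$")  # "[data file] [kind] Deleted: value"
STATUS = {"-": "deleted", "#": "pending_reboot"}

def parse_entry(status_char, text):
    """Turn one '[-] ...' / '[#] ...' line into a dict of its parts."""
    entry = {"status": STATUS.get(status_char, "other"), "x64": False, "action": None,
             "target": None, "hive": None, "file": None, "kind": None, "raw": text}
    m = BROWSER_RE.match(text)
    if m:
        entry["file"], entry["kind"], entry["action"], entry["target"] = m.groups()
        return entry
    m = PLAIN_RE.match(text)
    if not m:
        return entry
    action, target = m.groups()
    # Pending-reboot registry lines carry a "[x64] " view tag before the key path.
    if target.startswith("[x64] "):
        entry["x64"], target = True, target[len("[x64] "):]
    entry["action"], entry["target"] = action, target
    if action.startswith("Key"):
        entry["hive"] = target.split("\\", 1)[0]   # HKCU / HKLM
    return entry

def parse_adwcleaner_log(text):
    """Split a clean-mode log into header fields, per-section entries and trailing notes."""
    result = {"version": None, "mode": None, "sections": {}, "notes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := VERSION_RE.match(line)):
            result["version"] = m.group(1)
        elif (m := MODE_RE.match(line)):
            result["mode"] = m.group(1)
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
            result["sections"][section] = []
        elif line.startswith("*****"):
            section = None                      # bare asterisk row closes the last section
        elif line.startswith("::"):
            result["notes"].append(line[2:].strip())
        elif section is not None and (m := ACTION_RE.match(line)):
            result["sections"][section].append(parse_entry(m.group(1), m.group(2)))
    return result

def summarize(result):
    """Entry counts per non-empty section and status, e.g. {'Registry': {'deleted': 3, ...}}."""
    return {name: dict(Counter(e["status"] for e in entries))
            for name, entries in result["sections"].items() if entries}

def pending_reboot(result):
    """Targets AdwCleaner could only schedule for removal; confirm they are gone after the reboot."""
    return [e["target"] for entries in result["sections"].values()
            for e in entries if e["status"] == "pending_reboot"]

def domstorage_hosts(result):
    """Hosts whose IE DOMStorage keys were removed (the last key component is the host name)."""
    hosts = {e["target"].rsplit("\\", 1)[1]
             for e in result["sections"].get("Registry", [])
             if e["target"] and "\\DOMStorage\\" in e["target"]}
    return sorted(hosts)
```

Call `parse_adwcleaner_log(SAMPLE_LOG)` and pass the result to `summarize`, `pending_reboot` and `domstorage_hosts`; the same functions work on the text of the `C:\AdwCleaner\AdwCleaner[C0].txt` file the tool writes.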

#80
zep516 (Trusted Helper, Malware Removal, 8,090 posts)

Thanks,

I need a new set of FRST logs to determine what happened to Combofix.
  • 0

#81
HALlives (Topic Starter, Member, 59 posts)

Here you go... 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-02-2017
Ran by Barb (administrator) on BARB-PC (17-02-2017 17:43:30)
Running from C:\Users\Barb\Desktop
Loaded Profiles: Barb (Available Profiles: Barb)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\SA3\HP-NB-AIO\CxUtilSvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(DEVGURU Co., LTD.) C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
() C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
(Synaptics Incorporated) C:\Windows\System32\valWBFPolicyService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Conexant) C:\Windows\System32\MicTray64.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7C27814A-EDAF-44EB-9A93-BF72FBD7C0A7}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-12-13] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-07-27] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-12-27] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-12-12] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-07-27] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-12-27] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-12-27] (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-07-27] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-07-27] (Google Inc.)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-12-27] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1224194.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-08-24] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-08-24] (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-12-27] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2016-12-27] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4070142805-2248021825-1571207387-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Barb\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2017-02-08] (Citrix Online)
 
Chrome: 
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default [2017-02-17]
CHR Extension: (Google Slides) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-07-09]
CHR Extension: (Google Docs) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-07-09]
CHR Extension: (Google Drive) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-09]
CHR Extension: (YouTube) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-07-09]
CHR Extension: (Google Sheets) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-07-09]
CHR Extension: (Google Docs Offline) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-07-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-15]
CHR Extension: (Gmail) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-07-09]
CHR Extension: (Chrome Media Router) - C:\Users\Barb\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-15]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042032 2016-12-13] (Microsoft Corporation)
R2 CxUtilSvc; C:\Program Files\Conexant\SA3\HP-NB-AIO\CxUtilSvc.exe [135288 2015-08-08] (Conexant Systems, Inc.)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2770312 2016-12-03] (ESET)
R2 iBtSiva; C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe [150632 2015-10-08] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [356336 2016-05-15] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [207648 2016-01-07] (Intel Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2016-12-14] (Malwarebytes Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-12-02] ()
R2 ss_conn_service; C:\Program Files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-01-08] (DEVGURU Co., LTD.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246376 2015-11-18] (Synaptics Incorporated)
R2 UsbClientService; C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe [248840 2016-03-17] () [File not signed]
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [76296 2015-11-17] (Synaptics Incorporated)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3832224 2015-12-02] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [141800 2015-07-28] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1445688 2014-11-20] (Motorola Solutions, Inc.)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [502256 2015-09-29] (Intel Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [262792 2016-12-03] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [197248 2016-12-03] (ESET)
R2 ekbdflt; C:\Windows\System32\DRIVERS\ekbdflt.sys [153216 2016-12-03] (ESET)
R1 epfw; C:\Windows\System32\DRIVERS\epfw.sys [208520 2016-12-03] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [61568 2016-12-03] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [84616 2016-12-03] (ESET)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2016-12-14] ()
R3 iaLPSS2_GPIO2; C:\Windows\System32\DRIVERS\iaLPSS2_GPIO2.sys [91944 2015-06-02] (Intel Corporation)
R3 iaLPSS2_I2C; C:\Windows\System32\DRIVERS\iaLPSS2_I2C.sys [166184 2015-06-02] (Intel Corporation)
R3 ibtusb; C:\Windows\System32\DRIVERS\ibtusb.sys [96496 2015-09-10] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [180264 2015-12-24] (Intel Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\Netwsw02.sys [3422472 2016-01-01] (Intel Corporation)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2016-07-09] ()
S3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [769752 2015-12-18] (Realsil Semiconductor Corporation)
U5 RTSUER; C:\Windows\System32\Drivers\RTSUER.sys [413912 2015-12-22] (Realsil Semiconductor Corporation)
R3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [3092224 2015-12-03] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [42600 2015-11-18] (Synaptics Incorporated)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-17 17:43 - 2017-02-17 17:43 - 00013767 _____ C:\Users\Barb\Desktop\FRST.txt
2017-02-17 17:32 - 2017-02-17 17:32 - 00001869 _____ C:\Users\Barb\Desktop\JRT log file.txt
2017-02-17 17:28 - 2017-02-17 17:28 - 01663040 _____ (Malwarebytes) C:\Users\Barb\Desktop\JRT.exe
2017-02-17 17:25 - 2017-02-17 17:25 - 00002855 _____ C:\Users\Barb\Desktop\AdwCleaner log file.txt
2017-02-17 17:21 - 2017-02-17 17:23 - 00000000 ____D C:\AdwCleaner
2017-02-17 17:21 - 2017-02-17 17:21 - 04015056 _____ C:\Users\Barb\Desktop\adwcleaner_6.043.exe
2017-02-16 19:17 - 2017-02-16 20:02 - 00000000 ___SD C:\32788R22FWJFW
2017-02-16 19:17 - 2017-02-16 19:26 - 00000000 ____D C:\Qoobox
2017-02-16 19:17 - 2017-02-16 19:17 - 00000000 ____D C:\Windows\erdnt
2017-02-15 19:37 - 2017-02-15 19:41 - 00618138 _____ C:\TDSSKiller.3.1.0.12_15.02.2017_19.37.11_log.txt
2017-02-14 19:37 - 2017-02-14 19:37 - 06771840 _____ (ESET spol. s r.o.) C:\Users\Barb\Downloads\esetonlinescanner_enu.exe
2017-02-14 19:02 - 2017-02-14 19:02 - 00020867 _____ C:\Windows\system32\0
2017-02-14 18:45 - 2017-02-14 18:45 - 00087396 _____ C:\Users\Barb\Desktop\Startup Programs (BARB-PC) 2017-02-14 18.45.23.txt
2017-02-14 18:42 - 2017-02-14 18:42 - 00121623 _____ C:\Users\Barb\Downloads\Silent Runners.zip
2017-02-13 18:53 - 2017-02-13 18:53 - 00000954 _____ C:\Users\Barb\Desktop\Emisoft scan_170213-185218.txt
2017-02-13 18:48 - 2017-02-15 19:45 - 00000000 ____D C:\Users\Barb\Desktop\EEK
2017-02-13 18:46 - 2017-02-13 18:47 - 285741008 _____ C:\Users\Barb\Desktop\EmsisoftEmergencyKit.exe
2017-02-13 18:22 - 2017-02-17 17:43 - 00000000 ____D C:\Users\Barb\Desktop\FRST-OlderVersion
2017-02-12 18:54 - 2017-02-17 17:43 - 00000000 ____D C:\FRST
2017-02-12 18:52 - 2017-02-17 17:43 - 02422272 _____ (Farbar) C:\Users\Barb\Desktop\FRST64.exe
2017-02-08 20:03 - 2017-02-16 20:25 - 01527154 _____ C:\Windows\ntbtlog.txt
2017-02-08 13:48 - 2017-02-16 19:48 - 00000000 ____D C:\Windows\pss
2017-02-08 13:04 - 2017-02-15 19:45 - 00000000 ____D C:\Users\Barb\AppData\Local\Citrix
2017-02-08 13:04 - 2017-02-08 13:04 - 00000000 ____D C:\Program Files (x86)\Citrix
2017-02-04 13:41 - 2017-02-04 13:41 - 00000000 __RHD C:\MSOCache
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-02-17 17:42 - 2016-07-09 16:43 - 00000000 ____D C:\ProgramData\Synaptics
2017-02-17 17:42 - 2016-07-09 15:23 - 00000000 __SHD C:\Users\Barb\IntelGraphicsProfiles
2017-02-17 17:42 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-17 17:39 - 2009-07-13 20:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-17 17:39 - 2009-07-13 20:45 - 00022096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-17 17:38 - 2009-07-13 21:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-17 17:38 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2017-02-17 17:30 - 2016-07-26 19:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-02-16 20:41 - 2016-07-10 11:26 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-16 20:02 - 2016-07-10 11:25 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-02-15 19:50 - 2016-07-09 13:58 - 00000000 ____D C:\Users\Barb
2017-02-15 19:46 - 2016-07-10 11:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2017-02-15 19:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\rescache
2017-02-15 19:45 - 2016-12-27 17:41 - 00000000 ____D C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform
2017-02-15 19:45 - 2016-12-27 17:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2017-02-15 19:45 - 2016-07-26 19:16 - 00000000 ____D C:\Windows\system32\Macromed
2017-02-15 19:45 - 2016-07-10 11:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2017-02-15 19:45 - 2016-07-09 15:51 - 00000000 ___HD C:\Windows\system32\WLANProfiles
2017-02-15 19:45 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\servicing
2017-02-15 19:44 - 2016-12-27 17:36 - 00000000 ____D C:\Users\Barb\AppData\Local\LogMeIn Rescue Applet
2017-02-15 19:44 - 2016-07-26 19:16 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-02-15 19:44 - 2016-07-17 12:33 - 00000000 ____D C:\Users\Barb\AppData\Roaming\VERIZON
2017-02-15 19:44 - 2016-07-10 17:25 - 00000000 ____D C:\ProgramData\Adobe
2017-02-15 19:44 - 2016-07-09 16:05 - 00000000 ____D C:\Users\Barb\AppData\Local\Google
2017-02-15 19:44 - 2016-07-09 15:59 - 00000000 ____D C:\Users\Barb\AppData\Local\ESET
2017-02-15 19:44 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2017-02-15 19:44 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2017-02-15 19:43 - 2016-12-27 17:41 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-02-15 19:43 - 2016-07-10 17:25 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-02-15 19:43 - 2016-07-10 14:40 - 00000000 ____D C:\Barbs Documents
2017-02-14 19:05 - 2016-08-10 21:58 - 00000000 ____D C:\Windows\system32\MRT
2017-02-14 19:04 - 2016-08-10 21:58 - 135657872 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-02-14 18:45 - 2013-04-26 08:23 - 00513136 _____ C:\Users\Barb\Desktop\Silent Runners.vbs
2017-02-02 09:30 - 2016-07-19 12:34 - 00000000 ____D C:\Users\Barb\AppData\Local\CrashDumps
2017-02-02 09:10 - 2016-07-09 16:07 - 00002202 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-02 09:10 - 2016-07-09 16:07 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-01-23 18:27 - 2016-12-27 17:41 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-01-23 18:26 - 2016-12-27 17:39 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-01-23 17:56 - 2017-01-04 11:48 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
 
==================== Files in the root of some directories =======
 
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\AtStart.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\DSwitch.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\QSwitch.txt
2016-07-10 16:31 - 2016-07-10 16:31 - 0000057 _____ () C:\ProgramData\Ament.ini
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-02-08 14:10
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-02-2017
Ran by Barb (17-02-2017 17:43:48)
Running from C:\Users\Barb\Desktop
Windows 7 Professional Service Pack 1 (X64) (2016-07-09 21:58:31)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-4070142805-2248021825-1571207387-500 - Administrator - Disabled)
Barb (S-1-5-21-4070142805-2248021825-1571207387-1000 - Administrator - Enabled) => C:\Users\Barb
Guest (S-1-5-21-4070142805-2248021825-1571207387-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4070142805-2248021825-1571207387-1003 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: ESET Smart Security 9.0.408.0 (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: ESET Smart Security 9.0.408.0 (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall (Enabled) {D426EE12-AE7E-4602-F40F-BBCA8137EB0B}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat 5.0 (HKLM-x32\...\Adobe Acrobat 5.0) (Version: 5.0 - Adobe Systems, Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20056 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.194 - Adobe Systems Incorporated)
Adobe PageMaker 7.0 (HKLM-x32\...\Adobe PageMaker 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Shockwave Player 12.2 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.2.4.194 - Adobe Systems, Inc.)
Alcor Micro Smart Card Reader Driver (HKLM-x32\...\SZCCID) (Version: 1.7.44.0 - Alcor Micro Corp.)
Alcor Micro Smart Card Reader Driver (x32 Version: 1.7.44.0 - Alcor Micro Corp.) Hidden
Atmel I2C-HID maXTouch driver (HKLM-x32\...\InstallShield_{D38217B4-7002-471C-9B23-BB206429370A}) (Version: 1.0.0.2 - Atmel Corp.)
Atmel I2C-HID maXTouch driver (Version: 1.0.0.2 - Atmel Corp.) Hidden
Bang & Olufsen Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.65.148.0 - Conexant Systems)
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
ESET Smart Security (HKLM\...\{BA1050B5-E274-4693-8A67-CAF5576A07F1}) (Version: 9.0.381.0 - ESET, spol. s r.o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
HP Dropbox Plugin (HKLM-x32\...\{3E261474-8DF2-463B-984E-0B6396F58D1C}) (Version: 36.0.39.57346 - HP)
HP Google Drive Plugin (HKLM-x32\...\{9469285B-AB76-434A-8533-2EE643318F2E}) (Version: 36.0.39.57346 - HP)
HP OfficeJet Pro 8720 Basic Device Software (HKLM\...\{98A7C54D-74EB-461C-8124-E78BF938401F}) (Version: 38.1.1881.57490 - HP Inc.)
HP OfficeJet Pro 8720 Help (HKLM-x32\...\{18E5A98E-E857-4087-AF73-4E6B9AB0A140}) (Version: 38.0.0 - HP)
HP Quick Launch Buttons (HKLM-x32\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.17.1 - Hewlett-Packard Company)
HP Universal Camera Driver (HKLM-x32\...\{E399A5B3-ED53-4DEA-AF04-8011E1EB1EAC}) (Version: 10.0.10240.11156 - Realtek Semiconductor Corp.)
I.R.I.S. OCR (HKLM-x32\...\{093C645A-294E-41E4-904C-DDF13DC47A27}) (Version: 12.3.6.12 - HP)
Intel® Chipset Device Software (x32 Version: 10.1.1.11 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1177 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 20.4 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4457 - Intel Corporation)
Intel® Serial IO (HKLM\...\{9FD91C5C-44AE-4D9D-85BE-AE52816B0294}) (Version: 30.61.1519.7 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 4.0.4.51 - Intel Corporation)
Intel® Wireless Bluetooth®(patch version 18.1.1536.2042) (HKLM\...\{302600C1-6BDF-4FD1-1508-148929CC1385}) (Version: 18.1.1508.0538 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{f6a1d9e5-6ef0-4bdb-8637-4241ffee4179}) (Version: 18.32.1 - Intel Corporation)
Malwarebytes Anti-Exploit version 1.9.1.1291 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.9.1.1291 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 15.0.4893.1002 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
NXPProximityInstaller (HKLM-x32\...\NXPProximityInstaller) (Version: 3.10020.10439.40 - NXP Semiconductors)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4893.1002 - Microsoft Corporation) Hidden
QLBCASL (x32 Version: 6.40.17.2 - Hewlett-Packard) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.370.119 - Realtek Semiconduct Corp.)
Samsung USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.59.0 - Samsung Electronics Co., Ltd.)
Snagit 11 (HKLM-x32\...\{90D0FC4B-D653-4F49-BB97-A48C74A52E71}) (Version: 11.4.3 - TechSmith Corporation)
SUABnR (HKLM-x32\...\InstallShield_{2485354C-6B65-4978-BB91-CCE61442377B}) (Version: 1.1.0.13103_1 - Samsung Electronics Co., Ltd.)
SUABnR (x32 Version: 1.1.0.13103_1 - Samsung Electronics Co., Ltd.) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.19.18 - Synaptics Incorporated)
Synaptics WBF Fingerprint Reader (HKLM\...\{0A3B3699-C474-4173-B105-C3B9464F61C0}) (Version: 4.5.324.0 - Synaptics)
Synology Assistant (remove only) (HKLM-x32\...\Synology Assistant) (Version:  - )
ThumbsPlus 10 (HKLM-x32\...\ThumbsPlus 10) (Version:  - Cerious Software)
ThumbsPlus 10 (x32 Version: 10.1.0.4011 - Cerious Software Inc.) Hidden
Verizon Wireless Software Upgrade Assistant - Samsung(ar) (HKLM-x32\...\{D549825F-FB85-49F6-8075-79847871C246}) (Version: 2.16.1101 - Samsung Electronics Co., Ltd.)
Verizon Wireless Software Utility Application for Android - Samsung (HKLM-x32\...\{EDB7BFB3-9B55-4A70-920F-35226A4E4A12}) (Version: 2.16.0504 - Samsung Electronics Co., Ltd.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {1B251480-BCE2-487D-B310-52D9887444E6} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-11-01] (Microsoft Corporation)
Task: {329F6AA2-80A7-4680-98C0-3CA086F9269C} - System32\Tasks\TechSmith Updater => C:\Program Files (x86)\Common Files\TechSmith Shared\Updater\TSCUpdClt.exe [2013-10-04] (TechSmith Corporation)
Task: {34D2B29D-8B51-4700-97A3-450A76EDEFF2} - System32\Tasks\{C3921B5B-160A-4419-8B2F-D47A88C31E39} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP It4120 Snapdragon X5 LTE Drivers v1.0.1.53 Rev.A.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking"
Task: {801A6E1D-2C47-48BD-BCFB-BFE03BA606F2} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-01-12] (Adobe Systems Incorporated)
Task: {84CC1865-774C-422C-A065-8D1B0393F5B6} - System32\Tasks\{1346ADC4-9572-4089-A8A4-B0EE90368685} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Firmware\HP Ultraslim Docking Station Displayport Hub.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Firmware"
Task: {9041B7BE-A5F4-4A2E-96B5-BC0D80EE71A2} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-12-27] (Microsoft Corporation)
Task: {9A05A1EE-9390-42AF-A554-E3193A7E22A5} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {9AFCD27A-8420-4984-B521-9A7021E978DD} - System32\Tasks\{6B35F718-257C-418D-A944-03E0917F6AB4} => pcalua.exe -a "C:\EliteBook 850 G3\850 G3 Drivers\Networking\HP hs3110hs3114 Mobile Broadband Drivers.exe" -d "C:\EliteBook 850 G3\850 G3 Drivers\Networking"
Task: {A5C05730-98A6-4AB4-95D3-63BE60FF32B7} - System32\Tasks\Microsoft\Windows\Conexant\MicTray => C:\Windows\System32\MicTray64.exe [2015-12-24] (Conexant)
Task: {BC6A1B5D-AF46-4E91-890B-00DD552F793E} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2016-12-27] (Microsoft Corporation)
Task: {CD9EBDDB-0E0D-4F10-88F3-449FF45886C0} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-09] (Google Inc.)
Task: {D577B661-52EC-42C7-821A-6730A098807E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-07-09] (Google Inc.)
Task: {F0C4053A-0DCE-4EED-B463-2B71D475078E} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-11-01] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-12-27 17:39 - 2016-05-24 08:51 - 00116416 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2016-03-17 21:41 - 2016-03-17 21:41 - 00248840 _____ () C:\Program Files (x86)\Synology\Assistant\UsbClientService.exe
2016-12-27 17:41 - 2016-12-27 17:41 - 08909504 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2016-05-15 19:13 - 2016-05-15 19:13 - 00384496 _____ () C:\Windows\system32\igfxTray.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 18:34 - 2017-02-12 19:57 - 00000035 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-4070142805-2248021825-1571207387-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Barb\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk => C:\Windows\pss\Acrobat Assistant.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Barb^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Funny.exe => C:\Windows\pss\Funny.exe.Startup
MSCONFIG\startupreg: BTMTrayAgent => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
MSCONFIG\startupreg: HP OfficeJet Pro 8720 (NET) => "C:\Program Files\HP\HP OfficeJet Pro 8720\Bin\ScanToPCActivationApp.exe" -deviceID "CN63OAK0NB:NW" -scfn "HP OfficeJet Pro 8720 (NET)" -AutoStart 1
MSCONFIG\startupreg: IMSS => "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe" 60
MSCONFIG\startupreg: Malwarebytes Anti-Exploit => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
MSCONFIG\startupreg: QlbCtrl.exe => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
MSCONFIG\startupreg: RtsCM => RTSCM64.EXE
MSCONFIG\startupreg: SmartAudio => C:\Program Files\Conexant\SA3\HP-NB-AIO\SACpl.exe /sa3 /nv:3.0+ /uid:HP-NB-AIO /s /dne
MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
 
==================== Restore Points =========================
 
08-02-2017 14:17:37 Scheduled Checkpoint
12-02-2017 19:57:20 Restore Point Created by FRST
13-02-2017 18:22:38 Restore Point Created by FRST
14-02-2017 19:04:16 Windows Update
15-02-2017 18:27:20 Restore Operation
17-02-2017 17:30:02 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
Name: 
Description: 
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/17/2017 05:42:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/17/2017 05:34:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/17/2017 05:30:07 PM) (Source: VSS) (EventID: 12305) (User: )
Description: Volume Shadow Copy Service error: Volume/disk not connected or not found.
Error context: DeviceIoControl(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 - 0000000000000148,0x00530190,0000000000000000,0,00000000003CC040,4096,[0]).
 
 
Operation:
   Query Shadow Copies
 
Error: (02/17/2017 05:24:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/17/2017 05:20:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/16/2017 08:40:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
Error: (02/16/2017 08:27:31 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/16/2017 08:27:30 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/16/2017 08:27:30 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\ThumbsPlus 10\Bin\Thumbs10.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
 
Error: (02/16/2017 08:27:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
 
 
System errors:
=============
Error: (02/17/2017 05:42:16 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (02/17/2017 05:34:05 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (02/17/2017 05:24:31 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
cdrom
 
Error: (02/17/2017 05:24:11 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.
 
Module Path: C:\Windows\System32\IWMSSvc.dll
 
Error: (02/17/2017 05:24:11 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.
 
Module Path: C:\Windows\System32\IWMSSvc.dll
 
Error: (02/17/2017 05:24:11 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.
 
Module Path: C:\Windows\System32\IWMSSvc.dll
 
Error: (02/17/2017 05:24:10 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.
 
Module Path: C:\Windows\System32\IWMSSvc.dll
 
Error: (02/17/2017 05:23:50 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: 
An instance of the service is already running.
 
Error: (02/17/2017 05:23:21 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (02/17/2017 05:23:21 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Software Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-6600U CPU @ 2.60GHz
Percentage of memory in use: 18%
Total physical RAM: 8072.59 MB
Available physical RAM: 6547.39 MB
Total Virtual: 16143.37 MB
Available Virtual: 14563.07 MB
 
==================== Drives ================================
 
Drive c: (DRIVE_C) (Fixed) (Total:698.54 GB) (Free:573.11 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: FF382DB0)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=698.5 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

  • 0

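Reading an Addition.txt like the one posted above by eye is error-prone; the block below is an added triage helper (not part of FRST, of this thread, or of the poster's own material) that splits the report into its "====" sections and flags the weak settings visible in this log: UAC turned off (EnableLUA 0 with silent admin elevation), Windows Firewall disabled, and a bare executable sitting in a user's Startup folder. The sample text is constructed from lines of the posted log; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Sample constructed from lines of the Addition.txt posted above (not a live report).
SAMPLE_ADDITION = r"""
==================== Other Areas ============================
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acrobat Assistant.lnk => C:\Windows\pss\Acrobat Assistant.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Barb^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Funny.exe => C:\Windows\pss\Funny.exe.Startup
MSCONFIG\startupreg: RtsCM => RTSCM64.EXE
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")              # "==== Section name ===="
POLICY_RE = re.compile(r"\((\w+): (\d+)\)")             # "(EnableLUA: 0)"
STARTUP_RE = re.compile(r"^MSCONFIG\\startupfolder: (.+?) => ")
EXEC_EXT = (".exe", ".bat", ".cmd", ".vbs", ".js", ".scr", ".ps1")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": weakens the machine right now; "review": needs a human look
    key: str
    detail: str


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-empty lines under the '==== Name ====' header they follow."""
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip().rstrip(":")
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def check_uac(lines: list[str]) -> list[Finding]:
    findings = []
    for line in lines:
        if "Policies\\System =>" not in line:   # the UAC policy line FRST prints
            continue
        policy = {k: int(v) for k, v in POLICY_RE.findall(line)}
        if policy.get("EnableLUA") == 0:
            findings.append(Finding("high", "uac_disabled",
                                    "EnableLUA=0: UAC off, admin processes run fully elevated"))
        if policy.get("ConsentPromptBehaviorAdmin") == 0:
            findings.append(Finding("high", "uac_silent_elevation",
                                    "ConsentPromptBehaviorAdmin=0: elevation without any prompt"))
    return findings


def check_firewall(lines: list[str]) -> list[Finding]:
    return [Finding("high", "firewall_disabled", line)
            for line in lines if line.lower().startswith("windows firewall is disabled")]


def check_startup_folder(lines: list[str]) -> list[Finding]:
    """Flag executables (rather than .lnk shortcuts) placed straight into a Startup folder."""
    findings = []
    for line in lines:
        match = STARTUP_RE.match(line)
        if not match:
            continue
        path = match.group(1).replace("^", "\\")  # FRST prints '^' for path separators here
        name = path.rsplit("\\", 1)[-1]
        if name.lower().endswith(EXEC_EXT):
            scope = "per-user" if "\\Users\\" in path else "all-users"
            findings.append(Finding("review", "startup_executable",
                                    f"{name} sits directly in the {scope} Startup folder; identify it"))
    return findings


def triage(text: str) -> list[Finding]:
    sections = split_sections(text)
    other = sections.get("Other Areas", [])
    msconfig = sections.get("MSCONFIG/TASK MANAGER disabled items", [])
    return check_uac(other) + check_firewall(other) + check_startup_folder(msconfig)


if __name__ == "__main__":
    for f in triage(SAMPLE_ADDITION):
        print(f"[{f.severity}] {f.key}: {f.detail}")
```

Feed it a real Addition.txt with `triage(open(path, encoding="utf-8").read())`; any "high" finding here is something to re-enable before the machine is considered clean.
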
#82
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
A few items to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\AtStart.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\DSwitch.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\QSwitch.txt
2017-02-16 19:17 - 2017-02-16 19:26 - 00000000 ____D C:\Qoobox
2017-02-16 19:17 - 2017-02-16 20:02 - 00000000 ___SD C:\32788R22FWJFW
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

  • 0

#83
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Fix result of Farbar Recovery Scan Tool (x64) Version: 18-02-2017
Ran by Barb (17-02-2017 18:01:46) Run:3
Running from C:\Users\Barb\Desktop
Loaded Profiles: Barb (Available Profiles: Barb)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
CloseProcesses:
CreateRestorePoint:
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\AtStart.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\DSwitch.txt
2016-07-09 16:47 - 2016-07-09 16:47 - 0000000 _____ () C:\Users\Barb\AppData\Local\QSwitch.txt
2017-02-16 19:17 - 2017-02-16 19:26 - 00000000 ____D C:\Qoobox
2017-02-16 19:17 - 2017-02-16 20:02 - 00000000 ___SD C:\32788R22FWJFW
Emptytemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
C:\Users\Barb\AppData\Local\AtStart.txt => moved successfully
C:\Users\Barb\AppData\Local\DSwitch.txt => moved successfully
C:\Users\Barb\AppData\Local\QSwitch.txt => moved successfully
C:\Qoobox => moved successfully
C:\32788R22FWJFW => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7793814 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 2558156 B
Edge => 0 B
Chrome => 64283828 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
Barb => 3937400 B
 
RecycleBin => 49716 B
EmptyTemp: => 83 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 18:01:52 ====

  • 0

#84
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
I'd like to run Combofix again. Combofix needs to be on the desktop; it's best to run it in normal mode.
  • 0

#85
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Okay, again I have a blue "Administrator" screen and an error message telling me the product has expired and asking if I want to run it in Reduced Functionality mode. 

 

I'm running in Full Windows. 


  • 0

#86
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Others have had that issue; not sure how to resolve it.
https://www.bleeping...updated-lately/

Let's skip it for now. That was a fresh download of Combofix, correct?
  • 0

#87
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Yes, a fresh download from the 1st of the 3 links you sent me originally. 


  • 0

#88
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Originally I thought the issue was safe mode. I don't want to fool with Combofix or force it.

Run a Bitdefender scan and post the log/report even if it does not find anything.

https://www.bitdefen...nline/free.html

It should run quickly.
  • 0

#89
HALlives

HALlives

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

Please follow the link you sent me. 

 

There are 2 "Start Scanner" buttons on the page. 

 

The top one doesn't appear to do anything. 

 

The bottom one is blocked in Chrome; it says it's a Facebook page or redirection. 


  • 0

#90
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
The top scan ran for me.

You’re Good To Go! No Active Viruses Found.
Keep your computer clean with Bitdefender Internet Security!


Those were the results.

Skip it if it's an issue, I'm running out of ideas.
  • 0