Error Hard Drive Safety Delete

#1 bytesize (Member, 33 posts)

Friend's FF browser got redirected to a page with a message from Microsoft with a telephone number and various buttons to click for help. The message was "error hard drive safety delete". After numerous attempts at clicking and trying to close the window, he called me. He closed the page using Task Manager and switched off internet access; he then ran a full scan with McAfee Antivirus Plus with no results found.


The computer is now with me, I ran a Malwarebytes Premium scan and nothing was found. Any help is much appreciated, thanks for your time and effort.


Here are the requested logs:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-03-2017
Ran by Eddie (administrator) on DELL (08-03-2017 14:43:38)
Running from C:\Users\Eddie\Desktop
Loaded Profiles: Eddie (Available Profiles: Eddie)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(OSBASE) C:\Windows\System32\ddmgr.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
() C:\Windows\System32\flvga_tray.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(Realtek) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe
(Realtek Semiconductor Corp.) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\VSCore_15_6\mcapexe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\2.3.290.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\McAfee\MQS\QcShm.exe
(McAfee, Inc.) C:\Program Files\McAfee\MQS\QcShm.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan\mcods.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Platform\Core\mchost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DBRMTray] => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [flvga_tray64] => C:\Windows\system32\flvga_tray.exe [419328 2015-12-07] ()
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{CCEB5E90-4E48-420A-A652-21003662E153}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{DEF3CE53-0BEA-4FEB-BCF9-3A58AEA0EBF4}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-3631865646-3207491450-1134192123-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/
HKU\S-1-5-21-3631865646-3207491450-1134192123-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-02-22] (McAfee, Inc.)
BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-22] (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-02-22] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-02-22] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll [2017-02-10] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll [2017-02-10] (McAfee, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\g6p9p80w.default [2017-03-08]
FF NewTab: Mozilla\Firefox\Profiles\g6p9p80w.default -> www.google.co.uk
FF Homepage: Mozilla\Firefox\Profiles\g6p9p80w.default -> hxxps://www.google.co.uk/
FF Extension: (Firefox Hotfix) - C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\g6p9p80w.default\Extensions\[email protected] [2016-09-01]
FF Extension: (Adblock Plus) - C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\g6p9p80w.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF Extension: (SHA-1 deprecation staged rollout) - C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\g6p9p80w.default\features\{4a7d69c6-f473-4e1a-b5b5-a8e3908b36e6}\[email protected] [2017-03-03]
FF Extension: (McAfee WebAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2016-05-24]
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_221.dll [2017-03-07] ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2017-02-10] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-03-07] ()
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2017-02-10] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ClientAnalyticsService; C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe [1747800 2017-02-16] (Intel Security)
R2 ddmgr; C:\Windows\system32\ddmgr.exe [1659040 2015-12-07] (OSBASE)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2016-12-09] (McAfee, Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [188352 2017-02-22] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\Common Files\McAfee\VSCore_15_6\McApExe.exe [989632 2017-01-23] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2016-12-09] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\2.3.290.0\\McCSPServiceHost.exe [2054080 2017-02-04] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2016-12-09] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2016-12-09] (McAfee, Inc.)
R3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [1342904 2017-02-01] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2016-12-09] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2016-12-09] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [241040 2016-11-14] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [383032 2016-11-14] (McAfee, Inc.)
R3 mfevtp; C:\Windows\system32\mfevtps.exe [342768 2016-11-14] (McAfee, Inc.)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1465840 2016-12-22] (McAfee, Inc.)
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1104304 2016-11-15] (Intel Security, Inc.)
R2 RealtekDU; C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtlService.exe [36864 2010-04-16] (Realtek) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 klvssbrigde64; "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 16.0.1\x64\vssbridge64.exe" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [88456 2016-11-18] (McAfee, Inc.)
R4 ddkmd; C:\Windows\system32\drivers\ddkmd.sys [254456 2015-12-07] (OSBASE) [File not signed]
R0 ddkmdldr; C:\Windows\System32\drivers\ddkmdldr.sys [16888 2015-12-07] (OSBASE) [File not signed]
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77408 2017-02-24] ()
S3 FLxHCIv; C:\Windows\System32\Drivers\FLxHCIv.sys [194184 2015-12-07] ()
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [216704 2016-08-02] (McAfee, Inc.)
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [186304 2017-03-08] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [111544 2017-03-08] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2017-03-08] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [251840 2017-03-08] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [82208 2017-03-08] (Malwarebytes)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [484576 2016-11-18] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [366320 2016-11-18] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [518184 2016-11-18] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [916432 2016-11-18] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [498152 2016-10-24] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109336 2016-10-24] (McAfee, Inc.)
R3 mfeplk; C:\Windows\System32\drivers\mfeplk.sys [110248 2016-11-18] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [46240 2016-06-06] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [254800 2016-11-18] (McAfee, Inc.)
R3 RTL8192cu; C:\Windows\System32\DRIVERS\rtwlanu.sys [1043560 2016-03-22] (Realtek Semiconductor Corporation                           )
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2013-07-01] (Microsoft Corporation) [File not signed]
S3 usbuhci; C:\Windows\system32\drivers\usbuhci.sys [30720 2013-07-01] (Microsoft Corporation) [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-08 14:43 - 2017-03-08 14:44 - 00012594 _____ C:\Users\Eddie\Desktop\FRST.txt
2017-03-08 14:43 - 2017-03-08 14:43 - 00000000 ____D C:\FRST
2017-03-08 14:41 - 2017-03-08 14:41 - 02423808 _____ (Farbar) C:\Users\Eddie\Desktop\FRST64.exe
2017-03-08 13:11 - 2017-03-08 13:13 - 00082208 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-03-08 13:11 - 2017-03-08 13:11 - 00251840 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-08 13:11 - 2017-03-08 13:11 - 00186304 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-03-08 13:11 - 2017-03-08 13:11 - 00111544 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-03-08 13:11 - 2017-03-08 13:11 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-03-08 13:11 - 2017-03-08 13:11 - 00001869 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-03-08 13:11 - 2017-03-08 13:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-03-08 13:11 - 2017-03-08 13:11 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-03-08 13:11 - 2017-03-08 13:11 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-08 13:11 - 2017-02-24 06:23 - 00077408 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-03-08 13:06 - 2017-03-08 13:08 - 57131432 _____ (Malwarebytes ) C:\Users\Eddie\Downloads\mb3-setup-consumer-3.0.6.1469-1075.exe
2017-03-07 23:39 - 2017-03-07 23:39 - 00002162 _____ C:\Users\Public\Desktop\REALTEK 11n USB Wireless LAN Utility.lnk
2017-03-07 23:39 - 2017-03-07 23:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\REALTEK 11n USB Wireless LAN Utility
2017-03-07 23:39 - 2017-03-07 23:39 - 00000000 ____D C:\Program Files (x86)\Cisco
2017-03-07 23:38 - 2017-03-07 23:38 - 00000000 ____D C:\Program Files (x86)\REALTEK
2017-03-07 23:38 - 2016-03-22 06:15 - 01043560 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\RTWlanU.sys
2017-03-07 23:38 - 2011-11-25 09:15 - 00165888 _____ C:\Windows\SysWOW64\ihvwapi.dll
2017-03-07 23:38 - 2011-11-25 09:15 - 00072704 _____ (TODO: <Company name>) C:\Windows\SysWOW64\ihvwapiui.dll
2017-03-07 23:38 - 2011-08-17 09:10 - 01097728 _____ (The OpenSSL Project, hxxp://www.openssl.org/) C:\Windows\SysWOW64\libeay32.dll
2017-03-07 23:38 - 2010-12-01 09:31 - 00451072 _____ C:\Windows\SysWOW64\ISSRemoveSP.exe
2017-03-07 23:38 - 2009-04-02 10:27 - 00188416 _____ (Realtek Semiconductor Corp. ) C:\Windows\SysWOW64\RTLExtUI.dll
2017-03-07 23:38 - 2009-03-31 14:31 - 00380928 _____ (Realtek) C:\Windows\RtlUI2.exe
2017-03-07 23:38 - 2009-01-05 20:31 - 00000901 _____ C:\Windows\RtlUI2.exe.manifest
2017-03-07 23:38 - 2008-07-01 12:31 - 00614400 _____ (Realtek Semiconductor Corp. ) C:\Windows\SysWOW64\Rtlihvs.dll
2017-03-07 17:45 - 2017-03-08 14:43 - 00003860 _____ C:\Windows\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2017-03-07 17:45 - 2017-03-07 23:47 - 00004034 _____ C:\Windows\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-08 14:39 - 2016-11-18 15:24 - 00000000 ____D C:\Users\Eddie\AppData\LocalLow\Mozilla
2017-03-08 13:56 - 2009-07-14 04:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-08 13:56 - 2009-07-14 04:45 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-08 13:42 - 2016-05-08 12:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-08 13:42 - 2014-06-25 18:59 - 00000000 ____D C:\Users\Eddie\AppData\Local\Adobe
2017-03-08 13:42 - 2014-02-13 14:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-08 13:02 - 2014-02-21 13:51 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-03-08 13:02 - 2009-07-14 05:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-07 23:47 - 2013-10-31 10:02 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-07 23:47 - 2013-10-31 10:02 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-07 23:47 - 2013-10-31 10:02 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-07 23:47 - 2013-10-31 10:02 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-07 23:39 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\inf
2017-03-07 23:38 - 2013-10-31 10:04 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2017-03-07 17:48 - 2017-01-16 10:41 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-03-07 17:47 - 2017-01-16 10:46 - 00003068 _____ C:\Windows\System32\Tasks\McAfeeLogon
2017-03-07 17:47 - 2017-01-16 10:46 - 00000000 ____D C:\Windows\System32\Tasks\McAfee
2017-02-24 12:33 - 2016-03-12 12:56 - 00000000 ____D C:\Users\Eddie\Desktop\home insurance
2017-02-23 20:49 - 2014-02-13 15:34 - 00000000 ____D C:\Windows\system32\MRT
2017-02-23 20:47 - 2014-02-13 15:34 - 138020592 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-02-19 16:46 - 2014-04-26 11:10 - 00000000 ____D C:\ProgramData\McAfee
2017-02-16 22:12 - 2017-01-16 10:44 - 00000000 ____D C:\Program Files (x86)\McAfee
2017-02-08 13:44 - 2017-01-16 10:44 - 00003348 _____ C:\Windows\System32\Tasks\McAfee Remediation (Prepare)

==================== Files in the root of some directories =======

2014-10-29 16:15 - 2014-10-29 16:15 - 0004096 ____H () C:\Users\Eddie\AppData\Local\keyfile3.drm
2016-05-26 15:42 - 2016-05-26 15:42 - 0000017 _____ () C:\Users\Eddie\AppData\Local\resmon.resmoncfg

Some files in TEMP:
====================
2016-10-17 13:09 - 2016-10-17 13:09 - 0243320 _____ (McAfee, Inc.) C:\Users\Eddie\AppData\Local\Temp\McCSPInstall.dll
2007-08-31 11:12 - 2007-08-31 11:12 - 0460248 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_is321D.exe
2007-09-01 05:12 - 2007-09-01 05:12 - 0460248 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_is32C4.exe
2007-06-22 00:10 - 2007-06-22 00:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_is3A47.exe
2006-05-25 02:10 - 2006-05-25 02:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_is4E83.exe
2007-06-22 18:10 - 2007-06-22 18:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_isA0E1.exe
2006-05-25 02:10 - 2006-05-25 02:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_isA70D.exe
2014-04-29 11:54 - 2014-02-13 13:39 - 0455600 _____ (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_isB1B1.exe
2006-05-25 11:10 - 2006-05-25 11:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_isBF1B.exe
2007-08-31 11:12 - 2007-08-31 11:12 - 0460248 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_isC383.exe
2006-05-25 20:10 - 2006-05-25 20:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_isC6F.exe
2007-06-22 00:10 - 2007-06-22 00:10 - 0455600 ____R (Macrovision Corporation) C:\Users\Eddie\AppData\Local\Temp\_isE4D8.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-04 16:02

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-03-2017
Ran by Eddie (08-03-2017 14:44:34)
Running from C:\Users\Eddie\Desktop
Windows 7 Professional Service Pack 1 (X64) (2014-02-13 13:15:41)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3631865646-3207491450-1134192123-500 - Administrator - Disabled)
Eddie (S-1-5-21-3631865646-3207491450-1134192123-1000 - Administrator - Enabled) => C:\Users\Eddie
Guest (S-1-5-21-3631865646-3207491450-1134192123-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3631865646-3207491450-1134192123-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {8BCDACFA-D264-3528-5EF8-E94FD0BC1FBC}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {30AC4D1E-F45E-3AA6-6448-D23DAB3B5501}
FW: McAfee Firewall (Enabled) {B3F62DDF-980B-3470-75A7-407A2E6F58C7}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABBYY FineReader 6.0 Sprint (HKLM-x32\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1395.4512 - ABBYY Software House)
Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.221 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Conexant SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.50.8.0 - Conexant)
Dell Backup and Recovery Manager (HKLM\...\{50B4B603-A4C6-4739-AE96-6C76A0F8A388}) (Version: 1.3.1 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Epson Easy Photo Print 2 (HKLM-x32\...\{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}) (Version: 2.1.0.0 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - )
Epson Stylus SX210_SX410_TX210_TX410 Manual (HKLM-x32\...\Epson Stylus SX210_SX410_TX210_TX410 User’s Guide) (Version:  - )
EPSON SX410 Series Printer Uninstall (HKLM\...\EPSON SX410 Series) (Version:  - SEIKO EPSON Corporation)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1351 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.220 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{6199B534-A1B6-46ED-873B-97B0ECF8F81E}) (Version: 1.23.216.0 - Intel Corporation)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
McAfee AntiVirus Plus (HKLM-x32\...\MSC) (Version: 14.0.12000 - McAfee, Inc.)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.235 - McAfee, Inc.)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM-x32\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 52.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0 (x86 en-US)) (Version: 52.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.0.6270 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
REALTEK Wireless LAN Driver and Utility (HKLM-x32\...\{9C049499-055C-4a0c-A916-1F65424F45EB}) (Version: 1.00.0180 - REALTEK Semiconductor Corp.)
Serif DrawPlus Starter Edition (HKLM-x32\...\{33311EA4-0ECA-4E7F-83E5-8A92CD760152}) (Version: 2.0.2.010 - Serif (Europe) Ltd)
Sky Go Desktop (HKU\S-1-5-21-3631865646-3207491450-1134192123-1000\...\2508210495.go.sky.com) (Version:  - go.sky.com)
Thin2000 USB Display Adapter (HKLM\...\{BA661C83-7D34-4DF8-A31F-2139C1D72B1C}) (Version: 1.1.316.0 - Fresco Logic)
TP-LINK Wireless Client Utility (HKLM-x32\...\{7A2A107B-9695-423F-9462-8F17C178BD35}) (Version: 7.0 - TP-LINK)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {111F0BE2-0A83-4C7C-BFEA-D4BB74E544F2} - System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\1.50.1291.1\mcdatrep.exe [2017-03-07] (McAfee, Inc.)
Task: {1D2D26FB-13D4-4BFC-AB85-BAA99BFC91E1} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe [2016-12-09] (McAfee, Inc.)
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {494E53E0-BC60-4C5E-B015-F0D9424AD6D1} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {5B5ED4BE-5DB4-4A2E-AFF3-C397C1C5D548} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {67C59A98-0975-4C0D-BC85-5E23C19BED38} - System32\Tasks\Kaspersky_Upgrade_Launcher_{278ADC42-419D-4547-A6CA-5B74BE0AD901} => C:\Program Files\Common Files\AV\Kaspersky Lab\upgrade_launcher.exe [2015-11-12] (AO Kaspersky Lab)
Task: {98BCA78A-EE43-420F-A0B2-6EAE8F33EA59} - System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\1.50.1291.1\mcdatrep.exe [2017-03-07] (McAfee, Inc.)
Task: {A7469D09-1756-4C58-8109-EAAEFD252DE6} - System32\Tasks\McAfee\McAfee Idle Detection Task
Task: {AAD65EB1-4F5A-42A1-916C-EFADBC50DA10} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-04-22] (Adobe Systems Incorporated)
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {AF8E5E99-F05E-47E6-A2F8-9AA00F82A837} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-03-07] (Adobe Systems Incorporated)
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {EE53A167-6087-475B-A68D-3CDDED69B013} - \Microsoft\Windows\Setup\UpgradeTriggers\UpgradeReminderTask -> No File <==== ATTENTION
Task: {F84BC511-0AC6-4B17-BE8C-931497A561AD} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2016-12-15] (McAfee, Inc.)
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\Network Shortcuts\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.co

==================== Loaded Modules (Whitelisted) ==============

2015-12-07 08:15 - 2015-12-07 08:15 - 00419328 _____ () C:\Windows\System32\flvga_tray.exe
2017-03-08 13:11 - 2017-02-24 06:23 - 02264352 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2017-03-08 13:11 - 2017-02-24 06:23 - 02264528 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-03-07 23:38 - 2011-07-14 11:32 - 00446464 _____ () C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\EnumDevLib.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ModuleCoreService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ModuleCoreService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 02:34 - 2009-06-10 21:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3631865646-3207491450-1134192123-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AVP16.0.0 => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: EPSON_EB_RPCV4_01 => 2
MSCONFIG\Services: EPSON_PM_RPCV4_01 => 2
MSCONFIG\Services: IAStorDataMgrSvc => 2
MSCONFIG\Services: Intel® Capability Licensing Service Interface => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: UNS => 2
MSCONFIG\Services: vssbrigde64 => 3
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: DBRMTray => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe
MSCONFIG\startupreg: EPSON SX410 Series => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFCE.EXE /FU "C:\Windows\TEMP\E_SB404.tmp" /EF "HKCU"
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: IAStorIcon => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: IMSS => "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{7D497B30-B5B9-4B2E-BE52-80A1B31BA62E}] => (Allow) C:\Program Files (x86)\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe
FirewallRules: [{741EA72A-428C-464E-8EDE-FA3CE458D6B5}] => (Allow) C:\Program Files (x86)\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe
FirewallRules: [TCP Query User{58FD11C6-2A37-4D57-87A6-BDCBF04C94FB}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{529B52EC-1C0F-4449-8B2A-30B76E57F48A}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{259FBEE8-38E4-4B2D-880C-7DDA44A60B3F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6ADB7F32-8035-4E9D-8F13-8A0D35A450E3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{79A9EB39-E084-4A2E-81D1-1519ED7022E2}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{C3895048-7F66-4ED2-B368-03D40A184BA9}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{C72581D8-45A9-454D-A58B-F8E44843E8E1}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{AEF1CD72-353D-4232-9533-7C169C1658D8}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
FirewallRules: [{DCAD6A22-D1D5-4C9A-882C-0EC3F69CA2ED}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
FirewallRules: [{A641E685-FBDA-4457-B76A-F693DDFB306A}] => (Allow) LPort=1542
FirewallRules: [{F053692C-CE7B-4213-9DA2-5B5AE9FCBFC6}] => (Allow) LPort=1542
FirewallRules: [{61C25B7E-A460-403B-AE0C-36F3976788A5}] => (Allow) LPort=53
FirewallRules: [{5DC8B8B7-D95F-4370-AB76-84457A612EE0}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{9B633C90-3460-47A4-875D-80B09EA0E462}] => (Allow) C:\Program Files (x86)\REALTEK\11n USB Wireless LAN Utility\RTLDHCP.exe
FirewallRules: [{2CA0D1DA-1161-45DF-AAA6-34B705B2D7BF}] => (Allow) LPort=67
FirewallRules: [{F7ABF902-A19E-4514-A9E1-AC3EEFECC7B3}] => (Allow) LPort=68
FirewallRules: [{8780A08B-79DF-49D6-92CC-08ACF7E935BF}] => (Allow) LPort=53
FirewallRules: [{50E4E72F-6D4C-454E-B7C9-2516355F068C}] => (Allow) LPort=53

==================== Restore Points =========================

19-01-2017 16:54:21 Scheduled Checkpoint
27-01-2017 15:57:30 Scheduled Checkpoint
04-02-2017 14:06:54 Scheduled Checkpoint
16-02-2017 21:23:51 Scheduled Checkpoint
23-02-2017 20:46:20 Windows Update
03-03-2017 14:09:01 Scheduled Checkpoint
07-03-2017 23:37:52 Installed REALTEK 11n USB Wireless LAN Driver and Utility

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/08/2017 01:04:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/07/2017 11:42:39 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/07/2017 11:37:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/07/2017 11:32:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/07/2017 05:53:13 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/07/2017 05:48:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: McApExe.exe, version: 6.0.3031.0, time stamp: 0x58861172
Faulting module name: McVsoShl.dll, version: 19.0.3060.0, time stamp: 0x585329df
Exception code: 0xc0000005
Fault offset: 0x000000000007eb40
Faulting process id: 0xdf8
Faulting application start time: 0x01d2976af82e85ea
Faulting application path: C:\Program Files\Common Files\McAfee\VSCore_15_6\McApExe.exe
Faulting module path: C:\Program Files\McAfee\VirusScan\McVsoShl.dll
Report Id: 37023b6d-035e-11e7-af16-a41f72783b6a

Error: (03/07/2017 05:39:04 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/07/2017 04:51:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: McApExe.exe, version: 6.0.3030.0, time stamp: 0x587fe339
Faulting module name: McVsoShl.dll, version: 19.0.3060.0, time stamp: 0x585329df
Exception code: 0xc0000005
Fault offset: 0x000000000007eb40
Faulting process id: 0xcac
Faulting application start time: 0x01d29762fefba5fc
Faulting application path: C:\Program Files\Common Files\McAfee\VSCore_15_6\McApExe.exe
Faulting module path: C:\Program Files\McAfee\VirusScan\McVsoShl.dll
Report Id: 3eb640f9-0356-11e7-b7bd-a41f72783b6a

Error: (03/07/2017 04:42:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: McApExe.exe, version: 6.0.3030.0, time stamp: 0x587fe339
Faulting module name: McVsoShl.dll, version: 19.0.3060.0, time stamp: 0x585329df
Exception code: 0xc0000005
Fault offset: 0x000000000007eb40
Faulting process id: 0x59c
Faulting application start time: 0x01d29761d8695c14
Faulting application path: C:\Program Files\Common Files\McAfee\VSCore_15_6\McApExe.exe
Faulting module path: C:\Program Files\McAfee\VirusScan\McVsoShl.dll
Report Id: 16c60cc8-0355-11e7-b7bd-a41f72783b6a

Error: (03/07/2017 04:41:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (03/08/2017 01:02:28 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126

Error: (03/07/2017 11:40:57 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126

Error: (03/07/2017 11:39:23 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The RealtekDU service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (03/07/2017 11:39:13 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126

Error: (03/07/2017 11:39:07 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\Rtlihvs.dll
Error Code: 126

Error: (03/07/2017 05:49:06 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee AP Service service, but this action failed with the following error:
An instance of the service is already running.

Error: (03/07/2017 05:48:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (03/07/2017 05:48:55 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.

Error: (03/07/2017 05:48:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (03/07/2017 05:48:55 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.


CodeIntegrity:
===================================
  Date: 2014-10-15 11:03:39.847
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-15 11:03:39.847
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-15 11:03:39.847
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-15 11:03:39.832
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-15 11:03:39.832
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-15 11:03:39.832
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-14 15:14:28.469
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-14 15:14:28.469
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-14 15:14:28.469
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-14 15:14:28.454
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Pentium® CPU G2020 @ 2.90GHz
Percentage of memory in use: 45%
Total physical RAM: 3967.55 MB
Available physical RAM: 2165.64 MB
Total Virtual: 7933.28 MB
Available Virtual: 5397.99 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:456.5 GB) (Free:403.79 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 2566B9A3)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=9.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=456.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 




#2
RKinner

    Malware Expert

  • Expert
  • 20,002 posts
  • MVP

I don't see any malware (other than that sorry McAfee).  Generally there is none.  It's just a hijacked webpage trying to run a scam.  Closing it with Task Manager is the way to go.  If you fire up Firefox you don't see anything do you?

 

It could use a new Realtek wireless driver.  

 

Wouldn't hurt to run sfc and see if it finds anything that needs fixing.

 

 
Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next, click on the arrow in front of Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.
 
Reboot. 
 
Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).
sfc  /scannow
 
(This will check your critical system files. Does this finish without complaint?  IF it says it couldn't fix everything then:
 
Copy the next two lines:
 

findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt 

notepad \windows\logs\cbs\junk.txt 
 
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Copy and paste the text from notepad or if it is too big, just attach the file.)
 
 
1. Please download the Event Viewer Tool by Vino Rosso
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)
 
 
We can also run aswMBR to make sure no rootkit is hiding:
 

 
 
Download aswMBR.exe  to your desktop.
The link is a direct download so the page won't change.
 
Right click the aswMBR.exe and select Run As Administrator to run it
Wait until the AV Scan shows up at the bottom left.
Change AV Scan: from Quick Scan to  C:\
Click the "Scan" button to start scan
If it asks you to allow the Avast engine to download then say Yes.  It will take a while to finish.  
On completion of the scan (Note if the Fix button is enabled and tell me but do not push any buttons) click save log, save it to your desktop and post in your next reply
 
If it crashes then try it again but uncheck Trace Disk IO Calls before hitting Scan.
 
You can also try Rogue Killer:

 
  • Download RogueKiller  and save it on your desktop.  
  • Quit all programs 
  • Start RogueKiller.exe. 
  • Wait until Prescan has finished ...  
  • Click on Scan
  • Wait for the end of the scan.  
  • Send me the RKreport.txt located on your desktop.
    The instructions are for an earlier version but you should be able to figure it out.

    • 0
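The findstr step in the reply above pulls every [SR] line out of CBS.log and leaves the reader to work out what sfc concluded from a long listing. The following is an added example (not from this thread and not part of sfc or any tool named here) that does the same filtering in Python and then summarises the outcome; the CBS.log excerpts inside it are constructed, with the line shapes following the real format.

```python
"""Summarise the [SR] lines that sfc /scannow writes to CBS.log.

Added example, not part of the original thread or of any tool mentioned in it.
extract_sr_lines() does what  findstr /c:"[SR]" cbs.log  does; summarise_cbs_log()
then groups the result into a verdict: which files were repaired, which could not be.
"""
import re
from dataclasses import dataclass, field

# Constructed sample (not a real log): one file sfc could not repair and one it did.
# Line shape follows CBS.log: timestamp, severity, "CSI", hex sequence, "[SR] ...".
SAMPLE_CBS_LOG = """\
2017-03-09 22:20:01, Info                  CBS    TI: --- Initializing Trusted Installer ---
2017-03-09 22:20:03, Info                  CSI    00000009 [SR] Verifying 100 (0x0000000000000064) components
2017-03-09 22:20:03, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction
2017-03-09 22:20:07, Info                  CSI    0000000b [SR] Cannot repair member file [l:20{10}]"opencl.dll" of Example-Component, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2017-03-09 22:20:09, Info                  CSI    0000000c [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\\??\\C:\\Windows\\System32"\\[l:22{11}]"ieframe.dll" from store
2017-03-09 22:20:09, Info                  CSI    0000000d [SR] Repaired file [ml:520{260},l:46{23}]"\\??\\C:\\Windows\\System32"\\[l:22{11}]"ieframe.dll" by copying from backup
2017-03-09 22:20:12, Info                  CSI    0000000e [SR] Verify complete
2017-03-09 22:20:12, Info                  CSI    0000000f [SR] Repair complete
"""

# Constructed sample of a clean run, the outcome reported later in this thread.
SAMPLE_CLEAN_LOG = """\
2017-03-09 22:25:03, Info                  CSI    00000009 [SR] Verifying 100 (0x0000000000000064) components
2017-03-09 22:25:03, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction
2017-03-09 22:25:12, Info                  CSI    0000000b [SR] Verify complete
2017-03-09 22:25:12, Info                  CSI    0000000c [SR] Repair complete
"""

SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+CSI\s+"
    r"(?P<seq>[0-9a-f]+) \[SR\] (?P<msg>.*)$"
)
# sfc writes names as [l:<bytes>{<chars>}]"name"; a directory token
# ([ml:...,l:...]"dir") may precede the file token, so take the last match.
NAME_TOKEN = re.compile(r'\[(?:ml:\d+\{\d+\},)?l:\d+\{\d+\}\]"([^"]+)"')
VERIFYING = re.compile(r"^Verifying (\d+) \(0x[0-9a-f]+\) components$")


@dataclass
class SfcSummary:
    sr_lines: int = 0
    components_verified: int = 0
    repaired: list = field(default_factory=list)
    unrepaired: list = field(default_factory=list)
    verify_complete: bool = False

    def verdict(self) -> str:
        """Mirror the three outcomes sfc itself reports on the console."""
        if self.sr_lines == 0:
            return "no [SR] entries: sfc /scannow has not logged to this file"
        if self.unrepaired:
            return "corrupt files found, some could not be repaired"
        if self.repaired:
            return "corrupt files found and repaired"
        return "no integrity violations found"


def extract_sr_lines(text: str) -> list:
    """Keep only the [SR] lines, like findstr /c:"[SR]" cbs.log."""
    return [m for m in (SR_LINE.match(ln) for ln in text.splitlines()) if m]


def _add_unique(items: list, name: str) -> None:
    # Real logs repeat the same file on every run; keep one entry per file.
    if name not in items:
        items.append(name)


def summarise_cbs_log(text: str) -> SfcSummary:
    s = SfcSummary()
    for m in extract_sr_lines(text):
        s.sr_lines += 1
        msg = m.group("msg")
        v = VERIFYING.match(msg)
        if v:
            s.components_verified += int(v.group(1))
        elif msg.startswith("Cannot repair member file"):
            names = NAME_TOKEN.findall(msg)
            if names:
                _add_unique(s.unrepaired, names[0])
        elif msg.startswith("Repaired file"):
            names = NAME_TOKEN.findall(msg)
            if names:
                _add_unique(s.repaired, names[-1])
        elif msg == "Verify complete":
            s.verify_complete = True
    return s


if __name__ == "__main__":
    for label, log in (("damaged", SAMPLE_CBS_LOG), ("clean", SAMPLE_CLEAN_LOG)):
        summary = summarise_cbs_log(log)
        print(f"{label}: {summary.verdict()}")
        print(f"  verified={summary.components_verified} repaired={summary.repaired} "
              f"unrepaired={summary.unrepaired}")
```

On a real machine, replace the samples with `open(r"C:\Windows\Logs\CBS\CBS.log", encoding="utf-8", errors="replace").read()` run from an elevated prompt.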

    #3
    bytesize

      Member

    • Topic Starter
    • Member
    • 33 posts

    Hi RKinner, thanks for your reply. I have done as you asked and posted the results; I hope I have done everything correctly. Let me know if you need anything else.

     

    Ran sfc /scannow

     

    Result - Windows Resource Protection did not find any integrity violations

     

    Ran Event Viewer

     

    Here are logs -

     

    Vino's Event Viewer v01c run on Windows 2008 in English
    Report run at 09/03/2017 22:25:08

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 09/03/2017 21:01:47
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The McAfee Platform Services service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 09/03/2017 21:01:47
    Type: Error Category: 0
    Event: 7009 Source: Service Control Manager
    A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.

    Log: 'System' Date/Time: 09/03/2017 21:01:46
    Type: Error Category: 0
    Event: 7000 Source: Service Control Manager
    The McAfee Platform Services service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.

    Log: 'System' Date/Time: 09/03/2017 21:01:46
    Type: Error Category: 0
    Event: 7009 Source: Service Control Manager
    A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.

    Log: 'System' Date/Time: 09/03/2017 21:01:46
    Type: Error Category: 0
    Event: 10005 Source: Microsoft-Windows-DistributedCOM
    DCOM got error "1053" attempting to start the service mcpltsvc with arguments "" in order to run the server: {20966775-18A4-4299-B8E3-772C336B52A7}

    Log: 'System' Date/Time: 09/03/2017 21:00:43
    Type: Error Category: 0
    Event: 10010 Source: Microsoft-Windows-DistributedCOM
    The server {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 09/03/2017 19:37:38
    Type: Error Category: 0
    Event: 10000 Source: Microsoft-Windows-WLAN-AutoConfig
    WLAN Extensibility Module has failed to start.  Module Path: C:\Windows\system32\Rtlihvs.dll Error Code: 126

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 09/03/2017 20:43:53
    Type: Warning Category: 0
    Event: 1014 Source: Microsoft-Windows-DNS-Client
    Name resolution for the name isatap.home timed out after none of the configured DNS servers responded.

    Log: 'System' Date/Time: 09/03/2017 19:37:50
    Type: Warning Category: 212
    Event: 219 Source: Microsoft-Windows-Kernel-PnP
    The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1#.

    Log: 'System' Date/Time: 09/03/2017 19:37:32
    Type: Warning Category: 0
    Event: 1 Source: RTL8167
    Realtek PCIe GBE Family Controller is disconnected from network.

    Vino's Event Viewer v01c run on Windows 2008 in English
    Report run at 09/03/2017 22:28:35

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 09/03/2017 19:39:24
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     

    Ran aswMBR; the scan completed. The Fix button was not highlighted after the scan, but the FixMBR button was. Here is the log -

     

    aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
    Run date: 2017-03-09 22:32:45
    -----------------------------
    22:32:45.374    OS Version: Windows x64 6.1.7601 Service Pack 1
    22:32:45.374    Number of processors: 2 586 0x3A09
    22:32:45.375    ComputerName: DELL  UserName:
    22:32:46.714    Initialize success
    22:32:46.860    VM: initialized successfully
    22:32:46.861    VM: Intel CPU supported
    22:32:53.743    VM: supported disk I/O iaStor.sys
    22:34:21.650    AVAST engine defs: 17030301
    22:35:34.112    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    22:35:34.112    Disk 0 Vendor: WDC_WD50 19.0 Size: 476940MB BusType: 3
    22:35:34.236    VM: Disk 0 MBR read successfully
    22:35:34.236    Disk 0 MBR scan
    22:35:34.252    Disk 0 Windows VISTA default MBR code
    22:35:34.611    Disk 0 Partition 1 00     DE   Dell Utility DELL 4.1       39 MB offset 63
    22:35:34.642    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS         9442 MB offset 81920
    22:35:34.642    Disk 0 Boot: NTFS     code=1
    22:35:34.673    Disk 0 Partition 3 00     07      HPFS/NTFS NTFS       467457 MB offset 19419136
    22:35:34.782    Disk 0 scanning C:\Windows\system32\drivers
    22:35:47.418    Service scanning
    22:36:13.673    Modules scanning
    22:36:13.673    Disk 0 trace - called modules:
    22:36:13.689    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
    22:36:13.705    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800465f060]
    22:36:13.705    3 CLASSPNP.SYS[fffff88001a0143f] -> nt!IofCallDriver -> [0xfffffa8004142590]
    22:36:13.720    5 ACPI.sys[fffff88000f777a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004147050]
    22:36:14.500    AVAST engine scan C:\
    00:14:12.918    Disk 0 statistics 27680383/0/22550 @ 2.88 MB/s
    00:14:12.918    Scan finished successfully
    00:20:01.532    Disk 0 MBR has been saved successfully to "C:\Users\Eddie\Desktop\MBR.dat"
    00:20:01.532    The log file has been saved successfully to "C:\Users\Eddie\Desktop\aswMBR.txt"

    Finally ran RogueKiller here are results -

     

    RogueKiller V12.9.9.0 (x64) [Feb 27 2017] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.co...ad/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Eddie [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Mode : Scan -- Date : 03/10/2017 10:11:17 (Duration : 00:12:08)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 5 ¤¤¤
    [PUP.Conduit|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Conduit -> Found
    [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3631865646-3207491450-1134192123-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen -> Found
    [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3631865646-3207491450-1134192123-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3631865646-3207491450-1134192123-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3631865646-3207491450-1134192123-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: WDC WD5000AAKX-75U6AA0 +++++
    --- User ---
    [MBR] c80890467043d2749ec3f5f7bc06753f
    [BSP] 44f6af57b099753a3796870d24ca9ca6 : HP MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 9442 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 19419136 | Size: 467457 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    • 0

    #4
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 20,002 posts
    • MVP

    The only thing I see is what Rogue Killer flagged and that's just a PUP and probably just a residual:

     

    [PUP.Conduit|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Conduit -> Found

     

     

    You are still getting an error from Realtek:

    Log: 'System' Date/Time: 09/03/2017 19:37:38
    Type: Error Category: 0
    Event: 10000 Source: Microsoft-Windows-WLAN-AutoConfig
    WLAN Extensibility Module has failed to start.  Module Path: C:\Windows\system32\Rtlihvs.dll Error Code: 126

     

     

    Apparently you can just remove the registry entry which calls for it and things work OK.

     

    https://answers.micr...69-4ed541985de2

    A bunch of errors from McAfee (the rest of the System Errors).  Consider replacing McAfee with any other anti-virus.  I use the free Avast.  Note that McAfee's uninstall is about as poor as their uninstall and you have to run their uninstaller tool to get rid of it.  

    Click on Download then choose the free version.
     
    Download the McAfee Removal tool
    (If you think you might want to reinstall McAfee later then follow the instructions here to save your license info:
    Uninstall McAfee, run the McAfee uninstall tool, reboot.
    Install Avast.
     
    If you want a really good anti-virus scan let Avast do a boot-time scan:
     
    It takes like 6 hours so I usually let it run at night.
     
    Open Avast, Scan, Scan for Viruses, Change the Quick Scan (in the box in the center of the page) to Boot-time Scan.  Then at the bottom of the page click on Scan Settings.
    Set Areas to Scan: to All Harddisks
    Make sure both boxes are checked and click on the gray box to the right of the orange ones.  It should turn orange.  Change where it says "Fix Automatically" to "Move to Chest."  OK.  Now click on Start and then close Avast.  Mute your speakers so it doesn't wake you up when Windows boots.

    When you reboot you will see the scan start.  It will tell you where it saves its log.  Usually it's C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.   This is a hidden location so you will need to tell Windows to let you see it:

    Copy and paste the text from the log to a Reply when done.

    This one is easy:

     

    Log: 'System' Date/Time: 09/03/2017 19:37:50
    Type: Warning Category: 212
    Event: 219 Source: Microsoft-Windows-Kernel-PnP
    The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#058F63626420&1#.

    Search for

    services.msc

    hit Enter

    find  Windows Driver Foundation - User-mode Driver Framework

    right click and select Properties then change Startup Type: from Manual to Automatic.

     

    As is this one:

     

    Log: 'Application' Date/Time: 09/03/2017 19:39:24
    Type: Error Category: 0
    Event: 10 Source: Microsoft-Windows-WMI
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

    • 0
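    The WMI Event 10 entry quoted in the post above names a permanent event filter that WMI could not reactivate (0x80041003 is WBEM_E_ACCESS_DENIED). The PowerShell below is an added example, not part of the thread or of any tool it mentions: it lists the permanent event filters, consumers and filter-to-consumer bindings registered in root\subscription and marks the filter whose query matches the logged one, so the entry can be identified before anything is changed. It only reads; the $eventQuery string is copied from the log entry and the namespace and class names are standard WMI.

```powershell
# Added example (not from the thread): inventory permanent WMI event
# subscriptions and flag the one behind the Event 10 / 0x80041003 entry.
# Read-only. Run from an elevated PowerShell. Get-WmiObject is used instead
# of Get-CimInstance so this also works on PowerShell 2.0 (Windows 7).

# Query text as quoted in the Application log entry in the post above
$eventQuery = 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99'

# Permanent subscriptions live in root\subscription and survive reboots,
# which is also why they are worth a look during a malware clean-up.
$ns = 'root\subscription'
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

# Compare queries with whitespace normalised (-eq is already case-insensitive)
function Normalize-Query([string]$q) { return ($q -replace '\s+', ' ').Trim() }
$wanted = Normalize-Query $eventQuery

"Event filters in $ns ($($filters.Count)):"
foreach ($f in $filters) {
    $flag = ''
    if ((Normalize-Query $f.Query) -eq $wanted) { $flag = '   <-- matches the Event 10 query' }
    "  {0,-20} EventNamespace={1,-12} {2}{3}" -f $f.Name, $f.EventNamespace, $f.Query, $flag
}

"`nEvent consumers ($($consumers.Count)):"
foreach ($c in $consumers) {
    # __CLASS tells you the consumer type, e.g. NTEventLogEventConsumer
    "  {0,-20} type={1}" -f $c.Name, $c.__CLASS
}

"`nBindings (filter -> consumer, $($bindings.Count)):"
foreach ($b in $bindings) {
    "  {0}  ->  {1}" -f $b.Filter, $b.Consumer
}
```

    A filter with no binding, or a binding whose filter or consumer no longer exists, is the kind of leftover that produces the error in the log; which entry to remove, if any, is a decision for the thread's helper, not something the listing does.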

    #5
    bytesize

    bytesize

      Member

    • Topic Starter
    • Member
    • PipPip
    • 33 posts

    Hi

     

    I went to the link you provided for the Realtek error and read through it. I searched through the registry for instances of Rtlihvs.dll to stop the Realtek error, found an entry under ControlSet001 & CurrentControlSet and deleted both. Was that the correct procedure?

     

    I had to uninstall Malwarebytes when installing Avast to allow full protection mode. The instructions you gave for running the Boot-time scan seemed slightly different, but I think I managed. Here is the log:

     

    03/10/2017 15:04
    Scan of C:

    Scan of *STARTUP

    Number of searched folders: 27350
    Number of tested files: 501859
    Number of infected files: 0


    • 0

    #6
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 20,002 posts
    • MVP

    Correct, though probably doing it for CurrentControlSet would have been good enough.

     

    Looks like Avast is happy with the PC.  Avast must have updated again. Seems like every time they do it the boot-time scan procedure changes.  Looks like you got it though.

     

    Let's see what errors we have now:

    Right click on Computer and select Manage.  Then click on the arrow in front of Event Viewer.  Next click on the arrow in front of Windows Logs.  Right click on System and Clear Log, Clear.  Repeat for Application.

    Reboot.

    1. Please download the Event Viewer Tool by Vino Rosso (if you don't already have it)
    and save it to your Desktop:
    2. Right-click VEW.exe and Run AS Administrator
    3. Under 'Select log to query', select:
    * System
    4. Under 'Select type to list', select:
    * Error
    * Warning

    Then use the 'Number of events' as follows:

    1. Click the radio button for 'Number of events'
    Type 20 in the 1 to 20 box
    Then click the Run button.
    Notepad will open with the output log.

    Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)  If you decide to leave Avast on it:
    They have started using their info popup to try and get you to upgrade so I go into Settings, General, Popups and change the first two to 1 second.

    I don't like their Browser Cleanup so I turn it off:
    Settings, Tools, Browser Cleanup (click on the white space to the right of On.)

    The registration is good for 12-14 months then you will need to register again.  They will, of course, try to talk you into buying the product but you can always register again for another year free though it may not be the default.


    • 0

    #7
    bytesize

    bytesize

      Member

    • Topic Starter
    • Member
    • PipPip
    • 33 posts

    Do you recommend any other software to run along with Avast Free edition?

     

    Here are the new logs

     

    Vino's Event Viewer v01c run on Windows 2008 in English
    Report run at 11/03/2017 00:09:27

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 11/03/2017 00:08:08
    Type: Warning Category: 0
    Event: 1 Source: RTL8167
    Realtek PCIe GBE Family Controller is disconnected from network.

    Log: 'System' Date/Time: 11/03/2017 00:07:34
    Type: Warning Category: 0
    Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
    WLAN AutoConfig service has successfully stopped.

    Vino's Event Viewer v01c run on Windows 2008 in English
    Report run at 11/03/2017 00:12:00

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 11/03/2017 00:07:30
    Type: Warning Category: 0
    Event: 1530 Source: Microsoft-Windows-User Profiles Service
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   1 user registry handles leaked from \Registry\User\S-1-5-21-3631865646-3207491450-1134192123-1000:
    Process 1328 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3631865646-3207491450-1134192123-1000

    • 0

    #8
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 20,002 posts
    • MVP

    I like CryptoPrevent

     
     
    The free version does not update on its own so you should check for updated versions once in a while. When you install it the default is NONE which is kind of worthless so change it to Standard or default. If you have problems after installing CryptoPrevent you can just uninstall it.

     

    You might try MalwareBytes again.  I have it on my PC but it had Avast first.

     

    I do not like Spybot S&D or SuperAntiSpyware or CCleaner.  

     

    I think we can clean up:

     

     
    To delete the Quarantine Folder used by FRST create a fixlist.txt file with just the following line:
     
    DeleteQuarantine:
     
    Save the fixlist.txt to the same folder as FRST then run FRST and hit Fix.  You can easily delete any other folders and logs.
     
    If we installed Speccy it needs to be uninstalled.  Process Explorer, VEW, AdwCleaner, JRT and their logs and Speccy's log can just be deleted.
     
    Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  Flash is now the most malware targeted program so it must be kept up to date.  Be careful with Adobe.  They are fond of offering optional downloads like yahoo or Ask toolbars or that worthless McAfee Security Scan.  Go slow and uncheck the optional stuff.
     
    Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions. 
     
     
    If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on.  Go to adblockplus.org with each browser and get the add-on.  (It's actually a program for IE)
     
    If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.
    http://www.crystalidea.com/speedyfox.  Close Chrome/Firefox/Skype.  Hit Optimize.   You can run it any time that Chrome/Firefox seems slow starting.
     
    If you are a Facebook user get the FB Purity extension for your browser:
    This will stop all of the suggested pages and ads so that Facebook loads much quicker.
     
     
    Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will probably be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.
     
    Due to a recent rise in the number of Cryptolocker infections I am now recommending you install:

    If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...0637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.
     
    Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
    Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
    Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.
     
     
    My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's an Orcas Island environmental organization that I volunteered with: http://www.kwiaht.org/donate.htm
    (The name means something like "clean place" in one of the local native-American dialects)
     
    Ron

    • 0

    #9
    bytesize

    bytesize

      Member

    • Topic Starter
    • Member
    • PipPip
    • 33 posts

    Hi

     

    I managed to get things cleaned up, thanks for all your help. Not sure if there was something missing in your post after "Due to a recent rise in the number of Cryptolocker infections I am now recommending you install:" or you were just meaning the router password.

     

    Might try MalwareBytes again.

     

    Thanks


    • 0

    #10
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 20,002 posts
    • MVP

    I think I had already told you about Cryptolocker so meant to remove the whole paragraph but left a bit of it.


    • 0
