Geeks to Go

Is my computer infected


This topic is locked

#1
Laura B
Member, 29 posts

Hi, I'm not sure if my issues are due to it being infected, but I do get odd popups, and Explorer windows just open at startup without me prompting them. The computer is very slow. Windows updates fail, so I tried the Windows Update Tool, but that would never finish and would freeze. I also tried the Memory Diagnostic, but that also would never finish and just froze at 2%. I have uninstalled many applications in the hope that I would hit on whatever was causing the issues, which has helped some, as the computer is not as slow as it was, but Windows updates still fail.

This is my mother's laptop that I bought for her. She uses Pogo.com to play games (even against my recommendation not to use this site), so she may have downloaded something from there. She has also used BigFishGames.com, which is another concern. Also, she gets the worst spam mail I have EVER seen and refuses to get a new email account, so she may have clicked on something from her email.

Any help you can provide will be appreciated.

Here's my FRST64 text. It is 64-bit - I've triple checked and that is what it says.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Sandra (administrator) on DESKTOP-54QQMJU (09-04-2017 09:40:05)
Running from C:\Users\Sandra\Desktop
Loaded Profiles: Sandra (Available Profiles: Sandra)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
() C:\Program Files (x86)\TOSHIBA\PasswordUtility\GFNEXSrv.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe
() C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\TOSTABSYSSVC.exe
(TOSHIBA) C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\RMService.exe
() C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Toshiba Corporation) C:\Program Files\TOSHIBA\Teco\TecoService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(SweetLabs, Inc) C:\Users\Sandra\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\mshta.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\System Setting\TCrdMain_Win8.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(IS AppCloud Software) C:\Program Files (x86)\TOSHIBA\AppPlace\toshibaappplace.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [180016 2015-06-08] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\Toshiba\System Setting\TCrdMain_Win8.exe [559920 2015-10-09] (TOSHIBA Corporation)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3937448 2015-07-21] (Synaptics Incorporated)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [516976 2015-06-09] (TOSHIBA)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{11f57b55-9876-4f4f-b433-0e2dd713e57f}: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
Internet Explorer:
==================
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.amazon.com/
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba15.msn.com/?pc=TBTE
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> DefaultScope {1D23DF1D-8157-4A53-9915-AE873D865552} URL =
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> {1D23DF1D-8157-4A53-9915-AE873D865552} URL =
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> {4DF21410-DFEA-4394-8E99-6710E9C0D664} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_121\bin\ssv.dll [2017-01-25] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-25] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-01-25] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-25] (Oracle Corporation)
 
FireFox:
========
FF DefaultProfile: me0t2yz8.default
FF ProfilePath: C:\Users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\me0t2yz8.default [2017-02-06]
FF Extension: (Toshiba Defaults) - C:\Users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\me0t2yz8.default\Extensions\[email protected] [2016-04-28]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_127.dll [2017-04-08] ()
FF Plugin: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-25] (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-04-08] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-25] (Oracle Corporation)
 
Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [hikeppggmbhdgodhakicedaejpleoigm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Amazon Assistant Service; C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe [102064 2017-02-28] ()
R2 GFNEXSrv; C:\Program Files (x86)\TOSHIBA\PasswordUtility\GFNEXSrv.exe [163168 2013-03-27] ()
R2 ibtsiva; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [150256 2015-06-09] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373728 2016-02-05] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
S3 Intel® WiDi SAM; C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [19088 2015-06-24] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223008 2015-06-24] (Intel Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-08-13] ()
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294616 2015-05-22] (Realtek Semiconductor)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [237736 2015-07-21] (Synaptics Incorporated)
R2 TOSRMService; C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\RMService.exe [330032 2015-11-20] (TOSHIBA)
R2 TOSTABSYSSVC; C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\TOSTABSYSSVC.exe [240432 2015-10-26] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3831712 2015-08-13] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AX88179; C:\Windows\System32\drivers\ax88179_178a.sys [70656 2015-10-30] (ASIX Electronics Corp.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [255728 2015-06-09] (Intel Corporation)
R3 NETwNb64; C:\Windows\System32\drivers\Netwbw02.sys [4103920 2015-08-23] (Intel Corporation)
R2 PEGAGFN; C:\Program Files (x86)\TOSHIBA\PasswordUtility\PEGAGFN.sys [14344 2009-09-11] (PEGATRON)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [301784 2015-06-01] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [33960 2015-07-21] (Synaptics Incorporated)
S3 SWDUMon; C:\Windows\system32\DRIVERS\SWDUMon.sys [13920 2017-01-28] ()
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [45728 2015-08-07] (Toshiba Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 WirelessKeyboardFilter; C:\Windows\System32\drivers\WirelessKeyboardFilter.sys [49896 2016-07-22] (Microsoft Corporation)
S3 TDEIO; \??\C:\Users\Public\Temp\COMP035\tdeio64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 

==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-09 09:40 - 2017-04-09 09:40 - 00011909 _____ C:\Users\Sandra\Desktop\FRST.txt
2017-04-08 15:19 - 2017-04-09 09:38 - 02424832 _____ (Farbar) C:\Users\Sandra\Desktop\FRST64.exe
2017-04-08 15:08 - 2017-04-09 09:40 - 00000000 ____D C:\FRST
2017-04-08 15:01 - 2017-04-08 15:01 - 00165671 _____ C:\Users\Sandra\Downloads\latestwu (1).diagcab
2017-04-08 13:45 - 2017-04-08 13:45 - 00000000 ____D C:\Users\Sandra\AppData\Roaming\WinBatch
2017-04-08 13:21 - 2017-04-08 13:21 - 00000000 ____D C:\Users\Sandra\AppData\Local\ElevatedDiagnostics
2017-04-08 12:09 - 2017-04-08 12:09 - 00165671 _____ C:\Users\Sandra\Downloads\latestwu.diagcab
2017-04-08 12:05 - 2017-04-08 12:05 - 06847064 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2017-04-08 12:03 - 2017-04-08 12:03 - 00002242 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AmazonAssistant.lnk
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-09 09:25 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\AppReadiness
2017-04-09 09:24 - 2016-04-28 19:57 - 00004170 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{371674DC-0141-498B-8E1E-FF471ED932E5}
2017-04-09 09:20 - 2016-04-28 17:18 - 00000000 ____D C:\Users\Sandra\AppData\Local\App Place for Toshiba
2017-04-08 15:17 - 2015-10-30 03:11 - 00000000 ____D C:\Windows\CbsTemp
2017-04-08 15:05 - 2016-01-11 15:10 - 00879220 _____ C:\Windows\system32\PerfStringBackup.INI
2017-04-08 15:05 - 2015-10-30 03:21 - 00000000 ____D C:\Windows\INF
2017-04-08 14:58 - 2016-04-28 17:18 - 00000000 __SHD C:\Users\Sandra\IntelGraphicsProfiles
2017-04-08 14:58 - 2016-04-28 17:14 - 00000180 _____ C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-04-08 14:57 - 2016-01-11 15:04 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-08 14:26 - 2015-10-30 02:28 - 00786432 ___SH C:\Windows\system32\config\BBI
2017-04-08 14:01 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\NDF
2017-04-08 13:57 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-08 12:05 - 2016-05-28 15:02 - 00004386 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-04-08 12:05 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-04-08 12:05 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\Macromed
2017-04-08 12:03 - 2016-01-11 15:50 - 00000000 ____D C:\Program Files (x86)\Amazon
2017-04-08 12:01 - 2016-01-11 14:57 - 00203432 _____ C:\Windows\system32\FNTCACHE.DAT
2017-04-08 10:45 - 2016-04-28 17:18 - 00000000 ____D C:\Users\Sandra\AppData\Local\Packages
2017-04-08 10:43 - 2017-01-31 12:24 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-04-08 10:34 - 2016-06-17 13:19 - 00000000 ____D C:\Users\Sandra\AppData\Local\Google
2017-04-08 10:34 - 2016-06-17 13:19 - 00000000 ____D C:\Program Files (x86)\Google
2017-04-08 10:33 - 2017-01-25 09:21 - 00000000 ____D C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pogo Games
2017-04-08 10:32 - 2017-02-10 14:13 - 00000000 ____D C:\Users\Sandra\AppData\Roaming\Awem
2017-04-08 10:32 - 2016-04-28 17:16 - 00000000 ____D C:\Users\Sandra\AppData\Local\Host App Service
2017-04-08 10:28 - 2017-01-21 16:10 - 00003292 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task v2
2017-04-08 10:28 - 2016-04-28 17:23 - 00002381 _____ C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-04-08 10:28 - 2016-04-28 17:23 - 00000000 ___RD C:\Users\Sandra\OneDrive
2017-04-07 18:06 - 2016-04-28 17:43 - 00532136 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2016-01-11 15:28 - 2016-01-11 15:28 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
2015-11-18 19:15 - 2015-11-18 19:15 - 43338880 _____ () C:\Users\Sandra\AppData\Local\Temp\Firefox Setup 42.0-2-Toshiba-001-US.exe
2017-01-25 13:42 - 2017-01-25 13:42 - 0739904 _____ (Oracle Corporation) C:\Users\Sandra\AppData\Local\Temp\jre-8u121-windows-au.exe
2015-07-23 09:53 - 2015-07-23 09:53 - 0120336 _____ (McAfee, Inc.) C:\Users\Sandra\AppData\Local\Temp\McCSPInstall.dll
2016-04-28 17:37 - 2015-07-23 09:53 - 0162120 _____ (McAfee Inc.) C:\Users\Sandra\AppData\Local\Temp\mccspuninstall.exe
2016-08-06 11:50 - 2016-08-06 11:51 - 58422624 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\oct14C5.tmp.exe
2017-01-21 16:10 - 2017-01-21 16:11 - 58523704 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\oct51E5.tmp.exe
2016-04-28 17:22 - 2016-04-28 17:23 - 57318568 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\octE9C7.tmp.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-02-10 11:37
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Sandra (09-04-2017 09:42:18)
Running from C:\Users\Sandra\Desktop
Windows 10 Home Version 1511 (X64) (2016-04-28 21:14:24)
Boot Mode: Normal
==========================================================
 

==================== Accounts: =============================
 
Administrator (S-1-5-21-2191857059-2474734211-1668879694-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2191857059-2474734211-1668879694-503 - Limited - Disabled)
Guest (S-1-5-21-2191857059-2474734211-1668879694-501 - Limited - Disabled)
Sandra (S-1-5-21-2191857059-2474734211-1668879694-1001 - Administrator - Enabled) => C:\Users\Sandra
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Amazon Assistant (HKLM-x32\...\{5437E77B-E4B5-45E7-BD33-95C3F0AA6602}) (Version: 10.17.0228 - Amazon) <==== ATTENTION
App Explorer (HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\...\Host App Service) (Version: 0.272.1.354 - SweetLabs)
App Place for Toshiba (HKLM-x32\...\App Place for Toshiba) (Version: 6.5.4 - IS AppCloud Software)
Bluetooth® Link (HKLM\...\{936D21BF-3344-4B20-BC4C-3B67580C19F5}) (Version: 4.3.04 - Toshiba Corporation)
CyberLink PhotoDirector 5 (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.6312.0 - CyberLink Corp.)
CyberLink PhotoDirector 5 (Version: 5.0.6312.0 - CyberLink Corp.) Hidden
CyberLink PowerDirector 12 (HKLM-x32\...\InstallShield_{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.4425.0 - CyberLink Corp.)
CyberLink PowerDirector 12 (Version: 12.0.4425.0 - CyberLink Corp.) Hidden
Intel® Chipset Device Software (x32 Version: 10.1.1.7 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1153 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4360 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 14.5.0.1081 - Intel Corporation)
Intel® WiDi (HKLM\...\{5DD8D7E4-87F1-4134-AD28-4228FB1A03BA}) (Version: 6.0.44.0 - Intel Corporation)
Intel® WiDi Software Asset Manager (x32 Version: 1.1.383 - Intel Corporation) Hidden
Intel® Wireless Bluetooth® (HKLM-x32\...\{DC5673D2-228D-45BC-B9BB-9610CE67DFC0}) (Version: 17.1.1524.1353 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{4c8b7360-62a2-4339-b745-41323055d0bb}) (Version: 18.20.0 - Intel Corporation)
Java 8 Update 121 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4693.1005 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10130.29089 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7548 - Realtek Semiconductor Corp.)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.24 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.24.104 - Skype Technologies S.A.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.16.3 - Synaptics Incorporated)
TOSHIBA Application Installer (HKLM\...\{21A63CA3-75C0-4E56-B602-B7CD2EF6B621}) (Version: 9.0.2.8 - Toshiba Corporation)
TOSHIBA Audio Enhancement (HKLM\...\{1515F5E3-29EA-4CD1-A981-032D88880F09}) (Version: 3.0.2.0 - Toshiba Corporation)
TOSHIBA Display Utility (HKLM\...\{0B39C39A-3ECE-4582-9C91-842D22819A24}) (Version: 2.0.1.0 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{72EFCFA8-3923-451D-AF52-7CE9D87BC2A1}) (Version: 3.0.4.6401 - Toshiba Corporation)
TOSHIBA Password Utility (HKLM-x32\...\InstallShield_{78931270-BC9E-441A-A52B-73ECD4ACFAB5}) (Version: 4.17.000 - Toshiba Corporation)
TOSHIBA Service Station (HKLM\...\{B1F241E1-90BF-4201-8977-A0DF85A38EBB}) (Version: 2.6.16.0 - Toshiba Corporation)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 2.02.0002.02 - Toshiba Corporation)
TOSHIBA System Settings (HKLM\...\{B040D5C9-C9AA-430A-A44E-696656012E61}) (Version: 3.0.7.6401 - Toshiba Corporation)
TOSHIBA User Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.03 - TOSHIBA)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.0.1.2 - TOSHIBA)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 

==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {1C1A4E80-52EC-44A4-8BB0-6357AFE8E217} - System32\Tasks\IntelWiDi-Upgrade-91ba0caa-28a7-4f47-8d08-f71b4b10fbec-Logon => C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [2015-06-24] (Intel Corporation)
Task: {2A8F894E-49F5-4A8A-AAF5-B61862D70FA0} - System32\Tasks\App Explorer => C:\Users\Sandra\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2016-09-14] (SweetLabs, Inc)
Task: {2C03B881-DA1D-4347-B836-516655647892} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2014-04-03] (TOSHIBA Corporation)
Task: {5AE5D4CD-1594-4296-820D-AFE22BFF9510} - System32\Tasks\BTSchedulerTask => C:\Program Files (x86)\TOSHIBA\Toshiba Bluetooth Device Profile Utility\TosBt_NotificationScheduler.exe [2015-07-08] (Toshiba Corporation)
Task: {61240B7C-AD8E-4E4E-8AFA-9ECFF797928F} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2015-06-26] (Realtek Semiconductor)
Task: {6EDDB437-51A6-4989-85BD-A4B8EACBA017} - System32\Tasks\IS AppCloud Software\App Place for Toshiba-Reminder => C:\Program Files (x86)\Toshiba\AppPlace\toshibaappplace.exe [2016-06-08] (IS AppCloud Software)
Task: {8F5D78ED-85C5-40FF-950B-DD7E4C43B9CB} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-04-08] (Adobe Systems Incorporated)
Task: {C5B91370-9ED5-47CC-9467-625F6E08D957} - System32\Tasks\IntelWiDi-Upgrade-91ba0caa-28a7-4f47-8d08-f71b4b10fbec => C:\Program Files (x86)\Intel Corporation\Intel WiDi\Intel® Software Asset Manager\bin\IntelSoftwareAssetManagerService.exe [2015-06-24] (Intel Corporation)
Task: {D4F68BE9-99E5-4487-9DC6-2F7504B4735E} - System32\Tasks\Intel\Intel Telemetry 2 => C:\Program Files\Intel\Telemetry 2.0\lrio.exe [2015-06-05] (Intel Corporation)
Task: {DC8D0774-6611-46DC-9D3D-AB9969087CBA} - System32\Tasks\Resolution+ Setting Task => C:\Program Files\Toshiba\TOSHIBA Smart View Utility\Plugins\ResolutionPlus\TosRegPermissionChg.exe [2015-06-12] (TOSHIBA Corporation)
Task: {EAC0CB5E-8648-450A-BEBD-995007FF3F20} - System32\Tasks\IS AppCloud Software\App Place for Toshiba => C:\Program Files (x86)\Toshiba\AppPlace\toshibaappplace.exe [2016-06-08] (IS AppCloud Software)
Task: {F757D498-34A0-4726-9322-2ACEE241D990} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 

==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
Shortcut: C:\Users\Sandra\Desktop\Amazon.lnk -> hxxp://www.amazon.com/?tag=tais2-desktop-2
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-10-30 03:18 - 2015-10-30 03:18 - 00185856 _____ () C:\Windows\SYSTEM32\ism32k.dll
2013-03-27 16:53 - 2013-03-27 16:53 - 00163168 _____ () C:\Program Files (x86)\TOSHIBA\PasswordUtility\GFNEXSrv.exe
2015-10-26 21:16 - 2015-10-26 21:16 - 00240432 _____ () C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\TOSTABSYSSVC.exe
2017-02-28 15:19 - 2017-02-28 15:19 - 00102064 _____ () C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
2017-02-28 15:20 - 2017-02-28 15:20 - 00141488 _____ () C:\Program Files (x86)\Amazon\Amazon Assistant\aaLoader64.dll
2016-01-11 16:08 - 2014-04-14 22:59 - 00389896 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2016-04-29 09:16 - 2016-03-29 06:20 - 02656952 _____ () C:\Windows\system32\CoreUIComponents.dll
2016-04-29 09:16 - 2016-03-29 06:20 - 02656952 _____ () C:\Windows\System32\CoreUIComponents.dll
2015-08-06 03:28 - 2016-02-05 17:19 - 00402912 _____ () C:\Windows\system32\igfxTray.exe
2016-04-29 09:13 - 2015-12-07 00:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-05-16 09:25 - 2016-04-23 00:25 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2012-07-18 22:38 - 2012-07-18 22:38 - 00020904 _____ () C:\Program Files\TOSHIBA\System Setting\SmoothView.dll
2016-06-17 13:20 - 2016-05-27 23:59 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-06-17 13:20 - 2016-05-27 23:53 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-06-17 13:20 - 2016-05-27 23:54 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-06-17 13:20 - 2016-05-27 23:56 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-06-08 08:03 - 2016-06-08 08:04 - 00236032 _____ () C:\Program Files (x86)\Toshiba\AppPlace\node_modules\appcloud-native-utils\anu.node
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 

==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 

==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 

==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\...\amazon.com -> amazon.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-30 03:24 - 2015-10-30 03:21 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 

==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: lfsvc => 3
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{E1B882A5-8F08-4C17-AE01-B40231EEEE42}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{DA961266-BA8B-4B27-8A98-A7FB2814AEC5}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{E9D9DEC6-37E6-407C-B642-D3839CE8C14A}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiAppOld.exe
FirewallRules: [{5DB8DD83-A660-445A-A48B-4EFCE0C77438}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\Next\WirelessDisplay.exe
FirewallRules: [{DA12B274-32BC-4E08-A3DA-42CBC76AE0B0}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\SmartAgentTest.exe
FirewallRules: [{53034AAE-6B08-4A3A-9CAF-ABB09B4D3797}] => (Allow) C:\Program Files (x86)\Spotify\Spotify.exe
FirewallRules: [{2E594F02-A8EA-49A9-933D-B72266063A5D}] => (Allow) C:\Program Files (x86)\Spotify\Spotify.exe
FirewallRules: [{C94050D5-A3CC-4C04-8E0E-86958C90458F}] => (Allow) C:\Program Files (x86)\Spotify\SpotifyWebHelper.exe
FirewallRules: [{63B76D16-A50A-4587-9390-32FFD85571E6}] => (Allow) C:\Program Files (x86)\Spotify\SpotifyWebHelper.exe
FirewallRules: [{760DF00C-DE52-4E26-99F9-42CB4F1B7E06}] => (Allow) C:\Program Files (x86)\Spotify\SpotifyCrashService.exe
FirewallRules: [{2AF4B332-644E-4FE1-BC27-554C7371A604}] => (Allow) C:\Program Files (x86)\Spotify\SpotifyCrashService.exe
FirewallRules: [{8FA6D637-28A1-4F11-BEC8-8EECC6420CC0}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE
FirewallRules: [{18EE0BD6-A37D-4FD7-A54F-02F854360975}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{89205917-ED2C-4A1D-964E-4DAD9729C57E}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{404069D8-093E-4F04-9E88-8BC16F3689A1}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{3C115245-FAC3-4328-8A01-7C7DE51E48F0}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 
==================== Restore Points =========================
 
09-02-2017 10:50:41 Scheduled Checkpoint
16-02-2017 15:07:43 Scheduled Checkpoint
08-04-2017 11:11:33 Windows Update
08-04-2017 11:12:00 Windows Update
 
==================== Faulty Device Manager Devices =============
 

==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/08/2017 11:12:42 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (04/08/2017 11:11:40 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (04/08/2017 10:24:39 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-54QQMJU)
Description: Activation of app Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (04/08/2017 10:23:44 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SearchUI.exe, version: 10.0.10586.420, time stamp: 0x57491ba1
Faulting module name: Windows.UI.Xaml.dll, version: 10.0.10586.306, time stamp: 0x571af9f6
Exception code: 0xc000027b
Fault offset: 0x0000000000281f52
Faulting process id: 0x18b4
Faulting application start time: 0x01d283afb0c6c9eb
Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Faulting module path: C:\Windows\System32\Windows.UI.Xaml.dll
Report Id: 35e0f646-c313-495e-84ef-c02c2a8e817d
Faulting package full name: Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI
 
Error: (04/08/2017 10:23:40 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program GamesManager.exe version 2.15.2.971 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 574
 
Start Time: 01d283c57922dbc9
 
Termination Time: 5
 
Application Path: C:\Users\Sandra\AppData\Local\GamesManager\GamesManager.exe
 
Report Id: e832d225-1c66-11e7-9c34-34de1ac1dcb0
 
Faulting package full name:
 
Faulting package-relative application ID:
 
Error: (02/16/2017 03:07:49 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (02/16/2017 02:51:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: GoldenTrails3TheGuardian'sCreed_PE.ifn, version: 0.0.0.0, time stamp: 0x50c19d45
Faulting module name: windows.storage.dll, version: 10.0.10586.306, time stamp: 0x571af5bf
Exception code: 0x4000001f
Fault offset: 0x00282dff
Faulting process id: 0x11fc
Faulting application start time: 0x01d283c96b50f85a
Faulting application path: c:\games\Pogo Games\Golden Trails 3 The Guardian's Creed Premium Edition\GoldenTrails3TheGuardian'sCreed_PE.ifn
Faulting module path: C:\Windows\SYSTEM32\windows.storage.dll
Report Id: 64634039-ed51-4b7b-b9c9-b5968d64705c
Faulting package full name:
Faulting package-relative application ID:
 
Error: (02/10/2017 02:01:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iWinInstaller.exe, version: 0.0.0.0, time stamp: 0x586a3833
Faulting module name: iWinInstaller.exe, version: 0.0.0.0, time stamp: 0x586a3833
Exception code: 0xc0000005
Fault offset: 0x00008a40
Faulting process id: 0x2610
Faulting application start time: 0x01d283c77f8afa7f
Faulting application path: C:\Users\Sandra\AppData\Local\GamesManager\iWinInstaller.exe
Faulting module path: C:\Users\Sandra\AppData\Local\GamesManager\iWinInstaller.exe
Report Id: 7b3403ed-4571-46c0-8ed0-ca70e42e2f82
Faulting package full name:
Faulting package-relative application ID:
 
Error: (02/10/2017 01:41:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.10586.420, time stamp: 0x57491c15
Faulting module name: KERNELBASE.dll, version: 10.0.10586.306, time stamp: 0x571af331
Exception code: 0xc0020001
Fault offset: 0x0000000000071f28
Faulting process id: 0x2238
Faulting application start time: 0x01d283b2559087cd
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\system32\KERNELBASE.dll
Report Id: 2ddbb2fa-ac73-4c57-af7e-452cba57e87f
Faulting package full name:
Faulting package-relative application ID:
 
Error: (02/09/2017 10:50:42 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 

System errors:
=============
Error: (04/08/2017 03:34:46 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/08/2017 02:25:56 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_4b006 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (04/08/2017 02:25:56 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/08/2017 01:51:42 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-54QQMJU)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user DESKTOP-54QQMJU\Sandra SID (S-1-5-21-2191857059-2474734211-1668879694-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe SID (S-1-15-2-1609473798-1231923017-684268153-4268514328-882773646-2760585773-1760938157). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/08/2017 01:35:55 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_24c17 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
 
Error: (04/08/2017 01:35:55 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/08/2017 01:34:24 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-54QQMJU)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}
 and APPID
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}
 to the user DESKTOP-54QQMJU\Sandra SID (S-1-5-21-2191857059-2474734211-1668879694-1001) from address LocalHost (Using LRPC) running in the application container windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/08/2017 01:34:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Defender Network Inspection Service service depends on the Windows Defender Network Inspection System Driver service which failed to start because of the following error:
The dependency service or group failed to start.
 
Error: (04/08/2017 01:34:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Defender Network Inspection System Driver service depends on the Base Filtering Engine service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
Error: (04/08/2017 01:33:16 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Windows Defender Network Inspection Service service depends on the Windows Defender Network Inspection System Driver service which failed to start because of the following error:
The dependency service or group failed to start.
 

CodeIntegrity:
===================================
  Date: 2017-02-12 04:06:01.484
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-22 08:58:08.749
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-19 14:54:35.531
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-19 12:39:09.451
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-02 19:06:41.363
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-28 14:12:51.376
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-26 16:46:14.840
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-16 09:53:23.532
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-05-08 13:08:08.715
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-04-29 15:14:24.072
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 

==================== Memory info ===========================
 
Processor: Intel® Core™ i3-5015U CPU @ 2.10GHz
Percentage of memory in use: 39%
Total physical RAM: 6058.26 MB
Available physical RAM: 3667.8 MB
Total Virtual: 7018.26 MB
Available Virtual: 4430.78 MB
 
==================== Drives ================================
 
Drive c: (TIS0008500E) (Fixed) (Total:465.04 GB) (Free:426.09 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================
 

#2
zep516 (Trusted Helper, Malware Removal)
Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue. Stop and ask! Never be afraid to ask questions! :)

First
Programs to uninstall
Amazon Assistant

You had a successful Windows update here below:
08-04-2017 11:12:00 Windows Update
Is it not updating now ?

Next
A few items to fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
start
CloseProcesses:
CreateRestorePoint:
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.amazon.com/
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba15.msn.com/?pc=TBTE
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> DefaultScope {1D23DF1D-8157-4A53-9915-AE873D865552} URL =
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> {1D23DF1D-8157-4A53-9915-AE873D865552} URL =
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> {4DF21410-DFEA-4394-8E99-6710E9C0D664} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_sy
S3 TDEIO; \??\C:\Users\Public\Temp\COMP035\tdeio64.sys [X]
2015-07-23 09:53 - 2015-07-23 09:53 - 0120336 _____ (McAfee, Inc.) C:\Users\Sandra\AppData\Local\Temp\McCSPInstall.dll
2016-04-28 17:37 - 2015-07-23 09:53 - 0162120 _____ (McAfee Inc.) C:\Users\Sandra\AppData\Local\Temp\mccspuninstall.exe
2016-08-06 11:50 - 2016-08-06 11:51 - 58422624 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\oct14C5.tmp.exe
2017-01-21 16:10 - 2017-01-21 16:11 - 58523704 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\oct51E5.tmp.exe
2016-04-28 17:22 - 2016-04-28 17:23 - 57318568 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\octE9C7.tmp.exe
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
  • Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.
    Next
    Please download adwCleaner to your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad.
    The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

    Next
  • Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts. See Here how to disable your security protection (Anti Virus).
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

    Next
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Reboot your computer if prompted.
  • Posting the Malwarebytes log.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log to your next reply.
  • In your next reply post:
  • The AdwCleaner [C1].txt Log
  • The JRT.txt Log
  • Malwarebytes log
  • Fixlog.txt

    Thanks
    Joe :)

#3
Laura B (Topic Starter)

I followed all the instructions and here are the logs.  Most of the Windows updates have now been done. Still one or two that failed.  Also, I was not able to paste (tried both right click and ctrl/v) the logs to this reply in Windows Edge, but finally was able to do so when using Explorer.  Cannot figure out what setting is preventing the paste function.

 

# AdwCleaner v6.045 - Logfile created 14/04/2017 at 15:28:54
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-14.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Sandra - DESKTOP-54QQMJU
# Running from : C:\Users\Sandra\Downloads\adwcleaner_6.045.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

 

***** [ Services ] *****

[-] Service deleted: swdumon

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Sandra\AppData\Local\slimware utilities inc
[-] Folder deleted: C:\Users\Sandra\AppData\Local\YSearchUtil
[-] Folder deleted: C:\Users\Sandra\AppData\Local\Host App Service
[-] Folder deleted: C:\Users\Sandra\AppData\Local\Downloaded Installers
[#] Folder deleted on reboot: C:\Users\Sandra\AppData\Local\SlimWare Utilities Inc
[-] Folder deleted: C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pogo Games
[-] Folder deleted: C:\ProgramData\iwin games
[#] Folder deleted on reboot: C:\ProgramData\Application Data\iwin games
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil
[#] Folder deleted on reboot: C:\Users\Sandra\AppData\Local\Host App Service
[-] Folder deleted: C:\Users\Default\AppData\Local\Host App Service
[-] Folder deleted: C:\Users\Public\Pokki
[-] Folder deleted: C:\Users\Public\App Explorer

***** [ Files ] *****

[-] File deleted: C:\Users\Sandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\App Explorer.lnk
[-] File deleted: C:\Windows\SysNative\drivers\swdumon.sys
[-] File deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\App Explorer.lnk

***** [ DLL ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled Tasks ] *****

[-] Task deleted: App Explorer

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon1ButtonBrowserHelper.Amazon1ButtonBHO
[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.Amazon1ButtonRuntime
[-] Key deleted: HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.AmazonRuntimeServer
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonBrowserHelper.Amazon1ButtonBHO
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.Amazon1ButtonRuntime
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.AmazonRuntimeServer
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6557DB6C-EFE1-45AC-92A6-FBB1554B7502}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{EB2BEAEF-150C-4DE4-9D09-F16403C22769}
[-] Key deleted: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BAC72C85-CEC6-4B86-AF06-FA20C259FAB8}
[-] Key deleted: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\PogoDGC
[-] Key deleted: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Host App Service
[-] Key deleted: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[#] Key deleted on reboot: HKCU\Software\PogoDGC
[#] Key deleted on reboot: HKCU\Software\Host App Service
[-] Key deleted: HKLM\SOFTWARE\SLIMWARE UTILITIES, INC.
[-] Key deleted: HKLM\SOFTWARE\SlimWare Utilities Inc
[-] Key deleted: HKLM\SOFTWARE\PogoDGC
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B6DCCCD3-520D-4485-B642-FCC136CE12C3}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverUpdate
[#] Key deleted on reboot: [x64] HKCU\Software\PogoDGC
[#] Key deleted on reboot: [x64] HKCU\Software\Host App Service
[-] Key deleted: [x64] HKLM\SOFTWARE\PogoDGC
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\analytics.app.amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\akz.imgfarm.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hp.myway.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\imgfarm.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\analytics.app.amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\akz.imgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\analytics.app.amazonbrowserapp.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\hp.myway.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\imgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com

***** [ Web browsers ] *****

 

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [6621 Bytes] - [14/04/2017 15:28:54]
C:\AdwCleaner\AdwCleaner[S0].txt - [6385 Bytes] - [14/04/2017 15:23:33]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [6767 Bytes] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64
Ran by Sandra (Administrator) on Fri 04/14/2017 at 15:52:35.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 0

 

Registry: 0

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 04/14/2017 at 15:58:10.98
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/14/17
Scan Time: 4:06 PM
Logfile: Malwarebytes log.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1730
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-54QQMJU\Sandra

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 336571
Time Elapsed: 8 min, 40 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Adware.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\hikeppggmbhdgodhakicedaejpleoigm, Quarantined, [5038], [387360],1.0.1730

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Sandra (14-04-2017 15:04:12) Run:1
Running from C:\Users\Sandra\Desktop
Loaded Profiles: Sandra (Available Profiles: Sandra)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CloseProcesses:
CreateRestorePoint:
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.amazon.com/
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba15.msn.com/?pc=TBTE
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> DefaultScope {1D23DF1D-8157-4A53-9915-AE873D865552} URL =
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> {1D23DF1D-8157-4A53-9915-AE873D865552} URL =
SearchScopes: HKU\S-1-5-21-2191857059-2474734211-1668879694-1001 -> {4DF21410-DFEA-4394-8E99-6710E9C0D664} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_sy
S3 TDEIO; \??\C:\Users\Public\Temp\COMP035\tdeio64.sys [X]
2015-07-23 09:53 - 2015-07-23 09:53 - 0120336 _____ (McAfee, Inc.) C:\Users\Sandra\AppData\Local\Temp\McCSPInstall.dll
2016-04-28 17:37 - 2015-07-23 09:53 - 0162120 _____ (McAfee Inc.) C:\Users\Sandra\AppData\Local\Temp\mccspuninstall.exe
2016-08-06 11:50 - 2016-08-06 11:51 - 58422624 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\oct14C5.tmp.exe
2017-01-21 16:10 - 2017-01-21 16:11 - 58523704 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\oct51E5.tmp.exe
2016-04-28 17:22 - 2016-04-28 17:23 - 57318568 _____ (SweetLabs,Inc.) C:\Users\Sandra\AppData\Local\Temp\octE9C7.tmp.exe
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1D23DF1D-8157-4A53-9915-AE873D865552} => key removed successfully
HKCR\CLSID\{1D23DF1D-8157-4A53-9915-AE873D865552} => key not found.
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4DF21410-DFEA-4394-8E99-6710E9C0D664} => key removed successfully
HKCR\CLSID\{4DF21410-DFEA-4394-8E99-6710E9C0D664} => key not found.
HKLM\System\CurrentControlSet\Services\TDEIO => key removed successfully
TDEIO => service removed successfully
C:\Users\Sandra\AppData\Local\Temp\McCSPInstall.dll => moved successfully
C:\Users\Sandra\AppData\Local\Temp\mccspuninstall.exe => moved successfully
C:\Users\Sandra\AppData\Local\Temp\oct14C5.tmp.exe => moved successfully
C:\Users\Sandra\AppData\Local\Temp\oct51E5.tmp.exe => moved successfully
C:\Users\Sandra\AppData\Local\Temp\octE9C7.tmp.exe => moved successfully

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

========= netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2191857059-2474734211-1668879694-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 21179906 B
Java, Flash, Steam htmlcache => 15574 B
Windows/system/drivers => 24188373 B
Edge => 65982900 B
Chrome => 0 B
Firefox => 375739578 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 7925888 B
systemprofile32 => 128 B
LocalService => 7292 B
NetworkService => 5166 B
Sandra => 419450242 B

RecycleBin => 155501 B
EmptyTemp: => 872.3 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:07:37 ====


  • 0
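The fixlist in the post above removes a specific set of persistence points: a Chrome extension sideloaded through the HKLM Wow6432Node\Google\Chrome\Extensions key (the Adware.WinYahoo hit in the Malwarebytes log), two Internet Explorer SearchScopes with an empty or Yahoo URL, a driver service (TDEIO) whose binary sat in C:\Users\Public\Temp, the per-user proxy connection settings, the hosts file and an empty-named HKLM Run value. The PowerShell script below is an added example, not part of this thread and not a feature of FRST or Malwarebytes, that re-reads those same locations after the reboot so you can confirm nothing was recreated. It assumes an elevated PowerShell prompt in the affected user's session; the service name TDEIO, the C:\Users\Public\Temp path and the extension ID come from the logs above, and the user-writable path pattern and the list of keys checked are the example's own choices, not something the thread specifies.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): re-check, after the reboot, the
# persistence points that the fixlist above removed. Run elevated, in the affected user's
# session. Everything printed is a lead to inspect, not a verdict.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Chrome external-extension install keys. Each subkey name is an extension ID and makes
#    Chrome install that extension without the user choosing it; this is where Malwarebytes
#    found hikeppggmbhdgodhakicedaejpleoigm. Both registry views are checked on 64-bit.
$extRoots = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
            'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions'
foreach ($root in $extRoots) {
    if (Test-Path $root) {
        foreach ($k in Get-ChildItem $root) {
            $p = Get-ItemProperty $k.PSPath
            $findings.Add("Chrome sideload key $($k.PSChildName): update_url=$($p.update_url) path=$($p.path)")
        }
    }
}

# 2. Internet Explorer search scopes for this user. Legitimate providers (e.g. Bing) are
#    listed too; what matters is a scope with an empty URL or an unexpected default, as in
#    the two GUIDs the fixlist removed.
$scopeRoot = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopeRoot) {
    $defaultScope = (Get-ItemProperty $scopeRoot -ErrorAction SilentlyContinue).DefaultScope
    foreach ($k in Get-ChildItem $scopeRoot) {
        $url = (Get-ItemProperty $k.PSPath).URL
        $tag = if ($k.PSChildName -eq $defaultScope) { ' [default]' } else { '' }
        $findings.Add("IE SearchScope $($k.PSChildName)$tag URL='$url'")
    }
}

# 3. Services and kernel drivers whose binary lives under a user-writable path. The removed
#    TDEIO driver pointed at C:\Users\Public\Temp; confirm it stayed gone and look for siblings.
#    The path pattern is this example's assumption about where such drops usually land.
if (Get-Service -Name 'TDEIO' -ErrorAction SilentlyContinue) { $findings.Add('Service TDEIO is back') }
foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    Get-CimInstance -ClassName $class |
        Where-Object { $_.PathName -and $_.PathName -match '(?i)\\Users\\|\\Temp\\' } |
        ForEach-Object { $findings.Add("$class $($_.Name): $($_.PathName)") }
}

# 4. Per-user proxy settings. RemoveProxy: cleared the binary connection blobs; these three
#    values are the readable equivalent. A proxy or PAC URL the user never set is a hijack.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
    $findings.Add("Proxy: Enable=$($inet.ProxyEnable) Server='$($inet.ProxyServer)' PAC='$($inet.AutoConfigURL)'")
}

# 5. hosts file. FRST's 'hosts:' directive writes a default file; on Windows 10 that file
#    contains only comments, so any active (non-comment) line is worth reading.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*[^#\s]' } |
    ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

# 6. Run keys in both registry views plus the user's own. The fixlist removed an HKLM Run
#    value with an empty name; such a value shows here as ''.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($run in $runKeys) {
    if (Test-Path $run) {
        $key = Get-Item $run
        foreach ($name in $key.GetValueNames()) {
            $findings.Add("Run value '$name' in $run = $($key.GetValue($name))")
        }
    }
}

if ($findings.Count -eq 0) { 'No entries found at the checked locations.' } else { $findings }
```

Save it as a .ps1 and run it from an elevated prompt after the reboot the fixlog asks for; an empty result means the six locations above are clean, while anything listed should be compared against what the user actually installed before deciding it is a re-infection.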

#4
zep516
    Trusted Helper
  • Malware Removal
  • 8,093 posts
Hello,

That paste issue may be the result of this forum; other users appear to also have paste issues at times.

Run the computer a day or so and let me know what issues remain; your log files are looking good :)

Thanks
Joe
  • 0

#5
zep516
    Trusted Helper
  • Malware Removal
  • 8,093 posts
You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

Safe Computing Practices, please read Here


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Thanks
Joe :)
  • 0