I have been fighting this for months. These are the scans I took almost immediately after my most recent reset. I really am not sure how it is persisting. I used my BIOS to format the disk and, without connecting, I still had symptoms. I am scared to reboot because it fully reinstalls. I feel like there are multiple triggers, but this is the cleanest I can get it without help. Please advise.
RogueKiller V12.11.8.0 (x64) [Jul 24 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.co...ad/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : d [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 08/01/2017 13:43:55 (Duration : 00:16:26)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-75V0TT0 +++++
--- User ---
[MBR] e3e5247fec49aa8f7c5a6cfd1500eb6e
[BSP] 82bf2d08dea6517322e3ae1982c2b704 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 476588 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-07-2017
Ran by d (01-08-2017 13:47:49)
Running from C:\Users\d\AppData\Local\Microsoft\Windows\INetCache\IE\SYUMA8ML
Windows 8.1 (Update) (X64) (2017-08-01 15:32:17)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-1767307679-248002309-4077378662-500 - Administrator - Disabled)
d (S-1-5-21-1767307679-248002309-4077378662-1001 - Administrator - Enabled) => C:\Users\d
Guest (S-1-5-21-1767307679-248002309-4077378662-501 - Limited - Disabled)
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: ESET NOD32 Antivirus (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: ESET NOD32 Antivirus (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
ESET NOD32 Antivirus (HKLM\...\{3B4AB7BA-0734-4547-9604-3FCC40873B3D}) (Version: 10.1.219.0 - ESET, spol. s r.o.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4264 - Intel Corporation)
RogueKiller version 12.11.8.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.11.8.0 - Adlice Software)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-1767307679-248002309-4077378662-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
ContextMenuHandlers1: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-06-13] (ESET)
ContextMenuHandlers2: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-06-13] (ESET)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2015-08-09] (Intel Corporation)
ContextMenuHandlers6: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-06-13] (ESET)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {28D1C1B0-A927-4C9E-A857-A3F306AA078E} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
==================== Shortcuts & WMI ========================
(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============
2015-08-09 04:50 - 2015-08-09 04:50 - 000404376 _____ () C:\Windows\system32\igfxTray.exe
2017-08-01 13:43 - 2017-07-24 14:22 - 026543176 _____ () C:\Program Files\RogueKiller\RogueKiller64.exe
==================== Alternate Data Streams (Whitelisted) =========
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2013-08-22 06:25 - 2013-08-22 06:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-1767307679-248002309-4077378662-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.42.129
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== Restore Points =========================
01-08-2017 13:46:06 Windows Update
==================== Faulty Device Manager Devices =============
Name: Network Controller
Description: Network Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
==================== Event log errors: =========================
Application errors:
==================
Error: (08/01/2017 01:36:01 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: tkuhjhng)
Description: Package winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy+Windows.Store was terminated because it took too long to suspend.
Error: (08/01/2017 06:52:07 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: tkuhjhng)
Description: Package winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy+Windows.Store was terminated because it took too long to suspend.
Error: (08/01/2017 08:51:38 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=NetworkAvailable
Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7
Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
Error: (08/01/2017 08:51:37 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7
Error: (08/01/2017 08:33:47 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=TimerEvent
Error: (08/01/2017 08:33:47 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
Error: (08/01/2017 08:33:47 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7
System errors:
=============
Error: (08/01/2017 01:33:40 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Intel® Content Protection HECI Service service terminated with the following error:
%%2147942659 = No more data is available.
Error: (08/01/2017 01:32:50 PM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
Error: (08/01/2017 01:32:50 PM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
Error: (08/01/2017 07:32:41 AM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
Error: (08/01/2017 07:32:41 AM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
Error: (08/01/2017 07:32:41 AM) (Source: DCOM) (EventID: 10010) (User: tkuhjhng)
Description: The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
Error: (08/01/2017 08:28:16 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {A47979D2-C419-11D9-A5B4-001185AD2B89} did not register with DCOM within the required timeout.
Error: (08/01/2017 08:26:16 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
The device is not ready.
Error: (08/01/2017 08:26:08 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Error: (08/01/2017 08:25:05 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
==================== Memory info ===========================
Processor: Intel® Pentium® 3558U @ 1.70GHz
Percentage of memory in use: 31%
Total physical RAM: 8096.02 MB
Available physical RAM: 5509.65 MB
Total Virtual: 10016.02 MB
Available Virtual: 8262.23 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:465.42 GB) (Free:446.68 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 91BF7A00)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.4 GB) - (Type=07 NTFS)
==================== End of Addition.txt ============================
Malwarebytes Anti-Rootkit Beta v1.09.3.1001 said I am clean.