Programs Frequently "Not Responding" and USB speed issues


26 replies to this topic

#1 TheWriterInBlack

Full Member, 19 posts

Posted 18 April 2017 - 10:53 PM

Frequently, many or all of the programs running on my system at a given time will lock up and I'll get "not responding" errors which will last for several minutes before they start responding again.  Task manager shows that I've got plenty of available memory left when this happens, and the processors aren't near their limits either.


Attempting to close programs using the task manager, which for some reason generally doesn't freeze when other stuff does, fails because the tasks won't close until the program starts responding again.


The other problem is that the computer will often report "this device can perform faster" when I plug a USB 2 device (my phone, a thumb drive) into a port on the computer.  Apparently the computer will sometimes "think" the port is USB 1.1.


Logs:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/18/2017
Scan Time: 10:55 AM
Logfile: MBAM results.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.04.18.04
Rootkit Database: v2017.04.02.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: dburkhead

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 349213
Time Elapsed: 37 min, 45 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-04-2017 01
Ran by dburkhead (administrator) on DBHOME2 (18-04-2017 19:07:18)
Running from C:\Users\dburkhead\Desktop\Security
Loaded Profiles: dburkhead (Available Profiles: dburkhead & Backup)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.3\GoogleCrashHandler64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7Debug\mdm.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\pcCMService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Alcatel-Lucent) C:\Program Files (x86)\Common Files\Motive\pcServiceHost.exe
(pdfforge GmbH) C:\Program Files (x86)\PDF Architect\HelperService.exe
(pdfforge GmbH) C:\Program Files (x86)\PDF Architect\ConversionService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(WDC) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
(Memeo) C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Alcatel-Lucent) C:\Program Files\ATT-SST\pcTrayApp.exe
(Graphic Tablet Company Shenzhen) C:\Program Files\TabletDriver\TabletDriver.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Alcatel-Lucent) C:\Program Files (x86)\Common Files\Motive\pcContextHookShim.exe
(Google Inc.) C:\Users\dburkhead\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
(WDC) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
(Western Digital) C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
(Lenovo (Shenzhen) Electronic Co., Ltd.) C:\Program Files (x86)\Lenovo\FanSpeedControl\LenovoFSC.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(JME) C:\Program Files (x86)\jmesoft\hotkey.exe
() C:\Users\dburkhead\Documents\rsc-1.5\randomSIG.exe
(doubleTwist Corporation) C:\Program Files (x86)\doubleTwist\DoubleTwist.Light.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(doubleTwist Corporation) C:\Program Files (x86)\doubleTwist\Transcoder.server.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8060960 2009-08-05] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [ATT-SST_McciTrayApp] => C:\Program Files\ATT-SST\pcTrayApp.exe [2794496 2013-05-07] (Alcatel-Lucent)
HKLM\...\Run: [TabletDriver] => C:\Program Files\TabletDriver\TabletDriver.exe [1132544 2015-02-02] (Graphic Tablet Company Shenzhen)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2017-01-19] (Apple Inc.)
HKLM-x32\...\Run: [LenovoFSC] => C:\Program Files (x86)\Lenovo\FanSpeedControl\LenovoFSC.exe [49152 2009-07-29] (Lenovo (Shenzhen) Electronic Co., Ltd.)
HKLM-x32\...\Run: [jmekey] => C:\Program Files (x86)\jmesoft\hotkey.exe [114688 2009-07-16] (JME)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [AppleSyncNotifier] => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67384 2017-01-13] (Apple Inc.)
HKLM-x32\...\Run: [ODT To Doc Converter Software.exe] => [X]
HKLM-x32\...\Run: [doubleTwist] => C:\Program Files (x86)\doubleTwist\doubleTwist.Light.exe [144384 2015-07-13] (doubleTwist Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\...\Run: [Google Update] => C:\Users\dburkhead\AppData\Local\Google\Update\1.3.33.3\GoogleUpdateCore.exe [599632 2017-04-11] (Google Inc.)
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\...\Run: [MusicManager] => C:\Users\dburkhead\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [7643136 2015-11-17] (Google Inc.)
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2016-11-17] (Apple Inc.)
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2017-03-16] (Google)
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Bubbles.scr [899584 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [KSS] => "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe" autorun
HKU\S-1-5-18\...\RunOnce: [WLStart] => C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-03-21] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-03-21] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2017-03-21] (Google)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Acrobat Assistant.lnk [2011-05-17]
ShortcutTarget: Acrobat Assistant.lnk -> C:\Program Files (x86)\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2013-12-17]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDDMStatus.lnk [2010-12-27]
ShortcutTarget: WDDMStatus.lnk -> C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe (WDC)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WDSmartWare.lnk [2010-12-27]
ShortcutTarget: WDSmartWare.lnk -> C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe (Western Digital)
Startup: C:\Users\dburkhead\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\randomSIG.lnk [2010-12-19]
ShortcutTarget: randomSIG.lnk -> C:\Users\dburkhead\Documents\rsc-1.5\randomSIG.exe ()
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2010-11-02]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [2010-11-02]
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{84667FC7-D29F-4796-9C8F-3593B6742831}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.coldservings.com/
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL =
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
BHO-x32: PDF Architect Helper -> {3A2D5EBA-F86D-4BD3-A177-019765996711} -> C:\Program Files (x86)\PDF Architect\PDFIEHelper.dll [2013-04-08] (pdfforge GmbH)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
Toolbar: HKLM-x32 - PDF Architect Toolbar - {25A3A431-30BB-47C8-AD6A-E1063801134F} - C:\Program Files (x86)\PDF Architect\PDFIEPlugin.dll [2013-04-08] (pdfforge GmbH)
Toolbar: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\dburkhead\AppData\Roaming\Mozilla\Firefox\Profiles\96zc1f1l.default-1462229122799 [2017-04-18]
FF Homepage: Mozilla\Firefox\Profiles\96zc1f1l.default-1462229122799 -> hxxp://www.coldservings.com/
FF Session Restore: Mozilla\Firefox\Profiles\96zc1f1l.default-1462229122799 -> is enabled.
FF Extension: (ADB Helper) - C:\Users\dburkhead\AppData\Roaming\Mozilla\Firefox\Profiles\96zc1f1l.default-1462229122799\Extensions\adbhelper@mozilla.org [2017-03-16]
FF Extension: (Valence) - C:\Users\dburkhead\AppData\Roaming\Mozilla\Firefox\Profiles\96zc1f1l.default-1462229122799\Extensions\fxdevtools-adapters@mozilla.org [2017-01-26]
FF Extension: (NoScript) - C:\Users\dburkhead\AppData\Roaming\Mozilla\Firefox\Profiles\96zc1f1l.default-1462229122799\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-03-29]
FF Extension: (Disable Prefetch) - C:\Users\dburkhead\AppData\Roaming\Mozilla\Firefox\Profiles\96zc1f1l.default-1462229122799\features\{22738a98-6656-45f4-951c-8d3e515d89f8}\disable-prefetch@mozilla.org.xpi [2017-04-05]
FF Extension: (Motive Extension) - C:\Program Files (x86)\Mozilla Firefox\extensions\mcciwbch@motive.com.xpi [2013-06-18] [not signed]
FF Extension: (Site Deployment Checker) - C:\Program Files (x86)\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-03-29] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker => not found
FF HKLM-x32\...\Firefox\Extensions: [FFPDFArchitectConverter@pdfarchitect.com] - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt
FF Extension: (PDF Architect Converter For Firefox) - C:\Program Files (x86)\PDF Architect\FFPDFArchitectExt [2014-03-18] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_25_0_0_148.dll [2017-04-12] ()
FF Plugin: @microsoft.com/GENUINE -> C:\windows\system32\Wat\npWatWeb.dll [2010-12-23] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_148.dll [2017-04-12] ()
FF Plugin-x32: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=10.21.2 -> C:\windows\SysWOW64\npDeployJava1.dll [2013-04-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> C:\windows\system32\Wat\npWatWeb.dll [2010-12-23] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50906.0\npctrl.dll [2017-03-09] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin-x32: @Motive.com/NpMotive,version=1.0 -> C:\Program Files (x86)\Common Files\Motive\npMotive.dll [2013-05-07] (Alcatel-Lucent)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-11] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3910636834-3735429815-1665592217-1001: @citrixonline.com/appdetectorplugin -> C:\Users\dburkhead\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-10-20] (Citrix Online)
FF Plugin HKU\S-1-5-21-3910636834-3735429815-1665592217-1001: @nsroblox.roblox.com/launcher -> C:\Users\dburkhead\AppData\Local\Roblox\Versions\version-eecd9135a67340ab\\NPRobloxProxy.dll [2012-05-24] ( Roblox Corporation)
FF Plugin HKU\S-1-5-21-3910636834-3735429815-1665592217-1001: @tools.google.com/Google Update;version=3 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-11] (Google Inc.)
FF Plugin HKU\S-1-5-21-3910636834-3735429815-1665592217-1001: @tools.google.com/Google Update;version=9 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-11] (Google Inc.)
FF Plugin HKU\S-1-5-21-3910636834-3735429815-1665592217-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\dburkhead\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2011-07-22] (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default [2017-04-08]
CHR Extension: (Google Slides) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-04-08]
CHR Extension: (Google Docs) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-04-08]
CHR Extension: (Google Drive) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-04-08]
CHR Extension: (YouTube) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-04-08]
CHR Extension: (Google Sheets) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-04-08]
CHR Extension: (Google Docs Offline) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-04-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-08]
CHR Extension: (Gmail) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-04-08]
CHR Extension: (Chrome Media Router) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-08]
CHR HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
R2 pcCMService64; C:\Program Files\Common Files\Motive\pcCMService.exe [460288 2013-05-07] (Alcatel-Lucent) [File not signed]
R2 pcServiceHost; C:\Program Files (x86)\Common Files\Motive\pcServiceHost.exe [342528 2013-05-07] (Alcatel-Lucent) [File not signed]
R2 PDF Architect Helper Service; C:\Program Files (x86)\PDF Architect\HelperService.exe [1320496 2013-04-08] (pdfforge GmbH)
R2 PDF Architect Service; C:\Program Files (x86)\PDF Architect\ConversionService.exe [799280 2013-04-08] (pdfforge GmbH)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.)
R2 WDDMService; C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [130048 2010-01-21] (WDC) [File not signed]
R2 WDSmartWareBackgroundService; C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [20480 2009-06-16] (Memeo) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-04-18] (Malwarebytes)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MREMP50a64; C:\Program Files\Common Files\Motive\MREMP50a64.SYS [43008 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R3 MRESP50a64; C:\Program Files\Common Files\Motive\MRESP50a64.SYS [40960 2013-05-07] (Printing Communications Assoc., Inc. (PCAUSA))
R3 NisDrv; C:\windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
S3 RTL8023x64; C:\windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-10] (Realtek Semiconductor Corporation                           )
R3 SuperIO; C:\windows\System32\DRIVERS\spio.sys [11848 2009-06-05] ()
R3 vmulti; C:\windows\System32\DRIVERS\vmulti.sys [10752 2014-09-16] (Windows ® Win 7 DDK provider)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-18 18:59 - 2017-04-18 19:07 - 00000000 ____D C:\FRST
2017-04-12 02:20 - 2017-03-27 14:13 - 00394448 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2017-04-12 02:20 - 2017-03-27 13:28 - 00346320 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2017-04-12 02:20 - 2017-03-25 15:39 - 20284416 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2017-04-12 02:20 - 2017-03-25 15:07 - 04604416 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2017-04-12 02:20 - 2017-03-25 15:06 - 13654016 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2017-04-12 02:20 - 2017-03-25 14:55 - 02767360 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2017-04-12 02:20 - 2017-03-25 14:52 - 02289152 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2017-04-12 02:20 - 2017-03-25 14:51 - 01313280 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2017-04-12 02:20 - 2017-03-25 14:48 - 00499200 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2017-04-12 02:20 - 2017-03-25 14:47 - 02055680 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2017-04-12 02:20 - 2017-03-25 14:47 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2017-04-12 02:20 - 2017-03-25 14:47 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00693248 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00130048 _____ (Microsoft Corporation) C:\windows\SysWOW64\occache.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2017-04-12 02:20 - 2017-03-25 14:46 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2017-04-12 02:20 - 2017-03-25 14:45 - 00416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2017-04-12 02:20 - 2017-03-25 14:45 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2017-04-12 02:20 - 2017-03-25 14:45 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2017-04-12 02:20 - 2017-03-25 14:45 - 00091136 _____ (Microsoft Corporation) C:\windows\SysWOW64\inseng.dll
2017-04-12 02:20 - 2017-03-25 14:45 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2017-04-12 02:20 - 2017-03-25 14:45 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2017-04-12 02:20 - 2017-03-25 14:45 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2017-04-12 02:20 - 2017-03-25 14:44 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2017-04-12 02:20 - 2017-03-25 14:44 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2017-04-12 02:20 - 2017-03-25 14:35 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2017-04-12 02:20 - 2017-03-25 14:35 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2017-04-12 02:20 - 2017-03-25 14:16 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2017-04-12 02:20 - 2017-03-25 14:14 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2017-04-12 02:20 - 2017-03-25 14:14 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2017-04-12 02:20 - 2017-03-25 14:13 - 00576512 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2017-04-12 02:20 - 2017-03-25 14:13 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2017-04-12 02:20 - 2017-03-25 14:10 - 02898432 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2017-04-12 02:20 - 2017-03-25 14:04 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2017-04-12 02:20 - 2017-03-25 14:02 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2017-04-12 02:20 - 2017-03-25 13:57 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2017-04-12 02:20 - 2017-03-25 13:56 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2017-04-12 02:20 - 2017-03-25 13:56 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2017-04-12 02:20 - 2017-03-25 13:56 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2017-04-12 02:20 - 2017-03-25 13:56 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2017-04-12 02:20 - 2017-03-25 13:52 - 25746944 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2017-04-12 02:20 - 2017-03-25 13:45 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2017-04-12 02:20 - 2017-03-25 13:41 - 06045696 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2017-04-12 02:20 - 2017-03-25 13:41 - 00489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2017-04-12 02:20 - 2017-03-25 13:30 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2017-04-12 02:20 - 2017-03-25 13:29 - 00107520 _____ (Microsoft Corporation) C:\windows\system32\inseng.dll
2017-04-12 02:20 - 2017-03-25 13:24 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2017-04-12 02:20 - 2017-03-25 13:23 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2017-04-12 02:20 - 2017-03-25 13:20 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2017-04-12 02:20 - 2017-03-25 13:19 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2017-04-12 02:20 - 2017-03-25 13:17 - 00152064 _____ (Microsoft Corporation) C:\windows\system32\occache.dll
2017-04-12 02:20 - 2017-03-25 13:06 - 00476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2017-04-12 02:20 - 2017-03-25 13:04 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2017-04-12 02:20 - 2017-03-25 13:00 - 00725504 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2017-04-12 02:20 - 2017-03-25 12:59 - 00806912 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2017-04-12 02:20 - 2017-03-25 12:57 - 02131456 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2017-04-12 02:20 - 2017-03-25 12:57 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2017-04-12 02:20 - 2017-03-25 12:28 - 15259136 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2017-04-12 02:20 - 2017-03-25 12:27 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2017-04-12 02:20 - 2017-03-25 12:24 - 03241472 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2017-04-12 02:20 - 2017-03-25 12:10 - 01546240 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2017-04-12 02:20 - 2017-03-25 12:01 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2017-04-12 02:20 - 2017-03-24 18:50 - 00405504 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2017-04-12 02:20 - 2017-03-24 18:42 - 00313344 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2017-04-12 02:20 - 2017-03-22 11:32 - 03165184 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
2017-04-12 02:20 - 2017-03-22 11:32 - 00192512 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
2017-04-12 02:20 - 2017-03-22 11:32 - 00098816 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
2017-04-12 02:20 - 2017-03-22 11:30 - 00091136 _____ (Microsoft Corporation) C:\windows\system32\WinSetupUI.dll
2017-04-12 02:20 - 2017-03-22 11:24 - 00174080 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll
2017-04-12 02:20 - 2017-03-22 11:17 - 02651136 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2017-04-12 02:20 - 2017-03-22 11:15 - 00709120 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
2017-04-12 02:20 - 2017-03-22 11:15 - 00140288 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
2017-04-12 02:20 - 2017-03-22 11:15 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\wups2.dll
2017-04-12 02:20 - 2017-03-22 11:15 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe
2017-04-12 02:20 - 2017-03-22 11:15 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\wups.dll
2017-04-12 02:20 - 2017-03-22 11:15 - 00012288 _____ (Microsoft Corporation) C:\windows\system32\wu.upgrade.ps.dll
2017-04-12 02:20 - 2017-03-22 11:05 - 00573440 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll
2017-04-12 02:20 - 2017-03-22 11:05 - 00093696 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll
2017-04-12 02:20 - 2017-03-22 11:05 - 00035328 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe
2017-04-12 02:20 - 2017-03-22 11:05 - 00030208 _____ (Microsoft Corporation) C:\windows\SysWOW64\wups.dll
2017-04-12 02:20 - 2017-03-14 11:34 - 00986344 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys
2017-04-12 02:20 - 2017-03-14 11:34 - 00265448 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgmms1.sys
2017-04-12 02:20 - 2017-03-14 11:30 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\cdd.dll
2017-04-12 02:20 - 2017-03-10 12:35 - 00382696 _____ (Adobe Systems Incorporated) C:\windows\system32\atmfd.dll
2017-04-12 02:20 - 2017-03-10 12:31 - 00100864 _____ (Microsoft Corporation) C:\windows\system32\fontsub.dll
2017-04-12 02:20 - 2017-03-10 12:31 - 00046080 _____ (Adobe Systems) C:\windows\system32\atmlib.dll
2017-04-12 02:20 - 2017-03-10 12:31 - 00041472 _____ (Microsoft Corporation) C:\windows\system32\lpk.dll
2017-04-12 02:20 - 2017-03-10 12:31 - 00014336 _____ (Microsoft Corporation) C:\windows\system32\dciman32.dll
2017-04-12 02:20 - 2017-03-10 12:27 - 00308456 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\atmfd.dll
2017-04-12 02:20 - 2017-03-10 12:20 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\lpk.dll
2017-04-12 02:20 - 2017-03-10 12:19 - 00070656 _____ (Microsoft Corporation) C:\windows\SysWOW64\fontsub.dll
2017-04-12 02:20 - 2017-03-10 12:19 - 00010240 _____ (Microsoft Corporation) C:\windows\SysWOW64\dciman32.dll
2017-04-12 02:20 - 2017-03-10 12:00 - 03219968 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2017-04-12 02:20 - 2017-03-10 11:53 - 00034304 _____ (Adobe Systems) C:\windows\SysWOW64\atmlib.dll
2017-04-12 02:20 - 2017-03-08 16:20 - 01133568 _____ (Microsoft Corporation) C:\windows\system32\cdosys.dll
2017-04-12 02:20 - 2017-03-08 16:10 - 00805376 _____ (Microsoft Corporation) C:\windows\SysWOW64\cdosys.dll
2017-04-12 02:20 - 2017-03-08 00:37 - 00631176 _____ (Microsoft Corporation) C:\windows\system32\winresume.efi
2017-04-12 02:20 - 2017-03-08 00:36 - 05548264 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2017-04-12 02:20 - 2017-03-08 00:36 - 00706792 _____ (Microsoft Corporation) C:\windows\system32\winload.efi
2017-04-12 02:20 - 2017-03-08 00:36 - 00154856 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2017-04-12 02:20 - 2017-03-08 00:36 - 00095464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2017-04-12 02:20 - 2017-03-08 00:34 - 01732864 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 02064384 _____ (Microsoft Corporation) C:\windows\system32\ole32.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 01212928 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 01163264 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00880640 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00730624 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00463872 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00419840 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00345600 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00312320 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00215552 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00190464 _____ (Microsoft Corporation) C:\windows\system32\rpchttp.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00123904 _____ (Microsoft Corporation) C:\windows\system32\bcrypt.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00063488 _____ (Microsoft Corporation) C:\windows\system32\setbcdlocale.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00059904 _____ (Microsoft Corporation) C:\windows\system32\appidapi.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00044032 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\cryptbase.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00034816 _____ (Microsoft Corporation) C:\windows\system32\appidsvc.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00028672 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:26 - 04000488 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2017-04-12 02:20 - 2017-03-08 00:26 - 03945192 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2017-04-12 02:20 - 2017-03-08 00:24 - 01314112 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 01416192 _____ (Microsoft Corporation) C:\windows\SysWOW64\ole32.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00666112 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00553472 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00275456 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00261120 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00254464 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00223232 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00141312 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpchttp.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00082944 _____ (Microsoft Corporation) C:\windows\SysWOW64\bcrypt.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2017-04-12 02:20 - 2017-03-08 00:22 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00644096 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00342528 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00050688 _____ (Microsoft Corporation) C:\windows\SysWOW64\appidapi.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:21 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2017-04-12 02:20 - 2017-03-08 00:03 - 00148480 _____ (Microsoft Corporation) C:\windows\system32\appidpolicyconverter.exe
2017-04-12 02:20 - 2017-03-08 00:03 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2017-04-12 02:20 - 2017-03-08 00:03 - 00062464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\appid.sys
2017-04-12 02:20 - 2017-03-08 00:03 - 00017920 _____ (Microsoft Corporation) C:\windows\system32\appidcertstorecheck.exe
2017-04-12 02:20 - 2017-03-08 00:00 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
2017-04-12 02:20 - 2017-03-07 23:59 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2017-04-12 02:20 - 2017-03-07 23:57 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2017-04-12 02:20 - 2017-03-07 23:56 - 00291328 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb10.sys
2017-04-12 02:20 - 2017-03-07 23:56 - 00159744 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2017-04-12 02:20 - 2017-03-07 23:56 - 00129536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb20.sys
2017-04-12 02:20 - 2017-03-07 23:55 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2017-04-12 02:20 - 2017-03-07 23:55 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2017-04-12 02:20 - 2017-03-07 23:54 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2017-04-12 02:20 - 2017-03-07 23:54 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2017-04-12 02:20 - 2017-03-07 23:54 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2017-04-12 02:20 - 2017-03-07 23:54 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2017-04-12 02:20 - 2017-03-07 23:53 - 00036352 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptbase.dll
2017-04-12 02:20 - 2017-03-07 23:53 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2017-04-12 02:20 - 2017-03-07 23:53 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2017-04-12 02:20 - 2017-03-07 23:53 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2017-04-12 02:20 - 2017-03-07 23:53 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2017-04-12 02:20 - 2017-03-07 12:30 - 00085504 _____ (Microsoft Corporation) C:\windows\system32\asycfilt.dll
2017-04-12 02:20 - 2017-03-07 12:17 - 00067584 _____ (Microsoft Corporation) C:\windows\SysWOW64\asycfilt.dll
2017-04-12 02:20 - 2017-03-03 21:27 - 01574912 _____ (Microsoft Corporation) C:\windows\system32\quartz.dll
2017-04-12 02:20 - 2017-03-03 21:27 - 00093696 _____ (Microsoft Corporation) C:\windows\system32\mfmjpegdec.dll
2017-04-12 02:20 - 2017-03-03 21:14 - 01329664 _____ (Microsoft Corporation) C:\windows\SysWOW64\quartz.dll
2017-04-12 02:20 - 2017-03-03 21:14 - 00077312 _____ (Microsoft Corporation) C:\windows\SysWOW64\mfmjpegdec.dll
2017-04-12 02:20 - 2017-02-14 12:33 - 00757248 _____ (Microsoft Corporation) C:\windows\system32\win32spl.dll
2017-04-12 02:20 - 2017-02-14 12:19 - 00497664 _____ (Microsoft Corporation) C:\windows\SysWOW64\win32spl.dll
2017-04-12 02:20 - 2017-02-11 12:33 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2017-04-12 02:20 - 2017-02-11 12:16 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2017-04-12 02:20 - 2017-02-09 12:32 - 00769536 _____ (Microsoft Corporation) C:\windows\system32\samsrv.dll
2017-04-12 02:20 - 2017-02-09 12:32 - 00106496 _____ (Microsoft Corporation) C:\windows\system32\samlib.dll
2017-04-12 02:20 - 2017-02-09 12:14 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\samlib.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00994760 _____ (Microsoft Corporation) C:\windows\system32\ucrtbase.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00063840 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-private-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00020832 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00019808 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00017760 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00017760 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00016224 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00015712 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00014176 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00014176 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00013664 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012640 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-process-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012640 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012640 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012128 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012128 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012128 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012128 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00012128 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00011616 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00011616 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00011616 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l2-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:36 - 00011608 _____ (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-2-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00922432 _____ (Microsoft Corporation) C:\windows\SysWOW64\ucrtbase.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00066400 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00022368 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00019808 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00017760 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00017760 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00016224 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00015712 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00014176 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00014176 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00013664 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012640 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012640 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012640 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012128 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012128 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012128 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012128 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00012128 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00011616 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00011616 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00011616 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll
2017-04-12 02:20 - 2017-01-18 11:35 - 00011616 _____ (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll
2017-04-08 18:18 - 2017-04-08 18:18 - 00002271 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-08 18:18 - 2017-04-08 18:18 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-04-02 15:36 - 2017-04-02 15:36 - 00000000 ____D C:\Users\dburkhead\Downloads\Worth the Pain [Explicit] - Letters from the Fire
2017-04-02 12:20 - 2017-04-02 12:24 - 105435161 _____ C:\Users\dburkhead\Downloads\Worth the Pain [Explicit] - Letters from the Fire.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-18 18:26 - 2015-10-20 13:23 - 00000546 _____ C:\windows\Tasks\G2MUpdateTask-S-1-5-21-3910636834-3735429815-1665592217-1001.job
2017-04-18 17:38 - 2015-10-20 13:24 - 00000642 _____ C:\windows\Tasks\G2MUploadTask-S-1-5-21-3910636834-3735429815-1665592217-1001.job
2017-04-18 15:47 - 2017-02-18 21:58 - 00000000 ___RD C:\Users\dburkhead\Google Drive
2017-04-18 10:55 - 2016-11-16 21:24 - 00000000 ____D C:\Users\dburkhead\AppData\LocalLow\Mozilla
2017-04-18 10:55 - 2015-07-19 14:02 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-18 07:55 - 2009-07-14 00:45 - 00017952 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-04-18 07:55 - 2009-07-14 00:45 - 00017952 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

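The FRST listing posted above is the kind of log a helper reads by eye, line after line. The script below is an added example, not part of the original post and not a tool shipped with FRST: it parses lines in that "created - modified - size attrs (company) path" format and flags the entries a first triage pass would look at before the rest (executables with no publisher string, executables in user-writable locations, hidden files outside the Windows directory, scheduled-task .job files). The sample lines inside it are constructed for the example: the first three are copied from the listing above, the others are invented, and the user name "example" is a placeholder. The rules are assumptions about what is worth a second look, not a verdict on any file.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One FRST "created/modified" listing line looks like:
#   <created> - <modified> - <size> <attrs> [(<company>) ]<path>
# where <attrs> is a fixed 5-character field (D = directory, H = hidden, R = read-only, ...).
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"      # optional company name from the version resource
    r"(?P<path>\S.*?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv", ".com")
# Locations a standard user (or anything running as that user) can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def is_hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def is_exec(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)

    @property
    def in_user_writable(self) -> bool:
        return any(marker in self.path.lower() for marker in USER_WRITABLE)

    @property
    def under_windows(self) -> bool:
        return self.path.lower().startswith("c:\\windows\\")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers, blanks and anything else."""
    m = FRST_LINE.match(line)
    if not m:
        return None
    return Entry(
        created=m["created"],
        modified=m["modified"],
        size=int(m["size"]),
        attrs=m["attrs"],
        company=m["company"],   # None when FRST printed no company name
        path=m["path"],
    )


def reasons_for(e: Entry) -> list[str]:
    """Triage rules (assumed for this example): each is a reason to look at the entry first."""
    out: list[str] = []
    if e.is_exec and not e.company:
        out.append("executable without publisher string")
    if e.is_exec and e.in_user_writable:
        out.append("executable in user-writable location")
    if e.is_hidden and not e.under_windows:
        out.append("hidden file outside %SystemRoot%")
    if e.path.lower().endswith(".job"):
        out.append("scheduled task job file; verify its target")
    return out


def triage(log_text: str) -> dict[str, list[str]]:
    """Map each flagged path to the list of reasons it was flagged."""
    flagged: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


# Constructed sample: the first three lines are copied from the listing in this thread,
# the remaining ones are invented for the example (user name "example" is a placeholder).
SAMPLE_LOG = r"""
2017-04-12 02:20 - 2017-03-25 13:56 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2017-04-12 02:20 - 2017-03-08 00:33 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2017-04-08 18:18 - 2017-04-08 18:18 - 00002259 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-04-18 18:26 - 2015-10-20 13:23 - 00000546 _____ C:\windows\Tasks\UpdateTask-S-1-5-21-1111-2222-3333-1001.job
2017-04-10 09:12 - 2017-04-10 09:12 - 00045056 ____H C:\Users\example\AppData\Roaming\svc_update.exe
2017-04-11 22:40 - 2017-04-11 22:40 - 00098304 _____ C:\ProgramData\Helper\helper.dll
"""

if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

Run it against a saved FRST.txt by passing the file's text to triage(); the hidden api-ms-win-* stubs under system32 are deliberately left alone by the "hidden" rule, since those are normal on a patched Windows 7, while the same attribute on a file in a user profile is worth a look.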
#2 Android 8888

    SWI Malware Tracker

  • Helper
  • 865 posts

Posted 20 April 2017 - 08:55 AM

Hello TheWriterInBlack.
Welcome to SpywareInfo Forum.
I'm Android 8888 and I'll be helping you. Please ask questions if anything is unclear.


First we will try to rid your computer of malware and then we will deal with the USB ports issue.


I see you have User Account Control (UAC) disabled.
This is an important security feature which helps prevent malware and other unwanted software from being installed on your computer.
I strongly suggest you keep it enabled. See this link for instructions on how to enable it: How to Disable/Enable User Account Control
 
 

You have a P2P (Peer-to-Peer) file sharing program installed (Torrent). I highly recommend that you consider uninstalling it. P2P programs represent a security threat to the information on your system as they allow others to access your system. Please read the article below on the dangers of peer-2-peer programs and file sharing.

Risks of File-Sharing Technology

In many cases P2P programs also represent a risk of infection from the program itself, as some have installed adware/spyware, or other programs without consent. Even if the program itself is clean, many P2P networks are riddled with malware, and it's often the newest, most difficult to remove malware. There are many risks associated with P2P programs, none are worth the risks. If you don't uninstall the P2P software, we will continue to clean your system, but realize that it's likely only a matter of time before you are infected again.

I would recommend that you uninstall Torrent, however that choice is up to you. If you choose to remove this program, you can do so via Start > Control Panel > Programs and Features
If you wish to keep it, please do not use it until your computer is cleaned.
 


I see that you may have previously run ComboFix. This is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for unsupervised use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as a non-bootable system.
 
 

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.
Please copy the entire contents of the Quote box below. To do this highlight the contents of the box and right click on it and select Copy. Note: Do not include the word "Quote".
Paste this into the open Notepad.
 

Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Hosts:
HKLM-x32\...\Run: [ODT To Doc Converter Software.exe] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL =
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
FF HKLM-x32\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker => not found
FF Plugin-x32: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-08]
CHR Extension: (Chrome Media Router) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-08]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.32.8\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {0FDF812B-47C4-4839-8612-FAF78921F6EA} - System32\Tasks\{73EEBE9F-C944-4EF6-A89C-596C66C60AE5} => pcalua.exe -a C:\Users\dburkhead\Downloads\Security\HJT\HijackThis.exe -d C:\Users\dburkhead\Downloads\Security\HJT
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
End


Save the file as fixlist.txt into the same place as FRST64. In your case it will be within the Security folder.
Right-click the FRST64 icon and select Run as administrator to start the tool.
Click the Fix button only once and wait.
When finished FRST will generate a log on the Desktop (fixlog.txt). Please post it to your reply.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.


Please download AdwCleaner by Xplode and save it to your Desktop.

  • Close all open programs and internet browsers.
  • Double-click on the icon to start the tool.
  • Click Yes to accept any security warnings that may appear.
  • Click I Agree on the disclaimer to accept the Terms of Use.
  • Click the Scan button to start the scan and wait for the process to complete.
  • Click the Logfile button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file in your next reply.
  • You can find the log file at C:\AdwCleaner[Cn].txt (n is a number, the highest number is the most recent).

You are running an outdated version of Malwarebytes. Please read the instructions below and make a clean install of Malwarebytes from version 2 to version 3.

Download MBAM-clean and save it to your computer Desktop.
 
Right-click on mbam-clean.exe icon and select Run as administrator to start the tool.
It will ask you to reboot the machine - please do so.
Run the MBAM-clean tool again and reboot when complete. NOTE: DO NOT miss this step.

If you have lost the activation licence key information it can be located here

Download Malwarebytes version 3 from here and save it to your Desktop or anywhere else on your system, as long as you know where it is located.

Double click on the installer and follow the prompts to install the program. If necessary select the blue Help tab for video instructions.

When the install completes and is updated do the following:

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Then select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on.
  • Go back to DashBoard and select the blue Scan Now tab.
  • When the scan completes deal with any found entries.
  • Select Export Summary and then Text File (*.txt). Give a name to the log and save it;
  • Please copy and paste the entire content of that log in your next reply.

Please download Farbar Service Scanner by Farbar and save it to your Desktop.

Right-click the file and select Run as administrator to start the tool;
Click Yes to accept the UAC warning that may appear;

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center / Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

To summarize please post the contents of:
fixlog.txt produced by FRST;
AdwCleaner clean log;
Malwarebytes log;
FSS.txt log.

Let me know if you were able to turn on the User Account Control and tell me how the computer is running at this point. Are the programs still locking up?

Thank you.

 

Android 8888


Android 8888
 

Website: http://android8888.comlu.com

 

Tavira - Here's where I live!

 

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.


#3 TheWriterInBlack

TheWriterInBlack

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 20 April 2017 - 05:41 PM

I think I'll break my response into a couple of messages as I proceed through the recommendations.

 

User Account Control set to "Don't notify me when I change..."

 

utorrent uninstalled (I haven't used it in forever anyway)



#4 TheWriterInBlack

TheWriterInBlack

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 20 April 2017 - 06:02 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-04-2017
Ran by dburkhead (20-04-2017 18:45:53) Run:1
Running from C:\Users\dburkhead\Desktop\Security
Loaded Profiles: dburkhead & Backup (Available Profiles: dburkhead & Backup)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
Hosts:
HKLM-x32\...\Run: [ODT To Doc Converter Software.exe] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM-x32 -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL =
BHO-x32: No Name -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> No File
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
FF HKLM-x32\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker => not found
FF Plugin-x32: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-04-08]
CHR Extension: (Chrome Media Router) - C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-08]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.32.8\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\dburkhead\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {0FDF812B-47C4-4839-8612-FAF78921F6EA} - System32\Tasks\{73EEBE9F-C944-4EF6-A89C-596C66C60AE5} => pcalua.exe -a C:\Users\dburkhead\Downloads\Security\HJT\HijackThis.exe -d C:\Users\dburkhead\Downloads\Security\HJT
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ODT To Doc Converter Software.exe => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} => key removed successfully
HKCR\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => key removed successfully
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value removed successfully
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => key not found.
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => value removed successfully
HKCR\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => key not found.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB} => value removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@checkpoint.com/FFApi => key removed successfully
C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\WinDefend => key removed successfully
WinDefend => service removed successfully
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully
catchme => service removed successfully
HKLM\System\CurrentControlSet\Services\MREMPR5 => key removed successfully
MREMPR5 => service removed successfully
HKLM\System\CurrentControlSet\Services\MRENDIS5 => key removed successfully
MRENDIS5 => service removed successfully
HKLM\System\CurrentControlSet\Services\RtsUIR => key removed successfully
RtsUIR => service removed successfully
HKLM\System\CurrentControlSet\Services\USBCCID => key removed successfully
USBCCID => service removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856} => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4} => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247} => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA} => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0FDF812B-47C4-4839-8612-FAF78921F6EA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0FDF812B-47C4-4839-8612-FAF78921F6EA} => key removed successfully
C:\windows\System32\Tasks\{73EEBE9F-C944-4EF6-A89C-596C66C60AE5} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{73EEBE9F-C944-4EF6-A89C-596C66C60AE5} => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Classes\exefile => key removed successfully
HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\Classes\.exe => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 39496192 B
Java, Flash, Steam htmlcache => 210394 B
Windows/system/drivers => 9153703 B
Edge => 0 B
Chrome => 13135662 B
Firefox => 415962352 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 176825 B
systemprofile32 => 480252430 B
LocalService => 3629660 B
NetworkService => 216670734 B
dburkhead => 4097786085 B
Backup => 371443 B

RecycleBin => 6158492727 B
EmptyTemp: => 10.7 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:53:24 ====



#5 TheWriterInBlack

TheWriterInBlack

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 20 April 2017 - 07:52 PM

# AdwCleaner v6.045 - Logfile created 20/04/2017 at 19:07:49
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-19.2 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : dburkhead - DBHOME2
# Running from : C:\Users\dburkhead\Desktop\Security\adwcleaner_6.045.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Users\dburkhead\AppData\Local\Best Buy pc app
[-] Folder deleted: C:\ProgramData\Best Buy pc app
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Best Buy pc app
[-] Folder deleted: C:\ProgramData\Ask
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Ask
[-] Folder deleted: C:\Program Files (x86)\TidyNetwork
[-] Folder deleted: C:\windows\SysWOW64\config\systemprofile\AppData\LocalLow\GamingWonderland


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****

[-] Task deleted: Best Buy pc app


***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Buy pc app
[#] Key deleted on reboot: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Buy pc app_is1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{25A3A431-30BB-47C8-AD6A-E1063801134F}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25A3A431-30BB-47C8-AD6A-E1063801134F}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{25A3A431-30BB-47C8-AD6A-E1063801134F}
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{25A3A431-30BB-47C8-AD6A-E1063801134F}]
[-] Key deleted: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\APN PIP
[-] Key deleted: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\PIP
[-] Key deleted: HKU\S-1-5-21-3910636834-3735429815-1665592217-1001\Software\YahooPartnerToolbar
[#] Key deleted on reboot: HKCU\Software\APN PIP
[#] Key deleted on reboot: HKCU\Software\PIP
[#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
[-] Key deleted: HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key deleted: HKLM\SOFTWARE\PIP
[#] Key deleted on reboot: [x64] HKCU\Software\APN PIP
[#] Key deleted on reboot: [x64] HKCU\Software\PIP
[#] Key deleted on reboot: [x64] HKCU\Software\YahooPartnerToolbar


***** [ Web browsers ] *****

[-] [C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\dburkhead\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3257 Bytes] - [20/04/2017 19:07:49]
C:\AdwCleaner\AdwCleaner[S0].txt - [3260 Bytes] - [20/04/2017 19:07:06]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3403 Bytes] ##########
 



#6 TheWriterInBlack

TheWriterInBlack

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 20 April 2017 - 08:22 PM

And Malwarebytes removed and updated.  Updated downloading.  Scanning now.



#7 TheWriterInBlack

TheWriterInBlack

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 20 April 2017 - 09:17 PM

And to finish up this round:

The new version of Malwarebytes found nothing.

 

Farbar Service Scanner Version: 27-01-2016
Ran by dburkhead (administrator) on 20-04-2017 at 22:13:06
Running from "C:\Users\dburkhead\Desktop\Security"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.



File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



#8 TheWriterInBlack

TheWriterInBlack

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 20 April 2017 - 09:40 PM

And, it took me a bit to see because the problem is intermittent, but the programs are still freezing. Generally everything freezes all at once. A typical example is FireFox, Thunderbird (both of which I have on pretty much constantly--except occasionally shutting down and restarting FireFox because there seems to be a memory leak), and Adobe Reader. All three will freeze and start responding again together. Strangely enough, when other things are frozen, if I have task manager working it's still functional, but if I try to stop one of the processes (FireFox say) the process won't actually stop until the programs start responding again.



#9 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • PipPipPipPipPip
  • 865 posts

Posted 21 April 2017 - 09:21 AM

Hello TheWriterInBlack.

There are some important Services not running or missing in your System, such as Windows Firewall and Windows Defender. Most likely this was caused by an infection, so before we try to fix them we need to ensure the computer is clean.

 

Please perform the following scan with ESET Online Scanner. This is a very thorough scan and it may take some time to complete depending on the number of system files and programs installed on your drive.

  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.


Next,

Please perform the instructions in the following link and clear the history, cache and cookies of Firefox browser:
https://kb.wisc.edu/...ge.php?id=17504


Reset the Firefox browser:
https://support.mozi...es-fix-problems


Please post the ESET log (if it produced one) and let me know how the computer is running now.


Thank you.

 

Android 8888


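The helper's point above rests on the Farbar Service Scanner output in post #7: the registry keys for the MpsSvc (Windows Firewall), WinDefend and iphlpsvc services are absent, and the Windows Defender policy value DisableAntiSpyware is set to 1. The following PowerShell script is an added, read-only check that reproduces those findings directly on the machine, so the state can be re-verified after each cleaning step without yet changing anything (the helper deliberately defers repairs until the system is confirmed clean). It is not code from the thread or from the Farbar tools; the function names Get-ServiceKeyState and Get-DefenderDisablePolicy are this example's own, while the service names and the DisableAntiSpyware value come from the FSS log, and mpsdrv is included as a healthy reference because FSS reported its key as OK.

```powershell
# Added example, not part of the thread. Read-only inspection of the service
# keys that Farbar Service Scanner flagged as missing (MpsSvc, WinDefend,
# iphlpsvc), with mpsdrv as a known-good comparison, plus the Defender policy
# value the scanner printed. No registry values are written.

# Meaning of the "Start" DWORD under a service key.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceKeyState {
    param([Parameter(Mandatory)][string[]]$Name)

    foreach ($svc in $Name) {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

        if (-not (Test-Path -Path $keyPath)) {
            # This is the condition FSS reports as "The service key does not exist."
            [pscustomobject]@{
                Service    = $svc
                KeyExists  = $false
                Start      = $null
                ImagePath  = $null
                ServiceDll = $null
                Status     = 'KEY MISSING'
            }
            continue
        }

        $key    = Get-ItemProperty -Path $keyPath
        $params = Join-Path -Path $keyPath -ChildPath 'Parameters'

        # svchost-hosted services keep their DLL under Parameters\ServiceDll.
        $dll = $null
        if (Test-Path -Path $params) {
            $dll = (Get-ItemProperty -Path $params).ServiceDll
        }

        $start = $null
        if ($null -ne $key.Start) {
            $start = $StartTypes[[int]$key.Start]
        }

        $scmStatus = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        $status = 'NOT RUNNING'
        if ($scmStatus) { $status = "$scmStatus" }

        [pscustomobject]@{
            Service    = $svc
            KeyExists  = $true
            Start      = $start
            ImagePath  = $key.ImagePath
            ServiceDll = $dll
            Status     = $status
        }
    }
}

function Get-DefenderDisablePolicy {
    # FSS printed "DisableAntiSpyware"=DWORD:1 under this key.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    if (-not (Test-Path -Path $policyKey)) { return $null }
    (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableAntiSpyware
}

# Usage: run from an elevated PowerShell prompt on the affected machine.
Get-ServiceKeyState -Name 'mpsdrv', 'MpsSvc', 'WinDefend', 'iphlpsvc' | Format-Table -AutoSize

$disabled = Get-DefenderDisablePolicy
if ($disabled -eq 1) {
    Write-Warning 'DisableAntiSpyware is 1: Windows Defender is switched off by policy, as FSS reported.'
} else {
    Write-Output "DisableAntiSpyware value: $disabled (null means the value is not set)"
}
```

On the system described in the thread the table would show KEY MISSING for MpsSvc, WinDefend and iphlpsvc and a normal row for mpsdrv, matching the FSS log; once the services have been restored in a later step, re-running the same script confirms the keys, ImagePath and ServiceDll values are back and the Defender policy value is cleared.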


#10 TheWriterInBlack

TheWriterInBlack

    Member

  • Full Member
  • Pip
  • 19 posts

Posted 22 April 2017 - 11:04 AM

Eset seems to have frozen somewhere between 2/3 and 3/4 of the way through--stuck on one file (a zip file containing Mp3 and jpg files) for about an hour.  I've aborted that run so that I could turn my antivirus back on to go online and report this result.  Unless I hear otherwise from you I'll try again later.



#11 Android 8888

Android 8888

    SWI Malware Tracker

  • Helper
  • PipPipPipPipPip
  • 865 posts

Posted 22 April 2017 - 04:18 PM

Hello TheWriterInBlack.

Okay, leave ESET for now and try the following tool.


Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.

Note: Whenever necessary, the log will be in the following location:

C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 

 

Please post the entire content of the SVRT log in your next reply and let me know how the computer is running at this point.

Thank you.


Android 8888
 



#12 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 22 April 2017 - 04:24 PM

Okay, I'll set that up for an overnight run.  BTW, Eset had found and cleaned 7 infected files but in aborting it I either missed or prevented getting a log.



#13 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 23 April 2017 - 08:28 AM

Sophos Virus Removal Tool completed successfully and found no threats (I presume the 7 that ESET found and cleaned were, then, the extent of it).

Antivirus turned back on.

I also cleared cache and cookies, and reset firefox as mentioned above.

Will now test system to see if the freezing problem recurs.



#14 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 23 April 2017 - 11:21 AM

And I have just had a freezing issue that lasted about two minutes so that problem is not resolved.  When it happened I had just made an update to my Wordpress blog (in case what I was doing is relevant).  Task Manager showed I was at 3.14 GB in memory usage but at only modest CPU usage.  One thing I note is that in processes I was seeing two instances of the Firefox process:  one at just over 500,000 kB and one at just under 300,000 kB.



#15 Android 8888 (SWI Malware Tracker; Helper, 865 posts)
Posted 23 April 2017 - 06:59 PM

Hello TheWriterInBlack.

 

Sophos virus removal tool completed successfully and found no threats

That's great.

 

Now please try the following tool.

 

NOTE: DO NOT remove any entries found. They are not all malicious and need to be carefully analyzed.

Download RogueKiller 32/64 Bits Installer (setup.exe) by Tigzy and save it to your Desktop.

  • Right click on the file setup.exe and select Run as administrator to install the tool.
  • Click Yes to accept any security warnings that may appear.
  • Choose the installation language and click OK.
  • Checkmark "Install 32 and 64 bits versions" and click Next. Follow the steps to install the tool.
  • Now close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.

Please copy and paste the contents of RKlog.txt to your next reply for my review.

Thank you.

Android 8888




#16 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 24 April 2017 - 12:46 AM

Ack! I stepped out for a bit while this was running and when I came back the program window was gone and now neither keyboard nor mouse respond!!!

#17 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 24 April 2017 - 07:02 AM

By switching to an old PS/2 keyboard (vs. the USB keyboard I'd had) and mouse and then forcing a power off so I could reboot, I was able to get access to the computer (previous reply sent using my phone).



#18 Android 8888 (SWI Malware Tracker; Helper, 865 posts)
Posted 24 April 2017 - 10:48 AM

Hello TheWriterInBlack.
 
Please download Malwarebytes Anti-Rootkit BETA and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the check-boxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;

Please open that text file and copy/paste its entire contents in your next reply and note any errors encountered.

 

Thank you.


Android 8888
 



#19 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 24 April 2017 - 09:39 PM

"Scan finished.  No malware found!"



#20 Android 8888 (SWI Malware Tracker; Helper, 865 posts)
Posted 25 April 2017 - 06:42 AM

Hello TheWriterInBlack
 
 

"Scan finished.  No malware found!"

That's a good sign. It appears your computer is free of malware.

 

 

Now we will try to fix some Windows Services that are not working well and that can be the cause of some of the issues that you are having on your System.
 
 
NOTE: Before following the steps below, please disable your Antivirus software or any other real-time security software that you have enabled so it cannot interfere with the following repairs.

  • Download the portable version of Windows Repair All-In-One;
  • Move the file (archive) to your Desktop, and extract it there;
  • Now boot in Safe Mode with Networking;
  • Go into the tweaking.com_windows_repair_aio folder, then the Tweaking.com - Windows Repair folder, right-click on Repair_Windows.exe and select Run as Administrator;
  • Click Yes to accept the User Account Control security warning;
  • On the top bar go to the Step 3: Optional tab and click Open Check Disk At Next Boot;
  • It will open a window named "Check Disk (chkdsk) At Next Boot";
  • Click the Add To Next Boot button;
  • Close that window and click on the Reboot to Safe Mode button; when starting up it will run Check Disk on your drive;
  • When the Check Disk is complete, and once in Safe Mode, open Windows Repair All-In-One;
  • Go to the Step 4: Optional tab and select the Do It button to run System File Checker (SFC) on your system;
  • When the SFC is complete go to the +Repairs tab and click the Open Repairs button;
  • Let the Registry backup complete, and move on to the check-list window;
  • Leave all the items checked by default;
  • Click on the Start Repairs button and let the scan execute;
  • If you are prompted with a Security Warning, allow it to go through;
  • Once the repairs are complete, it will ask you to restart your computer; please do it;

 

 

Next, and after restarting the computer in Normal Mode, please proceed as follows:

 

Right-click on the Farbar Service Scanner icon and select Run as administrator to start the tool.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center / Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

 

In your next reply please post the contents of FSS.txt and describe in detail how the computer is running and what issues you are having at this point.
 
Thank you.


Android 8888
 



#21 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 25 April 2017 - 09:52 PM

As of this moment the USB keyboard is not working.  The external hard drive and my primary use thumb drive do not raise the "This device can perform faster" warning I've received before, but that has been intermittent.  A different thumb drive, plugged into a USB hub, also seems to be working properly.

So far I have not had any "Not responding" freezes on software but, again, it is an intermittent problem so it will take some time to see if that's really gone away.

 

The log:

Farbar Service Scanner Version: 27-01-2016
Ran by dburkhead (administrator) on 25-04-2017 at 22:43:40
Running from "C:\Users\dburkhead\Desktop\Security"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
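The FSS log above is, underneath, a handful of registry reads and signature checks. As an added example (my own, not FSS's code and not from the thread), here are the same checks reproduced read-only in PowerShell, runnable from an elevated prompt on Windows 7 or later. The registry paths are the documented Windows service and policy locations and are assumed to be what FSS reads; the file list is a subset of the log's. Two caveats when reading such a log: `DisableAntiSpyware=1` under `HKLM\SOFTWARE\Microsoft\Windows Defender` is commonly set on Windows 7 when a third-party antivirus takes over, so with the poster's own AV active it is expected rather than a finding (worth confirming it was the AV that set it), and `Get-AuthenticodeSignature` on older PowerShell builds does not consult signature catalogs, so a genuine catalog-signed system file can show NotSigned and should be confirmed with Sysinternals sigcheck before it is read as tampering.

```powershell
# Added example (not from the thread, and not FSS's own code): the checks that
# Farbar Service Scanner reports above, reproduced read-only in PowerShell.
# Run from an elevated prompt. Assumption: the registry paths are the documented
# Windows service/policy locations, which is what FSS is taken to read.

$startMap = @{ 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

function Get-ServiceConfig {
    # Mirrors the "Service is not running / start type / ImagePath / ServiceDll"
    # lines of the log for one service.
    param([string]$Name, [string]$ExpectedStart)
    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $cfg    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    $svc    = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status = 'MISSING'; if ($svc)    { $status = [string]$svc.Status }
    $start  = 'MISSING'; if ($cfg)    { $start  = $startMap[[int]$cfg.Start] }
    $image  = $null;     if ($cfg)    { $image  = $cfg.ImagePath }
    $dll    = $null;     if ($params) { $dll    = $params.ServiceDll }
    New-Object PSObject -Property @{
        Service    = $Name
        Status     = $status
        StartType  = $start
        StartOK    = ($start -eq $ExpectedStart)   # FSS prints "OK" when it matches the default
        ImagePath  = $image
        ServiceDll = $dll
    }
}

function Get-DisabledPolicy {
    # Mirrors the "... Disabled Policy" sections. A value of 1 means the feature
    # is switched off by policy; an absent value is the normal state.
    $checks = @(
        @{ Feature = 'Windows Defender';          Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                  Value = 'DisableAntiSpyware' },
        @{ Feature = 'Windows Defender (policy)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';         Value = 'DisableAntiSpyware' },
        @{ Feature = 'Windows Update (policy)';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Value = 'NoAutoUpdate' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $data = '(not set)'; if ($item) { $data = $item.($c.Value) }
        New-Object PSObject -Property @{ Feature = $c.Feature; Key = $c.Path; Value = $c.Value; Data = $data }
    }
}

function Test-ActionCenterIcon {
    # Mirrors the "Action Center Notification Icon" check: the shell service object
    # for the tray icon must exist under ShellServiceObjects (missing in the log above).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}'
    if (Test-Path $key) {
        $auto = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoStart
        return "Action Center icon key present; AutoStart = '$auto'"
    }
    return 'Action Center icon key is MISSING'
}

function Test-SystemFileSignatures {
    # Mirrors the "File Check" section. Caveat: older PowerShell builds do not look
    # up catalog signatures, so a genuine catalog-signed system file can show
    # NotSigned here; confirm with Sysinternals sigcheck before calling it tampered.
    param([string[]]$Files)
    foreach ($f in $Files) {
        $sig    = Get-AuthenticodeSignature -FilePath $f
        $signer = $null; if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{ File = $f; Status = [string]$sig.Status; Signer = $signer }
    }
}

# --- run everything ---------------------------------------------------------
'wuauserv', 'WinDefend' | ForEach-Object { Get-ServiceConfig -Name $_ -ExpectedStart 'Auto' } | Format-List
Get-DisabledPolicy | Format-Table Feature, Value, Data -AutoSize
Test-ActionCenterIcon
Test-SystemFileSignatures -Files @(
    "$env:SystemRoot\System32\wuaueng.dll",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\drivers\tcpip.sys",
    "$env:ProgramFiles\Windows Defender\MpSvc.dll"
) | Format-Table Status, File -AutoSize
```

Everything here is a read; nothing is changed, so it is safe to run before and after a repair to see exactly what moved. A `Demand` start type on WinDefend alongside the `DisableAntiSpyware` value is the pair you would expect to see together when another product has disabled Defender.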



#22 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 25 April 2017 - 10:02 PM

And just had Firefox go "Not responding" for about three minutes.



#23 Android 8888 (SWI Malware Tracker; Helper, 865 posts)
Posted 26 April 2017 - 08:37 AM

Hello TheWriterInBlack.

 

Okay, let's deal with one issue at a time. First we will try to fix the Windows Services which are still not running and also the Firefox freezes and then we will deal with the USB port issue and the Keyboard.


Now, please perform the following instructions in the order listed:


Backup the Registry:

Please download ERUNT from here
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Right-click on erunt-setup.exe and select Run as administrator.
Click on Yes to accept the User Account Control security warning.
Select the language and click OK.
Click on Next to install ERUNT by following the prompts.

 

Start ERUNT either by right clicking on the Desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup. You can leave it as it is by default.
Note: The default location is C:\Windows\ERDNT\Today's date which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK.
Then click on YES to create the folder.
Note: if it is necessary to restore the Registry, open the backup folder and start ERDNT.exe



Open Notepad. Inside the Notepad file, copy and paste the text below:
 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
"AutoStart"=""

Give the name ActionCenterIcon.reg to the file and save it to your computer's Desktop.
Right-click the ActionCenterIcon.reg file and Select Merge.

 

Restart the computer.

 

 

 

Open up an Elevated Command Prompt by clicking on Start > All Programs > Accessories. You will now see a shortcut labeled Command Prompt;
Right-click on it and select Run as administrator;
Click Yes to accept the User Account Control warning that may appear;
A Command Prompt window opens up to C:\Windows\System32>_

Type regsvr32 ActionCenter.dll and press <ENTER> (Note: There is a space between the number '32' and the 'A' letter).

Type Exit and hit Enter to close the Command Prompt window.

Restart the computer.



Next,

Read carefully the instructions in the following link, go to >>OPTION THREE<< and perform the steps 1 to 6.
https://www.sevenforums.com/tutorials/91738-windows-update-reset.html



Next,

Delete the old FSS.txt log.

Right-click the Farbar Service Scanner icon to start the tool.

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center / Action Center
  • Windows Update
  • Windows Defender
  • Other Services

Press "Scan".

It will create a log (FSS.txt) in the same location the tool is run.

Please copy and paste the contents of FSS.txt log to your next reply.

 

 

 

Next,

Read the instructions in the following link to clear the cache and cookies of Mozilla Firefox:
https://kb.wisc.edu/...ge.php?id=17504


Read the instructions in following link to reset Mozilla Firefox:
https://support.mozi...es-fix-problems


Now, try opening and closing the Mozilla Firefox browser several times to see if it is still freezing.


In your next reply please post the contents of the new FSS.txt log and let me know if you had any issues when performing the instructions above.
How is the computer performing at this point? Is Firefox still freezing?


Thank you.

Android 8888


Edited by Android 8888, 26 April 2017 - 09:19 AM.



#24 TheWriterInBlack (Member; Full Member, 19 posts)
Posted 26 April 2017 - 07:31 PM

Before I proceed I got to the step where in that command prompt I entered regsvr32 ActionCenter.dll

 

I got the following error:

 

"The module "ActionCenter.dll" was loaded but the entry-point DllRegisterServer was not found.  Make sure that "ActionCenter.dll" is a valid DLL or OCX file and then try again."

 

You didn't mention any error messages to ignore so I presume that this is a problem.



#25 Android 8888 (SWI Malware Tracker; Helper, 865 posts)
Posted Yesterday, 05:59 AM

Hello.
 

 

Before I proceed I got to the step where in that command prompt I entered regsvr32 ActionCenter.dll

Okay, skip this step, proceed to the next one and execute the remaining instructions until the end of post #23.

 

Thank you.


Android 8888
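Skipping the regsvr32 step loses nothing: the error in post #24 says the DLL was loaded but exports no DllRegisterServer, which means ActionCenter.dll is not a self-registering COM server, so the command had nothing to do and changed nothing. The registry edit is the part of post #23 that actually alters the system, and it is the part worth doing carefully. As an added example (my own, not from the thread), here is that same Action Center icon fix done from an elevated PowerShell prompt with a backup of the branch taken first and the result verified afterwards. The GUID is the one in the FSS log and the .reg file; the backup file name is my choice.

```powershell
# Added example (not from the thread): the Action Center tray-icon registry fix
# from post #23, with a backup taken first and the result verified.
# Run from an elevated PowerShell prompt. Assumptions: the GUID is the one in the
# FSS log and the .reg file; the backup file name is my choice.

$guid   = '{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}'
$branch = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects'
$parent = "HKLM:\$branch"
$key    = "$parent\$guid"
$backup = Join-Path $env:USERPROFILE ('Desktop\ShellServiceObjects-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Export the whole ShellServiceObjects branch before touching it. reg.exe
#    writes the same .reg format that right-click "Merge" reads, so restoring
#    is just merging this file back.
& reg.exe export "HKLM\$branch" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw 'Registry backup failed; making no changes.'
}
"Backup written to $backup"

# 2. Create the key only if it is missing (the first FSS log said it did not exist).
if (-not (Test-Path $key)) {
    New-Item -Path $parent -Name $guid | Out-Null
    "Created $key"
} else {
    "$key already exists; leaving it in place"
}

# 3. Set AutoStart to an empty REG_SZ, exactly what the .reg file in post #23 does.
New-ItemProperty -Path $key -Name 'AutoStart' -Value '' -PropertyType String -Force | Out-Null

# 4. Verify what the next FSS run will see.
$check = Get-ItemProperty -Path $key -Name 'AutoStart' -ErrorAction Stop
if ($check.AutoStart -eq '') {
    "OK: AutoStart is present and empty under $key; restart Explorer or reboot to load it"
} else {
    "Unexpected AutoStart value: '$($check.AutoStart)'"
}
```

The backup step is the one ERUNT also covers, but exporting just the branch being edited gives a small file that can be merged back with one right-click if the icon behaves worse afterwards. The second FSS log in post #26 no longer reports the key as missing, which is the verification this script prints directly.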
 



#26 TheWriterInBlack (Member; Full Member, 19 posts)
Posted Yesterday, 07:56 PM

Farbar Service Scanner Version: 27-01-2016
Ran by dburkhead (administrator) on 27-04-2017 at 18:38:53
Running from "C:\Users\dburkhead\Desktop\Security"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\windows\system32\wuaueng.dll".


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

As it stands I still get the Not Responding errors.  First thing is both Firefox and Thunderbird take several minutes to open.  Perhaps that's normal on this vintage computer, I don't know.  However, while I'm running I can be typing--say a comment in Firefox, and it will just stop responding.  My Pandora feed (background music) will stop.  And neither Firefox nor Thunderbird will respond and will show "Not Responding" in the title bar.  Often Word will also fail to respond as will Acrobat Reader.  Those, between them, are the applications that I spend most of my time on and are generally running most of the time.  This freeze lasts for a few minutes, then things begin behaving again.

 

And I had an episode of "not responding" while preparing this response so it's still happening.



#27 TheWriterInBlack (Member; Full Member, 19 posts)
Posted Yesterday, 09:12 PM

And I've had two "not responding" freezes since writing the above.
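The symptom as described, with memory and CPU not exhausted, several unrelated programs hanging together for minutes and then recovering, and Task Manager (which does very little disk I/O) staying responsive, is consistent with an I/O stall, and the chkdsk step in post #20 suggests the helper had the disk in mind too. What the thread never captures is what the disk was doing during a freeze. As an added diagnostic (my own, not from the thread), here is a read-only PowerShell poller that records which windowed processes are in the Not Responding state together with the disk latency, disk queue length and CPU counters at the same moment, so that the next freeze leaves a record. It fixes nothing; it produces the sample that separates a disk that is stalling from a process that is merely busy. The output path and poll interval are arbitrary choices, and the counters are the built-in PhysicalDisk and Processor counters.

```powershell
# Added diagnostic (not from the thread): sample which windowed processes are
# "Not Responding" and what the disk and CPU were doing at that moment.
# Read-only; run in a normal PowerShell window and leave it running.
# Assumptions: log path and interval are arbitrary; the counters are the
# built-in PhysicalDisk/Processor counters present on Windows 7 and later.

$log      = Join-Path $env:USERPROFILE 'Desktop\hang-log.csv'
$interval = 5   # seconds between samples
$counters = @(
    '\PhysicalDisk(_Total)\Avg. Disk sec/Transfer',    # seconds per I/O; tens of ms sustained means the disk is struggling
    '\PhysicalDisk(_Total)\Current Disk Queue Length',  # I/Os waiting on the disk right now
    '\Processor(_Total)\% Processor Time'
)

function Get-HungProcesses {
    # Process.Responding is $false when the process's main window has stopped
    # pumping messages for a few seconds, which is exactly what Windows shows
    # as "Not Responding" in the title bar and in Task Manager.
    Get-Process | Where-Object { $_.MainWindowHandle -ne 0 -and -not $_.Responding } |
        Select-Object Id, ProcessName, @{ Name = 'WorkingSetMB'; Expression = { [int]($_.WorkingSet64 / 1MB) } }
}

function Get-CounterSample {
    # Returns the cooked counter values in the order of $counters,
    # or blanks if the counter query itself failed.
    $s = Get-Counter -Counter $counters -ErrorAction SilentlyContinue
    if ($s -and $s.CounterSamples.Count -eq $counters.Count) {
        return @($s.CounterSamples | ForEach-Object { [math]::Round($_.CookedValue, 3) })
    }
    return @('', '', '')
}

if (-not (Test-Path $log)) {
    Set-Content -Path $log -Value 'Time,Pid,Process,WorkingSetMB,DiskSecPerTransfer,DiskQueueLength,CpuPercent'
}
"Logging hung processes to $log every $interval s; press Ctrl+C to stop."

while ($true) {
    $hung = @(Get-HungProcesses)
    if ($hung.Count -gt 0) {
        $c     = Get-CounterSample
        $stamp = Get-Date -Format 's'
        foreach ($p in $hung) {
            $line = '{0},{1},{2},{3},{4},{5},{6}' -f $stamp, $p.Id, $p.ProcessName, $p.WorkingSetMB, $c[0], $c[1], $c[2]
            Add-Content -Path $log -Value $line
            "$stamp  $($p.ProcessName) ($($p.Id)) not responding; disk sec/xfer=$($c[0]) queue=$($c[1]) cpu=$($c[2])%"
        }
    }
    Start-Sleep -Seconds $interval
}
```

Read the CSV after the next freeze: rows where several processes hang at once while `DiskSecPerTransfer` jumps and `DiskQueueLength` stays high point at the disk (or the controller or cable it hangs off), which is also the kind of fault that chkdsk and the USB controller complaints in this thread would sit alongside; rows where only one process hangs and the disk counters stay flat point at that program instead.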





