

Followed STICKY Steps, DDS Won't Run

This is a discussion on Followed STICKY Steps, DDS Won't Run within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 09-26-2015, 12:44 PM   #21
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Marlene. Sorry for the delay. Let me know what you find out from the vendor and your ISP.

Press the Windows "logo" key and the "R" key, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /a/f/q "C:\Users\Marlene\AppData\LocalLow\GamingWonderlandEI\Installr\Cache\14C8F2A8.exe"

A DOS window will open and close again; this is normal.

------------------------------------------------------

Please run FRST64.exe again and post/attach the FRST.txt/Addition.txt logs as before. Thanks.

Make sure you tick the Addition.txt box before clicking 'Scan'.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 09-26-2015, 02:42 PM   #22
mapste
Registered Member
Join Date: Feb 2012
Posts: 120
OS: Windows 8.1



Hi chemist,

Homepage problems were on my ISP end.

Re gamehouse/realarcade game licenses, I don't know what happened, but I was able to work from the vendor's website to reactivate 4 of the 6, uninstall and reinstall one, and one is still stuck. They have lousy tech support so that might take a while. Not a concern.

Another thing I wanted to mention. I have been in the state of Windows updates available throughout this. I didn't think I should make them in the middle of this process; is that correct?

Also, in IE, I am regularly getting a red box at the bottom of the screen that Silverlight was blocked because it is out of date. I haven't updated that either.

FRST.TXT
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:23-09-2015
Ran by Marlene (administrator) on MARLENE-LT (26-09-2015 14:13:36)
Running from C:\Users\Marlene\Desktop
Loaded Profiles: Marlene (Available Profiles: Marlene)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(NovaStor Corporation) C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Online Games Manager\ogmservice.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
() C:\Program Files\TrueColor\TrueColorALS.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
() C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(DELL Inc.) C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler.exe
(NovaStor Corporation) C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\DR\x64\drdiag.exe
(Dell Inc.) C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe
(Microsoft Corporation) C:\Windows\System32\vdsldr.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.28.15\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(NovaStor Corporation) C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
() C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBRCrawler.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(PC-Doctor, Inc.) C:\Program Files\Dell\SupportAssist\imstrayicon.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
() C:\Program Files\WindowsApps\Microsoft.HelpAndTips_6.3.9654.20559_x64__8wekyb3d8bbwe\helpandtips.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7506648 2013-12-27] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1374424 2014-01-09] (Realtek Semiconductor)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [5789512 2014-01-15] (Dell Inc.)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-30] (Intel Corporation)
HKLM\...\Run: [TrueColor UI] => C:\Program Files\TrueColor\TrueColorUI.exe [18785776 2014-04-30] (Entertainment Experience)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139264 2013-04-05] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4522496 2012-12-27] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrHelp] => C:\Program Files (x86)\Brother\Brother Help\BrotherHelp.exe [2009088 2013-01-18] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2046743383-725950789-427083996-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [132608 2014-10-28] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NovaBACKUP Tray Control.lnk [2015-04-07]
ShortcutTarget: NovaBACKUP Tray Control.lnk -> C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsCtrl.exe (NovaStor Corporation)
Startup: C:\Users\Marlene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-01-24]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (No File)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{A94707D1-B9C5-4C78-90A0-30C27B08E810}: [DhcpNameServer] 192.168.2.1
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2046743383-725950789-427083996-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.coastaccess.com/
HKU\S-1-5-21-2046743383-725950789-427083996-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://theanimalrescuesite.greatergood.com/clickToGive/ars/home
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-08-28] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-08-28] (Oracle Corporation)
DPF: HKLM-x32 {55A2C0CD-3DE8-4264-9637-A0B40B05714E} hxxps://col430-sec.mail.live.com/mail/MailMigrationCabFileHolder.aspx?n=1866628936
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
FireFox:
========
FF ProfilePath: C:\Users\Marlene\AppData\Roaming\Mozilla\Firefox\Profiles\7ivj3nqa.default
FF DefaultSearchEngine: Google
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-18] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-18] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-08-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-08-28] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-2046743383-725950789-427083996-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Marlene\AppData\Local\Citrix\Plugins\104\npappdetector.dll No File
Chrome:
=======
CHR Profile: C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-09-12]
CHR Extension: (Google Docs) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-09-12]
CHR Extension: (Google Drive) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-09-12]
CHR Extension: (YouTube) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-12]
CHR Extension: (Google Search) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-09-12]
CHR Extension: (Google Sheets) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-09-12]
CHR Extension: (Google Docs Offline) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-12]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-09-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-09-12]
CHR Extension: (Gmail) - C:\Users\Marlene\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-12]
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 Backup Client Agent Service; C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\ManagementServer.Agent.Service.exe [1063176 2014-12-16] (NovaStor Corporation)
R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2012-10-26] (Brother Industries, Ltd.) [File not signed]
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2573520 2015-05-22] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [201936 2015-05-22] (Dell Inc.)
S3 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [278568 2014-10-31] (Aviata, Inc.)
R2 Disaster Recovery Imaging; C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\DR\x64\drdiag.exe [7702792 2014-12-16] (NovaStor Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-30] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-12-18] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 My Dell Client Framework; C:\Program Files (x86)\Dell\My Dell Client Framework\Dell.ClientFramework.exe [168960 2014-01-10] (Dell Inc.) [File not signed]
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2014-01-08] ()
R2 nsService; C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\nsService.exe [703088 2014-12-16] (NovaStor Corporation)
R2 ogmservice; C:\Program Files (x86)\Online Games Manager\ogmservice.exe [581568 2014-03-27] (RealNetworks, Inc.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [290520 2014-01-08] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe [1915920 2014-04-04] (SoftThinks SAS)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [20648 2015-06-11] (Dell Inc.)
R2 TrueColorALS; C:\Program Files\TrueColor\TrueColorALS.exe [89072 2014-04-30] ()
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
R2 WysePocketCloud; C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudService.exe [16176 2013-08-22] ()
R2 WyseRemoteAccess; C:\Program Files (x86)\Wyse\PocketCloud\WyseRemoteAccess.exe [1785344 2013-08-19] (DELL Inc.) [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3674864 2014-01-08] (Intel® Corporation)
S3 McAWFwk; c:\PROGRA~1\COMMON~1\mcafee\actwiz\mcawfwk.exe [X]
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [140600 2013-07-22] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1408824 2013-10-18] (Motorola Solutions, Inc.)
R3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [23760 2015-01-30] (Dell Computer Corporation)
R3 DellProf; C:\Windows\system32\drivers\DellProf.sys [24240 2015-05-22] (Dell Computer Corporation)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [142280 2013-10-19] (Intel Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-09-26] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100824 2013-12-18] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\Netwbw02.sys [3610592 2014-02-06] (Intel Corporation)
R0 PxHlpa64; C:\Windows\System32\drivers\PxHlpa64.sys [56336 2013-10-16] (Corel Corporation)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [41200 2014-01-16] (Synaptics Incorporated)
R2 vstor2-mntapi10-shared; C:\Program Files (x86)\NovaStor\NovaStor NovaBACKUP\vmware\vstor2\vstor2-mntapi10-shared.sys [33392 2014-12-15] (VMware, Inc.)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44024 2015-02-03] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [264000 2015-02-03] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
R3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-09-26 14:13 - 2015-09-26 14:14 - 00019313 _____ C:\Users\Marlene\Desktop\FRST.txt
2015-09-24 23:40 - 2015-07-05 03:08 - 00300704 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-09-24 22:27 - 2015-09-24 22:27 - 00000314 _____ C:\Users\Marlene\Desktop\eset20150924cd.txt
2015-09-24 17:00 - 2015-09-24 17:00 - 07430720 _____ (McAfee, Inc.) C:\Users\Marlene\Downloads\MCPR uninstall macafee.exe
2015-09-24 01:38 - 2015-09-25 02:04 - 00000000 ____D C:\ProgramData\Trymedia
2015-09-20 23:21 - 2015-09-20 23:21 - 00000000 ____D C:\Program Files (x86)\ESET
2015-09-19 11:33 - 2015-09-21 20:26 - 00002210 _____ C:\Users\Marlene\Desktop\stateofpc.txt
2015-09-18 20:45 - 2015-09-26 13:55 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-09-18 20:45 - 2015-09-18 20:45 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-09-18 20:45 - 2015-09-18 20:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-09-18 20:45 - 2015-09-18 20:45 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-09-18 20:45 - 2015-09-18 20:45 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-09-18 20:45 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-09-18 20:45 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-09-18 20:45 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-09-18 20:43 - 2015-09-18 20:43 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\Marlene\Desktop\mbam-setup-2.1.8.1057.exe
2015-09-15 23:57 - 2015-09-26 14:10 - 00000000 ____D C:\Users\Marlene\Desktop\FRST-OlderVersion
2015-09-15 20:55 - 2015-09-15 20:55 - 00015329 _____ C:\Users\Marlene\Documents\tammys os list.xlsx
2015-09-14 20:03 - 2015-09-14 20:04 - 00034594 _____ C:\Users\Marlene\Desktop\Addition1.txt
2015-09-14 20:02 - 2015-09-26 14:13 - 00000000 ____D C:\FRST
2015-09-14 20:02 - 2015-09-14 20:04 - 00033578 _____ C:\Users\Marlene\Desktop\FRST1.txt
2015-09-13 22:15 - 2015-09-26 14:10 - 02192384 _____ (Farbar) C:\Users\Marlene\Desktop\FRST64.exe
2015-09-13 22:10 - 2015-09-13 22:10 - 00002344 _____ C:\Users\Marlene\Desktop\AdwCleaner[C1].txt
2015-09-13 22:05 - 2015-09-13 22:06 - 00000000 ____D C:\AdwCleaner
2015-09-12 22:25 - 2015-09-24 21:07 - 00002205 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-12 22:25 - 2015-09-12 22:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-09-12 14:32 - 2015-09-12 16:27 - 00004812 _____ C:\Users\Marlene\Desktop\sept 8 problem.txt
2015-09-11 22:33 - 2015-09-11 22:33 - 00271360 _____ C:\Users\Marlene\Desktop\20150911_exportbackup.pst
2015-09-11 22:02 - 2015-09-11 22:02 - 00307278 _____ C:\Users\Marlene\Documents\IEfavorites.htm
2015-09-09 14:21 - 2015-09-09 14:21 - 00000000 ____D C:\Users\Marlene\.oracle_jre_usage
2015-08-28 20:42 - 2015-08-28 20:42 - 00000000 ____D C:\Users\Marlene\AppData\Roaming\Sun
2015-08-28 20:42 - 2015-08-28 20:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-08-28 20:42 - 2015-08-28 20:41 - 00097888 ____N (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-08-28 20:41 - 2015-08-28 20:42 - 00000000 ____D C:\ProgramData\Oracle
2015-08-28 20:41 - 2015-08-28 20:41 - 00000000 ____D C:\Program Files (x86)\Java
2015-08-28 19:02 - 2015-08-28 19:02 - 00000000 ____D C:\Users\Marlene\AppData\Roaming\URSE Games
2015-08-28 18:57 - 2015-08-28 18:58 - 00000000 ____D C:\Program Files (x86)\Season Match
2015-08-28 18:57 - 2015-08-28 18:57 - 00000000 ____D C:\Users\Marlene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Season Match
2015-08-28 18:57 - 2015-08-28 18:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Season Match
2015-08-27 16:54 - 2015-08-27 16:54 - 11851433 ____N C:\Users\Marlene\Documents\ancientstones.htm
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2015-09-26 14:05 - 2015-08-11 17:50 - 00000928 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-26 14:00 - 2014-09-13 04:07 - 01633822 _____ C:\Windows\WindowsUpdate.log
2015-09-26 14:00 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\sru
2015-09-26 13:57 - 2015-02-22 20:37 - 00055280 _____ C:\Windows\BRRBCOM.INI
2015-09-26 03:37 - 2015-01-24 01:32 - 00000000 ____D C:\ProgramData\TEMP
2015-09-25 13:39 - 2015-01-24 02:28 - 00000000 ____D C:\Users\Marlene\Desktop\My Games
2015-09-25 12:54 - 2015-01-09 15:56 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2046743383-725950789-427083996-1001
2015-09-25 02:07 - 2015-01-31 21:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GameHouse
2015-09-25 02:07 - 2015-01-31 21:19 - 00000000 ____D C:\GameHouse Games
2015-09-25 02:04 - 2015-01-31 21:00 - 00000000 ____D C:\Users\Marlene\AppData\Local\com.gamehouse.acid
2015-09-25 01:36 - 2015-01-09 15:51 - 00000000 ____D C:\Users\Marlene\AppData\Local\VirtualStore
2015-09-25 01:14 - 2014-03-18 02:53 - 00865408 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-24 23:08 - 2013-08-22 07:46 - 00035564 _____ C:\Windows\setupact.log
2015-09-24 17:26 - 2014-09-13 04:18 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2015-09-24 17:19 - 2015-01-09 15:52 - 00000000 ___DO C:\Users\Marlene\OneDrive
2015-09-24 17:18 - 2014-03-18 02:44 - 00097012 _____ C:\Windows\PFRO.log
2015-09-24 17:18 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-24 17:18 - 2013-08-22 06:25 - 00524288 ___SH C:\Windows\system32\config\BBI
2015-09-24 17:11 - 2013-08-22 08:36 - 00000000 ___HD C:\Windows\ELAMBKUP
2015-09-24 17:11 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\ELAM
2015-09-24 17:09 - 2015-04-08 01:18 - 00000000 ____D C:\Users\marpe_000
2015-09-24 17:09 - 2015-03-10 22:07 - 00000000 ____D C:\Users\MarlenePenry.MARLENE-LT
2015-09-24 17:09 - 2015-03-09 16:04 - 00000000 ____D C:\Users\MarlenePenry
2015-09-24 17:09 - 2015-03-08 00:31 - 00000000 ____D C:\Users\MarPen
2015-09-23 11:50 - 2015-04-07 22:33 - 00004736 ____H C:\ProgramData\nsActivation.act
2015-09-17 23:00 - 2015-08-11 17:50 - 00003900 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-17 23:00 - 2015-08-11 17:50 - 00003664 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-17 23:00 - 2015-08-11 17:50 - 00000924 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-17 22:44 - 2015-01-09 15:50 - 00000000 ____D C:\Users\Marlene
2015-09-12 22:25 - 2015-06-02 18:11 - 00000000 ____D C:\Program Files (x86)\Google
2015-09-12 22:25 - 2015-06-02 18:10 - 00000000 ____D C:\Users\Marlene\AppData\Local\Google
2015-09-11 22:01 - 2015-01-23 14:27 - 00003104 _____ C:\Windows\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-2046743383-725950789-427083996-1001
2015-09-09 16:01 - 2015-01-25 20:18 - 00000000 ___RD C:\Users\Marlene\Documents\MAP
2015-09-08 13:37 - 2015-02-13 16:29 - 00000000 ____D C:\Users\Marlene\AppData\Local\Citrix
2015-09-08 12:31 - 2015-01-15 02:28 - 00000000 ____D C:\ProgramData\softthinks
2015-09-06 14:51 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\NDF
2015-09-02 13:02 - 2015-02-13 17:16 - 00000269 ____N C:\Users\Marlene\Desktop\Dell Contact Number.txt
2015-08-31 12:18 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\rescache
2015-08-28 19:00 - 2015-04-11 13:44 - 00220672 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dplayx.dll
2015-08-28 19:00 - 2015-04-11 13:44 - 00046592 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dpwsockx.dll
2015-08-28 19:00 - 2015-04-11 13:42 - 00030720 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dplaysvr.exe
2015-08-28 19:00 - 2015-04-11 13:42 - 00024576 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dpmodemx.dll
2015-08-28 19:00 - 2013-08-22 08:20 - 00000000 ____D C:\Windows\CbsTemp
2015-08-28 19:00 - 2013-08-22 04:22 - 00461312 ____N (Microsoft Corporation) C:\Windows\system32\dpnet.dll
2015-08-28 19:00 - 2013-08-22 04:22 - 00034304 ____N (Microsoft Corporation) C:\Windows\system32\dpnsvr.exe
2015-08-28 19:00 - 2013-08-22 04:17 - 00066560 ____N (Microsoft Corporation) C:\Windows\system32\dpnathlp.dll
2015-08-28 19:00 - 2013-08-22 04:17 - 00009216 ____N (Microsoft Corporation) C:\Windows\system32\dpnhupnp.dll
2015-08-28 19:00 - 2013-08-22 04:17 - 00009216 ____N (Microsoft Corporation) C:\Windows\system32\dpnhpast.dll
2015-08-28 19:00 - 2013-08-21 20:56 - 00377856 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dpnet.dll
2015-08-28 19:00 - 2013-08-21 20:56 - 00033792 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dpnsvr.exe
2015-08-28 19:00 - 2013-08-21 20:51 - 00059904 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dpnathlp.dll
2015-08-28 19:00 - 2013-08-21 20:51 - 00009216 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dpnhupnp.dll
2015-08-28 19:00 - 2013-08-21 20:51 - 00009216 ____N (Microsoft Corporation) C:\Windows\SysWOW64\dpnhpast.dll
2015-08-28 18:57 - 2015-01-24 02:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
==================== Files in the root of some directories =======
2015-02-24 19:14 - 2015-02-24 19:14 - 0026946 ____N () C:\Users\Marlene\AppData\Roaming\Comma Separated Values (Windows).ADR
2015-04-07 22:34 - 2015-04-07 22:34 - 0000053 __RSH () C:\ProgramData\1.16.5.lic
2014-09-13 03:58 - 2014-09-13 03:58 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-04-07 22:33 - 2015-09-23 11:50 - 0004736 ____H () C:\ProgramData\nsActivation.act
Some files in TEMP:
====================
C:\Users\Marlene\AppData\Local\Temp\McCSPInstall.dll
C:\Users\Marlene\AppData\Local\Temp\mccspuninstall.exe

==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-09-25 12:54
==================== End of FRST.txt ============================
Attached Files: Addition2.txt (36.9 KB)
Old 09-27-2015, 12:59 PM   #23
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Hello again, Marlene. Glad you got most of your other issues resolved.

Not sure about the 'black box' popups. You may have to seek help in one of our other forums.

As far as the USB drive, did you try the 'scan and fix it' option?

Yes, it is probably better to wait to install Windows Updates until I tell you to do so. Thanks.

And Silverlight will get updated when you install the latest Windows Updates.

As I understand you, you want to get rid of all traces of Citrix, correct?

If so, you can uninstall Citrix Online Launcher from Programs and Features.

If you still see a Citrix file after this fix, let me know the filepath.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode:', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F
    AlternateDataStreams: C:\ProgramData\TEMP:38FF076E
    AlternateDataStreams: C:\ProgramData\TEMP:7BB584AA
    AlternateDataStreams: C:\ProgramData\TEMP:CE707633
    Startup: C:\Users\Marlene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-01-24]
    ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (No File)
    FF Plugin HKU\S-1-5-21-2046743383-725950789-427083996-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Marlene\AppData\Local\Citrix\Plugins\104\npappdetector.dll No File
    S3 McAWFwk; c:\PROGRA~1\COMMON~1\mcafee\actwiz\mcawfwk.exe [X]
    c:\PROGRA~1\COMMON~1\mcafee
    2015-09-08 13:37 - 2015-02-13 16:29 - 00000000 ____D C:\Users\Marlene\AppData\Local\Citrix
    C:\Program Files (x86)\Citrix
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
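The fixlist above removes four alternate data streams (ADS) attached to C:\ProgramData\TEMP. As an added example, not part of chemist's instructions or of the FRST tool, the following PowerShell script lists every non-default stream under a directory so you can see what such leftovers look like before a tool removes them; $Root is an assumed parameter.

```powershell
# Added example, not from the thread or FRST: enumerate alternate data streams
# (ADS) under a directory. The fixlist above removed streams named like
# ':2CB9631F' from the folder C:\ProgramData\TEMP; this shows how to find them.
# $Root is an assumed parameter; run from an elevated PowerShell prompt so that
# protected folders under ProgramData can be read.
param(
    [string]$Root = 'C:\ProgramData'
)

# Every NTFS file or folder has one unnamed data stream, reported as ':$DATA'.
# 'Zone.Identifier' is the benign mark-of-the-web that browsers set on downloads.
$expected = @(':$DATA', 'Zone.Identifier')

function Get-AlternateStreams {
    param([string]$Path)
    # The folder itself first, then everything beneath it; -Force includes
    # hidden and system items, which is where leftovers tend to sit.
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # -Stream * lists every named stream on the item. Windows PowerShell 5.1
        # may return nothing for directories; the 'dir /R' cross-check below covers that.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $expected -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

Get-AlternateStreams -Path $Root | Format-Table -AutoSize

# Cross-check with cmd.exe: 'dir /R' prints only named streams, one per line in the
# form "<size> <path>:<stream>:$DATA", for directories as well as files.
cmd.exe /c dir /R /A /S $Root 2>$null | Where-Object { $_ -match ':\$DATA\s*$' }
```

Any stream reported here that is not ':$DATA' or 'Zone.Identifier' deserves a look at its size and contents before it is removed.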
Old 09-27-2015, 06:24 PM   #24
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

Hi chemist,

Re. USB drive -- scanned with Eset, Windows Defender, and Malwarebytes. None of them found a problem, so its problem isn't malware. It still gets an error in a plain blue box (not a window) when I insert it. Is there still such a thing as the old DOS command SCANDISK /FIX?

Re. Citrix, I think the original problem I started with when Dell couldn't use their remote access software was a failed install of Citrix with pieces left scattered, so Programs and Features does not list Citrix. At the start of our process here I did a search for Citrix on C drive and found 5 folders, some empty, some with files. Throughout our process here, 2 folders were deleted. Another one was an empty folder, which I was able to delete. Another folder had 3 temp files, which I was able to delete. All that was left was one folder with a file that I was not allowed to delete. I just did another search on C, and this last run of FRST moved it into C:\FRST\Quarantine. If I can get rid of that, all files are gone, and fixlog appears to show that a plugin is gone, too.

Fixlog.txt:
Fix result of Farbar Recovery Scan Tool (x64) Version:23-09-2015
Ran by Marlene (2015-09-27 17:47:12) Run:2
Running from C:\Users\Marlene\Desktop
Loaded Profiles: Marlene & (Available Profiles: Marlene)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
createrestorepoint:
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F
AlternateDataStreams: C:\ProgramData\TEMP:38FF076E
AlternateDataStreams: C:\ProgramData\TEMP:7BB584AA
AlternateDataStreams: C:\ProgramData\TEMP:CE707633
Startup: C:\Users\Marlene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-01-24]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (No File)
FF Plugin HKU\S-1-5-21-2046743383-725950789-427083996-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Marlene\AppData\Local\Citrix\Plugins\104\npappdetector.dll No File
S3 McAWFwk; c:\PROGRA~1\COMMON~1\mcafee\actwiz\mcawfwk.exe [X]
c:\PROGRA~1\COMMON~1\mcafee
2015-09-08 13:37 - 2015-02-13 16:29 - 00000000 ____D C:\Users\Marlene\AppData\Local\Citrix
C:\Program Files (x86)\Citrix
EmptyTemp:
end
*****************
Restore point was successfully created.
C:\ProgramData\TEMP => ":2CB9631F" ADS removed successfully.
C:\ProgramData\TEMP => ":38FF076E" ADS removed successfully.
C:\ProgramData\TEMP => ":7BB584AA" ADS removed successfully.
C:\ProgramData\TEMP => ":CE707633" ADS removed successfully.
C:\Users\Marlene\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk => moved successfully
C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE => not found.
"HKU\S-1-5-21-2046743383-725950789-427083996-1001\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin" => key removed successfully
C:\Users\Marlene\AppData\Local\Citrix\Plugins\104\npappdetector.dll => not found.
McAWFwk => service removed successfully
"c:\PROGRA~1\COMMON~1\mcafee" => File/Folder not found.
C:\Users\Marlene\AppData\Local\Citrix => moved successfully
"C:\Program Files (x86)\Citrix" => File/Folder not found.
EmptyTemp: => 297.8 MB temporary data Removed.

The system needed a reboot..
==== End of Fixlog 17:48:55 ====
Old 09-27-2015, 07:15 PM   #25
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Hello again, Marlene. Everything in C:\FRST\Quarantine will get deleted when we uninstall FRST below.

You can scan/fix the USB drive for errors:

Navigate to and right-click your USB drive > Properties > Tools > Check Now... > Select both the 'Automatically fix file system errors' and 'Scan for and attempt recovery of bad sectors' check boxes and then click 'Start'.

Or reformat it:

Navigate to and right-click your USB drive > Format...

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

------------------------------------------------------
  • Press the Windows "logo" key and "R" key then type cleanmgr into the Run box and click OK.
  • Select your hard drive (usually C:\) then click 'OK'.
  • You should see the scanning screenshot for a few seconds.
  • Click 'Clean up system files'
  • If prompted by UAC, then click 'Yes'.
  • Select your hard drive (usually C:\) then click 'OK'.
  • Click on the 'More Options' tab, and click on the 'Clean up' button under the 'System Restore and Shadow Copies' section.
  • Click/tap on the Delete button in the confirm deletion window.
This will remove all but the most recent Restore Point.

------------------------------------------------------

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "C:\FRST"

A DOS window will open and close again, this is normal.

------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Keep MBAM, update and run a Quick Scan weekly.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

What happened to Backup and Restore? - Windows Help

Backup and Recovery of Windows 8 & Windows 8.1 - Tip-of-the-Day - KeithMayer.com - Site Home - TechNet Blogs

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide for Windows 8 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 09-28-2015, 01:47 PM   #26
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

Thank you chemist.

I'm not going to be able to get to this until tomorrow. Can we please keep this thread open?

Marlene
Old 09-28-2015, 04:20 PM   #27
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

That's fine. Let me know.
Old 09-29-2015, 05:05 PM   #28
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

Hi chemist,

I'm afraid I didn't get too far.

I ran cleanmgr, although the prompts and action weren't quite the same as you said -- it did a lot of scanning, calculating the amount of space that would be saved, and gave me a list of all types of files I could delete, like downloads, old Windows updates, temp files, etc. I unchecked all but temporary internet files, then went to More Options and clicked Cleanup. It didn't say anything about System Restore and Shadow Copies, but an explanatory box did come up saying it would delete all but the last restore point, so I got the correct final result.

I reinstalled McAfee for now (ugh) until I talk to Dell.

Then I got stuck. I don't have an exe for AdwCleaner on my hard drive anymore, just txt files and Quarantined files. Should I download it again? Clear the quarantine files?

Don't know what happened. I'm sure I haven't uninstalled or deleted anything we've used.

Marlene
Old 09-29-2015, 05:53 PM   #29
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Hello again, Marlene. No worries. You can just right-click this folder and delete it:

C:\AdwCleaner
Old 09-29-2015, 08:07 PM   #30
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

OK, I got a few steps further! The only thing on my Control Panel to uninstall was Eset, so I did that. Then I just deleted everything from my desktop. I'm left with a C:\FRST folder with that Quarantined Citrix file in it. Somewhere along the line I thought you said the FRST uninstall would clear that. Was I supposed to run FRST to uninstall it? Oops.

Do you recommend I buy MBAM Premium?

Marlene
Old 09-29-2015, 08:09 PM   #31
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

I did run the CMD line for FRST before I did the deletes.
Old 09-30-2015, 03:33 AM   #32
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Hello again, Marlene. Up to you whether or not to buy MBAM. I think it is worth the money though.

As far as FRST, did you run this command in the Run box:

cmd /c rd /s /q "C:\FRST"

If you did, and it's still there, just right-click and delete that folder. Let me know.
Old 09-30-2015, 02:29 PM   #33
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

Hi chemist,

Yes, I ran the CMD line in the order of your instructions, but I just ran it again. C:\FRST\Quarantine is still there. I tried to delete the folder manually.

The same Citrix file I could never get deleted myself, which FRST put in quarantine, is still there:
C:\FRST\Quarantine\C\Users\Marlene\Appdata\Local\Citrix\GoToAssist Corporate\1084\GoToAssist_Corporate_Customer.exe

Tried to delete the file, came up with the message "You'll need to provide administrator permission to delete this file." I'll never understand this -- it's my computer, why am I not the administrator?

When I went into the folder and tried to delete it, I noticed there was another file still left in the FRST\Quarantine folder:
C:\FRST\Quarantine\C:\Windows\System32\Tasks\PocketCloudUpdater.xBAD


Went to the xBAD file and was able to delete it and the empty folders above it manually. That was obviously a mistake since now when I try to delete the FRST folder, it says it needs permission from MARLENE_LT\Marlene (that's my PC name and my user name) to make changes to this folder and perform this action, but it also says it can't find the xBAD file. Should I retrieve it from the Recycle Bin?
Old 09-30-2015, 05:18 PM   #34
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Try deleting the C:\FRST folder in Safe Mode. Let me know.
Old 09-30-2015, 08:22 PM   #35
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

I forget how to do that -- something I have to do when I reboot....
Old 10-01-2015, 09:06 AM   #36
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

5 Ways To Boot Into Safe Mode In Windows 8.1
Old 10-02-2015, 11:30 PM   #37
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

Hi chemist,

Results of Safe Mode:
Delete C:\FRST - Folder Access Denied, Require Permission from Administrators to make changes to this folder

Tried to go directly to the file:
File Access Denied -- Require Permission from Marlene-LT\Marlene to make changes to this file.

The problems with the .xBAD file are gone.

While we try to figure this out, should I go ahead with the next steps? (Empty Recycle Bin, Apply Windows Updates)

Marlene
Old 10-03-2015, 01:55 AM   #38
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Hello again, Marlene. Deleting that C:\FRST folder should be easy, even in Normal Mode. Not sure why it's being so resistant to deletion.

Try restoring that xBAD file from the Recycle Bin.

Then again, from Safe Mode...

Press the Windows "logo" key and "R" key then copy/paste (or type) the following single-line command into the Run box and click OK (careful with the spaces):

cmd /c rd /s /q "C:\FRST"

A DOS window will open and close again, this is normal.

If the C:\FRST folder still remains, navigate to it manually, right-click it and select 'Delete'.

Follow the rest of the previous instructions, regardless. Let me know.

------------------------------------------------------
Old 10-04-2015, 12:30 AM   #39
mapste (Registered Member)
Join Date: Feb 2012 | Posts: 120 | OS: Windows 8.1

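The "access denied" and "provide administrator permission" messages in the posts above come from the folder's owner and access control entries, not from malware. As an added example, not part of chemist's steps, this PowerShell script reports whether the session is actually elevated and shows the owner and explicit permissions on a folder such as C:\FRST and everything inside it; $Path is an assumed parameter.

```powershell
# Added example, not from the thread: before falling back to Safe Mode, show why
# Windows refuses to delete a folder such as C:\FRST. It reports the owner and the
# explicit (non-inherited) permissions on the folder and everything inside it, and
# whether the current session is actually elevated. $Path is an assumed parameter.
param(
    [string]$Path = 'C:\FRST'
)

function Test-Elevated {
    # Being a member of Administrators is not enough under UAC; the process token
    # must be elevated, which is what "provide administrator permission" asks for.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DeleteBlockers {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) {
            # Not even readable: the owner is someone else and no ACE grants us READ_CONTROL.
            [pscustomobject]@{ Path = $item.FullName; Owner = '(ACL not readable)'; Explicit = ''; ReadOnly = $false }
            continue
        }
        # Inherited ACEs come from the parent; an explicit Deny or a missing Delete
        # right set directly on the item is what usually blocks deletion.
        $explicit = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
            '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }
        [pscustomobject]@{
            Path     = $item.FullName
            Owner    = $acl.Owner
            Explicit = ($explicit -join '; ')
            ReadOnly = [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
        }
    }
}

"Elevated session: $(Test-Elevated)"
Get-DeleteBlockers -Root $Path | Format-List

# Usual repair from an elevated prompt once the output shows a foreign owner or a
# missing Delete right (standard Windows tools; not part of chemist's instructions):
#   takeown /F C:\FRST /R /D Y
#   icacls C:\FRST /grant Administrators:F /T
#   rd /s /q C:\FRST
```

If "Elevated session" prints False, the Run box command in the post above is running without administrator rights, which alone explains the refusal.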
YEE-HAW! C:\FRST is gone!

I've finished your steps. Emptied Recycle Bin and applied all Windows updates. I did a data backup a few days ago. I will definitely be looking for new av/security software, especially since McAfee has not run my daily scheduled scan ever since I reinstalled it over two days ago.

Chemist, you have been incredibly brilliant, helpful, and patient!

I'd ask one more thing before we close the thread. Since what sent me here was when Dell couldn't connect their remote software to me, I'd like to have them try that out now. Can I get back to you on that? I probably won't get to it until Monday.

Marlene
Old 10-04-2015, 01:33 AM   #40
chemist (Security Team, Moderator, Analyst, Rangemaster, TSF Academy)
Join Date: Oct 2007 | Location: Georgia | Posts: 29,790 | OS: XP/Win7/Win10

Hello again, Marlene. You're very welcome! Yes, let me know what happens. Monday is fine.

------------------------------------------------------
 
