TechSpot

Possible infection of bootrec / mbr

By PhilipMoore62
Sep 5, 2015
  1. After posting to bookwyrm in free troubleshooting, he advised that, as far as he is concerned, the virus attack that I first mentioned in a previous post may have corrupted my BIOS/UEFI MBR configuration.
    Can you help?
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    Thanks for the reply. I will reply sometime tomorrow.
     
  4. Broni

    Broni Malware Annihilator Posts: 52,911   +344

  5. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    Just a quick update. The issue I'm having seems to be with my UEFI settings, as when I attempt to log on with the hard drive/UEFI configuration I get a message which states "No Bootable device".

    However, when changing the configuration to boot from any other alternative AND with the Legacy setting enabled, the computer boots fine without issue.

    I'm currently writing this on the OS that has this issue.

    Following is the requested output from FRST.
    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:04-09-2015
    Ran by Philip (administrator) on PHILIP-PC (05-09-2015 15:45:20)
    Running from C:\Users\Philip\Downloads
    Loaded Profiles: Philip (Available Profiles: Philip)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
    Internet Explorer Version 8 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
    (Microsoft Corporation) C:\Windows\System32\rundll32.exe
    (Qualcomm®Atheros®) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
    (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    (Microsoft Corporation) C:\Users\Philip\Downloads\dotNetFx40_Full_x86_x64.exe
    (Microsoft Corporation) C:\248a575184350bd1a619eb6b29\Setup.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\wusa.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [134784 2014-02-25] (Qualcomm®Atheros®)
    HKU\S-1-5-21-3686608022-1110692643-3377733670-1000\...\Run: [GoogleChromeAutoLaunch_A2B3EDA80A4C0AFF3796BF2C7D65C8C6] => "C:\Users\Philip\AppData\Local\Chromium\Application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 216.228.160.4 216.228.160.3
    Tcpip\..\Interfaces\{728AF2CB-3B7D-467A-9B09-A7942DD77908}: [DhcpNameServer] 216.228.160.4 216.228.160.3

    Internet Explorer:
    ==================
    HKU\S-1-5-21-3686608022-1110692643-3377733670-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://us.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_bimmed_15_36_ssg01&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0C0ByDyB0DtDyCyBtB0EzyzytDtDyBtN0D0Tzu0StCtAyEtAtN1L2XzutAtFtCtBtFyDtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyD0CyB0B0FyByBtG0FtDtCyDtGyE0B0FtCtGzyyE0C0CtGyDtCzyyEzzyCyC0F0AyD0CtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0FyBzz0BtAyEtGtCtByE0BtGyEyDyCtDtGzy0F0EyCtGtByD0AzyyEzy0CtCzztD0Fzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuzyyEtA%26cr%3D1781368651%26a%3Dwncy_bimmed_15_36_ssg01%26os%3DWindows%2B7%2BUltimate
    HKU\S-1-5-21-3686608022-1110692643-3377733670-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_bimmed_15_36_ssg01&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0C0ByDyB0DtDyCyBtB0EzyzytDtDyBtN0D0Tzu0StCtAyEtAtN1L2XzutAtFtCtBtFyDtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyD0CyB0B0FyByBtG0FtDtCyDtGyE0B0FtCtGzyyE0C0CtGyDtCzyyEzzyCyC0F0AyD0CtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0FyBzz0BtAyEtGtCtByE0BtGyEyDyCtDtGzy0F0EyCtGtByD0AzyyEzy0CtCzztD0Fzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuzyyEtA%26cr%3D1781368651%26a%3Dwncy_bimmed_15_36_ssg01%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_bimmed_15_36_ssg01&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0C0ByDyB0DtDyCyBtB0EzyzytDtDyBtN0D0Tzu0StCtAyEtAtN1L2XzutAtFtCtBtFyDtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyD0CyB0B0FyByBtG0FtDtCyDtGyE0B0FtCtGzyyE0C0CtGyDtCzyyEzzyCyC0F0AyD0CtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0FyBzz0BtAyEtGtCtByE0BtGyEyDyCtDtGzy0F0EyCtGtByD0AzyyEzy0CtCzztD0Fzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuzyyEtA%26cr%3D1781368651%26a%3Dwncy_bimmed_15_36_ssg01%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-3686608022-1110692643-3377733670-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_bimmed_15_36_ssg01&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0C0ByDyB0DtDyCyBtB0EzyzytDtDyBtN0D0Tzu0StCtAyEtAtN1L2XzutAtFtCtBtFyDtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyD0CyB0B0FyByBtG0FtDtCyDtGyE0B0FtCtGzyyE0C0CtGyDtCzyyEzzyCyC0F0AyD0CtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0FyBzz0BtAyEtGtCtByE0BtGyEyDyCtDtGzy0F0EyCtGtByD0AzyyEzy0CtCzztD0Fzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuzyyEtA%26cr%3D1781368651%26a%3Dwncy_bimmed_15_36_ssg01%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-3686608022-1110692643-3377733670-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://us.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_bimmed_15_36_ssg01&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0C0ByDyB0DtDyCyBtB0EzyzytDtDyBtN0D0Tzu0StCtAyEtAtN1L2XzutAtFtCtBtFyDtFtCtDtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2StAyD0CyB0B0FyByBtG0FtDtCyDtGyE0B0FtCtGzyyE0C0CtGyDtCzyyEzzyCyC0F0AyD0CtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCtB0FyBzz0BtAyEtGtCtByE0BtGyEyDyCtDtGzy0F0EyCtGtByD0AzyyEzy0CtCzztD0Fzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuzyyEtA%26cr%3D1781368651%26a%3Dwncy_bimmed_15_36_ssg01%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
    Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
    Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
    Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
    Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
    StartMenuInternet: IEXPLORE.EXE - iexplore.exe

    FireFox:
    ========
    FF ProfilePath: C:\Users\Philip\AppData\Roaming\Mozilla\Firefox\Profiles\mqeue6ue.default

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [319104 2014-02-25] (Windows (R) Win 7 DDK provider) [File not signed]
    S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-01] (Intel(R) Corporation)
    R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 BTATH_LWFLT; C:\Windows\System32\DRIVERS\btath_lwflt.sys [77464 2014-02-25] (Qualcomm Atheros)
    S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
    S3 TXEIx64; C:\Windows\System32\DRIVERS\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2015-09-05 15:46 - 2015-09-05 15:46 - 00000041 _____ C:\Users\Philip\AppData\Roaming\WB.CFG
    2015-09-05 15:45 - 2015-09-05 15:46 - 01654272 _____ C:\Users\Philip\Downloads\AdwCleaner.exe
    2015-09-05 15:45 - 2015-09-05 15:45 - 00007838 _____ C:\Users\Philip\Downloads\FRST.txt
    2015-09-05 15:45 - 2015-09-05 15:45 - 00000000 ____D C:\FRST
    2015-09-05 15:44 - 2015-09-05 15:44 - 02188800 _____ (Farbar) C:\Users\Philip\Downloads\FRST64.exe
    2015-09-05 15:41 - 2015-09-05 15:41 - 00000000 ___HT C:\Windows\wusa.lock
    2015-09-05 15:41 - 2015-09-05 15:41 - 00000000 ____D C:\065435139c6af5e4c08f16648de09b
    2015-09-05 15:41 - 2013-10-14 18:00 - 00028368 _____ (Microsoft Corporation) C:\Windows\system32\IEUDINIT.EXE
    2015-09-05 15:40 - 2015-09-05 15:40 - 00000000 ____D C:\248a575184350bd1a619eb6b29
    2015-09-05 15:39 - 2015-09-05 15:39 - 50449456 _____ (Microsoft Corporation) C:\Users\Philip\Downloads\dotNetFx40_Full_x86_x64.exe
    2015-09-05 15:33 - 2015-09-05 15:39 - 00000000 ____D C:\Users\Philip\AppData\Local\Mozilla
    2015-09-05 15:33 - 2015-09-05 15:33 - 00001179 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    2015-09-05 15:33 - 2015-09-05 15:33 - 00001167 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2015-09-05 15:33 - 2015-09-05 15:33 - 00000000 ____D C:\Users\Philip\AppData\Roaming\Mozilla
    2015-09-05 15:33 - 2015-09-05 15:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2015-09-05 15:33 - 2015-09-05 15:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2015-09-05 15:28 - 2015-09-05 15:41 - 00012036 _____ C:\Windows\IE11_main.log
    2015-09-05 15:25 - 2015-09-05 15:25 - 00000000 ___RD C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
    2015-09-05 15:21 - 2015-09-05 15:21 - 00000000 ____D C:\TDSSKiller_Quarantine
    2015-09-05 14:47 - 2015-09-05 14:48 - 04404952 _____ (Kaspersky Lab ZAO) C:\Users\Philip\Downloads\tdsskiller.exe
    2015-09-05 14:47 - 2015-09-05 14:47 - 00002030 _____ C:\Users\Philip\Desktop\Secure Chromium.lnk
    2015-09-05 14:47 - 2015-09-05 14:47 - 00000000 ____D C:\Users\Philip\AppData\Local\Chromium
    2015-09-05 14:46 - 2015-09-05 15:46 - 00000336 _____ C:\Windows\Tasks\UpdateTask.job
    2015-09-05 14:46 - 2015-09-05 15:46 - 00000000 ____D C:\Users\Philip\AppData\Local\{C9AAFFF6-ED02-934E-809A-B6A6A4F24A3E}
    2015-09-05 14:46 - 2015-09-05 14:46 - 01200163 _____ C:\Users\Philip\Downloads\7zip.exe
    2015-09-05 14:46 - 2015-09-05 14:46 - 00003280 _____ C:\Windows\System32\Tasks\UpdateTask
    2015-09-05 14:45 - 2015-09-05 14:45 - 00883800 _____ (Software ) C:\Users\Philip\Downloads\zipinstall.exe
    2015-09-05 14:37 - 2015-09-05 14:37 - 00000000 ____D C:\Users\Philip\AppData\Roaming\Atheros
    2015-09-05 14:37 - 2015-09-05 14:37 - 00000000 ____D C:\Users\Philip\AppData\Local\BMExplorer
    2015-09-05 14:37 - 2015-09-05 14:37 - 00000000 ____D C:\ProgramData\Atheros
    2015-09-05 14:18 - 2015-09-05 14:19 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BT Program
    2015-09-05 14:18 - 2015-09-05 14:19 - 00000000 ____D C:\Program Files (x86)\Bluetooth Suite
    2015-09-05 14:18 - 2015-09-05 14:18 - 00000000 ____D C:\Program Files\Common Files\QCA_Bluetooth
    2015-09-05 13:47 - 2015-09-05 13:47 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_btath_hcrp_01009.Wdf
    2015-09-05 13:35 - 2015-09-05 14:37 - 00000000 ____D C:\Users\Philip\Documents\Bluetooth Folder
    2015-09-05 13:35 - 2014-05-14 09:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
    2015-09-05 13:35 - 2014-05-14 09:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2015-09-05 13:35 - 2014-05-14 09:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
    2015-09-05 13:35 - 2014-05-14 09:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
    2015-09-05 13:35 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
    2015-09-05 13:35 - 2014-05-14 09:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2015-09-05 13:35 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2015-09-05 13:34 - 2015-09-05 13:34 - 00000000 ____D C:\ProgramData\{EB5F5A55-037A-4E47-806B-2C8AA9374701}
    2015-09-05 13:33 - 2015-09-05 14:02 - 00000000 ____D C:\Program Files (x86)\Qualcomm Atheros
    2015-09-05 13:33 - 2014-02-21 00:49 - 04044800 _____ (Qualcomm Atheros Communications, Inc.) C:\Windows\system32\Drivers\athrx.sys
    2015-09-05 13:31 - 2015-09-05 13:34 - 00000000 ____D C:\ProgramData\Qualcomm Atheros
    2015-09-05 13:03 - 2015-09-05 13:03 - 00000000 ____D C:\Windows\system32\EventProviders
    2015-09-05 12:54 - 2015-09-05 12:59 - 00000000 ____D C:\3952d7c720e8b2dbeeff
    2015-09-05 12:41 - 2015-09-05 12:41 - 00003162 _____ C:\Windows\System32\Tasks\{D38C8C4C-8276-4D0A-B1C7-8D33C382A0F3}
    2015-09-05 12:34 - 2015-09-05 12:34 - 00000000 ____D C:\ProgramData\Intel
    2015-09-05 12:34 - 2015-09-05 12:34 - 00000000 ____D C:\Program Files\Intel
    2015-09-05 12:34 - 2015-09-05 12:34 - 00000000 ____D C:\Program Files (x86)\Intel
    2015-09-05 12:33 - 2015-09-05 12:33 - 00000000 ____D C:\Users\Philip\Intel
    2015-09-05 12:31 - 2015-09-05 12:31 - 00000000 ____D C:\Program Files (x86)\Cisco
    2015-09-05 12:31 - 2014-05-22 01:40 - 03450584 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\rtwlane.sys
    2015-09-05 12:30 - 2013-04-01 23:19 - 00574464 _____ (Realtek Semiconductor Corp. ) C:\Windows\system32\Rtlihvs.dll
    2015-09-05 12:29 - 2015-09-05 13:33 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2015-09-05 12:29 - 2015-09-05 12:29 - 00000000 ____D C:\Program Files (x86)\REALTEK
    2015-09-05 12:29 - 2014-03-24 12:37 - 00422400 _____ (Realtek) C:\Windows\SwUSB.exe
    2015-09-05 12:29 - 2013-10-18 16:42 - 00048856 _____ () C:\Windows\runSW.exe
    2015-09-05 12:29 - 2010-12-01 09:31 - 00451072 _____ C:\Windows\SysWOW64\ISSRemoveSP.exe
    2015-09-05 12:27 - 2015-09-05 12:27 - 00000000 ____D C:\Intel
    2015-09-05 12:22 - 2015-09-05 13:45 - 00057538 _____ C:\Windows\DPINST.LOG
    2015-09-05 12:18 - 2015-09-05 12:18 - 00057560 _____ C:\Users\Philip\AppData\Local\GDIPFONTCACHEV1.DAT
    2015-09-05 12:12 - 2015-09-05 12:18 - 00000000 ____D C:\Users\Philip\AppData\Local\Apps\Windows 7 USB DVD Download Tool
    2015-09-05 12:12 - 2015-09-05 12:12 - 00002533 _____ C:\Users\Philip\Desktop\Windows 7 USB DVD Download Tool.lnk
    2015-09-05 12:12 - 2015-09-05 12:12 - 00000000 ____D C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 USB DVD Download Tool
    2015-09-05 09:59 - 2015-09-05 09:59 - 00000000 ____D C:\_SMSTaskSequence
    2015-09-05 09:16 - 2015-09-05 09:16 - 00008192 __RSH C:\BOOTSECT.BAK
    2015-09-05 09:16 - 2015-09-05 08:23 - 00000000 ____D C:\Windows\Panther
    2015-09-05 09:16 - 2010-11-20 20:23 - 00383786 __RSH C:\bootmgr
    2015-09-05 08:45 - 2015-09-05 13:09 - 00001908 _____ C:\Windows\diagwrn.xml
    2015-09-05 08:45 - 2015-09-05 13:09 - 00001908 _____ C:\Windows\diagerr.xml
    2015-09-05 08:44 - 2015-09-05 08:44 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2015-09-05 08:27 - 2015-09-05 08:27 - 00000000 ____D C:\Windows\pss
    2015-09-05 08:23 - 2015-09-05 15:41 - 00380302 _____ C:\Windows\WindowsUpdate.log
    2015-09-05 08:23 - 2015-09-05 12:33 - 00000000 ____D C:\Users\Philip
    2015-09-05 08:23 - 2015-09-05 08:23 - 00001465 _____ C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2015-09-05 08:23 - 2015-09-05 08:23 - 00001425 _____ C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
    2015-09-05 08:23 - 2015-09-05 08:23 - 00000020 ___SH C:\Users\Philip\ntuser.ini
    2015-09-05 08:23 - 2015-09-05 08:23 - 00000000 __SHD C:\Recovery
    2015-09-05 08:23 - 2015-09-05 08:23 - 00000000 ____D C:\Users\Philip\AppData\Local\VirtualStore
    2015-09-05 08:23 - 2009-07-13 21:54 - 00000000 ___RD C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-09-05 08:23 - 2009-07-13 21:49 - 00000000 ___RD C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    2015-09-05 08:21 - 2015-09-05 08:21 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
    2015-09-05 08:20 - 2015-09-05 08:20 - 00001355 _____ C:\Windows\TSSysprep.log
    2015-09-05 08:20 - 2015-09-05 08:20 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2015-09-05 15:31 - 2009-07-13 22:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
    2015-09-05 15:24 - 2010-11-20 20:47 - 00004888 _____ C:\Windows\PFRO.log
    2015-09-05 15:24 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2015-09-05 15:24 - 2009-07-13 21:51 - 00002201 _____ C:\Windows\setupact.log
    2015-09-05 15:23 - 2009-07-13 21:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-09-05 15:23 - 2009-07-13 21:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-09-05 14:25 - 2009-07-13 20:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-09-05 13:41 - 2009-07-13 20:20 - 00000000 __RHD C:\Users\Public\Libraries
    2015-09-05 13:32 - 2009-07-13 20:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
    2015-09-05 13:09 - 2009-07-13 21:51 - 00000000 _____ C:\Windows\setuperr.log
    2015-09-05 13:08 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
    2015-09-05 12:12 - 2009-07-13 22:32 - 00000000 ____D C:\Windows\system32\restore
    2015-09-05 12:05 - 2009-07-13 22:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
    2015-09-05 09:16 - 2009-07-13 22:38 - 00025600 ___SH C:\Windows\system32\config\BCD-Template.LOG
    2015-09-05 09:16 - 2009-07-13 22:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
    2015-09-05 08:23 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
    2015-09-05 08:22 - 2009-07-13 21:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
    2015-09-05 08:21 - 2009-07-13 22:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
    2015-09-05 08:20 - 2009-07-13 21:46 - 00002790 _____ C:\Windows\DtcInstall.log
    2015-09-05 08:20 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\sysprep
    2015-09-05 08:18 - 2010-11-21 00:16 - 00000000 ____D C:\Windows\CSC

    ==================== Files in the root of some directories =======

    2015-09-05 15:46 - 2015-09-05 15:46 - 0000041 _____ () C:\Users\Philip\AppData\Roaming\WB.CFG

    Some files in TEMP:
    ====================
    C:\Users\Philip\AppData\Local\Temp\{2F32168C-B4D1-4065-978F-DA2DAD91A0D6}.exe


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-09-05 09:28
     
  6. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    Addition.txt:
    Additional scan result of Farbar Recovery Scan Tool (x64) Version:04-09-2015
    Ran by Philip (2015-09-05 15:46:08)
    Running from C:\Users\Philip\Downloads
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-3686608022-1110692643-3377733670-500 - Administrator - Disabled)
    Guest (S-1-5-21-3686608022-1110692643-3377733670-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-3686608022-1110692643-3377733670-1002 - Limited - Enabled)
    Philip (S-1-5-21-3686608022-1110692643-3377733670-1000 - Administrator - Enabled) => C:\Users\Philip

    ==================== Security C
    2015-09-05 15:33 - 2015-09-05 15:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2015-09-05 15:33 - 2015-09-05 15:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2015-09-05 15:28 - 2015-09-05 15:41 - 00012036 _____ C:\Windows\IE11_main.log
    2015-09-05 15:25 - 2015-09-05 15:25 - 00000000 ___RD C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
    2015-09-05 15:21 - 2015-09-05 15:21 - 00000000 ____D C:\TDSSKiller_Quarantine
    2015-09-05 14:47 - 2015-09-05 14:48 - 04404952 _____ (Kaspersky Lab ZAO) C:\Users\Philip\Downloads\tdsskiller.exe
    2015-09-05 14:47 - 2015-09-05 14:47 - 00002030 _____ C:\Users\Philip\Desktop\Secure Chromium.lnk
    2015-09-05 14:47 - 2015-09-05 14:47 - 00000000 ____D C:\Users\Philip\AppData\Local\Chromium
    2015-09-05 14:46 - 2015-09-05 15:46 - 00000336 _____ C:\Windows\Tasks\UpdateTask.job
    2015-09-05 14:46 - 2015-09-05 15:46 - 00000000 ____D C:\Users\Philip\AppData\Local\{C9AAFFF6-ED02-934E-809A-B6A6A4F24A3E}
    2015-09-05 14:46 - 2015-09-05 14:46 - 01200163 _____ C:\Users\Philip\Downloads\7zip.exe
    2015-09-05 14:46 - 2015-09-05 14:46 - 00003280 _____ C:\Windows\System32\Tasks\UpdateTask
    2015-09-05 14:45 - 2015-09-05 14:45 - 00883800 _____ (Software ) C:\Users\Philip\Downloads\zipinstall.exe
    2015-09-05 14:37 - 2015-09-05 14:37 - 00000000 ____D C:\Users\Philip\AppData\Roaming\Atheros
    2015-09-05 14:37 - 2015-09-05 14:37 - 00000000 ____D C:\Users\Philip\AppData\Local\BMExplorer
    2015-09-05 14:37 - 2015-09-05 14:37 - 00000000 ____D C:\ProgramData\Atheros
    2015-09-05 14:18 - 2015-09-05 14:19 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BT Program
    2015-09-05 14:18 - 2015-09-05 14:19 - 00000000 ____D C:\Program Files (x86)\Bluetooth Suite
    2015-09-05 14:18 - 2015-09-05 14:18 - 00000000 ____D C:\Program Files\Common Files\QCA_Bluetooth
    2015-09-05 13:47 - 2015-09-05 13:47 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_btath_hcrp_01009.Wdf
    2015-09-05 13:35 - 2015-09-05 14:37 - 00000000 ____D C:\Users\Philip\Documents\Bluetooth Folder
    2015-09-05 13:35 - 2014-05-14 09:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
    2015-09-05 13:35 - 2014-05-14 09:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
    2015-09-05 13:35 - 2014-05-14 09:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2015-09-05 13:35 - 2014-05-14 09:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
    2015-09-05 13:35 - 2014-05-14 09:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
    2015-09-05 13:35 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
    2015-09-05 13:35 - 2014-05-14 09:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2015-09-05 13:35 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2015-09-05 13:34 - 2015-09-05 13:34 - 00000000 ____D C:\ProgramData\{EB5F5A55-037A-4E47-806B-2C8AA9374701}
    2015-09-05 13:33 - 2015-09-05 14:02 - 00000000 ____D C:\Program Files (x86)\Qualcomm Atheros
    2015-09-05 13:33 - 2014-02-21 00:49 - 04044800 _____ (Qualcomm Atheros Communications, Inc.) C:\Windows\system32\Drivers\athrx.sys
    2015-09-05 13:31 - 2015-09-05 13:34 - 00000000 ____D C:\ProgramData\Qualcomm Atheros
    2015-09-05 13:03 - 2015-09-05 13:03 - 00000000 ____D C:\Windows\system32\EventProviders
    2015-09-05 12:54 - 2015-09-05 12:59 - 00000000 ____D C:\3952d7c720e8b2dbeeff
    2015-09-05 12:41 - 2015-09-05 12:41 - 00003162 _____ C:\Windows\System32\Tasks\{D38C8C4C-8276-4D0A-B1C7-8D33C382A0F3}
    2015-09-05 12:34 - 2015-09-05 12:34 - 00000000 ____D C:\ProgramData\Intel
    2015-09-05 12:34 - 2015-09-05 12:34 - 00000000 ____D C:\Program Files\Intel
    2015-09-05 12:34 - 2015-09-05 12:34 - 00000000 ____D C:\Program Files (x86)\Intel
    2015-09-05 12:33 - 2015-09-05 12:33 - 00000000 ____D C:\Users\Philip\Intel
    2015-09-05 12:31 - 2015-09-05 12:31 - 00000000 ____D C:\Program Files (x86)\Cisco
    2015-09-05 12:31 - 2014-05-22 01:40 - 03450584 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\rtwlane.sys
    2015-09-05 12:30 - 2013-04-01 23:19 - 00574464 _____ (Realtek Semiconductor Corp. ) C:\Windows\system32\Rtlihvs.dll
    2015-09-05 12:29 - 2015-09-05 13:33 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
    2015-09-05 12:29 - 2015-09-05 12:29 - 00000000 ____D C:\Program Files (x86)\REALTEK
    2015-09-05 12:29 - 2014-03-24 12:37 - 00422400 _____ (Realtek) C:\Windows\SwUSB.exe
    2015-09-05 12:29 - 2013-10-18 16:42 - 00048856 _____ () C:\Windows\runSW.exe
    2015-09-05 12:29 - 2010-12-01 09:31 - 00451072 _____ C:\Windows\SysWOW64\ISSRemoveSP.exe
    2015-09-05 12:27 - 2015-09-05 12:27 - 00000000 ____D C:\Intel
    2015-09-05 12:22 - 2015-09-05 13:45 - 00057538 _____ C:\Windows\DPINST.LOG
    2015-09-05 12:18 - 2015-09-05 12:18 - 00057560 _____ C:\Users\Philip\AppData\Local\GDIPFONTCACHEV1.DAT
    2015-09-05 12:12 - 2015-09-05 12:18 - 00000000 ____D C:\Users\Philip\AppData\Local\Apps\Windows 7 USB DVD Download Tool
    2015-09-05 12:12 - 2015-09-05 12:12 - 00002533 _____ C:\Users\Philip\Desktop\Windows 7 USB DVD Download Tool.lnk
    2015-09-05 12:12 - 2015-09-05 12:12 - 00000000 ____D C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows 7 USB DVD Download Tool
    2015-09-05 09:59 - 2015-09-05 09:59 - 00000000 ____D C:\_SMSTaskSequence
    2015-09-05 09:16 - 2015-09-05 09:16 - 00008192 __RSH C:\BOOTSECT.BAK
    2015-09-05 09:16 - 2015-09-05 08:23 - 00000000 ____D C:\Windows\Panther
    2015-09-05 09:16 - 2010-11-20 20:23 - 00383786 __RSH C:\bootmgr
    2015-09-05 08:45 - 2015-09-05 13:09 - 00001908 _____ C:\Windows\diagwrn.xml
    2015-09-05 08:45 - 2015-09-05 13:09 - 00001908 _____ C:\Windows\diagerr.xml
    2015-09-05 08:44 - 2015-09-05 08:44 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2015-09-05 08:27 - 2015-09-05 08:27 - 00000000 ____D C:\Windows\pss
    2015-09-05 08:23 - 2015-09-05 15:41 - 00380302 _____ C:\Windows\WindowsUpdate.log
    2015-09-05 08:23 - 2015-09-05 12:33 - 00000000 ____D C:\Users\Philip
    2015-09-05 08:23 - 2015-09-05 08:23 - 00001465 _____ C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2015-09-05 08:23 - 2015-09-05 08:23 - 00001425 _____ C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
    2015-09-05 08:23 - 2015-09-05 08:23 - 00000020 ___SH C:\Users\Philip\ntuser.ini
    2015-09-05 08:23 - 2015-09-05 08:23 - 00000000 __SHD C:\Recovery
    2015-09-05 08:23 - 2015-09-05 08:23 - 00000000 ____D C:\Users\Philip\AppData\Local\VirtualStore
    2015-09-05 08:23 - 2009-07-13 21:54 - 00000000 ___RD C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-09-05 08:23 - 2009-07-13 21:49 - 00000000 ___RD C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    2015-09-05 08:21 - 2015-09-05 08:21 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
    2015-09-05 08:20 - 2015-09-05 08:20 - 00001355 _____ C:\Windows\TSSysprep.log
    2015-09-05 08:20 - 2015-09-05 08:20 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2015-09-05 15:31 - 2009-07-13 22:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
    2015-09-05 15:24 - 2010-11-20 20:47 - 00004888 _____ C:\Windows\PFRO.log
    2015-09-05 15:24 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2015-09-05 15:24 - 2009-07-13 21:51 - 00002201 _____ C:\Windows\setupact.log
    2015-09-05 15:23 - 2009-07-13 21:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-09-05 15:23 - 2009-07-13 21:45 - 00016832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-09-05 14:25 - 2009-07-13 20:20 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
    2015-09-05 13:41 - 2009-07-13 20:20 - 00000000 __RHD C:\Users\Public\Libraries
    2015-09-05 13:32 - 2009-07-13 20:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
    2015-09-05 13:09 - 2009-07-13 21:51 - 00000000 _____ C:\Windows\setuperr.log
    2015-09-05 13:08 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
    2015-09-05 12:12 - 2009-07-13 22:32 - 00000000 ____D C:\Windows\system32\restore
    2015-09-05 12:05 - 2009-07-13 22:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
    2015-09-05 09:16 - 2009-07-13 22:38 - 00025600 ___SH C:\Windows\system32\config\BCD-Template.LOG
    2015-09-05 09:16 - 2009-07-13 22:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
    2015-09-05 08:23 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
    2015-09-05 08:22 - 2009-07-13 21:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
    2015-09-05 08:21 - 2009-07-13 22:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
    2015-09-05 08:20 - 2009-07-13 21:46 - 00002790 _____ C:\Windows\DtcInstall.log
    2015-09-05 08:20 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\sysprep
    2015-09-05 08:18 - 2010-11-21 00:16 - 00000000 ____D C:\Windows\CSC

    ==================== Files in the root of some directories =======

    2015-09-05 15:46 - 2015-09-05 15:46 - 0000041 _____ () C:\Users\Philip\AppData\Roaming\WB.CFG

    Some files in TEMP:
    ====================
    C:\Users\Philip\AppData\Local\Temp\{2F32168C-B4D1-4065-978F-DA2DAD91A0D6}.exe


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-09-05 09:28

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
    Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
    Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
    Intel(R) Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Mozilla Firefox 40.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 40.0.3 (x86 en-US)) (Version: 40.0.3 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 40.0.3 - Mozilla)
    Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.318 - Qualcomm Atheros Communications)
    Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.29 - Qualcomm Atheros WLAN and Bluetooth Client Installation Program)
    REALTEK Wireless LAN Driver (HKLM-x32\...\{9DAABC60-A5EF-41FF-B2B9-17329590CD5}) (Version: 1.00.243 - REALTEK Semiconductor Corp.)
    Secure Chromium (HKU\S-1-5-21-3686608022-1110692643-3377733670-1000\...\Chromium) (Version: 46.0.2480.0 - Chromium)
    Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Restore Points =========================

    05-09-2015 12:12:26 Installed Windows 7 USB/DVD Download Tool
    05-09-2015 12:28:52 Installed REALTEK PCIE Wireless LAN Driver
    05-09-2015 12:33:42 IIF_MSI
    05-09-2015 13:11:27 Device Driver Package Install: ieuinit.inf
    05-09-2015 13:12:46 Installed REALTEK PCIE Wireless LAN Driver
    05-09-2015 13:31:43 Installed Qualcomm Atheros WLAN and Bluetooth Client Installation Program
    05-09-2015 15:29:54 Windows Modules Installer

    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 19:34 - 2009-06-10 14:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {5021DB2D-674F-4DAF-9AAA-796DA93859C4} - System32\Tasks\UpdateTask => C:\Users\Philip\AppData\Local\{C9AAFFF6-ED02-934E-809A-B6A6A4F24A3E}\uninstall.exe [2015-09-05] ()
    Task: {AA540CF9-33A4-4BBF-9FE2-F07E8F168D14} - System32\Tasks\{D38C8C4C-8276-4D0A-B1C7-8D33C382A0F3} => pcalua.exe -a E:\Chipset_Intel_9.4.4.1006_W81x64\Setup.exe -d E:\Chipset_Intel_9.4.4.1006_W81x64

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\Philip\AppData\Local\{C9AAFFF6-ED02-934E-809A-B6A6A4F24A3E}\uninstall.exe

    ==================== Loaded Modules (Whitelisted) ==============

    2014-02-25 22:11 - 2014-02-25 22:11 - 00086016 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\Map\MAP.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\94061638.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\94061638.sys => ""="Driver"

    ==================== EXE Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-3686608022-1110692643-3377733670-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Philip\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
    DNS Servers: 216.228.160.4 - 216.228.160.3
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [{49F4EA33-2B92-4454-92E2-3E86624747EF}] => (Allow) C:\Users\Philip\AppData\Local\Chromium\Application\chrome.exe
    FirewallRules: [{F019A753-A260-4CE4-9E87-55B72EB16F23}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{FA54971C-23D6-4B7D-AB7F-E6F740255126}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

    ==================== Faulty Device Manager Devices =============

    Name: Universal Serial Bus (USB) Controller
    Description: Universal Serial Bus (USB) Controller
    Class Guid:
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Bluetooth Peripheral Device
    Description: Bluetooth Peripheral Device
    Class Guid:
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Bluetooth Peripheral Device
    Description: Bluetooth Peripheral Device
    Class Guid:
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: SM Bus Controller
    Description: SM Bus Controller
    Class Guid:
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Intel(R) Trusted Execution Engine Interface
    Description: Intel(R) Trusted Execution Engine Interface
    Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
    Manufacturer: Intel
    Service: TXEIx64
    Problem: : Windows cannot initialize the device driver for this hardware. (Code 37)
    Resolution: The driver returned failure from its DriverEntry routine. Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.

    Name: Ethernet Controller
    Description: Ethernet Controller
    Class Guid:
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (09/05/2015 03:26:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 02:40:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 02:38:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 01:46:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (09/05/2015 01:36:40 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
    Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
    .

    Error: (09/05/2015 01:28:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 01:16:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 01:15:48 PM) (Source: RasClient) (EventID: 20227) (User: )
    Description: CoId={0654A564-4FB9-4BD3-9410-AABBB0E0650F}: The user Philip-PC\Philip dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.

    Error: (09/05/2015 01:07:56 PM) (Source: RasClient) (EventID: 20227) (User: )
    Description: CoId={8D0E9AAF-0063-4425-A933-778ACDBE2F10}: The user Philip-PC\Philip dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.

    Error: (09/05/2015 01:07:27 PM) (Source: RasClient) (EventID: 20227) (User: )
    Description: CoId={545D362A-7146-4D7F-B32C-7A974A9897F6}: The user Philip-PC\Philip dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.


    System errors:
    =============
    Error: (09/05/2015 01:03:25 PM) (Source: Microsoft-Windows-Service Pack Installer) (EventID: 8) (User: Philip-PC)
    Description: Service Pack installation failed with error code 0x800f0a03.

    Error: (09/05/2015 12:34:40 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
    Description: The Windows Update service terminated with the following error:
    %%-2147467243


    Microsoft Office:
    =========================
    Error: (09/05/2015 03:26:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 02:40:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 02:38:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 01:46:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
    Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

    Error: (09/05/2015 01:36:40 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
    Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

    Error: (09/05/2015 01:28:46 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 01:16:17 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (09/05/2015 01:15:48 PM) (Source: RasClient) (EventID: 20227) (User: )
    Description: {0654A564-4FB9-4BD3-9410-AABBB0E0650F}Philip-PC\PhilipBroadband Connection651

    Error: (09/05/2015 01:07:56 PM) (Source: RasClient) (EventID: 20227) (User: )
    Description: {8D0E9AAF-0063-4425-A933-778ACDBE2F10}Philip-PC\PhilipBroadband Connection651

    Error: (09/05/2015 01:07:27 PM) (Source: RasClient) (EventID: 20227) (User: )
    Description: {545D362A-7146-4D7F-B32C-7A974A9897F6}Philip-PC\PhilipBroadband Connection651


    ==================== Memory info ===========================

    Processor: Intel(R) Pentium(R) CPU N3540 @ 2.16GHz
    Percentage of memory in use: 68%
    Total physical RAM: 1933.36 MB
    Available physical RAM: 609.2 MB
    Total Virtual: 3866.73 MB
    Available Virtual: 1891.46 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:465.42 GB) (Free:449.64 GB) NTFS ==>[drive with boot components (obtained from BCD)]
    Drive d: (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.33 GB) NTFS
    Drive f: (UBUNTU 11_0) (Removable) (Total:29.1 GB) (Free:25.98 GB) FAT32

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 59E5C963)
    Partition 1: (Not Active) - (Size=350 MB) - (Type=07 NTFS)
    Partition 2: (Active) - (Size=465.4 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 29.1 GB) (Disk ID: 009412F6)
    Partition 1: (Active) - (Size=29.1 GB) - (Type=0C)

    ==================== End of Addition.txt ============================
     
  7. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    Sorry Broni,
    What I didn't mention in my description of conditions is that when I change the UEFI to an alternate boot up (CD/DVD with legacy) there is nothing plugged into USB and no CD in the DVD/CD drive. And yet it still successfully boots up and logs into Windows 7.
     
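    The "MBR & Partition Table" section of the Addition.txt log above (Disk 0: MBR code "Windows 7 or 8", Disk ID 59E5C963, partition 1 inactive 350 MB NTFS, partition 2 active 465.4 GB NTFS, no EFI System or GPT protective entry) and the observation in post 7 (the machine boots when the firmware is switched to legacy/CSM but reports "No Bootable device" in native UEFI mode) can both be checked directly from the first sector of the disk. The following is an added worked example written for this page, not a tool from the thread or from FRST: it parses a raw 512-byte MBR the way FRST summarises it, hashes the boot-code area that a bootkit would overwrite so it can be compared against a known-clean sector (for instance one captured right after `bootrec /fixmbr`), and reports whether the layout is bootable by legacy firmware (valid 55AA signature, exactly one active partition) and whether it contains anything a native UEFI boot could use (an EFI System Partition or a GPT protective entry). The sample sector is constructed from the values in the log above; it is not a dump of the poster's disk, and the boot code in it is a placeholder.

```python
"""Parse a raw MBR sector and check legacy vs UEFI bootability (added example)."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439: boot code, the part a bootkit patches
DISK_ID_OFFSET = 440           # 4-byte disk signature, the "Disk ID" FRST prints
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries
SIGNATURE_OFFSET = 510         # must hold 0x55 0xAA for firmware to treat it as bootable
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PARTITION_ENTRY = struct.Struct("<B3xB3xII")

TYPE_NAMES = {
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0xEE: "GPT protective", 0xEF: "EFI System",
}


def parse_mbr(sector):
    """Return disk id, signature check, boot-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one %d-byte sector" % SECTOR_SIZE)
    (boot_signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    (disk_id,) = struct.unpack_from("<I", sector, DISK_ID_OFFSET)
    partitions = []
    for index in range(4):
        status, ptype, lba_start, lba_count = PARTITION_ENTRY.unpack_from(
            sector, PARTITION_TABLE_OFFSET + 16 * index)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "number": index + 1,
            "active": status == 0x80,
            "status_valid": status in (0x00, 0x80),  # anything else means a corrupt entry
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "type %02X" % ptype),
            "lba_start": lba_start,
            "size_gb": round(lba_count * SECTOR_SIZE / 1024 ** 3, 2),
        })
    return {
        "disk_id": "%08X" % disk_id,
        "boot_signature_ok": boot_signature == 0xAA55,
        # Compare this against the hash of a known-clean sector from the same Windows
        # version; a differing boot code with an unchanged partition table is the
        # classic footprint of an MBR bootkit.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
    }


def assess_bootability(mbr):
    """Decide what kind of firmware boot this partition layout can satisfy."""
    active = [p for p in mbr["partitions"] if p["active"]]
    return {
        # Legacy/CSM: firmware loads the sector only if it ends in 55AA, and the
        # standard MBR code then chains to the single partition flagged active.
        "legacy_boot_layout": (
            mbr["boot_signature_ok"] and len(active) == 1
            and all(p["status_valid"] for p in mbr["partitions"])),
        # Native UEFI needs an EFI System Partition (0xEF here, or inside the GPT
        # that a 0xEE protective entry announces). An MBR-only disk with neither
        # gives UEFI firmware nothing to load, regardless of the MBR code.
        "uefi_layout_possible": any(p["type"] in (0xEE, 0xEF) for p in mbr["partitions"]),
    }


def build_sample_mbr():
    """Constructed sector mirroring the FRST summary in this thread (not a real dump)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xEB\xFE"  # placeholder boot code (jmp $), not Windows' real MBR code
    struct.pack_into("<I", sector, DISK_ID_OFFSET, 0x59E5C963)
    # partition 1: inactive, NTFS, 350 MiB "System Reserved" starting at LBA 2048
    PARTITION_ENTRY.pack_into(sector, PARTITION_TABLE_OFFSET, 0x00, 0x07, 2048, 716800)
    # partition 2: active, NTFS, 465.42 GiB Windows volume
    PARTITION_ENTRY.pack_into(sector, PARTITION_TABLE_OFFSET + 16, 0x80, 0x07, 718848, 976052224)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, 0xAA55)
    return bytes(sector)


if __name__ == "__main__":
    # Pass a 512-byte file dumped from the disk, otherwise the constructed sample is used.
    raw = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    info = parse_mbr(raw)
    for p in info["partitions"]:
        print("Partition %d: %s - %.2f GB - %s" % (
            p["number"], "Active" if p["active"] else "Not Active", p["size_gb"], p["type_name"]))
    print("Disk ID:", info["disk_id"], "| 55AA signature:", info["boot_signature_ok"])
    print("Boot code SHA-256:", info["boot_code_sha256"])
    print(assess_bootability(info))
```

    To run it against a real disk, capture sector 0 first: on Linux `dd if=/dev/sda bs=512 count=1 of=mbr.bin`, on Windows (elevated) `open(r"\\.\PhysicalDrive0", "rb").read(512)`, then pass the file as the argument. For the layout in the log the result is `legacy_boot_layout: True` and `uefi_layout_possible: False`, which is what a BIOS-mode Windows 7 install looks like and is consistent with the firmware booting in legacy/CSM mode but reporting no bootable device in native UEFI mode; it says nothing either way about the boot code itself, which is why the hash comparison against a known-clean sector is the part that matters for the bootkit question.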
  8. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2
    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
    Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
    NOTE. If you already have MBAM 2.0 installed scroll down.
    • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    • Click Finish.
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.
    If you already have MBAM 2.0 installed:
    • On the Dashboard, click the 'Update Now >>' link
    • After the update completes, click the 'Scan Now >>' button.
    • Or, on the Dashboard, click the Scan Now >> button.
    • If an update is available, click the Update Now button.
    • A Threat Scan will begin.
    • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    • In most cases, a restart will be required.
    • Wait for the prompt to restart the computer to appear, then click on Yes.
    How to get logs:
    (Export log to save as txt)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Export'.
    • Click 'Text file (*.txt)'
    • In the Save File dialog box which appears, click on Desktop.
    • In the File name: box type a name for your scan log.
    • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
    • Click Ok
    • Attach that saved log to your next reply.
    (Copy to clipboard for pasting into forum replies or tickets)
    • After the restart once you are back at your desktop, open MBAM once more.
    • Click on the History tab > Application Logs.
    • Double click on the Scan Log which shows the Date and time of the scan just performed.
    • Click 'Copy to Clipboard'
    • Paste the contents of the clipboard into your reply.
    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
     
  9. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    RogueKiller text
    RogueKiller V10.10.4.0 [Sep 4 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/software/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Philip [Administrator]
    Started from : C:\Users\Philip\Downloads\RogueKiller.exe
    Mode : Delete -- Date : 09/06/2015 11:58:06

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 7 ¤¤¤
    [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SWDUMon (system32\DRIVERS\SWDUMon.sys) -> Deleted
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 216.228.160.4 216.228.160.3 ([X][X]) -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 216.228.160.4 216.228.160.3 ([X][X]) -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 216.228.160.4 216.228.160.3 ([X][X]) -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{728AF2CB-3B7D-467A-9B09-A7942DD77908} | DhcpNameServer : 216.228.160.4 216.228.160.3 ([X][X]) -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{728AF2CB-3B7D-467A-9B09-A7942DD77908} | DhcpNameServer : 216.228.160.4 216.228.160.3 ([X][X]) -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{728AF2CB-3B7D-467A-9B09-A7942DD77908} | DhcpNameServer : 216.228.160.4 216.228.160.3 ([X][X]) -> Not selected

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 1 ¤¤¤
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhostDeleted

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 ATA Device +++++
    --- User ---
    [MBR] 5e39601d1e791b107eaff05ee9f70e78
    [BSP] f32991ef1eecbab2e117c783cb5081c2 : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 476588 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
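As an added example (not part of the thread, and not RogueKiller's own code), a small Python triage of a report in the RogueKiller format posted above: it separates findings the tool left in place from ones to verify by hand, since a [PUM.Dns] DhcpNameServer entry is only a hijack when the resolvers are not the ones the network is expected to hand out, and it records the MBR and boot-sector hashes so a later run can be compared against this one. The sample report is constructed from the format above (hashes and addresses copied from the posted log); the set of expected DNS servers is an assumption the responder supplies.

```python
import re

# Constructed sample (not the thread's own log) in the RogueKiller report
# format posted above; the hashes and DNS addresses are copied from it.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 2 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SWDUMon (system32\DRIVERS\SWDUMon.sys) -> Deleted
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 216.228.160.4 216.228.160.3 ([X][X]) -> Not selected

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 ATA Device +++++
[MBR] 5e39601d1e791b107eaff05ee9f70e78
[BSP] f32991ef1eecbab2e117c783cb5081c2 : Windows Vista/7/8|VT.Unknown MBR Code
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) : ?(?P<rest>.*?) ?¤¤¤$")
# [Category] (arch) key [| value : data ([X][X])] -> Action
ENTRY_RE = re.compile(r"^\[(?P<cat>[^\]]+)\] \((?P<arch>X64|X86)\) (?P<key>.+?)"
                      r"(?: \| (?P<value>[^:]+) : (?P<data>.+?) \(\[X\]\[X\]\))? -> (?P<action>.+)$")
HASH_RE = re.compile(r"^\[(?P<kind>MBR|BSP)\] (?P<hash>[0-9a-f]{32})(?: : (?P<desc>.+))?$")

def parse_report(text):
    """Group report lines under their '¤¤¤ Name : N ¤¤¤' section headers."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name"), [])
        elif line and current is not None:
            current.append(line)
    return sections

def triage(text, expected_dns=frozenset()):
    """Return registry findings left in place, DHCP DNS servers outside the
    expected set (an assumption the responder supplies), and the MBR/BSP hashes."""
    sections = parse_report(text)
    review = []
    for m in filter(None, map(ENTRY_RE.match, sections.get("Registry", []))):
        e = m.groupdict()
        if e["value"] == "DhcpNameServer":
            unknown = set(e["data"].split()) - set(expected_dns)
            if unknown:  # PUM.Dns is only a hijack if the resolvers are unexpected
                review.append(("dns-unverified", sorted(unknown)))
        elif e["action"] != "Deleted":
            review.append(("not-removed", e["key"]))
    hashes = {m.group("kind"): (m.group("hash"), m.group("desc"))
              for m in filter(None, map(HASH_RE.match, sections.get("MBR Check", [])))}
    return {"review": review, "hashes": hashes}
```

Comparing the recorded hashes against a report taken after a rebuild of the boot sector tells you whether the MBR actually changed; the tool's own verdict line ("VT.Unknown MBR Code") only says the code is not in its catalogue.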
     
  10. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 7.6.0 (08.31.2015:1)
    OS: Windows 7 Ultimate x64
    Ran by Philip on Sun 09/06/2015 at 11:29:57.62
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services

    Successfully deleted: [Service] swdumon [Reboot required]



    ~~~ Tasks

    Successfully deleted: [Task] C:\Windows\system32\tasks\SlimDrivers Startup
    Successfully deleted: [Task] C:\Windows\Tasks\SlimDrivers Startup.job



    ~~~ Registry Values

    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
    Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



    ~~~ Registry Keys



    ~~~ Files

    Successfully deleted: [File] C:\Windows\system32\drivers\swdumon.sys



    ~~~ Folders

    Successfully deleted: [Folder] C:\Users\Philip\Appdata\Local\slimware utilities inc
    Successfully deleted: [Folder] C:\users\Public\Documents\downloaded installers



    ~~~ Chrome


    [C:\Users\Philip\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

    [C:\Users\Philip\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

    [C:\Users\Philip\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

    [C:\Users\Philip\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
    []





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sun 09/06/2015 at 11:39:29.82
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    More scans to follow
     
  11. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    # AdwCleaner v5.005 - Logfile created 06/09/2015 at 12:36:17
    # Updated 31/08/2015 by Xplode
    # Database : 2015-09-04.4 [Server]
    # Operating system : Windows 7 Ultimate Service Pack 1 (x64)
    # Username : Philip - PHILIP-PC
    # Running from : C:\Users\Philip\Downloads\AdwCleaner.exe
    # Option : Cleaning
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****


    ***** [ Files ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    [-] Key Deleted : HKCU\Software\PRODUCTSETUP
    [-] Key Deleted : HKCU\Software\SlimWare Utilities Inc
    [-] Key Deleted : HKLM\SOFTWARE\SlimWare Utilities Inc
    [!] Key Not Deleted : [x64] HKCU\Software\PRODUCTSETUP
    [!] Key Not Deleted : [x64] HKCU\Software\SlimWare Utilities Inc
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    [-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
    [!] Key Not Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    [-] Data Restored : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
    [-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    [-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
    [!] Key Not Deleted : HKU\S-1-5-21-3686608022-1110692643-3377733670-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    [-] Data Restored : HKU\S-1-5-21-3686608022-1110692643-3377733670-1000\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]

    ***** [ Web browsers ] *****


    *************************

    :: Winsock settings cleared

    ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1818 bytes] ##########
     
  12. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    Hi Mr Broni,
    I'm pleased to tell you that I was able, through research on my own, to resolve this crazy process.
    Through reading about how the UEFI configuration works, I learned that the HDD must be formatted to FAT 32. My initial format, which I did after cleaning the bugs, was done as NTFS.
    Thank you for your attention.
    Philip Moore
     
  13. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good news :)
     
  14. PhilipMoore62

    PhilipMoore62 TS Booster Topic Starter Posts: 303

    Mr Broni,
    If you would be more comfortable moving through all of the anti virus cleaning steps I'm willing to comply. Otherwise I would be comfortable with you showing this post as resolved.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    I already marked it as "Inactive".
    There is not much in your logs.

    Good luck :)
     