Inactive-A "You are infected" call 1 888 666 xxxx

Can you visit a friend or library to see if same issue happens there?
I'm not sure what's going on because I don't see anything malicious on your computer anymore.
 
I tried a restart without safe mode, same recurring issue.

I have tried to take a screenshot with the hold Windows key+Print Screen to no avail. Cannot access the Pictures library, another issue on its own.

Just thinking, would the scans not "see" infected files if done in safe mode?

I will try again as you suggested on a different internet access point.

Twinfire
 
Hello Broni, using a different access point now and in safe mode still. No change in normal mode though, same "your system is infected, call support immediately" banner/box on the desktop.

See attached or embedded image.
 

Attachments

  • WP_20150530_23_32_41_Pro.jpg (279.9 KB)
Let's try to take a look at your computer from outside.

For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt. To access Advanced Boot Options, start and shut down the computer TWICE. On the third start you should see Advanced Boot Options.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst (for the x64 version type e:\frst64) and press Enter.
    Note: replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
 
Hello Broni, as per request here is the frst log, hopefully this yields something different.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-06-2015
Ran by SYSTEM on MININT-M2H9OQE on 29-06-2015 19:26:25
Running from d:\
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool:

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13427784 2013-03-18] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1794704 2015-03-31] (NVIDIA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2717176 2013-01-04] (TOSHIBA Corporation)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [170848 2013-01-28] (TOSHIBA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-04-06] (Apple Inc.)
HKLM-x32\...\Run: [TSVU] => c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe [467360 2013-03-08] (TOSHIBA)
HKLM-x32\...\Run: [SacReminderBOX] => C:\ProgramData\Clickfree\BoxSoftware\reminder\SacReminder.exe [567120 2011-11-01] (SAC)
HKLM-x32\...\Run: [Intel AppUp(R) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [156000 2012-10-04] (Intel Corporation)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3745744 2015-05-17] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-01] (Apple Inc.)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1279120 2012-09-27] (CANON INC.)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452272 2012-08-30] (CANON INC.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Administrator\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2014-11-21] (Microsoft Corporation)
HKU\greg\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8204056 2015-04-23] (Piriform Ltd)
HKU\greg\...\Run: [CCleaner] => C:\Program Files\CCleaner\CCleaner64.exe [8204056 2015-04-23] (Piriform Ltd)
HKU\greg\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_17_0_0_188_Plugin.exe [927920 2015-05-18] (Adobe Systems Incorporated)
HKU\Guest\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2014-11-21] (Microsoft Corporation)
HKU\UpdatusUser\...\Run: [] => [X]
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [177624 2015-03-31] (NVIDIA Corporation)
AppInit_DLLs: , C:\WINDOWS\system32\nvinitx.dll => C:\WINDOWS\system32\nvinitx.dll [177624 2015-03-31] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\WINDOWS\SysWOW64\nvinit.dll => C:\WINDOWS\SysWOW64\nvinit.dll [164752 2015-03-31] (NVIDIA Corporation)
Startup: C:\Users\greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-05-13]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S4 avgfws; C:\Program Files (x86)\AVG\AVG2015\avgfws.exe [1522664 2015-05-17] (AVG Technologies CZ, s.r.o.)
S4 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3438544 2015-05-17] (AVG Technologies CZ, s.r.o.)
S4 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [311792 2015-05-17] (AVG Technologies CZ, s.r.o.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-11-21] (Microsoft Corporation)
S4 CFUACProxy_boxsoftware; C:\ProgramData\Clickfree\BoxSoftware\UACProxy.exe [83792 2011-11-01] (Storage Appliance Corp.)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2736824 2015-04-06] (Microsoft Corporation)
S4 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [16720 2013-03-25] ()
S4 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [351824 2013-02-05] ()
S4 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [140456 2012-03-28] ()
S4 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel(R) Corporation)
S4 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [130592 2012-10-26] (Intel Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165488 2012-12-18] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-13] (Malwarebytes Corporation)
S4 THAccelSvc; C:\Program Files\TOSHIBA\HDD Accelerator\THAccelSvc.exe [216976 2013-03-26] (TOSHIBA CORPORATION)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-05-02] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-05-02] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3858944 2013-10-23] (Qualcomm Atheros Communications, Inc.)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [21152 2015-03-26] (AVG Technologies CZ, s.r.o.)
S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [162784 2015-03-10] (AVG Technologies CZ, s.r.o.)
S1 Avgfwfd; C:\Windows\system32\DRIVERS\avgfwd6a.sys [67040 2015-03-19] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [284128 2015-04-26] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [253920 2015-05-06] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [256992 2015-04-14] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [378336 2015-05-06] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [220128 2015-05-06] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [40928 2015-03-19] (AVG Technologies CZ, s.r.o.)
S1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [293856 2015-05-03] (AVG Technologies CZ, s.r.o.)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-11-21] (Microsoft Corporation)
S1 ElRawDisk; C:\WINDOWS\system32\drivers\rsdrvx64.sys [26024 2009-02-11] (EldoS Corporation)
S5 ew_hwusbdev; C:\Windows\System32\Drivers\ew_hwusbdev.sys [109568 2013-01-24] (Huawei Technologies Co., Ltd.)
S3 ksapi64; C:\WINDOWS\system32\drivers\ksapi64.sys [56680 2015-05-09] (Kingsoft Corporation)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-04-13] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-04-13] (Malwarebytes Corporation)
S0 THAccel; C:\Windows\System32\DRIVERS\THAccel.sys [110976 2013-03-25] (TOSHIBA Corporation)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [28632 2012-07-31] (Windows (R) Win 7 DDK provider)
S3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-06-03] ()
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-05-02] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-26 02:11 - 2015-06-29 03:21 - 00001187 _____ C:\Windows\setupact.log
2015-06-26 02:11 - 2015-06-26 02:11 - 00000000 ____H C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2015-06-26 02:11 - 2015-06-26 02:11 - 00000000 _____ C:\Windows\setuperr.log
2015-06-13 04:43 - 2015-06-13 04:43 - 00000207 _____ C:\Windows\tweaking.com-regbackup-REDMACK620-Windows-8.1-(64-bit).dat
2015-06-13 04:43 - 2015-06-13 04:43 - 00000000 ____D C:\RegBackup
2015-06-03 07:32 - 2015-06-03 07:32 - 00002113 _____ C:\mbamscan.txt
2015-06-03 03:28 - 2015-06-03 07:09 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-06-03 03:24 - 2015-06-03 03:24 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-03 03:24 - 2015-04-13 17:38 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mwac.sys
2015-06-03 03:24 - 2015-04-13 17:37 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2015-06-03 03:12 - 2015-06-03 06:51 - 00035064 _____ C:\Windows\System32\Drivers\TrueSight.sys
2015-06-03 03:12 - 2015-06-03 03:14 - 00000000 ____D C:\ProgramData\RogueKiller
2015-06-02 09:02 - 2015-06-03 03:06 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-02 08:43 - 2015-06-17 05:02 - 00000000 ____D C:\FRST
2015-06-02 08:34 - 2015-06-02 08:34 - 00000000 ____D C:\NPE
2015-06-02 08:29 - 2015-06-14 02:34 - 00000000 ____D C:\Users\greg\AppData\Local\NPE
2015-06-02 08:17 - 2015-06-26 01:51 - 00053978 _____ C:\Windows\WindowsUpdate.log
2015-05-31 23:45 - 2015-05-31 23:45 - 00000000 ____D C:\Program Files (x86)\ESET
2015-05-31 20:25 - 2015-06-13 04:05 - 00000000 ____D C:\AdwCleaner
2015-05-31 20:18 - 2015-06-03 03:24 - 00001129 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-31 20:18 - 2015-06-03 03:24 - 00000000 ____D C:\Users\greg\AppData\Roaming\Malwarebytes
2015-05-31 20:18 - 2015-06-03 03:24 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-05-31 20:18 - 2015-04-13 17:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2015-05-30 03:30 - 2015-05-30 03:30 - 00000000 ____D C:\Windows\pss

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-29 03:22 - 2013-08-22 06:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-28 06:27 - 2014-11-21 00:44 - 00863592 _____ C:\Windows\System32\PerfStringBackup.INI
2015-06-28 06:13 - 2013-08-22 05:25 - 00524288 ___SH C:\Windows\System32\config\BBI
2015-06-28 06:00 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\System32\sru
2015-06-26 01:48 - 2013-08-22 07:36 - 00000000 ____D C:\Windows\AppReadiness
2015-06-26 01:46 - 2015-05-05 03:42 - 00000000 ___RD C:\Users\greg\OneDrive
2015-06-23 03:36 - 2015-05-29 08:23 - 00000000 ____D C:\Users\greg\Camera Roll
2015-06-23 03:36 - 2015-04-30 21:41 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1144771067-2304087280-3493909680-1002
2015-06-17 05:09 - 2015-04-30 22:39 - 00000000 ____D C:\Users\greg\AppData\Local\CrashDumps
2015-06-04 17:25 - 2015-05-01 05:05 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-04 17:07 - 2015-05-01 20:53 - 00000000 ____D C:\users\greg
2015-06-03 03:06 - 2015-04-30 22:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-05-31 20:12 - 2015-05-04 23:08 - 00000000 ____D C:\ProgramData\CanonIJPLM
2015-05-30 03:21 - 2015-04-30 22:45 - 00000000 ____D C:\ProgramData\MFAData
2015-05-30 00:35 - 2015-05-01 20:53 - 00000000 ____D C:\users\Guest
2015-05-30 00:35 - 2015-05-01 20:53 - 00000000 ____D C:\users\Administrator

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0572416 ____A (Microsoft Corporation) EC498BAE1F0D3E0E401C963F8D76C437

C:\Windows\System32\wininit.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0145920 ____A (Microsoft Corporation) A570A64292214C43E0BA50E6A72A6380

C:\Windows\explorer.exe
[2015-05-02 12:03] - [2015-05-02 12:03] - 2501368 ____A (Microsoft Corporation) C10A66189DC8C090E7C84873EDCEBC88

C:\Windows\SysWOW64\explorer.exe
[2015-05-02 12:03] - [2015-05-02 12:03] - 2207488 ____A (Microsoft Corporation) 91E24273FCA076EA9E65DAFA98901225

C:\Windows\System32\svchost.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0038792 ____A (Microsoft Corporation) E3A2AD05E24105B35E986CF9CB38EC47

C:\Windows\SysWOW64\svchost.exe
[2014-11-21 01:16] - [2014-11-21 01:16] - 0033088 ____A (Microsoft Corporation) D0ABC231C0B3E88C6B612B28ABBF734D

C:\Windows\System32\services.exe
[2015-05-13 00:21] - [2015-04-08 14:55] - 0410128 ____A (Microsoft Corporation) E0C7813A97CA7947FF5C18A8F3B61A45

C:\Windows\System32\User32.dll
[2014-11-21 01:16] - [2014-11-21 01:16] - 1540696 ____A (Microsoft Corporation) 25026E350BC3BE37631634EC72B10BD5

C:\Windows\SysWOW64\User32.dll
[2014-11-21 01:15] - [2014-11-21 01:15] - 1376256 ____A (Microsoft Corporation) 76C5CF09F53A3B089B5581B9938F8CAE

C:\Windows\System32\userinit.exe
[2014-11-21 01:15] - [2014-11-21 01:15] - 0026112 ____A (Microsoft Corporation) 5C131534A3EA4A461A793FB507A8004F

C:\Windows\SysWOW64\userinit.exe
[2014-11-21 01:16] - [2014-11-21 01:16] - 0022528 ____A (Microsoft Corporation) D10643FC0095434C819316CA6CD748C0

C:\Windows\System32\rpcss.dll
[2014-11-21 01:15] - [2014-11-21 01:15] - 0817664 ____A (Microsoft Corporation) A6F17C299A03BAFEFB9257C462A19E00

ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points =========================

Restore point made on: 2015-05-18 18:40:55
Restore point made on: 2015-05-22 19:40:35

==================== Memory info ===========================

Percentage of memory in use: 22%
Total physical RAM: 3960.15 MB
Available physical RAM: 3070.34 MB
Total Pagefile: 3960.15 MB
Available Pagefile: 3089.14 MB
Total Virtual: 131072 MB
Available Virtual: 131071.88 MB

==================== Drives ================================

Drive c: (TI31053700C) (Fixed) (Total:682.69 GB) (Free:626.89 GB) NTFS
Drive d: (STORE N GO) (Removable) (Total:7.46 GB) (Free:7.44 GB) FAT32
Drive f: () (Fixed) (Total:0.44 GB) (Free:0.07 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.


LastRegBack: 2015-05-22 02:00

==================== End of log ============================
 
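The Recovery-mode log above is what the helper works from: the "Registry (Whitelisted)", "Services", "Drivers" and "One Month Created files" sections list every autostart the tool could see, with the file's size, date and version-info company name. Below is an added example, written for this page and not part of FRST or of the thread, of a small triage pass over those line formats. It parses the three kinds of lines, then flags entries that deserve a second look: a dangling Run value (`[X]`), a file with no company name (`()`), a file that runs from a user-writable location such as ProgramData or AppData, or a file dated on or after the day the banner appeared. The onset date is an assumption taken from the screenshot filename (WP_20150530_...). The sample lines are copied from the log posted above; the flags are review prompts, not verdicts, and several of the entries they trip on here (Toshiba, Canon, DTS, the RogueKiller TrueSight driver) are ordinary vendor or cleanup-tool files. Note also the log's own warning: a Recovery-mode scan omits sections such as scheduled tasks and browser add-ons, so this pass only covers what Recovery mode produced.

```python
"""Triage pass over the autorun, service/driver and recently-created-file
lines of a Farbar Recovery Scan Tool (FRST) log.

Example code added for this page; not part of FRST and not the helper's
whitelist.  SAMPLE_LOG is copied from the log in the thread.  ONSET is an
assumption: the date in the screenshot filename, taken as "banner first seen".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Publisher strings may contain one level of parentheses, e.g. "(Intel(R) Corporation)".
BALANCED = r"[^()]*(?:\([^()]*\)[^()]*)*"
SIZE_DATE = r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"

# HKLM-x32\...\Run: [AVG_UI] => C:\...\avgui.exe [3745744 2015-05-17] (AVG Technologies CZ, s.r.o.)
AUTORUN_RE = re.compile(
    r"^HK[A-Z]+(?:-x32)?\\.*?\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] => "
    r"(?P<path>.*?)" + SIZE_DATE + r"(?: \((?P<signer>" + BALANCED + r")\))?$"
)
# S4 avgwd; C:\...\avgwdsvc.exe [311792 2015-05-17] (AVG Technologies CZ, s.r.o.)
SERVICE_RE = re.compile(
    r"^(?P<state>[A-Z]\d) (?P<name>[^;]+); (?P<path>.*?)" + SIZE_DATE
    + r" \((?P<signer>" + BALANCED + r")\)$"
)
# 2015-06-03 03:28 - 2015-06-03 07:09 - 00136408 _____ (Malwarebytes Corporation) C:\...\MBAMSwissArmy.sys
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"\d{8} (?P<attrs>\S{5}) (?:\((?P<signer>" + BALANCED + r")\) )?(?P<path>.+)$"
)

ONSET = "2015-05-30"  # assumption: date in the screenshot filename
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    reasons: List[str]


def parse_line(line: str) -> Optional[Tuple[str, str, str, Optional[str], Optional[str]]]:
    """Classify one log line as (kind, name, path, publisher, date), or None if not of interest."""
    m = AUTORUN_RE.match(line)
    if m:
        return m["key"], m["name"], m["path"], m["signer"], m["date"]
    m = SERVICE_RE.match(line)
    if m:
        return "service/driver", m["name"], m["path"], m["signer"], m["date"]
    m = CREATED_RE.match(line)
    if m and m["path"].lower().endswith(EXEC_EXT):  # skip logs, folders, data files
        return "created", m["path"].rsplit("\\", 1)[-1], m["path"], m["signer"], m["created"][:10]
    return None


def reasons_for(path: str, publisher: Optional[str], date: Optional[str], onset: str) -> List[str]:
    """Heuristics that make an entry worth a closer look; they are not verdicts."""
    if path == "[X]":
        return ["dangling entry: target file no longer exists"]
    out = []
    if not publisher:
        # FRST prints the company name from version info; "()" means none. Many
        # legitimate vendor files lack it, so this is a prompt, not a detection.
        out.append("no company name in version info")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        out.append("runs from a user-writable location")
    if date is not None and date >= onset:  # ISO dates compare correctly as strings
        out.append(f"file dated {date}, on or after symptom onset {onset}")
    return out


def triage(log_lines, onset: str = ONSET) -> List[Finding]:
    """Return one Finding per line that trips at least one heuristic, in log order."""
    findings = []
    for raw in log_lines:
        parsed = parse_line(raw.rstrip())
        if parsed is None:
            continue
        kind, name, path, publisher, date = parsed
        reasons = reasons_for(path, publisher, date, onset)
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


# Lines copied from the FRST log posted in the thread (a subset).
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [SacReminderBOX] => C:\ProgramData\Clickfree\BoxSoftware\reminder\SacReminder.exe [567120 2011-11-01] (SAC)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3745744 2015-05-17] (AVG Technologies CZ, s.r.o.)
HKU\greg\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_17_0_0_188_Plugin.exe [927920 2015-05-18] (Adobe Systems Incorporated)
HKU\UpdatusUser\...\Run: [] => [X]
S4 dts_apo_service; C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [16720 2013-03-25] ()
S4 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [351824 2013-02-05] ()
S4 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [803872 2012-12-10] (Intel(R) Corporation)
S3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [28632 2012-07-31] (Windows (R) Win 7 DDK provider)
S3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-06-03] ()
2015-06-03 03:28 - 2015-06-03 07:09 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-06-13 04:43 - 2015-06-13 04:43 - 00000207 _____ C:\Windows\tweaking.com-regbackup-REDMACK620-Windows-8.1-(64-bit).dat
2015-05-30 03:30 - 2015-05-30 03:30 - 00000000 ____D C:\Windows\pss
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name or '(blank)'}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the full log, the pass would also surface entries such as CFUACProxy_boxsoftware (ProgramData) and IJPLMSVC (no company name), which is exactly why the output has to be read alongside the file dates and the vendor names rather than acted on directly. The company-name column is version-info text, not a signature check; on a live system the next step for a flagged file is to verify its Authenticode signature (for example with Get-AuthenticodeSignature in PowerShell) and its hash, which is also what the "Bamital & volsnap Check" section of the log is doing for the core Windows binaries.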
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7/8: Now please enter System Recovery Options.
On Windows XP: Now please boot into the OTLPE CD.
Run FRST(FRST64) and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.
 

Attachments

  • fixlist.txt (36 bytes)
This topic is marked as abandoned and closed due to inactivity.

This member will NOT be eligible to receive any more help in malware removal forum.
 