
In Progress .crypt added to all my files

Discussion in 'Virus & Other Malware Removal' started by Daveman1, May 25, 2016.

  1. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    Hello old friends.
    I got a trojan from ytdownloader or one of the videos I downloaded. It added ".crypt" to the end of all my music, picture and video files, making them unviewable. I was told by a pretty good tech friend that I could just rename them without the .crypt extension and all would be fine, even if I did have to rename every one of my files. It doesn't seem to work. I keep getting black screens with error messages. Running Win. 8.1. The background pic on the comp. showed up as a text message saying to download bitcoin.com and pay to get files released or wait and pay more. They also gave me a personal ID# and a link to 3 web sites ending in .onion.com. I run Webroot in the background but apparently the antivirus was installed but not active. It's active now but too late.
    Is there a way to repair my files and make them useable?
    I got spyhunter from my tech friend and it found and repaired 89 things and my comp. seems to work and download pics. and stuff fine now and I can view them. I just want to see all the stuff I had on here before.
    Any help would be greatly appreciated.
     
  2. Curie

    Curie Malware Specialist

    Joined:
    Jun 18, 2015
    Messages:
    481
    Hello Daveman1.

    I am Marie Curie and will gladly help you with any malware-related problems.

    The .crypt extension may be caused by several different ransomware families. We need to identify the ransomware before I can estimate if those files can be decrypted.
    Please send me a ransom note, an encrypted file and possible malware files.

    File Submission
    • Please go to my channel
    • Click Browse and locate the file
    • Click Submit Query.

    Reply here when you have uploaded the files.

    Marie
     
  3. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    I went to "my channel" and clicked Browse and could not copy and paste anything in the supplied field. Also tried to open the file after highlighting it and nothing. What should I do differently?
     
  4. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    I do have three different files that show up in every folder that sound like what you want. I just can't seem to give them to you.
     
  5. Curie

    Curie Malware Specialist

    Joined:
    Jun 18, 2015
    Messages:
    481
  6. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    I figured it out, went to "my channel" and filled in the fields.
     
  7. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    Looking at a link I found from your reply, I found this virus on May 23, hope this means I have vers. 1 or 2.
     
  8. Curie

    Curie Malware Specialist

    Joined:
    Jun 18, 2015
    Messages:
    481
    Hi Daveman1

    I also suspect that it is CryptXXX.

    You may be lucky by using Kaspersky's tool.
    • Download the tool and launch it.
    • Open Settings and choose drive types (removable, network or hard drive) for scanning. Don't check the "Delete crypted files after decryption" option until you are 100% sure that decrypted files open properly.
    • Click the Start scan link. You may have to choose an encrypted .crypt file and its original counterpart (depending on the CryptXXX version). If that's the case, try to find a file pair that is big in size.
    • After that RannohDecryptor starts searching for all other files with .crypt extension and tries to decrypt all files.
    Let me know if that works.
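    The decryptor step above asks for a large encrypted file together with its untouched original. As an added example (not part of the thread and not a Kaspersky tool), this Python script inventories *.crypt files under a folder, spots the files that recur in every affected folder (the way the notes in this thread do), and lists the largest encrypted/original pairs it can find either beside the encrypted copy or at the same relative path in a backup; every name in the sample tree is constructed.

```python
import os
from collections import Counter
from pathlib import Path
from tempfile import mkdtemp

CRYPT_EXT = ".crypt"


def inventory(root):
    """Return (encrypted, notes) for the tree under root.

    encrypted: (Path, size) for every *.crypt file, largest first.
    notes: basenames of non-encrypted files that recur in two or more affected
    folders. The ransomware in the thread drops the same few files into every
    folder it touches, so recurrence is the signal; no note names are assumed.
    """
    root = Path(root)
    encrypted = []
    folder_names = []          # one set of non-encrypted basenames per affected folder
    for dirpath, _dirs, files in os.walk(root):
        hit = [f for f in files if f.lower().endswith(CRYPT_EXT)]
        if not hit:
            continue            # untouched folder: nothing to learn here
        for f in hit:
            p = Path(dirpath) / f
            encrypted.append((p, p.stat().st_size))
        folder_names.append({f for f in files if f not in hit})
    counts = Counter(n for names in folder_names for n in names)
    notes = sorted(n for n, c in counts.items() if c >= 2)
    encrypted.sort(key=lambda item: item[1], reverse=True)
    return encrypted, notes


def find_pairs(root, backup_root=None):
    """Return (encrypted, original, size) triples, largest first.

    An original is the same file name without .crypt, looked up next to the
    encrypted copy and, if backup_root is given, at the same relative path
    under that backup (an older copy on an external drive, for example).
    """
    root = Path(root)
    pairs = []
    for enc, size in inventory(root)[0]:
        stem = enc.name[: -len(CRYPT_EXT)]
        candidates = [enc.with_name(stem)]
        if backup_root is not None:
            candidates.append(Path(backup_root) / enc.relative_to(root).with_name(stem))
        for cand in candidates:
            if cand.is_file():
                pairs.append((enc, cand, size))
                break
    return pairs


def build_sample_tree():
    """Constructed sample tree (hypothetical names, not real victim data)."""
    base = Path(mkdtemp(prefix="crypt-demo-"))
    home, backup = base / "home", base / "backup"
    for folder in ("Pictures", "Music"):
        d = home / folder
        d.mkdir(parents=True)
        (d / "readme_note.txt").write_text("pay up")          # constructed note name
        (d / "how_to_decrypt.html").write_text("<p>pay up</p>")  # constructed note name
    (home / "Pictures" / "trip.jpg.crypt").write_bytes(b"\x00" * 5000)
    (home / "Pictures" / "cat.jpg.crypt").write_bytes(b"\x00" * 300)
    (home / "Pictures" / "cat.jpg").write_bytes(b"\xff" * 300)   # original still beside it
    (home / "Music" / "song.mp3.crypt").write_bytes(b"\x00" * 9000)
    (home / "Music" / "notes.txt").write_text("only here")       # appears once: not a note
    (backup / "Music").mkdir(parents=True)
    (backup / "Music" / "song.mp3").write_bytes(b"\xff" * 9000)  # older copy in the backup
    return home, backup


if __name__ == "__main__":
    home, backup = build_sample_tree()
    encrypted, notes = inventory(home)
    print(f"{len(encrypted)} encrypted files; recurring note files: {notes}")
    for enc, orig, size in find_pairs(home, backup):
        print(f"{size:>8} bytes  {enc.name}  <->  {orig}")
```

Feed the largest pair it prints to the decryptor first; a pair only helps if the original really is the pre-encryption version of that exact file.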
     
  9. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    Kaspersky had me pick a file, then an error: "The decryption of files encrypted by this variant of Trojan-Ransom.Win32.CryptXXX is not supported."
    The scan is still going at 6 min. and counting. I'll give it a while to make sure it didn't work. It got up to 30:27 min., then I clicked OK on the error message and the scan stopped.
     
  10. Curie

    Curie Malware Specialist

    Joined:
    Jun 18, 2015
    Messages:
    481
    Hi Daveman1.

    There is no fully functional decrypter for the newest version of CryptXXX yet.
    There is one from TrendMicro, but it only works partially for that ransomware version and only for some file types. If you try that one, make sure to back up the files first. You'll find the download and instruction page here: https://esupport.trendmicro.com/solution/en-US/1114221.aspx

    Other than that your best bet is to wait for Kaspersky to update their tool.

    Please tell me if you also want to clean your computer from any remaining malware.

    Best regards
    Marie
     
  11. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    Thanks for all your help. I thought I had already cleaned my comp. with SpyHunter since it found the bedup file and "removed it"; however, I tried to save a Notepad file I had copied and pasted and could not do it. I got a message about not administrator or permission or whatever. So I guess I need more cleaning. Your help would be welcome.
     
  12. Curie

    Curie Malware Specialist

    Joined:
    Jun 18, 2015
    Messages:
    481
    Hi Daveman.

    You'll find instructions for system diagnosis below. I will be busy this weekend, so I can only start analysing your logs on Monday.

    Please familiarize yourself with the following ground rules before you start.
    • Read my instructions thoroughly, carry out each step in the given order.
    • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
    • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
    • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
    • Back up important files before we start.

    --------------------------------------------------------------

    Please run the following diagnostic scans so I can ascertain the state of your computer.

    STEP 1

    Farbar Recovery Scan Tool (FRST) Scan
    • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
    • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
    • Double-Click FRST.exe or FRST64.exe to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.

    STEP 2
    aswMBR
    • Please download aswMBR and save the file to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Right-Click aswMBR.exe and select Run as administrator to run the programme.
    • Click Yes when prompted to download avast! virus definitions. Wait until AVAST engine defs: ### appears.
    • If you are prompted to enable the use of "Virtualization Technology", click Yes.
    • Click the AV Scan: drop down box and click C:\.
    • Click Scan.
    • Upon completion, you will see Scan finished successfully. Click Save log. Save the log to your Desktop.
    • Re-enable your anti-virus software.
    • Attach the log in your next reply.
    Note: Do NOT click Fix or FixMBR.
    Note: A file (MBR.dat) will be created on your Desktop. Do NOT click or delete it.

    ======================================================
    STEP 3
    Logs
    In your next reply please include the following logs.
    • FRST.txt
    • Addition.txt
    • aswMBR log
     
  13. Daveman1

    Daveman1 Thread Starter

    Joined:
    Jan 27, 2000
    Messages:
    278
    Sorry to be gone so long, my scatter brain remembered this as finished.


    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-07-2016
    Ran by Daveman1 (administrator) on INTERNET-PC (21-07-2016 20:05:48)
    Running from C:\Users\Daveman1\AppData\Local\Microsoft\Windows\INetCache\IE\EL8TXW4P
    Loaded Profiles: Daveman1 (Available Profiles: Daveman1)
    Platform: Windows 8.1 (Update) (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
    (Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
    (Microsoft Corporation) C:\Windows\System32\LogonUI.exe
    (Microsoft Corporation) C:\Windows\System32\LogonUI.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe
    (ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
    (ASUS) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
    (IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\igfxsrvc.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
    (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe
    (Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Webroot) C:\Program Files\Webroot\WRSA.exe
    (Webroot) C:\Program Files\Webroot\WRSA.exe
    (Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13632216 2013-07-22] (Realtek Semiconductor)
    HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-07-04] (Realtek Semiconductor)
    HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163520 2015-04-09] (IvoSoft)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2010-11-15] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-11-15] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3187360 2013-04-26] (ASUSTek Computer Inc.)
    HKLM-x32\...\Run: [WRSVC] => C:\Program Files\Webroot\WRSA.exe [896472 2016-07-20] (Webroot)
    Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [NoViewOnDrive] 0
    HKLM\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKLM\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKLM\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKLM\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
    HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
    HKLM\...\Policies\Explorer: [NoFind] 0
    HKLM\...\Policies\Explorer: [NoFile] 0
    HKLM\...\Policies\Explorer: [HideClock] 0
    HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0
    HKLM\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKLM\...\Policies\Explorer: [NoSetFolders] 0
    HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
    HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
    HKLM\...\Policies\Explorer: [NoDFSTab] 0
    HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKLM\...\Policies\Explorer: [NoLogoff] 0
    HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
    HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKLM\...\Policies\Explorer: [NoResolveSearch] 0
    HKLM\...\Policies\Explorer: [NoSaveSettings] 0
    HKLM\...\Policies\Explorer: [NoHardwareTab] 0
    HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKLM\...\Policies\Explorer: [NoDesktop] 0
    HKU\S-1-5-19\...\Policies\system: [DisableCMD] 0
    HKU\S-1-5-19\...\Policies\system: [NoDispAppearancePage] 0
    HKU\S-1-5-19\...\Policies\system: [NoDispBackgroundPage] 0
    HKU\S-1-5-19\...\Policies\system: [NoDispSettingsPage] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoViewOnDrive] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoViewContextMenu] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoShellSearchButton] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoFind] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoFile] 0
    HKU\S-1-5-19\...\Policies\Explorer: [HideClock] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoTrayContextMenu] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoSetFolders] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoLogoff] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoWindowsUpdate] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoSaveSettings] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKU\S-1-5-20\...\Policies\system: [DisableCMD] 0
    HKU\S-1-5-20\...\Policies\system: [NoDispAppearancePage] 0
    HKU\S-1-5-20\...\Policies\system: [NoDispBackgroundPage] 0
    HKU\S-1-5-20\...\Policies\system: [NoDispSettingsPage] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoViewOnDrive] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoViewContextMenu] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoShellSearchButton] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoFind] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoFile] 0
    HKU\S-1-5-20\...\Policies\Explorer: [HideClock] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoTrayContextMenu] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoSetFolders] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoLogoff] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoWindowsUpdate] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoSaveSettings] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8721624 2016-05-13] (Piriform Ltd)
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\system: [DisableCMD] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\system: [NoDispAppearancePage] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\system: [NoDispBackgroundPage] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\system: [NoDispSettingsPage] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoViewOnDrive] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoViewContextMenu] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoShellSearchButton] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoFind] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoFile] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [HideClock] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoTrayContextMenu] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoSetFolders] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoLogoff] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoWindowsUpdate] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoSaveSettings] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKU\S-1-5-18\...\Policies\system: [DisableCMD] 0
    HKU\S-1-5-18\...\Policies\system: [NoDispAppearancePage] 0
    HKU\S-1-5-18\...\Policies\system: [NoDispBackgroundPage] 0
    HKU\S-1-5-18\...\Policies\system: [NoDispSettingsPage] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoViewOnDrive] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoViewContextMenu] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoShellSearchButton] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoFind] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoFile] 0
    HKU\S-1-5-18\...\Policies\Explorer: [HideClock] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoTrayContextMenu] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoSetFolders] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoLogoff] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoWindowsUpdate] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoSaveSettings] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileSyncShell64.dll [2016-05-18] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileSyncShell64.dll [2016-05-18] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileSyncShell64.dll [2016-05-18] (Microsoft Corporation)
    ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileSyncShell.dll [2016-05-18] (Microsoft Corporation)
    ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileSyncShell.dll [2016-05-18] (Microsoft Corporation)
    ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileSyncShell.dll [2016-05-18] (Microsoft Corporation)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-05-19]
    ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (Webroot Software, Inc.)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install Webroot FF RunOnce.lnk [2015-05-26]
    ShortcutTarget: Install Webroot FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (Webroot Software, Inc.)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install Webroot IE RunOnce.lnk [2015-05-26]
    ShortcutTarget: Install Webroot IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (Webroot Software, Inc.)
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{C536937A-3250-4726-8334-7D560F465F90}: [DhcpNameServer] 192.168.1.1

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://asus13.msn.com
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-4258404686-904759918-622595745-1001 -> DefaultScope {57144C8C-240B-4690-B3ED-AB8E43187BA6} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
    SearchScopes: HKU\S-1-5-21-4258404686-904759918-622595745-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-4258404686-904759918-622595745-1001 -> {57144C8C-240B-4690-B3ED-AB8E43187BA6} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
    BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll [2016-05-19] (Webroot)
    BHO: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files\Common Files\Webroot\WebFiltering\wrflt.dll [2016-07-21] (Webroot)
    BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll [2016-05-19] (Webroot)
    BHO-x32: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files (x86)\Common Files\Webroot\WebFiltering\wrflt.dll [2016-07-21] (Webroot)
    Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll [2016-05-19] (Webroot)
    Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll [2016-05-19] (Webroot)

    FireFox:
    ========
    FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
    FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK => not found

    Chrome:
    =======
    CHR HKLM-x32\...\Chrome\Extension: [kjeghcllfecehndceplomkocgfbklffd] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [okfhiodnpcnnnpgbjbhfebjnbagmfhab] - C:\ProgramData\WRData\pkg\lpchrome.crx [2016-05-19]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S4 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage Sync Agent\1.1.18.159\AsusWSWinService.exe [72192 2012-12-19] () [File not signed]
    S4 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [368640 2014-08-13] (Verizon) [File not signed]
    S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1072296 2016-07-19] (Enigma Software Group USA, LLC.)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-11-21] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-11-21] (Microsoft Corporation)
    R2 WRSVC; C:\Program Files\Webroot\WRSA.exe [896472 2016-07-20] (Webroot)

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [70928 2013-12-12] (ASUS Corporation)
    S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
    R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2016-05-25] (Enigma Software Group USA, LLC.)
    S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-05-25] ()
    R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [14992 2012-08-01] ( )
    S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35856 2014-11-21] (Microsoft Corporation)
    S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [257880 2014-11-21] (Microsoft Corporation)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123224 2014-11-21] (Microsoft Corporation)
    R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [117728 2016-06-30] (Webroot)
    S3 wrUrlFlt; C:\WINDOWS\system32\DRIVERS\wrUrlFlt.sys [54512 2016-07-21] (Webroot)
    S0 XotaQcVQ; C:\Windows\System32\drivers\XotaQcVQ.sys [117728 2016-07-21] (Webroot)
    U0 SR; no ImagePath
    U2 srservice; no ImagePath

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-21 20:05 - 2016-07-21 20:05 - 00000000 ____D C:\FRST
    2016-07-21 19:43 - 2016-07-21 19:43 - 00117728 _____ (Webroot) C:\WINDOWS\system32\Drivers\XotaQcVQ.sys

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-07-21 19:47 - 2014-11-21 03:44 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2016-07-21 19:47 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\Inf
    2016-07-21 19:43 - 2016-05-19 21:35 - 00000000 ____D C:\ProgramData\WRData
    2016-07-21 19:43 - 2014-11-18 06:36 - 00000000 ____D C:\Users\Daveman1\Desktop\My Documents
    2016-07-21 19:42 - 2015-08-18 19:00 - 00000930 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2016-07-21 18:42 - 2015-08-18 19:00 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2016-07-21 17:45 - 2016-05-19 21:35 - 00054512 ____T (Webroot) C:\WINDOWS\system32\Drivers\wrUrlFlt.sys
    2016-07-21 12:00 - 2015-11-15 21:15 - 00003474 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update1
    2016-07-21 12:00 - 2015-05-26 18:40 - 00003464 _____ C:\WINDOWS\System32\Tasks\ASUS Live Update2
    2016-07-20 23:17 - 2014-11-17 06:10 - 00003594 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4258404686-904759918-622595745-1001
    2016-07-20 23:11 - 2016-05-19 21:36 - 00000761 _____ C:\Users\Public\Desktop\Webroot SecureAnywhere.lnk
    2016-07-20 23:11 - 2016-05-19 21:35 - 00181176 _____ (Webroot) C:\WINDOWS\SysWOW64\WRusr.dll
    2016-07-20 23:11 - 2016-05-19 21:35 - 00115768 _____ (Webroot) C:\WINDOWS\system32\WRusr.dll
    2016-07-19 21:54 - 2016-05-25 17:46 - 00001105 _____ C:\Users\Daveman1\Desktop\SpyHunter.lnk
    2016-07-18 21:31 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
    2016-07-14 21:33 - 2015-05-26 21:19 - 00000074 _____ C:\Users\Daveman1\AppData\Roaming\sp_data.sys
    2016-07-12 23:25 - 2015-05-08 21:15 - 00000000 ____D C:\Users\Daveman1\AppData\Local\ClassicShell
    2016-06-30 22:27 - 2016-05-19 21:35 - 00117728 _____ (Webroot) C:\WINDOWS\system32\Drivers\WRkrn.sys
    2016-06-30 21:45 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps

    ==================== Files in the root of some directories =======

    2015-05-26 21:16 - 2016-05-19 21:36 - 12964920 _____ (Webroot Software, Inc.) C:\Program Files (x86)\Common Files\wruninstall.exe
    2015-05-26 21:19 - 2016-07-14 21:33 - 0000074 _____ () C:\Users\Daveman1\AppData\Roaming\sp_data.sys
    2014-11-17 05:01 - 2014-11-17 05:05 - 0007601 _____ () C:\Users\Daveman1\AppData\Local\resmon.resmoncfg

    Files to move or delete:
    ====================
    C:\Users\Daveman1\MetricCollection.dll


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2016-07-21 03:19

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-07-2016
    Ran by Daveman1 (2016-07-21 20:07:50)
    Running from C:\Users\Daveman1\AppData\Local\Microsoft\Windows\INetCache\IE\EL8TXW4P
    Windows 8.1 (Update) (X64) (2015-03-05 00:38:36)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-4258404686-904759918-622595745-500 - Administrator - Disabled)
    Daveman1 (S-1-5-21-4258404686-904759918-622595745-1001 - Administrator - Enabled) => C:\Users\Daveman1
    Guest (S-1-5-21-4258404686-904759918-622595745-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-4258404686-904759918-622595745-1003 - Limited - Enabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Webroot SecureAnywhere (Enabled - Up to date) {4646A877-74EB-CD3B-8FDB-210DB94FA61A}
    AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Webroot SecureAnywhere (Enabled - Up to date) {FD274993-52D1-C2B5-B56B-1A7FC2C8ECA7}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Reader X MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.0.0 - Adobe Systems Incorporated)
    ASUS InstantOn (HKLM-x32\...\{749F674B-2674-47E8-879C-5626A06B2A91}) (Version: 3.0.6 - ASUS)
    ASUS Live Update (HKLM-x32\...\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}) (Version: 3.3.4 - ASUS)
    ASUS Power4Gear Hybrid (HKLM\...\{9B6239BF-4E85-4590-8D72-51E30DB1A9AA}) (Version: 3.0.8 - ASUS)
    ASUS Screen Saver (HKLM-x32\...\{0FBEEDF8-30FA-4FA3-B31F-C9C7E7E8DFA2}) (Version: 1.0.2 - ASUS)
    ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 2.01.0021 - ASUS)
    ASUS USB Charger Plus (HKLM-x32\...\{A859E3E5-C62F-4BFA-AF1D-2B95E03166AF}) (Version: 2.1.5 - ASUS)
    ASUS WebStorage Sync Agent (HKLM-x32\...\ASUS WebStorage) (Version: 1.1.18.159 - ASUS Cloud Corporation)
    AsusVibe2.0 (HKLM-x32\...\Asus Vibe2.0) (Version: 2.0.12.311 - ASUSTEK)
    ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0031 - ASUS)
    Azteca (x32 Version: 2.2.0.97 - WildTangent) Hidden
    Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
    CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)
    Classic Shell (HKLM\...\{7C129CF8-199F-4269-AAEE-60B5D8D716E2}) (Version: 4.2.1 - IvoSoft)
    Cut the Rope (x32 Version: 3.0.2.38 - WildTangent) Hidden
    D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
    Free FreeCell Solitaire 2015 v3.0 (HKLM-x32\...\Free FreeCell Solitaire_is1) (Version: - TreeCardGames)
    Galería de fotos (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
    Galerie de photos (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
    Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
    Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
    HP Deskjet 1010 series Basic Device Software (HKLM\...\{CFD917BE-F1F6-410E-ABEC-9EC819507D0D}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
    IHA_MessageCenter (HKLM-x32\...\{270235CC-405E-4F9E-B8CF-A937CA0DA4A0}) (Version: 2.0.64 - Verizon)
    Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
    Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3308 - Intel Corporation)
    Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
    IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.38 - Irfan Skiljan)
    Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
    Microsoft OneDrive (HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\OneDriveSetup.exe) (Version: 17.3.6390.0509 - Microsoft Corporation)
    Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
    MyBitCast 2.0 (HKLM-x32\...\MyBitCast) (Version: 2.0 - ASUS)
    Peggle (x32 Version: 2.2.0.95 - WildTangent) Hidden
    Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
    Ralink RT2860 Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}) (Version: 1.2.0.41 - Ralink)
    Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.14.327.2013 - Realtek)
    Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6976 - Realtek Semiconductor Corp.)
    Realtek PCIE Card Reader (HKLM-x32\...\{C9661090-C134-46E8-90B2-76D72355C2A6}) (Version: 6.2.9200.27038 - Realtek Semiconductor Corp.)
    Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
    SpyHunter 4 (HKLM-x32\...\SpyHunter) (Version: 4.23.2.4686 - Enigma Software Group, LLC)
    Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
    Vz In-Home Agent (HKLM-x32\...\VzInHomeAgent) (Version: 9.0.68.0 - Verizon)
    VzDownloadManager (HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\VzDownloadManager) (Version: 2.0.0.29 - Verizon)
    Webroot SecureAnywhere (HKLM-x32\...\WRUNINST) (Version: 9.0.10.21 - Webroot)
    WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.0.0 - WildTangent)
    Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
    WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 2.42.0 - ASUS)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    CustomCLSID: HKU\S-1-5-21-4258404686-904759918-622595745-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileCoAuthLib64.dll ()
    CustomCLSID: HKU\S-1-5-21-4258404686-904759918-622595745-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileCoAuth.exe (Microsoft Corporation)

    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {0049E018-DCE2-4B49-A6CB-24F752805086} - System32\Tasks\ASUS Splendid ACMON => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [2013-10-07] (ASUS)
    Task: {3208BCF2-6314-4944-B683-A4CADD8241A8} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-4258404686-904759918-622595745-1001 => C:\Users\Daveman1\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2016-05-18] (Microsoft Corporation)
    Task: {3C81C573-A980-4C97-BF23-964960FB7834} - System32\Tasks\AsusVibeSchedule => C:\Program Files (x86)\Asus\AsusVibe\AsusVibeLauncher.exe [2013-11-04] ()
    Task: {50CDEA68-7DA3-4BEB-9898-DE3C54AAC3F0} - System32\Tasks\ASUS Splendid ColorU => C:\Program Files (x86)\ASUS\Splendid\ColorUService.exe [2013-10-07] (ASUSTeK Computer Inc.)
    Task: {61507A5F-1D99-4719-B574-E0B8AFF948C6} - System32\Tasks\ASUS P4G => C:\Program Files\ASUS\P4G\BatteryLife.exe [2014-02-11] (ASUS)
    Task: {6617F39F-DB86-457A-8723-661949E96A5B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-18] (Google Inc.)
    Task: {6BE32FE9-C44E-41F5-933B-C48CA41242E9} - \Microsoft\Windows Live\SOXE\Extractor Definitions Update Task -> No File <==== ATTENTION
    Task: {8C0B2F85-3B74-4380-8FDE-FDF675C15CFC} - System32\Tasks\ASUS Live Update1 => C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [2015-03-23] (ASUSTeK Computer Inc.)
    Task: {9952E4E3-6BE1-417C-9A4E-64E6513B95F3} - System32\Tasks\ASUS Live Update2 => C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [2015-03-23] (ASUSTeK Computer Inc.)
    Task: {9F2F332A-803E-4F45-9063-36F8675385E2} - System32\Tasks\Update Checker => C:\Program Files (x86)\ASUS\ASUS Live Update\UpdateChecker.exe [2015-02-12] ()
    Task: {B76EFD19-4B3B-4C9C-BF3F-2A0605E2A246} - System32\Tasks\ASUS USB Charger Plus => C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe [2012-09-18] (ASUSTek Computer Inc.)
    Task: {BC206AC6-DC09-4F34-80C5-7C0386343A28} - \{22196FCF-96CB-42A8-8671-21075627CEED} -> No File <==== ATTENTION
    Task: {F7380590-57E6-4D9D-84FF-1A44FE4004E4} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-05-13] (Piriform Ltd)
    Task: {F7F14455-64C7-4B9F-BC63-D17A07B83CDB} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-18] (Google Inc.)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2013-10-01 14:02 - 2013-10-01 14:02 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
    2013-09-09 20:23 - 2013-09-09 20:23 - 00162816 _____ () C:\Program Files (x86)\ASUS\Splendid\CCTAdjust.dll
    2013-10-08 22:41 - 2013-10-08 22:41 - 00037968 _____ () C:\Program Files (x86)\ASUS\Splendid\DetectDisplayDC.dll
    2013-04-27 10:24 - 2013-04-27 10:24 - 00071680 _____ () C:\Program Files (x86)\ASUS\ASUS Live Update\checkmetro.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"

    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)

    HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <===== ATTENTION
    HKU\.DEFAULT\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\Software\Classes\.exe: exefile => "%1" %* <===== ATTENTION

    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-4258404686-904759918-622595745-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Daveman1\Desktop\My Documents\New files\Ht1umbr1a.jpg
    DNS Servers: 192.168.1.1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: ) (ConsentPromptBehaviorUser: ) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)

    MSCONFIG\Services: Asus WebStorage Windows Service => 2
    MSCONFIG\Services: cphs => 3
    MSCONFIG\Services: GamesAppService => 3
    MSCONFIG\Services: ICCS => 3
    MSCONFIG\Services: IHA_MessageCenter => 2
    MSCONFIG\Services: Intel(R) Capability Licensing Service Interface => 2
    MSCONFIG\Services: MBAMScheduler => 2
    MSCONFIG\Services: MBAMService => 2
    MSCONFIG\Services: UNS => 2
    HKLM\...\StartupApproved\StartupFolder: => "Install Webroot IE RunOnce.lnk"
    HKLM\...\StartupApproved\StartupFolder: => "Install Webroot FF RunOnce.lnk"
    HKLM\...\StartupApproved\Run32: => "SDTray"
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\StartupApproved\StartupFolder: => "AB65F4091265H.lnk"
    HKU\S-1-5-21-4258404686-904759918-622595745-1001\...\StartupApproved\StartupFolder: => "AB65F4091265B.lnk"

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
    FirewallRules: [{58050994-47BC-4171-B42F-7FFCA8E84B92}] => (Allow) LPort=50000
    FirewallRules: [{B8CDCB21-0742-4F47-A9BC-6B0F1522F348}] => (Allow) LPort=50000
    FirewallRules: [{9E835905-E224-44C0-A818-B972D817FB78}] => (Allow) LPort=1900
    FirewallRules: [{DB976C7D-0F91-4268-89D9-93C9888B22BF}] => (Allow) LPort=2869
    FirewallRules: [{7DDB678C-AD17-4EE6-8C24-64C1BF85C773}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
    FirewallRules: [{9DA196BD-B8E9-4754-B110-86E9873F4CBD}] => (Allow) C:\Program Files\HP\HP Deskjet 1010 series\Bin\USBSetup.exe
    FirewallRules: [{B155878E-E033-4EED-ADE4-F2DFF68EA605}] => (Allow) C:\Program Files\HP\HP Deskjet 1010 series\Bin\HPNetworkCommunicatorCom.exe

    ==================== Restore Points =========================

    04-07-2016 00:31:16 Scheduled Checkpoint
    14-07-2016 21:42:29 Scheduled Checkpoint

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (07/21/2016 07:43:06 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17416, time stamp: 0x5452eed9
    Faulting module name: ntdll.dll, version: 6.3.9600.17630, time stamp: 0x54b0d74f
    Exception code: 0xc0000008
    Fault offset: 0x0003d68c
    Faulting process id: 0x2b0c
    Faulting application start time: 0xIEXPLORE.EXE0
    Faulting application path: IEXPLORE.EXE1
    Faulting module path: IEXPLORE.EXE2
    Report Id: IEXPLORE.EXE3
    Faulting package full name: IEXPLORE.EXE4
    Faulting package-relative application ID: IEXPLORE.EXE5

    Error: (07/14/2016 09:42:47 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

    System Error:
    The system cannot find the file specified.
    .

    Error: (07/04/2016 12:32:33 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

    System Error:
    The system cannot find the file specified.
    .

    Error: (07/04/2016 12:26:44 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

    System Error:
    The system cannot find the file specified.
    .

    Error: (06/25/2016 11:07:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

    System Error:
    The system cannot find the file specified.
    .

    Error: (06/18/2016 05:38:07 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

    System Error:
    The system cannot find the file specified.
    .

    Error: (06/18/2016 01:09:17 AM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: The program IEXPLORE.EXE version 11.0.9600.17416 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

    Process ID: 1fcc

    Start Time: 01d1c927dcf7b47e

    Termination Time: 55

    Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

    Report Id: 2e24514d-351b-11e6-be8f-10c37bbe08ba

    Faulting package full name:

    Faulting package-relative application ID:

    Error: (06/18/2016 01:08:35 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17416, time stamp: 0x5452eed9
    Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
    Exception code: 0xc0000005
    Fault offset: 0x20203a72
    Faulting process id: 0x3b34
    Faulting application start time: 0xIEXPLORE.EXE0
    Faulting application path: IEXPLORE.EXE1
    Faulting module path: IEXPLORE.EXE2
    Report Id: IEXPLORE.EXE3
    Faulting package full name: IEXPLORE.EXE4
    Faulting package-relative application ID: IEXPLORE.EXE5

    Error: (06/09/2016 05:10:52 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary SASKUTIL.

    System Error:
    The system cannot find the file specified.
    .

    Error: (06/01/2016 10:03:58 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: LiveUpdate.exe, version: 3.3.4.0, time stamp: 0x550fb5dc
    Faulting module name: KERNELBASE.dll, version: 6.3.9600.17415, time stamp: 0x54504ade
    Exception code: 0xc000041d
    Fault offset: 0x00014598
    Faulting process id: 0x2834
    Faulting application start time: 0xLiveUpdate.exe0
    Faulting application path: LiveUpdate.exe1
    Faulting module path: LiveUpdate.exe2
    Report Id: LiveUpdate.exe3
    Faulting package full name: LiveUpdate.exe4
    Faulting package-relative application ID: LiveUpdate.exe5


    System errors:
    =============
    Error: (07/21/2016 03:20:55 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

    Error: (07/21/2016 03:20:25 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

    Error: (07/20/2016 05:38:16 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

    Error: (07/20/2016 05:37:45 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

    Error: (07/19/2016 04:18:44 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

    Error: (07/19/2016 04:18:14 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

    Error: (07/18/2016 03:28:32 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

    Error: (07/18/2016 03:28:02 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

    Error: (07/17/2016 03:44:26 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

    Error: (07/17/2016 03:43:56 AM) (Source: DCOM) (EventID: 10010) (User: Internet-PC)
    Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i3-3217U CPU @ 1.80GHz
    Percentage of memory in use: 57%
    Total physical RAM: 3981.68 MB
    Available physical RAM: 1675.21 MB
    Total Virtual: 4685.68 MB
    Available Virtual: 1953.56 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:444.21 GB) (Free:371 GB) NTFS ==>[system with boot components (obtained from drive)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 465.8 GB) (Disk ID: 0FE4DC0A)

    Partition: GPT.

    ==================== End of Addition.txt ============================

    ==================== End of FRST.txt ============================

    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2016-07-21 20:14:09
    -----------------------------
    20:14:09.176 OS Version: Windows x64 6.2.9200
    20:14:09.176 Number of processors: 4 586 0x3A09
    20:14:09.191 ComputerName: INTERNET-PC UserName: Daveman1
    20:14:10.982 Initialize success
    20:14:11.194 VM: initialized successfully
    20:14:11.194 VM: Intel CPU supported
    20:14:17.002 VM: disk I/O iaStorA.sys
    20:16:09.441 AVAST engine defs: 16072101
    20:18:46.511 The log file has been saved successfully to "C:\Users\Daveman1\Desktop\aswMBR.txt"
     

Short URL to this thread: https://techguy.org/1171873
