BoRe

Everything posted by BoRe

  1. Great working with you! Thanks and thanks again. BoRe
  2. You just don't know how much I appreciate all your help, Ron. Just a few questions, and I'll close this thread. Any links you have would be a great start. Was the certificate thumbprint correct? Can you recommend a way to make an impenetrable USB stick? I'd like to load the latest HP drivers and firmware to it on a clean machine and install offline to this PC. Also would like to be able to run various installers, tools, scanners, etc. offline from it. Is there a way to reset and set up my modem and router on a clean PC, then bring it home and hook things up so the remote controller from the domain can be blocked from access? If that doesn't work, is there something besides the "clean" and "clean all" commands or common 3rd-party programs like DBAN, Acronis, Parted Magic, etc. that might wipe every groove of my HDD platen? I'm not finding the "solved" button to use later...lemme post this & do a site search for instructions. I'll come ask if I still can't find it. Thanks so much! BoRe
  3. Yes. IE had reverted to version 8. It kept saying I needed to update to the latest version 11, so I said yes. The 'congratulations, you've updated' page came up, then a popup saying I need the Update Readiness Tool, which would not complete installation. It asked for a machine restart, which I did. Then a popup said the tool had installed successfully. Still couldn't get IE11 updates - 'need URT'. Tried twice more. Oh, and the reboots showed 'starting windows' for 4 seconds, 'please wait' for 6 or 7 seconds, and 'welcome' for 10 seconds. Then the blue circle would churn for 5 seconds after the desktop icons came up. Tried getting Windows updates - no dice there, either - 'need URT' but it won't install. Shut down and took a rest. The next time I started the PC, at the black startup screen it said 'configuring updates, do not turn off'. Then 67,076 updates were successfully installed in about 30 seconds. It seemed to boot, but all I got was the desktop wallpaper; no error message, no way I knew of to operate anything. It wouldn't obey the 3-finger salute, either - had to power down with the on/off button. F8, same in safe mode. I couldn't communicate with you unless I clean installed. Believe me, it's just as frustrating for me as I know it must be for you. Got any hair at all left? No worries - I can send you what I've pulled out... BoRe P.S. MBAM & MBAE Premium installed and activated. May I send you pics of all the MBAE default settings to make sure they haven't been messed with?
  4. Thanks, Ron. I hope I didn't waste any of your time, but IE11 got so corrupted somehow that my attempts to update it resulted in having no account on the desktop to log into. This is clean install #3! Should I start over from the beginning of your instructions and perform the various scans, posting the requested logs?
  5. Will run JRT and AdwCleaner after I post this... FRST.txt Addition.txt Shortcut.txt
  6. Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 1/23/2016
     Scan Time: 9:50 PM
     Logfile:
     Administrator: Yes
     Version: 2.2.0.1024
     Malware Database: v2016.01.23.06
     Rootkit Database: v2016.01.20.01
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: Trial2

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 353628
     Time Elapsed: 15 min, 35 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)

     Out of curiosity, I ran FRST with everything in the Whitelist area unchecked and everything in the Optional Scan area checked. FRST.txt under Internet Explorer has a bunch of "hxxp:" URLs that seem to be redirects to the actual SYSTEM user. (Or I could be a paranoid idiot!) Would you like to see that? Or Addition.txt, which shows

     ==================== Security Center ========================
     (If an entry is included in the fixlist, it will be removed.)
     AV: Microsoft Security Essentials (Enabled - Out of date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
     AS: Microsoft Security Essentials (Enabled - Out of date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
     AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

     even though the MSE dashboard I see said it was up to date? Or Shortcut.txt?
  7. Thanks, Ron. Logs attached. FRST.txt Addition.txt
  8. I'm so sorry to tell you my PC is still misbehaving. I tried to run the MBAE-test. Can't run because "MSVCR100.dll is missing. Try uninstalling and reinstalling the program." I uninstalled in Control Panel. Tried to run "clean_mbae.bat" (R-click, run as admin). Got error "ADMIN Privileges Required" "This file must be run as an administrator to work properly. If you're seeing this after clicking on the batch file then log off and back on with an Administrator account or right click choose "Run as Administrator" on Windows 7/8/10. Any key to continue" which closes the error box and file folder. Logged on to Super Admin account. No password was needed, though I had set a very long and complicated one. No matter how I tried to run mbae_clean.bat, the same error message (yellow text on maroon background) came up. I'm using IE since I did the second clean install to be able to interact with this website - the fewer programs, the better, I thought. It still redirects nearly every page to something from 2012 or 2013, though images seem current on MSN home page. I await your instructions with thanks for your help. BoRe
  9. MBAM Premium and Anti-Exploit Premium both appear to have installed and activated. Ran MBAM as Super Admin. Here are logs. Thanks, BoRe ScanHistLog.txt ProtectionLog.txt
  10. Hi, AS. Hope you got what you needed from me. I'm ready to work on this some more. Thanks, BoRe
  11. Hey, AS - thanks for the advice. I followed the instructions for Paid PRO / PREMIUM version at MBAM Clean Removal Process 2x. When I got to "Launch the program and click on the Activation button. Then copy and paste your activation ID and Key into the dialog box. This should automatically enable Protection and offer to add an automated update schedule which you should allow or ensure that you create one on your own to keep the program updated," three attempts at activating with my CD key and ID failed. I have closed the MBAM application. I'll wait to hear from you before taking any further action. Thanks again, BoRe
  12. Thanks very much, Advanced Setup. This thing is a bear and a half! I suspect interference with JRT operation, as happened before my clean install, too. It took less than a minute to scan, and JRT.txt did not save to desktop. It is not found by Search in Explorer, either. Luckily I remembered that from before and SelectAll/Copied so I could paste it here.

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Junkware Removal Tool (JRT) by Malwarebytes
      Version: 8.0.1 (11.24.2015)
      Operating System: Windows 7 Professional x64
      Ran by Fuzzy (Administrator) on Thu 12/17/2015 at 4:41:00.27
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      File System: 0
      Registry: 0

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Scan was completed on Thu 12/17/2015 at 4:42:18.67
      End of JRT log
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      AdwCleaner also completed in less than a minute. I ran it on the previous install, too - same behavior.

      # AdwCleaner v5.025 - Logfile created 17/12/2015 at 05:32:39
      # Updated 13/12/2015 by Xplode
      # Database : 2015-12-13.2 [server]
      # Operating system : Windows 7 Professional Service Pack 1 (x64)
      # Username : Fuzzy - TRIAL-PC
      # Running from : C:\Users\Trial\Desktop\AdwCleaner.exe
      # Option : Cleaning
      # Support : http://toolslib.net/forum

      ***** [ Services ] *****

      ***** [ Folders ] *****

      ***** [ Files ] *****

      ***** [ DLLs ] *****

      ***** [ Shortcuts ] *****

      ***** [ Scheduled tasks ] *****

      ***** [ Registry ] *****

      ***** [ Web browsers ] *****

      *************************

      :: "Tracing" keys removed
      :: Winsock settings cleared

      ########## EOF - \AdwCleaner\AdwCleaner[C1].txt - [674 bytes] ##########

      I purchased a retail box Anti-Malware +/Anti-Exploit Premium combo, but they would not install - "could not find server" error. This is the free trial premium version. There is no option to run as admin. Access is denied to permissions changes. This scan will likely come up "no threats" as always. It scanned rootkits for a split second and checked the circle. Also, I was able to type in www.malwarebtes.org and arrive at your website certified by Geotrust when I first fired up my PC. Now it only redirects. After AdwCleaner reboot, here's what's in my address bar (https://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=175958). Sorry, I'm barred from uploading image files to this site, but here's some info from the now-DigiCert certificate:

      DigiCert SHA2 High Assurance Server CA
      CN: *malwarebytes.org
      Serial#: 0E:45:44:AD:9F:E0:0B:7D:1C:C1:67:C5:A0:CE:48:A3
      SHA1 Fingerprint: F6:AF:55:48:FF:56:4E:09:75:1F:37:9A:C0:50:A3:C6:62:E9:17:C1
      SHA256: BD:35:41:3E:D9:7E:48:5C:94:5D:3F:DD:8E:17:CA:E3:8E:15:0C:EF:98:86:5A:48:E5:B4:53:D0:0B:68:0E:A3

      Malwarebytes Anti-Malware
      www.malwarebytes.org

      Scan Date: 12/17/2015
      Scan Time: 5:43 AM
      Logfile:
      Administrator: No
      Version: 2.2.0.1024
      Malware Database: v2015.12.17.02
      Rootkit Database: v2015.12.16.01
      License: Trial
      Malware Protection: Enabled
      Malicious Website Protection: Enabled
      Self-protection: Enabled

      OS: Windows 7 Service Pack 1
      CPU: x64
      File System: NTFS
      User: Trial

      Scan Type: Threat Scan
      Result: Completed
      Objects Scanned: 244122
      Time Elapsed: 1 min, 42 sec

      Memory: Enabled
      Startup: Enabled
      Filesystem: Enabled
      Archives: Enabled
      Rootkits: Enabled
      Heuristics: Enabled
      PUP: Enabled
      PUM: Enabled

      Processes: 0
      (No malicious items detected)

      Modules: 0
      (No malicious items detected)

      Registry Keys: 0
      (No malicious items detected)

      Registry Values: 0
      (No malicious items detected)

      Registry Data: 0
      (No malicious items detected)

      Folders: 0
      (No malicious items detected)

      Files: 0
      (No malicious items detected)

      Physical Sectors: 0
      (No malicious items detected)

      (end)

      ESET found nothing.
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-12-2015 Ran by Fuzzy (administrator) on TRIAL-PC (17-12-2015 06:41:11) Running from C:\Users\Trial\Desktop Loaded Profiles: Trial & Fuzzy (Available Profiles: Trial & Fuzzy) Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States) Internet Explorer Version 8 (Default browser: IE) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Broadcom Corporation) C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe ==================== Registry (Whitelisted) =========================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKU\S-1-5-21-1625722349-1841773593-886300088-1000\...\MountPoints2: {b688ef49-9e83-11e5-830e-806e6f6e6963} - E:\MbamMbae-setup.exe HKU\S-1-5-21-1625722349-1841773593-886300088-1001\...\RunOnce: [Report] => \AdwCleaner\AdwCleaner[C1].txt ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) 
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62 Tcpip\..\Interfaces\{CB4BF8C3-107B-4830-88D1-31341AC78398}: [DhcpNameServer] 209.18.47.61 209.18.47.62 Internet Explorer: ================== HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/ SearchScopes: HKU\S-1-5-21-1625722349-1841773593-886300088-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation) Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation) Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation) Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation) ==================== Services (Whitelisted) ======================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [213504 2014-04-01] (Broadcom Corporation) [File not signed] R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes) R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes) R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation) ===================== Drivers (Whitelisted) ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation) R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes) R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes) S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-11] (Malwarebytes) R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation) S3 HWiNFO32; \??\C:\Users\Fuzzy\AppData\Local\Temp\HWiNFO64A.SYS [X] ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2015-12-17 06:41 - 2015-12-17 06:41 - 00004378 _____ C:\Users\Trial\Desktop\FRST.txt 2015-12-17 06:40 - 2015-12-17 06:40 - 00000000 ____D C:\Users\Trial\Desktop\FRST-OlderVersion 2015-12-17 06:24 - 2015-12-17 06:24 - 00000000 ____D C:\Program Files (x86)\ESET 2015-12-17 06:23 - 2015-12-17 06:23 - 02870984 _____ (ESET) C:\Users\Trial\Desktop\esetsmartinstaller_enu.exe 2015-12-17 05:54 - 2015-12-17 05:54 - 00260560 _____ C:\Users\Trial\Desktop\MBAMAccessDenied.MHT 2015-12-17 05:50 - 2015-12-17 05:50 - 00055272 _____ C:\Users\Trial\Desktop\ScanResult12_17_15.MHT 2015-12-17 05:27 - 2015-12-17 05:27 - 00218604 _____ C:\Users\Trial\Desktop\AdwCleaner message.MHT 2015-12-17 05:24 - 2015-12-17 05:32 - 00000000 ____D C:\AdwCleaner 2015-12-17 05:21 - 2015-12-17 05:22 - 01740288 _____ C:\Users\Trial\Desktop\AdwCleaner.exe 2015-12-17 05:01 - 2015-12-17 05:01 - 00000562 _____ C:\Users\Fuzzy\Desktop\JRTcopy.txt 2015-12-17 04:38 - 2015-12-17 04:42 - 00000562 _____ C:\Users\Fuzzy\Desktop\JRT.txt 2015-12-17 04:27 - 2015-12-17 04:27 - 01599336 _____ (Malwarebytes) C:\Users\Trial\Desktop\JRT.exe 2015-12-15 
06:47 - 2015-12-15 06:47 - 02379124 _____ C:\Users\Trial\Desktop\hw64_510.zip 2015-12-15 06:47 - 2015-12-15 06:47 - 00000000 ____D C:\Users\Trial\Desktop\hw64_510 2015-12-15 04:33 - 2015-12-15 04:33 - 00205940 _____ C:\Users\Trial\Desktop\ModemCode2.MHT 2015-12-15 04:31 - 2015-12-15 04:32 - 00205584 _____ C:\Users\Trial\Desktop\ModemCode.MHT 2015-12-15 04:28 - 2015-12-15 04:28 - 00226340 _____ C:\Users\Trial\Desktop\ModemBlocked2.MHT 2015-12-15 04:27 - 2015-12-15 04:27 - 00221110 _____ C:\Users\Trial\Desktop\ModemBlocked.MHT 2015-12-14 21:06 - 2015-12-14 21:14 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\BACS 2015-12-14 20:18 - 2015-12-14 20:18 - 00168684 _____ C:\Users\Trial\Desktop\SpeedTest.MHT 2015-12-14 19:26 - 2015-12-14 19:26 - 00151456 _____ C:\Users\Trial\Desktop\ModemEventLog.MHT 2015-12-14 19:24 - 2015-12-14 19:24 - 00147108 _____ C:\Users\Trial\Desktop\ModemStatus.MHT 2015-12-14 19:22 - 2015-12-14 19:22 - 00122348 _____ C:\Users\Trial\Desktop\ModemSysInf.MHT 2015-12-14 19:20 - 2015-12-14 19:20 - 00123904 _____ C:\Users\Trial\Desktop\ModemInitialization.MHT 2015-12-14 05:29 - 2015-12-14 05:29 - 00001954 _____ C:\Users\Trial\Desktop\-.malwarebytes.org.crt 2015-12-14 05:01 - 2015-12-14 05:08 - 00006287 _____ C:\Users\Trial\Desktop\switch.txt 2015-12-14 05:00 - 2015-12-14 05:07 - 00002860 _____ C:\Users\Trial\Desktop\pppmenu.txt 2015-12-14 04:59 - 2015-12-14 05:08 - 00014581 _____ C:\Users\Trial\Desktop\pad.txt 2015-12-14 04:56 - 2015-12-14 05:07 - 00000787 _____ C:\Users\Trial\Desktop\cis.scp 2015-12-14 04:23 - 2015-12-14 05:38 - 00002882 _____ C:\Users\Trial\Desktop\bitsctrs0000.txt 2015-12-14 04:19 - 2015-12-14 04:21 - 00002876 _____ C:\Users\Trial\Desktop\bitsctrs0409.ini 2015-12-13 06:34 - 2015-12-13 06:34 - 00001433 _____ C:\Users\Fuzzy\Desktop\Port Forward Network Utilities.lnk 2015-12-13 06:34 - 2015-12-13 06:34 - 00000000 ____D C:\Program Files (x86)\Portforward.com 2015-12-13 06:28 - 2015-12-13 06:28 - 00000000 ____D 
C:\Users\Fuzzy\AppData\Local\ElevatedDiagnostics 2015-12-13 06:07 - 2015-12-13 06:16 - 00000000 ____D C:\Users\Trial\AppData\Local\BACS 2015-12-13 06:02 - 2015-12-13 06:02 - 00000000 ____D C:\Windows\Dell 2015-12-13 06:02 - 2015-12-13 06:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Broadcom 2015-12-13 06:02 - 2015-12-13 06:02 - 00000000 ____D C:\Program Files\Broadcom 2015-12-13 05:58 - 2015-12-13 05:58 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\Downloaded Installations 2015-12-13 05:23 - 2015-12-13 05:24 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Portforward.com 2015-12-12 08:02 - 2015-12-13 05:00 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\PortForward.com 2015-12-12 08:02 - 2015-12-12 08:02 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Portforward.com 2015-12-11 08:16 - 2015-12-11 08:17 - 00000000 ____D C:\Users\Trial\Desktop\FRSTlogs 2015-12-11 08:09 - 2015-12-17 06:41 - 00000000 ____D C:\FRST 2015-12-11 08:08 - 2015-12-17 06:40 - 02370048 _____ (Farbar) C:\Users\Trial\Desktop\FRST64.exe 2015-12-11 07:31 - 2015-12-11 07:33 - 00000000 ____D C:\Program Data 2015-12-11 07:11 - 2015-12-11 10:07 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys 2015-12-11 07:10 - 2015-12-17 05:33 - 00065536 _____ C:\Windows\system32\Ikeext.etl 2015-12-11 07:10 - 2015-12-11 07:10 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Malwarebytes 2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware 2015-12-11 07:10 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys 2015-12-11 07:10 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) 
C:\Windows\system32\Drivers\mwac.sys 2015-12-11 07:10 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys 2015-12-11 07:03 - 2015-12-11 07:03 - 00000000 ____D C:\Chameleon 2015-12-11 06:47 - 2015-12-11 06:47 - 01592131 _____ C:\Users\Trial\Desktop\MalwarebytesAntiMalwareUserGuide.pdf 2015-12-11 06:42 - 2015-12-11 06:42 - 00001409 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk 2015-12-11 06:41 - 2015-12-11 06:42 - 00001443 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk 2015-12-11 06:41 - 2015-12-11 06:41 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\VirtualStore 2015-12-10 04:15 - 2015-12-11 06:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2015-12-10 04:15 - 2015-12-10 04:17 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk 2015-12-10 04:15 - 2015-12-10 04:16 - 00243656 _____ C:\Users\Trial\Downloads\Firefox Setup Stub 42.0.exe 2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Mozilla 2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Local\Mozilla 2015-12-10 03:33 - 2015-12-10 03:33 - 00057560 _____ C:\Users\Fuzzy\AppData\Local\GDIPFONTCACHEV1.DAT 2015-12-10 03:19 - 2015-12-10 03:12 - 00003900 _____ C:\Users\Trial\Desktop\route.print.txt 2015-12-10 03:18 - 2015-12-10 03:12 - 00003060 _____ C:\Users\Trial\Desktop\ipconfig.all.txt 2015-12-10 03:03 - 2015-12-12 08:02 - 00000000 ____D C:\Users\Fuzzy 2015-12-10 03:03 - 2015-12-10 03:03 - 00000020 ___SH C:\Users\Fuzzy\ntuser.ini 2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\My Documents 2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Videos 2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Pictures 2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Music 2015-12-10 03:03 - 2011-04-12 
03:28 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\Media Center Programs 2015-12-09 09:51 - 2015-12-09 09:51 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk 2015-12-09 09:51 - 2015-12-09 09:51 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk 2015-12-09 09:48 - 2015-12-09 09:48 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf 2015-12-09 09:46 - 2015-12-09 07:35 - 00000000 ____D C:\Windows\Panther 2015-12-09 08:42 - 2015-12-09 08:42 - 00057560 _____ C:\Users\Trial\AppData\Local\GDIPFONTCACHEV1.DAT 2015-12-09 08:07 - 2015-12-09 08:07 - 00000000 ____D C:\OriginalDrvrsPkg 2015-12-09 08:05 - 2015-12-13 05:58 - 00000000 ____D C:\swsetup 2015-12-09 07:39 - 2015-12-09 07:39 - 00003050 _____ C:\Windows\System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B} 2015-12-09 07:36 - 2015-12-09 07:36 - 00001443 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk 2015-12-09 07:36 - 2015-12-09 07:36 - 00001409 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk 2015-12-09 07:36 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial\AppData\Local\VirtualStore 2015-12-09 07:35 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial 2015-12-09 07:35 - 2015-12-09 07:35 - 00000020 ___SH C:\Users\Trial\ntuser.ini 2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\My Documents 2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Videos 2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Pictures 2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Music 2015-12-09 07:35 - 2011-04-12 03:28 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Media Center Programs ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2015-12-17 06:35 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2015-12-17 06:35 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2015-12-17 06:10 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\tracing 2015-12-17 05:37 - 2009-07-14 00:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI 2015-12-17 05:37 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf 2015-12-17 05:33 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT 2015-12-15 04:20 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF 2015-12-13 06:22 - 2009-07-13 22:20 - 00000000 ____D C:\Windows 2015-12-09 10:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache 2015-12-09 09:52 - 2009-07-13 23:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT 2015-12-09 09:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\sysprep 2015-12-09 09:48 - 2011-04-12 03:28 - 00000000 ____D C:\Windows\CSC 2015-12-09 09:46 - 2009-07-14 00:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) 
C:\Windows\system32\winlogon.exe => File is digitally signed C:\Windows\system32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\system32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\system32\services.exe => File is digitally signed C:\Windows\system32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\system32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\system32\rpcss.dll => File is digitally signed C:\Windows\system32\dnsapi.dll => File is digitally signed C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2015-12-11 10:02 ==================== End of FRST.txt ============================ Additional scan result of Farbar Recovery Scan Tool (x64) Version:17-12-2015 Ran by Fuzzy (2015-12-17 06:41:31) Running from C:\Users\Trial\Desktop Windows 7 Professional Service Pack 1 (X64) (2015-12-09 12:35:45) Boot Mode: Normal ========================================================== ==================== Accounts: ============================= Administrator (S-1-5-21-1625722349-1841773593-886300088-500 - Administrator - Disabled) Fuzzy (S-1-5-21-1625722349-1841773593-886300088-1001 - Administrator - Enabled) => C:\Users\Fuzzy Guest (S-1-5-21-1625722349-1841773593-886300088-501 - Limited - Enabled) Trial (S-1-5-21-1625722349-1841773593-886300088-1000 - Limited - Enabled) => C:\Users\Trial ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{47B8DBFC-2891-480C-92D6-92143AD0D027}) (Version: 16.6.1.6 - Broadcom Corporation) Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes) Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla) Port Forward Network Utilities 2.0.16c (HKLM-x32\...\Port Forward Network Utilities) (Version: 2.0.16c - Portforward.com) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== Restore Points ========================= 17-12-2015 04:41:00 JRT Pre-Junkware Removal ==================== Hosts content: =============================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {D782AC97-277B-41AA-8CEF-1C26A2596BA7} - System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B} => pcalua.exe -a E:\MbamMbae-setup.exe -d E:\ (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) ==================== Shortcuts ============================= (The entries could be listed to be restored or removed.) 
==================== Loaded Modules (Whitelisted) ============== ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) ==================== EXE Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg HKU\S-1-5-21-1625722349-1841773593-886300088-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg DNS Servers: 209.18.47.61 - 209.18.47.62 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) Windows Firewall is enabled. ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [{E349130A-80FF-4039-9D9F-5BBC6953B7F4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{60811ED5-8C79-4861-B0E6-BA64FD9BB999}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{08577180-EA8D-47A2-B6D9-866F04D7CD6C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{6371C883-3255-4226-A299-8DA5D00D3448}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [TCP Query User{F2316BA4-474B-4CA3-891C-3DE741ACBBD8}C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe] => (Allow) C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe FirewallRules: [uDP Query User{9F59A733-B58B-4C17-9F9A-0E408D57F0A1}C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe] => (Allow) C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe ==================== Faulty Device Manager Devices ============= Name: PS/2 Compatible Mouse Description: PS/2 Compatible Mouse Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: i8042prt Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24) Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved. 
Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (12/17/2015 06:24:26 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Error: (12/17/2015 06:24:24 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 06:24:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Error: (12/17/2015 06:23:59 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 06:23:59 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
Error: (12/17/2015 06:23:52 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 05:33:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/17/2015 03:51:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/15/2015 04:10:07 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/14/2015 06:48:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (12/17/2015 06:28:18 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:28:18 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/17/2015 06:28:17 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:28:17 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/17/2015 06:28:17 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:28:17 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/17/2015 06:26:00 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:26:00 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
Error: (12/17/2015 06:25:59 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:25:59 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


==================== Memory info ===========================

Processor: AMD Athlon II X2 B24 Processor
Percentage of memory in use: 21%
Total physical RAM: 7679.39 MB
Available physical RAM: 6019.58 MB
Total Virtual: 15356.98 MB
Available Virtual: 13613.43 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:23.96 GB) (Free:2.54 GB) NTFS
Drive d: () (Fixed) (Total:208.83 GB) (Free:208.73 GB) NTFS
Drive f: () (Removable) (Total:7.26 GB) (Free:3.29 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 06F7285A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=24 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=208.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.3 GB) (Disk ID: 00000000)
Partition: GPT.

==================== End of Addition.txt ============================

Thanks again, Advanced! I'll be patient - this is a lot to look at!

BoRe
  13. You asked me for pictures of these files in post #9, right? As I have explained in posts #5 and 7, this website is not acting at all normally! I cannot attach text or image files. I was lucky the copy/paste was working so I could even show you the files. Why is this stuff happening on the Malwarebytes Forums? Please answer this question. If there is an update or patch, please supply it. MBAM Premium won't update automatically, and manually there are never any new updates available (yeah, right...). Frankly, I don't care if you want to call it "not Infected" or whatever. I just need help to have a working PC. That is why I did a clean install. But I'm having the exact same problems I was having with the previous install I wiped out. Something was blocking me from having my settings the way I wanted them in various Windows apps including IE, Firefox, my modem and MBAM Premium. I could not access BIOS setup because there was a password there I never set. Boot was always PXE, but I had never joined a domain and had tried to disable Remote Management unsuccessfully using the built-in hidden admin account. I got constant "Access denied" or would click on a folder or file and it would disappear. If I didn't unplug the PC after shutdown, I would find it running in the wee hours, even though I kept disabling WOL. I haven't tried to change anything on this clean install because I was instructed not to. But Boot is PXE again. I found the PC running in the wee hours because I hadn't unplugged it. MBAM isn't working right. I can reset my modem, but I'm not offered any options to change any settings. I can change the username and password, but they're never accepted - I just get rerouted to the "change user name and password" option every time. There is no login option. After 3 resets, Firefox now times out every connection attempt to my modem. I had a cable modem and router that got ruined exactly like this one that I replaced it with. 
That's why I haven't hooked up my new router yet until everything is cleared up. It doesn't make sense to me to buy a new modem right now and hook it up to whoever is turning on my PC remotely in the middle of the night if I forget to unplug it after shutdown.
  14. Yes, I have JPG and PNG versions of the files also, but when I try to attach an image (insert is not available) I always get the error message "You are not allowed to use that image extension on this community." Let me try other methods - it seems things change as I work.

C:\Windows\SysWOW64\ras\Switch.txt

; SWITCH.INF for Windows XP Network and Dial-up Connections/
; Remote Access Service
; Copyright © Microsoft Corporation. All rights reserved.
;
; You should read all of the comments in this file before you
; activate a script. Complete information about using this file
; is available in NETCFG.CHM.
;
; This file provides sample logon scripts for connections to
; remote computers. Connections to Windows NT RAS computers do not use
; this file, so this file is used only for connecting to
; non-Microsoft computers.
;
; SEE      Network Connections now supports the Windows 95 scripting
; ALSO     language which you may find easier to use than SWITCH.INF
;          scripts. The language is described in NETCFG.CHM
;
; The most common use of scripts is an after-dialing script that
; logs you on to a remote computer, such as an Internet connection
; provider. You activate the scripts in this file by editing the
; Interactive logon and scripting settings in the Security properties
; of the Network Connection.
;
; The Generic logon script can be activated and used immediately.
; The additional scripts in this file are provided as examples from
; which you can cut and paste relevant sections into your own scripts.
; The comment marker (;) in column one of the non-generic scripts must
; be removed before the scripts will work.
;
; These scripts assume the remote computer uses the words login and
; password followed by a colon (eg "login:" and "password:") to prompt
; you for your username and password. If the remote computer prompts
; you with words other than login and password, you must
; replace ogin: and assword: in the scripts below with the exact
; text the remote computer uses.
; Note: The text in the script does not
; include the first few letters because the remote computer may respond
; with <Password> or <password>.
;
;==============================================================
[Generic login]
; This script will automate many logons when the remote computer
; prompts only for login (username) and password. This script requires
; Windows NT 3.51 or later.
;
; When you first dial this entry, the "Connect" window will
; prompt for your username and password. The username and password
; entered on that window will be used by the <username> and <password>
; macros in this script. By requiring the username and password on
; initial dial, this script is secure.
;
; The "Use Windows password" check box on the Network Connections
; Security page must be cleared when using this script (cleared by
; default), because the clear password is not available in that case.
; Passwords saved with the "Save Password" checkbox will work.
;
; Each script is a sequence of alternating COMMANDs and responses.
; Here, we start communication with the remote computer by saying
; we have nothing to send before expecting a response.
COMMAND=
;
; The following two lines cause Network Connections to ignore all responses
; until the remote computer requests your login name. If the remote
; computer prompts you with a word other than login you must
; replace ogin: in the line below with the exact text the
; remote computer uses.
OK=<match>"ogin:"
LOOP=<ignore>
;
; This is the equivalent of typing the same username you filled in
; on the "Connect" window or saved with the "Save password"
; checkbox.
COMMAND=<username><cr>
;
; The following two lines cause Network Connections to ignore all
; responses until the remote computer requests your password. If
; the remote computer prompts you with a word other than password
; you must replace assword: in the line below with the exact text the
; remote computer uses.
OK=<match>"assword:"
LOOP=<ignore>
;
; This is the equivalent of typing the same password you filled in
; on the "Connect" window or saved with the "Save password"
; checkbox.
COMMAND=<password><cr>
;
; Ignore the final responses from the computer.
OK=<ignore>
;
; =====================================================================
; ADDITIONAL EXAMPLE SECTION
;
; This additional script is provided as an example from which you can
; cut and paste relevant sections into your own scripts. The comment
; marker (;) in column one must be removed before the script will
; work.
;======================================================================
;
; [Sample SLIP login]
;
; Because SLIP connection logon sequences vary widely, it is difficult
; to provide even a generic version for you to use. The following script
; was used to connect to an actual SLIP provider.
;
; Start communication with remote computer by sending COMMAND=
; COMMAND=
;
; The following two lines cause Network Connections to ignore all responses
; until the remote computer requests your login name. If the remote
; computer prompts you with a word other than login you must
; replace ogin: in the line below with the exact text the
; remote computer uses.
; OK=<match>"ogin:"
; LOOP=<ignore>
;
; You must replace YourLoginHere in the line below
; with your actual login.
; COMMAND=YourLoginHere<cr>
;
; The following two lines cause Network Connections to ignore all responses
; until the remote computer requests your password. If the remote
; computer prompts you with a word other than password you must
; replace assword: in the line below with the exact text the
; remote computer uses.
; OK=<match>"assword:"
; LOOP=<ignore>
;
; You must replace YourPasswordHere in the line below
; with your actual password.
; COMMAND=YourPasswordHere<cr>
;
; Provide 4 carriage returns to ignore 4 questions.
; COMMAND=<cr>
; COMMAND=<cr>
; COMMAND=<cr>
; COMMAND=<cr>
;
; Wait for Home prompt.
; COMMAND=
; OK=<match>"Home"
; LOOP=<ignore>
;
; Request SLIP connection.
; COMMAND=SLIP<cr>
;
; At this point the script successfully ends and the SLIP Login Terminal
; window appears. You would enter the IP address provided by the remote
; computer (in the SLIP Login Terminal window) in the IP Address box and
; press the Done button.

C:\Windows\SysWOW64\ras\pppmenu

;
; This is a script file that demonstrates how
; to establish a PPP connection with a host
; that uses a menu system.
;
; A script file must have a 'main' procedure.
; All script execution starts with this 'main'
; procedure.
;

; Main entry point to script
;
proc main

   ; Change these variables to customize for your
   ; specific Internet service provider

   integer nTries = 3

   ; This is the login prompt and timeout values

   string szLogin = "username:"
   integer nLoginTimeout = 3

   ; This is the password prompt and timeout values

   string szPW = "password:"
   integer nPWTimeout = 3

   ; This is the prompt once your password is verified

   string szPrompt = "annex:"

   ; This is the command to send to establish the
   ; connection. This script assumes you only need
   ; to issue one command to continue. Feel free
   ; to add more commands if your provider requires
   ; it.
   ;
   ; This provider has a menu list like this:
   ;
   ;    1 : Our special GUI
   ;    2 : Establish slip connection
   ;    3 : Establish PPP connection
   ;    4 : Establish shell access
   ;    5 : Download our software
   ;    6 : Exit
   ;
   ; annex:
   ;

   string szConnect = "3^M"

   ; Set this to FALSE if you don't want to get an IP
   ; address

   boolean bUseSlip = FALSE

   ; -----------------------------------------------------

   ; Delay for 2 seconds first to make sure the
   ; host doesn't get confused when we send the
   ; two carriage-returns.
   delay 2
   transmit "^M^M"

   ; Attempt to login at most 'nTries' times

   while 0 < nTries do

      ; Wait for the login prompt before entering
      ; the user ID, timeout after x seconds

      waitfor szLogin then DoLogin
         until nLoginTimeout

TryAgain:
      transmit "^M"     ; ping
      nTries = nTries - 1

   endwhile

   goto BailOut

DoLogin:

   ; Enter user ID

   transmit $USERID, raw
   transmit "^M"

   ; Wait for the password prompt

   waitfor szPW until nPWTimeout
   if FALSE == $SUCCESS then
      goto TryAgain
   endif

   ; Send the password

   transmit $PASSWORD, raw
   transmit "^M"

   ; Wait for the prompt

   waitfor szPrompt
   transmit szConnect

   if bUseSlip then

      ; An alternative to the following line is
      ;
      ;   waitfor "Your address is "
      ;   set ipaddr getip
      ;
      ; if we don't know the order of the IP addresses.

      set ipaddr getip 2

   endif

   goto Done

BailOut:

   ; Something isn't responding. Halt the script
   ; and let the user handle it manually.

   set screen keyboard on
   halt

Done:

endproc

C:\Windows\SysWOW64\ras\pad

;-----------------------------------------------------------------------------
[Responses]
; This section is temporary.
;-----------------------------------------------------------------------------
[SprintNet, Standard]

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

; The next two lines ignore logon banners
COMMAND=
OK=<ignore>

; The @ characters sets the SprintNet PAD for 8 databit communication.
COMMAND=@
NoResponse

; The D character requests a 9600 speed.
COMMAND=D<cr>

; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; A carriage return to initialize the PAD read/write buffers
COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:0,2:0,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:0,17:0,18:0,19:0,20:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Finally try to call RAS X25 server
COMMAND=C <x25address>*<UserData><cr>
CONNECT=<match>" CONNECT"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
; DIAGNOSTIC information will be extracted from the response and sent to the
; user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.

;-----------------------------------------------------------------------------
[SprintNet, Alternate]

; Connections can be made more reliably in some SprintNet locations if
; there are some delays near the beginning of the pad.inf entry. As a
; general rule of thumb use this entry with older, slower (2400 bps)
; locations.

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; The @ characters sets the SprintNet PAD for 8 databit communication.
COMMAND=@
NoResponse

COMMAND=
NoResponse

; The D character requests a 9600 speed.
COMMAND=D<cr>

; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; A carriage return to initialize the PAD read/write buffers
COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:0,2:0,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:0,17:0,18:0,19:0,20:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Finally try to call RAS X25 server
COMMAND=C <x25address>*<UserData><cr>
CONNECT=<match>" CONNECT"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
; DIAGNOSTIC information will be extracted from the response and sent to the
; user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.

;-----------------------------------------------------------------------------
[InfoNet]

DEFAULTOFF=
MAXCARRIERBPS=2400
MAXCONNECTBPS=2400

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

COMMAND=<cr>
; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

COMMAND=X<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:126,2:1,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
NoResponse

COMMAND=
NoResponse

; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:0,17:0,18:0,19:0,20:0,21:0,22:0<cr>
NoResponse

COMMAND=
NoResponse

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>
OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>

; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
; DIAGNOSTIC information will be extracted from the response and sent
; to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.

; Finally set no escape and no echo
COMMAND=SET 1:0,2:0<cr>
NoResponse

;-----------------------------------------------------------------------------
[InfoNet, Alternate]

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

COMMAND=<cr>
; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

COMMAND=X<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
;COMMAND=SET 1:126,2:1,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
COMMAND=SET 1:126,2:1,3:0,4:1,5:0,6:1,7:2,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>

; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:127,17:24,18:18,19:0,20:0,21:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>
OK=<ignore>
OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR=<match>"ERR"

; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
; DIAGNOSTIC information will be extracted from the response and sent
; to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.
; Finally set no escape and no echo
COMMAND=SET 1:0,2:0<cr>
NoEcho
ERROR=<match>"ERR"
CONNECT=<ignore>

[Transpac]

DEFAULTOFF=
MAXCARRIERBPS=2400
MAXCONNECTBPS=2400

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<match>"TRANSPAC"

; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:1,2:1,3:0,4:1,5:0,6:1,7:0,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>

; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:127,17:24,18:18,19:0,20:0,21:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>
OK=<ignore>
OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>

; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
; DIAGNOSTIC information will be extracted from the response and sent
; to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.

; Finally set no escape and no echo
COMMAND=SET 1:0,2:0<cr>
NoEcho
CONNECT=<ignore>

;-----------------------------------------------------------------------------
[Eicon X.PAD]

DEVICETYPE=pad
DEFAULTOFF=
MAXCARRIERBPS=1200
MAXCONNECTBPS=1200

;
; INIT section.
;
COMMAND_INIT=PAR 2<cr>
NoEcho
OK=par 2:<ignore>
ERROR_DIAGNOSTICS=CLR <Diagnostics>
ERROR=ERR<ignore>

;
; LISTEN section.
;
COMMAND_LISTEN=
NoEcho
CONNECT=<match>"COM"
ERROR_DIAGNOSTICS=CLR <Diagnostics>
ERROR=ERR<ignore>

;
; CALL section.
;
COMMAND_DIAL=<x25address><cr><lf>
NoEcho
CONNECT=<match>"COM"
ERROR_DIAGNOSTICS=CLR CONF <cr><lf>CLR<Diagnostics>
ERROR_DIAGNOSTICS=CLR <Diagnostics>
ERROR=ERR<ignore>

;-----------------------------------------------------------------------------
[Compuserve]

; Disclaimer:
; This script has been included for customer convenience, but has NOT been
; fully verified to work under all circumstances. Microsoft makes NO guarantees
; as to the performance of this script. Please contact Microsoft
; PSS NT support if you have problems or questions.

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

COMMAND=
NoResponse

COMMAND=<cr>
OK=<ignore>

COMMAND=+<cr>
OK=<match>"Host Name:"

COMMAND=<x25address><cr>
CONNECT=<match>"Connected"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

;-----------------------------------------------------------------------------------
[SITA Group Network]

; Disclaimer:
; This script has been included for customer convenience, but has NOT been
; fully verified to work under all circumstances. Microsoft makes NO guarantees
; as to the performance of this script. Please contact Microsoft
; PSS NT support if you have problems or questions.

; PLEASE SEE COMMENTS BELOW REGARDING USAGE OF THE "User Data:"
; and "Facilities:" FIELDS IN RAS WHEN USING THIS SITA SCRIPT.

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

COMMAND=...<cr>
OK=<match>"SITA NETWORK:"

; Enter your NUI number in the Remote Access program's X.25 Settings "User Data:" field.
COMMAND=<UserData><cr>
OK=<ignore>

; Enter your x.25 password in the Remote Access program's X.25 Settings "Facilities:" field.
COMMAND=<Facilities><cr>
OK=<match>"active"
ERROR_DIAGNOSTICS=<cr><lf><cr><lf><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>
COMMAND=PROF 6<cr> NoResponse
COMMAND= NoResponse
COMMAND=SET 2:1<cr>
OK=<ignore>
COMMAND= NoResponse
COMMAND=SET 4:1,6:1,16:0,17:0,18:0,19:0,21:0<cr>
OK=<ignore>
COMMAND= NoResponse
COMMAND=SET 118:0,119:0,120:0<cr>
OK=<ignore>
COMMAND=PAR?<cr>
OK=<ignore>
COMMAND=SET 2:0<cr> NoResponse
COMMAND= NoResponse
COMMAND=<x25address><cr>
CONNECT=<match>"connected"
;CONNECT=<ignore>
ERROR_DIAGNOSTICS=<cr><lf><cr><lf><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

;-----------------------------------------------------------------------------------
[Alascom/Tymnet/MCI]
; Disclaimer:
; This script has been included for customer convenience, but has NOT been
; fully verified to work under all circumstances. Microsoft makes NO guarantees
; as to the performance of this script. Please contact Microsoft
; PSS NT support if you have problems or questions.
; NOTE: Whether your X.25 account is set up for a single x.121 identifier or a
; username/password combination, they both are entered in the Remote Access program's
; "X.25 Settings" dialog box in the "X.121 Address:" field.
; A username and password combination is entered simply by separating them with a
; SEMICOLON, e.g.: John;mypass
; where "John" is the username and "mypass" is the password.
DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600
; The "o" changes the terminal identifer so that the x.25 network responses are
; readable and don't appear as garbage. No carriage return is required after it.
COMMAND=o
OK=<match>"log in:"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>
; Note: The "<h08>" represents a Ctrl-H or Backspace character which turns the
; echo facility in the x.25 network off which interferes with RAS operation.
COMMAND=<h08><x25address><cr>
CONNECT=<match>"connected"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

[Telematics]
DEFAULTOFF=
MAXCARRIERBPS=19200
MAXCONNECTBPS=19200

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=<cr>

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=<cr>

;The next line will initiate AUTOBAUD/AUTOPARITY with the
;Telematics PAD
COMMAND=..<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<match>"*"

; Finally try to call RAS X25 server
COMMAND=<x25address><cr>
CONNECT=<match>"com"

[infoNet X25]
DEFAULTOFF=
MAXCARRIERBPS=2400
MAXCONNECTBPS=2400

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND= NoResponse

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND= NoResponse

COMMAND=<cr>
; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

COMMAND=SET 2:1<cr> NoResponse

COMMAND=X<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>
OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>

; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
; DIAGNOSTIC information will be extracted from the response and sent
; to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.

C:\Windows\SysWOW64\ras\cis

;
; This is a script file that demonstrates how
; to establish a PPP connection with Compuserve,
; which requires changing the port settings to
; log in.
;

; Main entry point to script
;
proc main

   ; Set the port settings so we can wait for
   ; non-gibberish text.
   set port databits 7
   set port parity even

   transmit "^M"
   waitfor "Host Name:"
   transmit "CIS^M"

   waitfor "User ID:"
   transmit $USERID, raw
   transmit "/go:pppconnect^M"

   waitfor "Password: "
   transmit $PASSWORD, raw
   transmit "^M"

   waitfor "One moment please..."

   ; Set the port settings back to allow successful
   ; negotiation.

   set port databits 8
   set port parity none

endproc

Sorry I had to copy/paste - hope these are helpful. Going to follow your instructions for the modem now. Thanks a lot! BoRe
  15. The files I wanted to show you are located at C:\Windows\SysWOW64\ras. They are named "cis", "pad", "pppmenu" and "switch". Thanks very much for your help, Double-Headed Eagle. BoRe
  16. No luck resetting my modem. My ISP says they can't help because it isn't rented from them, but belongs to me. My public internet and PC internal IPs are the same - is that normal? I have never connected to a remote server - I don't work for a company. This is strictly a personal PC. So why are the attached files needed and "Access Denied"? Darn! Now I get an error that I'm not allowed to upload .txt files. Sorry, I'll have to copy/paste. Oh, no! Ctrl+V is now disabled, too. What is going on?
  17. Hello, and thanks for your reply.

Is this your computer?
Yes, it is.

What makes you think you're infected?
- I cannot set up a network connection, but there's a working connection that won't let me modify any settings.
- Search in Firefox by Google yields pages from 2012 and 2013! Redirect much?
- When I bought this Joy Systems refurbished HP 6005 Pro SSF PC, the drivers were mostly HP branded. Now almost all are Microsoft from 2006. No drivers can be updated with the clean newer versions I downloaded from HP onto a new thumb drive.
- I cannot access my modem. The rigorous password was changed. Soft or hard resets do nothing.
- Whenever I try to harden my Win 7 installation by changing settings, many choices are greyed out. If it appears changes were accepted and I go back to check, all have been reset to what I changed from.
- I've spent hours trying to prove I'm infected. With all due respect, please realize that a main feature of the malware I suspect is its ability to hide.
  18. Couldn't save a MBAM log.

FRST notes:
1. I set Firefox as default browser, not IE
2. There is only one physical HDD
3. I installed W7 on the 24GB partition 2, now shown as inactive
4. I never installed a GPT partition - I think this is the hidden drive containing the malware

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-12-2015
Ran by Fuzzy (administrator) on TRIAL-PC (11-12-2015 08:09:47)
Running from C:\Users\Trial\Desktop
Loaded Profiles: Trial & Fuzzy (Available Profiles: Trial & Fuzzy)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-1625722349-1841773593-886300088-1000\...\MountPoints2: {b688ef49-9e83-11e5-830e-806e6f6e6963} - E:\MbamMbae-setup.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{CB4BF8C3-107B-4830-88D1-31341AC78398}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-11] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\drivers\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys ==> MD5 is legit
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdk8.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys ==> MD5 is legit
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\drivers\arc.sys ==> MD5 is legit
C:\Windows\system32\drivers\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\drivers\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys 91CE0D3DC57DD377E690A2D324022B08
C:\Windows\system32\drivers\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\system32\drivers\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\system32\drivers\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys ==> MD5 is legit
C:\Windows\system32\drivers\compbatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\drivers\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\dmvsc.sys 5DB085A8A6600BE6401F2B24EECB5415
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys ==> MD5 is legit
C:\Windows\system32\drivers\evbda.sys ==> MD5 is legit
C:\Windows\system32\drivers\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\drivers\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\drivers\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fvevol.sys ==> MD5 is legit
C:\Windows\system32\drivers\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\System32\drivers\HdAudio.sys 975761C778E33CD22498059B91E7373A
C:\Windows\System32\DRIVERS\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidbth.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\i8042prt.sys ==> MD5 is legit
C:\Windows\system32\drivers\iaStorV.sys ==> MD5 is legit
C:\Windows\system32\drivers\iirsp.sys ==> MD5 is legit
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\system32\drivers\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecpkg.sys ==> MD5 is legit
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mbamchameleon.sys 42B3F5C9FBC9B3F0E0BA6B5D7FC8E849
C:\Windows\system32\drivers\mbam.sys CFBC6C6D8A492697CABD1D353EE64933
C:\Windows\system32\drivers\MBAMSwissArmy.sys 78488AF2AB2111D67B3C4044707A519B
C:\Windows\system32\drivers\mwac.sys D61070CFAD43038DC56AEAD9BFE9CE2A
C:\Windows\system32\drivers\megasas.sys ==> MD5 is legit
C:\Windows\system32\drivers\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb.sys FAF015B07E3A2874A790A39B7D2C579F
C:\Windows\System32\DRIVERS\mrxsmb10.sys 08E2345DF129082BCDFFDC1440F9C00D
C:\Windows\System32\DRIVERS\mrxsmb20.sys 108D87409C5812EF47D81E22843E8C9D
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\drivers\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\drivers\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\drivers\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\drivers\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\drivers\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql2300.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\drivers\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\drivers\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 2098B8556D1CEC2ACA9A29CD479E3692
C:\Windows\System32\DRIVERS\srv2.sys D0F73A42040F21F92FD314B42AC5C9E7
C:\Windows\System32\DRIVERS\srvnet.sys 2BA8F3250828CCDB4204ECF2C6F40B6A
C:\Windows\system32\drivers\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tcpip.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpipreg.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\termdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\tpm.sys DBCC20C02E8A3E43B03C304A4E40A84F
C:\Windows\System32\DRIVERS\tssecsrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\system32\drivers\TsUsbGD.sys 9CC2CCAE8A84820EAECB886D477CBCB8
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\drivers\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbccgp.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbehci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbhub.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbohci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbscan.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS ==> MD5 is legit
C:\Windows\system32\drivers\usbuhci.sys ==> MD5 is legit
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\system32\drivers\vmbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\drivers\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\drivers\vwifibus.sys ==> MD5 is legit
C:\Windows\system32\drivers\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\drivers\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWOW64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WUDFRd.sys ==> MD5 is legit

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Three Months Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-11 08:09 - 2015-12-11 08:10 - 00018059 _____ C:\Users\Trial\Desktop\FRST.txt
2015-12-11 08:09 - 2015-12-11 08:09 - 00000000 ____D C:\FRST
2015-12-11 08:08 - 2015-12-11 08:08 - 02369024 _____ (Farbar) C:\Users\Trial\Desktop\FRST64.exe
2015-12-11 07:31 - 2015-12-11 07:33 - 00000000 ____D C:\Program Data
2015-12-11 07:11 - 2015-12-11 07:35 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-11 07:10 - 2015-12-11 07:10 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2015-12-11 07:10 - 2015-12-11 07:10 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-11 07:10 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-12-11 07:10 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-12-11 07:10 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-12-11 07:03 - 2015-12-11 07:03 - 00000000 ____D C:\Chameleon
2015-12-11 06:47 - 2015-12-11 06:47 - 01592131 _____ C:\Users\Trial\Desktop\MalwarebytesAntiMalwareUserGuide.pdf
2015-12-11 06:42 - 2015-12-11 06:42 - 00001409 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-11 06:41 - 2015-12-11 06:42 - 00001443 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-11 06:41 - 2015-12-11 06:41 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\VirtualStore
2015-12-10 04:15 - 2015-12-11 06:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-10 04:15 - 2015-12-10 04:17 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-12-10 04:15 - 2015-12-10 04:16 - 00243656 _____ C:\Users\Trial\Downloads\Firefox Setup Stub 42.0.exe
2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Mozilla
2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Local\Mozilla
2015-12-10 03:33 - 2015-12-10 03:33 - 00057560 _____ C:\Users\Fuzzy\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-10 03:19 - 2015-12-10 03:12 - 00003900 _____ C:\Users\Trial\Desktop\route.print.txt
2015-12-10 03:18 - 2015-12-10 03:12 - 00003060 _____ C:\Users\Trial\Desktop\ipconfig.all.txt
2015-12-10 03:03 - 2015-12-11 06:41 - 00000000 ____D C:\Users\Fuzzy
2015-12-10 03:03 - 2015-12-10 03:03 - 00000020 ___SH C:\Users\Fuzzy\ntuser.ini
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\My Documents
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Videos
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Pictures
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Music
2015-12-10 03:03 - 2011-04-12 03:28 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\Media Center Programs
2015-12-09 09:51 - 2015-12-09 09:51 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2015-12-09 09:51 - 2015-12-09 09:51 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2015-12-09 09:48 - 2015-12-09 09:48 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2015-12-09 09:46 - 2015-12-09 07:35 - 00000000 ____D C:\Windows\Panther
2015-12-09 08:42 - 2015-12-09 08:42 - 00057560 _____ C:\Users\Trial\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-09 08:07 - 2015-12-09 08:07 - 00000000 ____D C:\OriginalDrvrsPkg
2015-12-09 08:05 - 2015-12-09 08:11 - 00000000 ____D C:\swsetup
2015-12-09 07:39 - 2015-12-09 07:39 - 00003050 _____ C:\Windows\System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B}
2015-12-09 07:36 - 2015-12-09 07:36 - 00001443 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-09 07:36 - 2015-12-09 07:36 - 00001409 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-09 07:36 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial\AppData\Local\VirtualStore
2015-12-09 07:35 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial
2015-12-09 07:35 - 2015-12-09 07:35 - 00000020 ___SH C:\Users\Trial\ntuser.ini
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\My Documents
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Videos
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Pictures
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Music
2015-12-09 07:35 - 2011-04-12 03:28 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Media Center Programs

==================== Three Months Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-11 08:09 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-12-11 07:15 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\tracing
2015-12-11 06:45 - 2009-07-14 00:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-11 06:45 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2015-12-11 06:41 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-10 05:29 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-10 05:29 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-10 03:27 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2015-12-09 10:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2015-12-09 09:52 - 2009-07-13 23:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-09 09:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\sysprep
2015-12-09 09:48 - 2011-04-12 03:28 - 00000000 ____D C:\Windows\CSC
2015-12-09 09:46 - 2009-07-14 00:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== BCD ================================

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {a0d9432a-9e83-11e5-8695-cdd7567fadc1}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {a0d9432c-9e83-11e5-8695-cdd7567fadc1}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {a0d9432a-9e83-11e5-8695-cdd7567fadc1}
nx OptIn

Windows Boot Loader
-------------------
identifier {a0d9432c-9e83-11e5-8695-cdd7567fadc1}
device ramdisk=[C:]\Recovery\a0d9432c-9e83-11e5-8695-cdd7567fadc1\Winre.wim,{a0d9432d-9e83-11e5-8695-cdd7567fadc1}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[C:]\Recovery\a0d9432c-9e83-11e5-8695-cdd7567fadc1\Winre.wim,{a0d9432d-9e83-11e5-8695-cdd7567fadc1} systemroot \windows nx OptIn winpe Yes Resume from Hibernate --------------------- identifier {a0d9432a-9e83-11e5-8695-cdd7567fadc1} device partition=C: path \Windows\system32\winresume.exe description Windows Resume Application locale en-US inherit {resumeloadersettings} filedevice partition=C: filepath \hiberfil.sys debugoptionenabled No Windows Memory Tester --------------------- identifier {memdiag} device partition=\Device\HarddiskVolume1 path \boot\memtest.exe description Windows Memory Diagnostic locale en-US inherit {globalsettings} badmemoryaccess Yes EMS Settings ------------ identifier {emssettings} bootems Yes Debugger Settings ----------------- identifier {dbgsettings} debugtype Serial debugport 1 baudrate 115200 RAM Defects ----------- identifier {badmemory} Global Settings --------------- identifier {globalsettings} inherit {dbgsettings} {emssettings} {badmemory} Boot Loader Settings -------------------- identifier {bootloadersettings} inherit {globalsettings} {hypervisorsettings} Hypervisor Settings ------------------- identifier {hypervisorsettings} hypervisordebugtype Serial hypervisordebugport 1 hypervisorbaudrate 115200 Resume Loader Settings ---------------------- identifier {resumeloadersettings} inherit {globalsettings} Device options -------------- identifier {a0d9432d-9e83-11e5-8695-cdd7567fadc1} description Ramdisk Options ramdisksdidevice partition=C: ramdisksdipath \Recovery\a0d9432c-9e83-11e5-8695-cdd7567fadc1\boot.sdi LastRegBack: 2015-12-09 09:47 ==================== End of FRST.txt ============================ Additional scan result of Farbar Recovery Scan Tool (x64) Version:09-12-2015 Ran by Fuzzy (2015-12-11 08:10:14) Running from C:\Users\Trial\Desktop Windows 7 Professional Service Pack 1 (X64) (2015-12-09 12:35:45) Boot Mode: Normal ========================================================== ==================== 
Accounts: ============================= Administrator (S-1-5-21-1625722349-1841773593-886300088-500 - Administrator - Disabled) Fuzzy (S-1-5-21-1625722349-1841773593-886300088-1001 - Administrator - Enabled) => C:\Users\Fuzzy Guest (S-1-5-21-1625722349-1841773593-886300088-501 - Limited - Enabled) Trial (S-1-5-21-1625722349-1841773593-886300088-1000 - Limited - Enabled) => C:\Users\Trial ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes) Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== Restore Points ========================= ==================== Hosts content: =============================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {D782AC97-277B-41AA-8CEF-1C26A2596BA7} - System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B} => pcalua.exe -a E:\MbamMbae-setup.exe -d E:\ (If an entry is included in the fixlist, the task (.job) file will be moved. 
The file which is running by the task will not be moved.) ==================== Shortcuts ============================= (The entries could be listed to be restored or removed.) ==================== Loaded Modules (Whitelisted) ============== ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) ==================== EXE Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg HKU\S-1-5-21-1625722349-1841773593-886300088-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg DNS Servers: 209.18.47.61 - 209.18.47.62 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) Windows Firewall is enabled. ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe FirewallRules: [{E349130A-80FF-4039-9D9F-5BBC6953B7F4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{60811ED5-8C79-4861-B0E6-BA64FD9BB999}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{08577180-EA8D-47A2-B6D9-866F04D7CD6C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{6371C883-3255-4226-A299-8DA5D00D3448}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe ==================== Faulty Device Manager Devices ============= Name: PS/2 Compatible Mouse Description: PS/2 Compatible Mouse Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: i8042prt Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24) Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved. Name: Standard PS/2 Keyboard Description: Standard PS/2 Keyboard Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318} Manufacturer: (Standard keyboards) Service: i8042prt Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24) Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears.Remove the device, and this error should be resolved. 
==================== Event log errors: ========================= Application errors: ================== Error: (12/11/2015 06:42:46 AM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (12/10/2015 03:46:36 AM) (Source: RasClient) (EventID: 20227) (User: ) Description: CoId={1A8EDC33-A5B0-4ECA-9FA9-E16CBA38FBF7}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651. Error: (12/10/2015 03:45:09 AM) (Source: RasClient) (EventID: 20227) (User: ) Description: CoId={4388CA10-F398-4476-A836-397F4B710378}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651. Error: (12/10/2015 03:44:12 AM) (Source: RasClient) (EventID: 20227) (User: ) Description: CoId={84543412-4326-4887-BD0F-A25CE5FA4B5E}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651. Error: (12/10/2015 03:43:30 AM) (Source: RasClient) (EventID: 20227) (User: ) Description: CoId={624C7252-FB5B-4399-B741-ED022EEA60D3}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651. 
Error: (12/10/2015 02:52:53 AM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (12/09/2015 10:35:11 AM) (Source: WinMgmt) (EventID: 10) (User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 System errors: ============= ==================== Memory info =========================== Processor: AMD Athlon II X2 B24 Processor Percentage of memory in use: 21% Total physical RAM: 7679.39 MB Available physical RAM: 6038.07 MB Total Virtual: 15356.98 MB Available Virtual: 13755.97 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:23.96 GB) (Free:3.16 GB) NTFS Drive d: () (Fixed) (Total:208.83 GB) (Free:208.73 GB) NTFS Drive f: () (Removable) (Total:7.26 GB) (Free:3.3 GB) FAT32 ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 06F7285A) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=24 GB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=208.8 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (Size: 7.3 GB) (Disk ID: 00000000) Partition: GPT. ==================== End of Addition.txt ============================
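The "Bamital & volsnap" section of the FRST log above reports only whether each of sixteen core Windows binaries is digitally signed. A practitioner checking a machine they do not trust usually wants more than a yes/no: the signer, the certificate thumbprint and a file hash that can be compared against a known-clean install of the same Windows build. The PowerShell below is an added example, not part of the original post and not FRST's own code; it re-runs the signature check on the same sixteen paths and records those extra fields. It assumes an elevated Windows PowerShell 5.1 or later session, because many Windows system files are catalog-signed rather than carrying an embedded signature, and older PowerShell versions report such files as NotSigned even when they are intact.

```powershell
# Added example (not from the thread, not FRST code): re-run the Authenticode check that
# FRST reports under "Bamital & volsnap", and capture signer, thumbprint and SHA-256 so the
# result can be diffed against the same script run on a known-clean machine of the same build.
# Assumption: elevated Windows PowerShell 5.1+ (catalog-signature aware).
$files = @(
    'system32\winlogon.exe',  'system32\wininit.exe',  'SysWOW64\wininit.exe',
    'explorer.exe',           'SysWOW64\explorer.exe',
    'system32\svchost.exe',   'SysWOW64\svchost.exe',  'system32\services.exe',
    'system32\user32.dll',    'SysWOW64\user32.dll',
    'system32\userinit.exe',  'SysWOW64\userinit.exe',
    'system32\rpcss.dll',     'system32\dnsapi.dll',   'SysWOW64\dnsapi.dll',
    'system32\drivers\volsnap.sys'
) | ForEach-Object { Join-Path $env:SystemRoot $_ }

$report = foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        # A missing core binary is itself a finding; record it instead of skipping it.
        [pscustomobject]@{ Path = $path; Status = 'MISSING'; Signer = $null; Thumbprint = $null; SHA256 = $null }
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate            # $null when the file is not signed
    [pscustomobject]@{
        Path       = $path
        Status     = $sig.Status              # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = $cert.Subject
        Thumbprint = $cert.Thumbprint
        SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$report | Format-Table -AutoSize

# Only Status=Valid with a Microsoft signer is a clean result. HashMismatch on a core
# binary means the bytes on disk no longer match what was signed.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' }
if ($suspect) { $suspect | Format-List } else { 'All listed binaries carry a valid Microsoft signature.' }

# Keep a copy to compare with the same script run on a machine you trust.
$report | Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'Desktop\core-binaries.csv')
```

Two caveats. A valid signature proves the file is an unmodified Microsoft binary, not that it is the right version for this build, which is why the SHA-256 column and the comparison against a trusted machine matter. And on an older Windows or PowerShell version that cannot validate catalog signatures, a NotSigned result on these files is inconclusive; Sysinternals sigcheck verifies catalog signatures on its own and is the usual fallback there.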
  19. My reply text this color... I followed the instructions and was asked to post my logs at https://forums.malwarebytes.org/index.php?/forum/7-malware-removal-help/, which I did. However, that post isn't showing anywhere, although I navigated away from the page, then checked for replies before I signed out and it was there. One reason I'm posting within your quote is to see if my comments get disappeared this way, too. Thanks tons, daledoc1 BoRe
  20. To have it ready in case it's needed, I downloaded Chameleon to Desktop and extracted the files. Please note the file location in the address bar. I've attached a screen shot of the files included, which look bogus to me. Are they?
  21. I just bought the Premium edition at a store. Before I try to install, I need to know if it can defeat the infection I have and actually install without being altered (basically controlled by) the infection like all the other things of any kind that I try to install. Thanks, BR
  22. One question before I start. Trusted Installer is a user account! Does that change your advice? Thanks, BoRe