Urgent Help


JordanR

I have downloaded countless virus and malware programs trying to solve my problem. Malwarebytes has helped massively: it got rid of a werfault.exe and constant dllhost.exe error messages and removed so many infected files from my laptop, but it hasn't fixed one problem, and that's my taskbar keeps restarting. I have searched for hours trying to find a solution but no help. Also, to add, my System Restore is affected and I get an error message when opening it. I am on Windows 8 and I have no restore point or anything. sfc /scannow finds an error but cannot fix it.

I also keep receiving a notification from C:\Windows\explorer.exe from Malwarebytes

My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat :)

Before we start please note the following:

  • Analysis and research take some time, also sometimes real life gets in the way, please be patient.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Paste the logs in your posts, attachments make my work harder and more complicated.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.

I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight! :)

Rules and policies

We won't support any piracy.

That being said, if any evidence of illegal OS, software, cracks/keygens or anything similar is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.


Scan with Malwarebytes' Anti-Malware

Please download and install Malwarebytes Anti-Malware, or re-run it if you already have it installed.

  • First of all select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

There will be two versions to download: 32-bit and 64-bit. Please download the one that is designed for your system. If you don't know which one it should be, download both of them and try each one out. Only one will run - this is the right one. Please leave it and delete the other.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    > XP users click run after receipt of Windows Security Warning - Open File.

    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • When the tool opens click Yes to disclaimer.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-08-2014 02

Ran by Jordan at 2014-09-01 15:54:30

Running from C:\Users\Jordan\Downloads

Boot Mode: Normal

==========================================================

 

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

 

==================== Installed Programs ======================

 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

µTorrent (HKCU\...\uTorrent) (Version: 3.4.2.32081 - BitTorrent Inc.)

Abacus UAV Predator for FSX (HKLM-x32\...\{5F1B0E61-396D-4E09-AC6B-04BD33284D3E}) (Version: 1.00.0000 - Abacus Software)

Aerosoft's - F-16 Fighting Falcon (HKLM-x32\...\{A663BED9-978C-4A04-82A3-3029245055BE}) (Version: 1.00 - Aerosoft)

Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon)

Apple Application Support (HKLM-x32\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)

Apple Mobile Device Support (HKLM\...\{6AF2AC2A-3532-43FD-9F4D-BDC9C0D724C7}) (Version: 7.1.2.6 - Apple Inc.)

Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)

Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)

Captain Sim C-130 All-in-One (HKLM-x32\...\{D872B593-5F17-4507-92A6-5F3C9655AF2A}) (Version: 1.1 - The Silverwingz)

CCleaner (HKLM\...\CCleaner) (Version: 4.17 - Piriform)

CF-105 for FSX/Accel (HKLM-x32\...\CF-105 for FSX/Accel) (Version:  - )

Cheat Engine 6.4 (HKLM-x32\...\Cheat Engine 6.4_is1) (Version:  - Cheat Engine)

DAEMON Tools Ultra (HKLM-x32\...\DAEMON Tools Ultra) (Version: 2.2.0.0226 - Disc Soft Ltd)

Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.7.1.2 - Dell Inc.)

Dell Digital Delivery (HKLM-x32\...\{D850CB7E-72BC-4510-BA4F-48932BFAB295}) (Version: 2.9.901.0 - Dell Products, LP)

Dell Product Registration (HKLM-x32\...\{764E68FE-C2F9-410E-90A8-CE7F8B9A36E2}) (Version: 2.03.0204 - Aviata Inc.)

Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 18.1.2.1 - Synaptics Incorporated)

Dell Update (HKLM-x32\...\{D9D0E75C-F791-402A-98E2-A2F43E7B0CE3}) (Version: 1.1.1054.0 - Dell Inc.)

Diagnostics (HKLM-x32\...\Software Update11.041.44) (Version: 11.041.44 - Double Opt Media)

DSC/AA Factory Installer (Version: 3.5.6426.22 - PC-Doctor, Inc.) Hidden

Flight Simulator X (HKLM-x32\...\RTMshadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}) (Version:  - )

Flight Simulator X Service Pack 1 (HKLM-x32\...\SP1shadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}) (Version:  - )

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 36.0.1985.143 - Google Inc.)

Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden

iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.)

iExplorer 3.3.2.1 (HKLM-x32\...\{7FD8B0C1-CDDA-4B4D-A577-B2E3570EA3A3}_is1) (Version:  - Macroplant LLC)

iFunbox (v2.8.2414.748), iFunbox DevTeam (HKLM-x32\...\iFunbox_is1) (Version: v2.8.2414.748 - )

Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3621 - Intel Corporation)

Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)

Intel® Trusted Execution Engine (Version: 1.1.1.1 - Intel Corporation) Hidden

Intel® Trusted Execution Engine Driver (Version: 1.0.0.1064 - Intel Corporation) Hidden

iTunes (HKLM\...\{77DE5105-D05E-448C-96CB-7FA381903753}) (Version: 11.3.1.2 - Apple Inc.)

Just Flight Constellation Professional (HKLM-x32\...\{070B2AFF-E7F2-4085-83CD-5ED64A4C9CE5}) (Version: 1.00.000 - )

JustFlight F-117 Nighthawk for FS9 and FSX (HKCU\...\JustFlight F-117 Nighthawk for FS9 and FSX) (Version:  - )

Kasumi Rebirth [uNCEN], âåðñèÿ 3.2.5 (HKLM-x32\...\{CCBB5E45-88C1-4721-98B2-7866422B05F2}_is1) (Version: 3.2.5 - )

Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)

McAfee LiveSafe – Internet Security (HKLM-x32\...\MSC) (Version: 12.8.988 - McAfee, Inc.)

McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)

Microsoft Flight Simulator X (x32 Version: 10.0.61355.0 - Microsoft Game Studios) Hidden

Microsoft Flight Simulator X Service Pack 1 (x32 Version: 10.0.61355.0 - Microsoft Game Studios) Hidden

Microsoft Flight Simulator X: Acceleration (HKLM-x32\...\FlightSim_{A9729B90-D37B-4A69-B66A-7436AC1F7274}) (Version: 10.0.61637.0 - Microsoft Game Studios)

Microsoft Flight Simulator X: Acceleration (x32 Version: 10.0.61637.0 - Microsoft Game Studios) Hidden

Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)

Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.50727 (Version: 11.0.50727 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.50727 (Version: 11.0.50727 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.50727 (x32 Version: 11.0.50727 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106 (x32 Version: 11.0.51106 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.50727 (x32 Version: 11.0.50727 - Microsoft Corporation) Hidden

Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106 (x32 Version: 11.0.51106 - Microsoft Corporation) Hidden

MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)

My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)

My Dell Client Framework (HKLM-x32\...\InstallShield_{05F1B866-2372-4E82-9AA8-C64FB11CEF8B}) (Version: 1.0.0.3 - Dell)

My Dell Client Framework (x32 Version: 1.0.0.3 - Dell) Hidden

PocketCloud (HKLM-x32\...\{D9752C7D-A595-4687-A0D5-362E9C311C55}) (Version: 2.7.14 - Wyse Technology)

Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 10.16.005 - Dell Inc.)

QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)

Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.39048 - Realtek Semiconductor Corp.)

Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7152 - Realtek Semiconductor Corp.)

Stardock DeskScapes 8 (HKLM-x32\...\Stardock DeskScapes 8) (Version: 8.00 - Stardock Software, Inc.)

There (HKLM-x32\...\There) (Version:  - )

TuneUp Utilities 2014 (en-US) (x32 Version: 14.0.1000.340 - TuneUp Software) Hidden

TuneUp Utilities 2014 (HKLM-x32\...\TuneUp Utilities) (Version: 14.0.1000.340 - TuneUp Software)

TuneUp Utilities 2014 (x32 Version: 14.0.1000.340 - TuneUp Software) Hidden

Turbo Booster for uTorrent (HKLM-x32\...\Turbo Booster for uTorrent) (Version: 4.7.0.0 - DownloadBoosters LLC)

uTorrent Turbo Accelerator (HKLM-x32\...\uTorrent Turbo Accelerator) (Version: 3.8.0.0 - WebSpeeders LLC)

Virtavia B-1B Lancer (HKLM-x32\...\{C82EB055-445B-47CF-B76B-2FED0D4A7329}) (Version: 1.0.0 - Virtavia Pty Ltd)

Virtavia F-22A Raptor FSX & P3D (HKLM\...\{CBFE9686-0EA2-4887-B97E-767B8AD25136}) (Version: 1 - Virtavia)

VRS F/A-18E Superbug X (HKLM-x32\...\{0F1F6144-F13A-433D-B66E-129C5E8D504B}_is1) (Version: 1.0.5.1 - Vertical Reality Simulations)

Windows 8 Codec Pack 2.0.1 (HKLM-x32\...\Windows 8 - Codec Pack) (Version: 2.0.1 - Windows 8 Codec Pack)

WinRAR 5.11 beta 1 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.1 - win.rar GmbH)

Xtreme Prototypes X-15-2-3 VC for Flight Simulator (HKLM-x32\...\Xtreme Prototypes X-15-2-3 VC for Flight Simulator1.1) (Version: 1.1 - Xtreme Prototypes, Inc.)

 

==================== Custom CLSID (selected items): ==========================

 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

 

CustomCLSID: HKU\S-1-5-21-935466673-1756691942-2068257437-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

 

==================== Restore Points  =========================

 

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

 

==================== Scheduled Tasks (whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

 

Task: {05293577-D647-4185-B859-C94839A0B2E3} - System32\Tasks\Microsoft\Windows\SettingSync\NetworkStateChangeTask

Task: {0B161361-13A5-40F1-A08F-0DF87E173947} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-08-12] (Google Inc.)

Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList

Task: {0F6B994B-F36C-4AEE-977F-7A08E14655AB} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-10] (PC-Doctor, Inc.)

Task: {2085BF56-520D-4951-B7C0-DF34AF90CC6A} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask

Task: {21199D4C-F9E7-4A63-8AFD-C469861365D8} - System32\Tasks\Microsoft\Windows\DiskFootprint\Diagnostics

Task: {2C9C0C6C-2A74-46F2-858A-4389D253EAD0} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCachePrepopulate

Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\Windows\System32\AutoWorkplace.exe [2013-08-21] (Microsoft Corporation)

Task: {379F4D38-B6FE-4D2C-89E2-795AF33111F3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-08-21] (Piriform Ltd)

Task: {3B6D8A73-F20B-4C93-B8FB-56A154F172D2} - System32\Tasks\Microsoft\Windows\Time Zone\SynchronizeTimeZone => C:\Windows\system32\tzsync.exe [2013-08-22] (Microsoft Corporation)

Task: {3F1A154D-1834-4801-B395-1BF9D8DD8727} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2014-07-31] (Microsoft Corporation)

Task: {49754026-21E1-41FC-94FD-727AFE414FE7} - System32\Tasks\Microsoft\Windows\Sysmain\HybridDriveCacheRebalance

Task: {59E743E4-AA13-4140-B155-E2655E974068} - \AmiUpdXp No Task File <==== ATTENTION

Task: {6AA91E8C-DDBD-4979-8464-4062F7681A19} - System32\Tasks\Microsoft\Windows\Plug and Play\Plug and Play Cleanup

Task: {6BDD40C1-B248-40AB-9AEA-BEF3C2FFE1DE} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)

Task: {6DFCB649-0769-4F83-BB10-F60F235F6D3D} - System32\Tasks\Microsoft\Windows\SkyDrive\Idle Sync Maintenance Task

Task: {73B1B253-CE67-4501-AE1A-377DD1D68B65} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask

Task: {77F1D869-6E65-4079-A2A0-E2023408EF97} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState

Task: {872D0E53-FD2E-41E3-B431-698AF82882CE} - System32\Tasks\Microsoft\Windows\SkyDrive\Routine Maintenance Task

Task: {8CC813C9-712A-41EF-9512-B233444FC669} - System32\Tasks\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup => Rundll32.exe %windir%\system32\AppxDeploymentClient.dll,AppxPreStageCleanupRunTask

Task: {8FC4429E-91CC-47DA-9677-7562E780D5A3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-08-12] (Google Inc.)

Task: {94D1C73E-845E-4CB9-9FA1-170EEFDFC19C} - System32\Tasks\Apple Diagnostics => C:\Program Files (x86)\Common Files\Apple\Internet Services\EReporter.exe [2013-11-20] (Apple Inc.)

Task: {98292BAF-42C3-4FC1-9056-7EB1EE3B3C57} - System32\Tasks\Microsoft\Windows\WOF\WIM-Hash-Validation

Task: {9FF4C139-5234-410C-B7FA-23EE2FD2AB53} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Maintenance Work

Task: {A458EA11-E66F-40E7-812E-304AFE9BD64B} - System32\Tasks\PocketCloud => C:\Program Files (x86)\Wyse\PocketCloud\PocketCloudDesktopApp.exe [2013-08-22] ()

Task: {AA8010E3-2462-47B9-AB42-8CC9BBFD4BBC} - System32\Tasks\Dell\Dell Product Registration => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-02-19] (Aviata Inc)

Task: {B5D7E445-C4AD-4F8D-9E83-7D613AE6D6EA} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2013 => C:\Program Files (x86)\TuneUp Utilities 2014\OneClick.exe [2014-07-16] (TuneUp Software)

Task: {BC85E1B7-52D5-4AF3-BBD2-B06349C715D9} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2014-02-19] (Synaptics Incorporated)

Task: {CBDA51B5-18F3-4C3F-BBAD-09E7E42FDD0E} - System32\Tasks\Microsoft\Windows\DiskCleanup\SilentCleanup => C:\Windows\system32\cleanmgr.exe [2014-03-18] (Microsoft Corporation)

Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - System32\Tasks\Microsoft\Windows\SettingSync\BackupTask

Task: {D0BA805A-E7F2-4AFB-80E7-E17F98C33F14} - System32\Tasks\PocketCloudUpdater => C:\Program

Task: {D352DA66-6B83-46D8-9915-8E7B856C5978} - System32\Tasks\Microsoft\Windows\WOF\WIM-Hash-Management

Task: {D828BC49-B57F-4951-9AF2-7C677582CC5E} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-10] (PC-Doctor, Inc.)

Task: {D88FEC9E-A82A-46F9-87E2-B6B97B301C1A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing

Task: {D91856EA-A2C7-48C5-81B5-B44C466C5B43} - System32\Tasks\Microsoft\Windows\Shell\FamilySafetyUpload

Task: {DA46820F-FF8A-4B5E-A6B2-B12185DCFFFB} - System32\Tasks\Microsoft\Windows\Work Folders\Work Folders Logon Synchronization

Task: {DB6EFCBC-BE82-4EB2-A0F5-878DBAD8CB84} - System32\Tasks\PocketCloudVirtualChannel => C:\Program Files (x86)\Wyse\PocketCloud\WPCRDPVirtualChannelServer.exe [2013-08-22] ()

Task: {E41BF617-1199-4A17-B822-3B87322B25DA} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe

Task: {E6D378FA-E068-4BCB-80DE-56D43A249507} - System32\Tasks\Microsoft\Windows\RecoveryEnvironment\VerifyWinRE

Task: {FDE1EBEC-EFDB-4FDE-A254-F1166DEBEC71} - System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start With Network => Sc.exe start wuauserv

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

 

==================== Loaded Modules (whitelisted) =============

 

2014-07-16 10:24 - 2014-07-16 10:24 - 00699704 _____ () C:\Program Files (x86)\TuneUp Utilities 2014\avgrepliba.dll

2014-04-14 12:41 - 2014-04-14 12:41 - 00039192 _____ () C:\Program Files\CCleaner\branding.dll

2014-07-31 12:16 - 2014-07-31 12:16 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll

2014-07-31 12:16 - 2014-07-31 12:16 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

2014-08-12 14:34 - 2014-08-06 20:20 - 00718152 _____ () C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\libglesv2.dll

2014-08-12 14:34 - 2014-08-06 20:20 - 00126280 _____ () C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\libegl.dll

2014-08-12 14:34 - 2014-08-06 20:20 - 08537928 _____ () C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\pdf.dll

2014-08-12 14:34 - 2014-08-06 20:20 - 00353096 _____ () C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\ppGoogleNaClPluginChrome.dll

2014-08-12 14:34 - 2014-08-06 20:20 - 01732936 _____ () C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\ffmpegsumo.dll

2014-08-12 14:34 - 2014-08-06 20:20 - 14669128 _____ () C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\PepperFlash\pepflashplayer.dll

 

==================== Alternate Data Streams (whitelisted) =========

 

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

 

AlternateDataStreams: C:\Users\Jordan\OneDrive:ms-properties

 

==================== Safe Mode (whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\33558019.sys => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\33558019.sys => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

 

==================== EXE Association (whitelisted) =============

 

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

 

 

==================== MSCONFIG/TASK MANAGER disabled items =========

 

(Currently there is no automatic fix for this section.)

 

HKLM\...\StartupApproved\StartupFolder: => "TrayMenu.lnk"

HKLM\...\StartupApproved\Run32: => "iTunesHelper"

HKLM\...\StartupApproved\Run32: => "QuickTime Task"

HKLM\...\StartupApproved\Run32: => "FAStartup"

HKLM\...\StartupApproved\Run32: => "FATrayAlert"

HKCU\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_D35563CBE1D1A1436A67A5E5C259B9F5"

HKCU\...\StartupApproved\Run: => "iCloudServices"

HKCU\...\StartupApproved\Run: => "ApplePhotoStreams"

HKCU\...\StartupApproved\Run: => "Diagnostics"

HKCU\...\StartupApproved\Run: => "uTorrent"

HKCU\...\StartupApproved\Run: => "DAEMON Tools Ultra Agent"

HKCU\...\StartupApproved\Run: => "YfddPack"

HKCU\...\StartupApproved\Run: => "UZDmedia"

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (09/01/2014 03:54:55 PM) (Source: VSS) (EventID: 12292) (User: )

Description: Volume Shadow Copy Service error: Error creating the Shadow Copy Provider COM class with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

].

 

 

Operation:

   Obtain a callable interface for this provider

   List interfaces for all providers supporting this context

   Query Shadow Copies

 

Context:

   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}

   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}

   Snapshot Context: 13

   Snapshot Context: 13

   Execution Context: Coordinator

 

Error: (09/01/2014 03:54:55 PM) (Source: VSS) (EventID: 13) (User: )

Description: Volume Shadow Copy Service information: The COM Server with CLSID {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a} and name SW_PROV cannot be started. [0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

]

 

 

Operation:

   Obtain a callable interface for this provider

   List interfaces for all providers supporting this context

   Query Shadow Copies

 

Context:

   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}

   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}

   Snapshot Context: 13

   Snapshot Context: 13

   Execution Context: Coordinator

 

Error: (09/01/2014 03:21:37 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 8727797

 

Error: (09/01/2014 03:21:37 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 8727797

 

Error: (09/01/2014 03:21:37 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: Continuously busy for more than a second

 

Error: (09/01/2014 00:56:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 5438

 

Error: (09/01/2014 00:56:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 5438

 

Error: (09/01/2014 00:56:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: Continuously busy for more than a second

 

Error: (09/01/2014 00:56:14 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 4313

 

Error: (09/01/2014 00:56:14 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 4313

 

 

System errors:

=============

Error: (09/01/2014 02:48:40 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)

Description: {209500FC-6B45-4693-8871-6296C4843751}

 

Error: (09/01/2014 02:43:31 AM) (Source: DCOM) (EventID: 10010) (User: JORDANSPC)

Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

 

Error: (09/01/2014 02:43:31 AM) (Source: DCOM) (EventID: 10010) (User: JORDANSPC)

Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

 

Error: (09/01/2014 02:41:20 AM) (Source: EventLog) (EventID: 6008) (User: )

Description: The previous system shutdown at 2:39:55 AM on ‎9/‎1/‎2014 was unexpected.

 

Error: (08/31/2014 10:30:27 PM) (Source: DCOM) (EventID: 10010) (User: JORDANSPC)

Description: Microsoft.WindowsLive.Mail.AppXj3e9v0xw9sf8t58nqr15tqqb2yq4zsfg.mca

 

Error: (08/31/2014 10:27:41 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Windows Defender Network Inspection Service service failed to start due to the following error: 

%%577

 

Error: (08/31/2014 10:27:41 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Windows Defender Service service failed to start due to the following error: 

%%577

 

Error: (08/31/2014 10:15:13 PM) (Source: Service Control Manager) (EventID: 7032) (User: )

Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Modules Installer service, but this action failed with the following error: 

%%1056

 

Error: (08/31/2014 10:15:13 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Windows Defender Network Inspection Service service failed to start due to the following error: 

%%577

 

Error: (08/31/2014 10:15:12 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Windows Defender Service service failed to start due to the following error: 

%%577

 

 

Microsoft Office Sessions:

=========================

Error: (09/01/2014 03:54:55 PM) (Source: VSS) (EventID: 12292) (User: )

Description: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

 

 

Operation:

   Obtain a callable interface for this provider

   List interfaces for all providers supporting this context

   Query Shadow Copies

 

Context:

   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}

   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}

   Snapshot Context: 13

   Snapshot Context: 13

   Execution Context: Coordinator

 

Error: (09/01/2014 03:54:55 PM) (Source: VSS) (EventID: 13) (User: )

Description: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}SW_PROV0x80070422, The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

 

 

Operation:

   Obtain a callable interface for this provider

   List interfaces for all providers supporting this context

   Query Shadow Copies

 

Context:

   Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}

   Class ID: {65ee1dba-8ff4-4a58-ac1c-3470ee2f376a}

   Snapshot Context: 13

   Snapshot Context: 13

   Execution Context: Coordinator

 

Error: (09/01/2014 03:21:37 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 8727797

 

Error: (09/01/2014 03:21:37 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 8727797

 

Error: (09/01/2014 03:21:37 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: Continuously busy for more than a second

 

Error: (09/01/2014 00:56:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 5438

 

Error: (09/01/2014 00:56:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 5438

 

Error: (09/01/2014 00:56:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: Continuously busy for more than a second

 

Error: (09/01/2014 00:56:14 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 4313

 

Error: (09/01/2014 00:56:14 PM) (Source: Bonjour Service) (EventID: 100) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 4313

 

 

CodeIntegrity Errors:

===================================

  Date: 2014-08-31 22:27:41.283

  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume5\Program Files\Windows Defender\NisSrv.exe that did not meet the Custom 3 / Antimalware signing level requirements.

 

  Date: 2014-08-31 22:27:41.053

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2014-08-31 22:15:13.784

  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume5\Program Files\Windows Defender\NisSrv.exe that did not meet the Custom 3 / Antimalware signing level requirements.

 

  Date: 2014-08-31 22:15:12.871

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2014-08-31 18:52:45.345

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2014-08-31 18:52:44.943

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2014-08-31 18:52:44.754

  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume5\Program Files\Windows Defender\NisSrv.exe that did not meet the Custom 3 / Antimalware signing level requirements.

 

 

==================== Memory info =========================== 

 

Processor: Intel® Celeron® CPU N2830 @ 2.16GHz

Percentage of memory in use: 61%

Total physical RAM: 3979.2 MB

Available physical RAM: 1522.04 MB

Total Pagefile: 4875.2 MB

Available Pagefile: 2080.96 MB

Total Virtual: 131072 MB

Available Virtual: 131071.8 MB

 

==================== Drives ================================

 

Drive c: (OS) (Fixed) (Total:455.22 GB) (Free:263.56 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (Size: 465.8 GB) (Disk ID: 917E9FD1)

 

Partition: GPT Partition Type.

 

==================== End Of Log ============================


Better take another look...

Rules and policies

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

Also

Illegal downloads warning!

Please stay away from this type of file. Our forum doesn't support piracy and documented illegal files may prevent me from helping you, so please bear in mind my expectation to get them removed from your machine.

I'm referring especially to all kinds of movies and series that are visible in your logfiles.


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    > XP users click run after receipt of Windows Security Warning - Open File.

    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


I have been listening to you this entire time. I don't know all the folders where .torrent is coming up so I mainly deleted the torrented downloads. I might need assistance with further removing P2P programs or anything affiliated with it. But with my knowledge all related content should be gone.  


No, if you say that - you are not wasting.

I am (personally, it's not only the forum policy) against any pirated stuff. If you say that you just don't know where it is, but agree to remove it, don't worry. I will jump in with my tools and remove the illegally obtained files tomorrow.

Just bear in mind that I will be ruthless and will remove any found file/soft. Confirm that you agree to the aforementioned and I will investigate both illegal stuff and security issues tomorrow.

See you :)


Hi.
 
No need to include event log, here, FRST makes a report that includes its entries. Let's see fresh reports and we will go from there.


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


OK there are the scan details. Oh and I mentioned the event viewer because it showed all the logs of the explorer.exe application error and where it was originating from. Oh, and to add, my task bar is no longer in working condition and I have to use task manager to do things, and also since explorer.exe is affected anything that uses it won't stay opened.

FRST_02-09-2014_10-27-55.txt

Addition_02-09-2014_10-41-12.txt


  • Root Admin

Due to ongoing pirated software which has not been removed according to the logs per request of your helper the topic will be closed for piracy.

Examples:

C:\Users\Jordan\Downloads\Stardock DeskScape 8 incl. Trial reset-DeGun TPB 2013.06.rar
C:\Users\Jordan\Downloads\FSX_cracks_all_versions.rar
C:\Users\Jordan\Downloads\VRS FA18E Cracked.rar



Piracy Policy

This topic is now closed to further replies.