
Clean install W7 Pro - still infected!


BoRe


Couldn't save an MBAM log.

 

FRST notes:

  1. I set Firefox as the default browser, not IE

  2. There is only one physical HDD

  3. I installed W7 on the 24GB partition 2, now shown as inactive

  4. I never installed a GPT partition - I think this is the hidden drive containing the malware

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:09-12-2015
Ran by Fuzzy (administrator) on TRIAL-PC (11-12-2015 08:09:47)
Running from C:\Users\Trial\Desktop
Loaded Profiles: Trial & Fuzzy (Available Profiles: Trial & Fuzzy)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-1625722349-1841773593-886300088-1000\...\MountPoints2: {b688ef49-9e83-11e5-830e-806e6f6e6963} - E:\MbamMbae-setup.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{CB4BF8C3-107B-4830-88D1-31341AC78398}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-11] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)

========================== Drivers MD5 =======================

C:\Windows\system32\drivers\1394ohci.sys ==> MD5 is legit
C:\Windows\System32\drivers\ACPI.sys ==> MD5 is legit
C:\Windows\system32\drivers\acpipmi.sys ==> MD5 is legit
C:\Windows\system32\drivers\adp94xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\adpu320.sys ==> MD5 is legit
C:\Windows\system32\drivers\afd.sys ==> MD5 is legit
C:\Windows\system32\drivers\agp440.sys ==> MD5 is legit
C:\Windows\system32\drivers\aliide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdide.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdk8.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\amdppm.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsata.sys ==> MD5 is legit
C:\Windows\system32\drivers\amdsbs.sys ==> MD5 is legit
C:\Windows\System32\drivers\amdxata.sys ==> MD5 is legit
C:\Windows\system32\drivers\appid.sys ==> MD5 is legit
C:\Windows\system32\drivers\arc.sys ==> MD5 is legit
C:\Windows\system32\drivers\arcsas.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\asyncmac.sys ==> MD5 is legit
C:\Windows\System32\drivers\atapi.sys ==> MD5 is legit
C:\Windows\system32\drivers\bxvbda.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\b57nd60a.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Beep.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\blbdrive.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\bowser.sys 91CE0D3DC57DD377E690A2D324022B08
C:\Windows\system32\drivers\BrFiltLo.sys ==> MD5 is legit
C:\Windows\system32\drivers\BrFiltUp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Brserid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrSerWdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbMdm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\BrUsbSer.sys ==> MD5 is legit
C:\Windows\system32\drivers\bthmodem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdfs.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\cdrom.sys ==> MD5 is legit
C:\Windows\system32\drivers\circlass.sys ==> MD5 is legit
C:\Windows\System32\CLFS.sys ==> MD5 is legit
C:\Windows\system32\drivers\CmBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\cmdide.sys ==> MD5 is legit
C:\Windows\System32\Drivers\cng.sys ==> MD5 is legit
C:\Windows\system32\drivers\compbatt.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\CompositeBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\crcdisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\csc.sys ==> MD5 is legit
C:\Windows\System32\Drivers\dfsc.sys ==> MD5 is legit
C:\Windows\System32\drivers\discache.sys ==> MD5 is legit
C:\Windows\System32\drivers\disk.sys ==> MD5 is legit
C:\Windows\system32\drivers\dmvsc.sys 5DB085A8A6600BE6401F2B24EECB5415
C:\Windows\System32\drivers\drmkaud.sys ==> MD5 is legit
C:\Windows\System32\drivers\dxgkrnl.sys ==> MD5 is legit
C:\Windows\system32\drivers\evbda.sys ==> MD5 is legit
C:\Windows\system32\drivers\elxstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\errdev.sys ==> MD5 is legit
C:\Windows\System32\Drivers\exfat.sys ==> MD5 is legit
C:\Windows\System32\Drivers\fastfat.sys ==> MD5 is legit
C:\Windows\system32\drivers\fdc.sys ==> MD5 is legit
C:\Windows\System32\drivers\fileinfo.sys ==> MD5 is legit
C:\Windows\System32\drivers\filetrace.sys ==> MD5 is legit
C:\Windows\system32\drivers\flpydisk.sys ==> MD5 is legit
C:\Windows\System32\drivers\fltmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\FsDepends.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Fs_Rec.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\fvevol.sys ==> MD5 is legit
C:\Windows\system32\drivers\gagp30kx.sys ==> MD5 is legit
C:\Windows\system32\drivers\hcw85cir.sys ==> MD5 is legit
C:\Windows\System32\drivers\HdAudio.sys 975761C778E33CD22498059B91E7373A
C:\Windows\System32\DRIVERS\HDAudBus.sys ==> MD5 is legit
C:\Windows\system32\drivers\HidBatt.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidbth.sys ==> MD5 is legit
C:\Windows\system32\drivers\hidir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\hidusb.sys ==> MD5 is legit
C:\Windows\system32\drivers\HpSAMD.sys ==> MD5 is legit
C:\Windows\System32\drivers\HTTP.sys ==> MD5 is legit
C:\Windows\System32\drivers\hwpolicy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\i8042prt.sys ==> MD5 is legit
C:\Windows\system32\drivers\iaStorV.sys ==> MD5 is legit
C:\Windows\system32\drivers\iirsp.sys ==> MD5 is legit
C:\Windows\system32\drivers\intelide.sys ==> MD5 is legit
C:\Windows\system32\drivers\intelppm.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ipfltdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\IPMIDrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\ipnat.sys ==> MD5 is legit
C:\Windows\System32\drivers\irenum.sys ==> MD5 is legit
C:\Windows\system32\drivers\isapnp.sys ==> MD5 is legit
C:\Windows\system32\drivers\msiscsi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\kbdhid.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecdd.sys ==> MD5 is legit
C:\Windows\System32\Drivers\ksecpkg.sys ==> MD5 is legit
C:\Windows\system32\drivers\ksthunk.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\lltdio.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_fc.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_sas2.sys ==> MD5 is legit
C:\Windows\system32\drivers\lsi_scsi.sys ==> MD5 is legit
C:\Windows\system32\drivers\luafv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mbamchameleon.sys 42B3F5C9FBC9B3F0E0BA6B5D7FC8E849
C:\Windows\system32\drivers\mbam.sys CFBC6C6D8A492697CABD1D353EE64933
C:\Windows\system32\drivers\MBAMSwissArmy.sys 78488AF2AB2111D67B3C4044707A519B
C:\Windows\system32\drivers\mwac.sys D61070CFAD43038DC56AEAD9BFE9CE2A
C:\Windows\system32\drivers\megasas.sys ==> MD5 is legit
C:\Windows\system32\drivers\MegaSR.sys ==> MD5 is legit
C:\Windows\System32\drivers\modem.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\monitor.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouclass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mouhid.sys ==> MD5 is legit
C:\Windows\System32\drivers\mountmgr.sys ==> MD5 is legit
C:\Windows\system32\drivers\mpio.sys ==> MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys ==> MD5 is legit
C:\Windows\system32\drivers\mrxdav.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mrxsmb.sys FAF015B07E3A2874A790A39B7D2C579F
C:\Windows\System32\DRIVERS\mrxsmb10.sys 08E2345DF129082BCDFFDC1440F9C00D
C:\Windows\System32\DRIVERS\mrxsmb20.sys 108D87409C5812EF47D81E22843E8C9D
C:\Windows\System32\drivers\msahci.sys ==> MD5 is legit
C:\Windows\system32\drivers\msdsm.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Msfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\mshidkmdf.sys ==> MD5 is legit
C:\Windows\System32\drivers\msisadrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSKSSRV.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPCLOCK.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSPQM.sys ==> MD5 is legit
C:\Windows\System32\Drivers\MsRPC.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\mssmbios.sys ==> MD5 is legit
C:\Windows\System32\drivers\MSTEE.sys ==> MD5 is legit
C:\Windows\system32\drivers\MTConfig.sys ==> MD5 is legit
C:\Windows\System32\Drivers\mup.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\nwifi.sys ==> MD5 is legit
C:\Windows\System32\drivers\ndis.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiscap.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndistapi.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndisuio.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\ndiswan.sys ==> MD5 is legit
C:\Windows\System32\Drivers\NDProxy.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbios.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\netbt.sys ==> MD5 is legit
C:\Windows\system32\drivers\nfrd960.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Npfs.sys ==> MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Ntfs.sys ==> MD5 is legit
C:\Windows\System32\Drivers\Null.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvraid.sys ==> MD5 is legit
C:\Windows\system32\drivers\nvstor.sys ==> MD5 is legit
C:\Windows\system32\drivers\nv_agp.sys ==> MD5 is legit
C:\Windows\system32\drivers\ohci1394.sys ==> MD5 is legit
C:\Windows\system32\drivers\parport.sys ==> MD5 is legit
C:\Windows\System32\drivers\partmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\pci.sys ==> MD5 is legit
C:\Windows\system32\drivers\pciide.sys ==> MD5 is legit
C:\Windows\system32\drivers\pcmcia.sys ==> MD5 is legit
C:\Windows\System32\drivers\pcw.sys ==> MD5 is legit
C:\Windows\System32\drivers\peauth.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspptp.sys ==> MD5 is legit
C:\Windows\system32\drivers\processr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\pacer.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql2300.sys ==> MD5 is legit
C:\Windows\system32\drivers\ql40xx.sys ==> MD5 is legit
C:\Windows\system32\drivers\qwavedrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasacd.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\AgileVpn.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rasl2tp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\raspppoe.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rassstp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdbss.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rdpbus.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\RDPCDD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpdr.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdpencdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdprefmp.sys ==> MD5 is legit
C:\Windows\System32\Drivers\RDPWD.sys ==> MD5 is legit
C:\Windows\System32\drivers\rdyboost.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\rspndr.sys ==> MD5 is legit
C:\Windows\system32\drivers\vms3cap.sys ==> MD5 is legit
C:\Windows\system32\drivers\sbp2port.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\scfilter.sys ==> MD5 is legit
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serenum.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\serial.sys ==> MD5 is legit
C:\Windows\system32\drivers\sermouse.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffdisk.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_mmc.sys ==> MD5 is legit
C:\Windows\system32\drivers\sffp_sd.sys ==> MD5 is legit
C:\Windows\system32\drivers\sfloppy.sys ==> MD5 is legit
C:\Windows\system32\drivers\SiSRaid2.sys ==> MD5 is legit
C:\Windows\system32\drivers\sisraid4.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\smb.sys ==> MD5 is legit
C:\Windows\System32\Drivers\spldr.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\srv.sys 2098B8556D1CEC2ACA9A29CD479E3692
C:\Windows\System32\DRIVERS\srv2.sys D0F73A42040F21F92FD314B42AC5C9E7
C:\Windows\System32\DRIVERS\srvnet.sys 2BA8F3250828CCDB4204ECF2C6F40B6A
C:\Windows\system32\drivers\stexstor.sys ==> MD5 is legit
C:\Windows\System32\drivers\vmstorfl.sys ==> MD5 is legit
C:\Windows\system32\drivers\storvsc.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\swenum.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpip.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tcpip.sys ==> MD5 is legit
C:\Windows\System32\drivers\tcpipreg.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdpipe.sys ==> MD5 is legit
C:\Windows\System32\drivers\tdtcp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\tdx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\termdd.sys ==> MD5 is legit
C:\Windows\System32\drivers\tpm.sys DBCC20C02E8A3E43B03C304A4E40A84F
C:\Windows\System32\DRIVERS\tssecsrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\tsusbflt.sys ==> MD5 is legit
C:\Windows\system32\drivers\TsUsbGD.sys 9CC2CCAE8A84820EAECB886D477CBCB8
C:\Windows\System32\DRIVERS\tunnel.sys ==> MD5 is legit
C:\Windows\system32\drivers\uagp35.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\udfs.sys ==> MD5 is legit
C:\Windows\system32\drivers\uliagpkx.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\umbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\umpass.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbccgp.sys ==> MD5 is legit
C:\Windows\system32\drivers\usbcir.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbehci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbhub.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbohci.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbprint.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\usbscan.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\USBSTOR.SYS ==> MD5 is legit
C:\Windows\system32\drivers\usbuhci.sys ==> MD5 is legit
C:\Windows\System32\drivers\vdrvroot.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\vgapnp.sys ==> MD5 is legit
C:\Windows\System32\drivers\vga.sys ==> MD5 is legit
C:\Windows\system32\drivers\vhdmp.sys ==> MD5 is legit
C:\Windows\system32\drivers\viaide.sys ==> MD5 is legit
C:\Windows\system32\drivers\vmbus.sys ==> MD5 is legit
C:\Windows\system32\drivers\VMBusHID.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgr.sys ==> MD5 is legit
C:\Windows\System32\drivers\volmgrx.sys ==> MD5 is legit
C:\Windows\System32\drivers\volsnap.sys ==> MD5 is legit
C:\Windows\system32\drivers\vsmraid.sys ==> MD5 is legit
C:\Windows\System32\drivers\vwifibus.sys ==> MD5 is legit
C:\Windows\system32\drivers\wacompen.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wanarp.sys ==> MD5 is legit
C:\Windows\system32\drivers\wd.sys ==> MD5 is legit
C:\Windows\System32\drivers\Wdf01000.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wfplwf.sys ==> MD5 is legit
C:\Windows\System32\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\SysWOW64\drivers\wimmount.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\wmiacpi.sys ==> MD5 is legit
C:\Windows\system32\drivers\ws2ifsl.sys ==> MD5 is legit
C:\Windows\System32\drivers\WudfPf.sys ==> MD5 is legit
C:\Windows\System32\DRIVERS\WUDFRd.sys ==> MD5 is legit

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Three Months Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-11 08:09 - 2015-12-11 08:10 - 00018059 _____ C:\Users\Trial\Desktop\FRST.txt
2015-12-11 08:09 - 2015-12-11 08:09 - 00000000 ____D C:\FRST
2015-12-11 08:08 - 2015-12-11 08:08 - 02369024 _____ (Farbar) C:\Users\Trial\Desktop\FRST64.exe
2015-12-11 07:31 - 2015-12-11 07:33 - 00000000 ____D C:\Program Data
2015-12-11 07:11 - 2015-12-11 07:35 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-11 07:10 - 2015-12-11 07:10 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2015-12-11 07:10 - 2015-12-11 07:10 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-11 07:10 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-12-11 07:10 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-12-11 07:10 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-12-11 07:03 - 2015-12-11 07:03 - 00000000 ____D C:\Chameleon
2015-12-11 06:47 - 2015-12-11 06:47 - 01592131 _____ C:\Users\Trial\Desktop\MalwarebytesAntiMalwareUserGuide.pdf
2015-12-11 06:42 - 2015-12-11 06:42 - 00001409 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-11 06:41 - 2015-12-11 06:42 - 00001443 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-11 06:41 - 2015-12-11 06:41 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\VirtualStore
2015-12-10 04:15 - 2015-12-11 06:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-10 04:15 - 2015-12-10 04:17 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-12-10 04:15 - 2015-12-10 04:16 - 00243656 _____ C:\Users\Trial\Downloads\Firefox Setup Stub 42.0.exe
2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Mozilla
2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Local\Mozilla
2015-12-10 03:33 - 2015-12-10 03:33 - 00057560 _____ C:\Users\Fuzzy\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-10 03:19 - 2015-12-10 03:12 - 00003900 _____ C:\Users\Trial\Desktop\route.print.txt
2015-12-10 03:18 - 2015-12-10 03:12 - 00003060 _____ C:\Users\Trial\Desktop\ipconfig.all.txt
2015-12-10 03:03 - 2015-12-11 06:41 - 00000000 ____D C:\Users\Fuzzy
2015-12-10 03:03 - 2015-12-10 03:03 - 00000020 ___SH C:\Users\Fuzzy\ntuser.ini
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\My Documents
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Videos
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Pictures
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Music
2015-12-10 03:03 - 2011-04-12 03:28 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\Media Center Programs
2015-12-09 09:51 - 2015-12-09 09:51 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2015-12-09 09:51 - 2015-12-09 09:51 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2015-12-09 09:48 - 2015-12-09 09:48 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2015-12-09 09:46 - 2015-12-09 07:35 - 00000000 ____D C:\Windows\Panther
2015-12-09 08:42 - 2015-12-09 08:42 - 00057560 _____ C:\Users\Trial\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-09 08:07 - 2015-12-09 08:07 - 00000000 ____D C:\OriginalDrvrsPkg
2015-12-09 08:05 - 2015-12-09 08:11 - 00000000 ____D C:\swsetup
2015-12-09 07:39 - 2015-12-09 07:39 - 00003050 _____ C:\Windows\System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B}
2015-12-09 07:36 - 2015-12-09 07:36 - 00001443 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-09 07:36 - 2015-12-09 07:36 - 00001409 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-09 07:36 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial\AppData\Local\VirtualStore
2015-12-09 07:35 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial
2015-12-09 07:35 - 2015-12-09 07:35 - 00000020 ___SH C:\Users\Trial\ntuser.ini
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\My Documents
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Videos
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Pictures
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Music
2015-12-09 07:35 - 2011-04-12 03:28 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Media Center Programs

==================== Three Months Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-11 08:09 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-12-11 07:15 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\tracing
2015-12-11 06:45 - 2009-07-14 00:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-11 06:45 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2015-12-11 06:41 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-10 05:29 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-10 05:29 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-10 03:27 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2015-12-09 10:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2015-12-09 09:52 - 2009-07-13 23:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-09 09:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\sysprep
2015-12-09 09:48 - 2011-04-12 03:28 - 00000000 ____D C:\Windows\CSC
2015-12-09 09:46 - 2009-07-14 00:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {a0d9432a-9e83-11e5-8695-cdd7567fadc1}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {a0d9432c-9e83-11e5-8695-cdd7567fadc1}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {a0d9432a-9e83-11e5-8695-cdd7567fadc1}
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {a0d9432c-9e83-11e5-8695-cdd7567fadc1}
device                  ramdisk=[C:]\Recovery\a0d9432c-9e83-11e5-8695-cdd7567fadc1\Winre.wim,{a0d9432d-9e83-11e5-8695-cdd7567fadc1}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[C:]\Recovery\a0d9432c-9e83-11e5-8695-cdd7567fadc1\Winre.wim,{a0d9432d-9e83-11e5-8695-cdd7567fadc1}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {a0d9432a-9e83-11e5-8695-cdd7567fadc1}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {a0d9432d-9e83-11e5-8695-cdd7567fadc1}
description             Ramdisk Options
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\a0d9432c-9e83-11e5-8695-cdd7567fadc1\boot.sdi



LastRegBack: 2015-12-09 09:47

==================== End of FRST.txt ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:09-12-2015
Ran by Fuzzy (2015-12-11 08:10:14)
Running from C:\Users\Trial\Desktop
Windows 7 Professional Service Pack 1 (X64) (2015-12-09 12:35:45)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1625722349-1841773593-886300088-500 - Administrator - Disabled)
Fuzzy (S-1-5-21-1625722349-1841773593-886300088-1001 - Administrator - Enabled) => C:\Users\Fuzzy
Guest (S-1-5-21-1625722349-1841773593-886300088-501 - Limited - Enabled)
Trial (S-1-5-21-1625722349-1841773593-886300088-1000 - Limited - Enabled) => C:\Users\Trial

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {D782AC97-277B-41AA-8CEF-1C26A2596BA7} - System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B} => pcalua.exe -a E:\MbamMbae-setup.exe -d E:\

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1625722349-1841773593-886300088-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 209.18.47.61 - 209.18.47.62
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{E349130A-80FF-4039-9D9F-5BBC6953B7F4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{60811ED5-8C79-4861-B0E6-BA64FD9BB999}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{08577180-EA8D-47A2-B6D9-866F04D7CD6C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6371C883-3255-4226-A299-8DA5D00D3448}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Faulty Device Manager Devices =============

Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/11/2015 06:42:46 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/10/2015 03:46:36 AM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={1A8EDC33-A5B0-4ECA-9FA9-E16CBA38FBF7}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.

Error: (12/10/2015 03:45:09 AM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={4388CA10-F398-4476-A836-397F4B710378}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.

Error: (12/10/2015 03:44:12 AM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={84543412-4326-4887-BD0F-A25CE5FA4B5E}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.

Error: (12/10/2015 03:43:30 AM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={624C7252-FB5B-4399-B741-ED022EEA60D3}: The user Trial-PC\Trial dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.

Error: (12/10/2015 02:52:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/09/2015 10:35:11 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============

==================== Memory info ===========================

Processor: AMD Athlon II X2 B24 Processor
Percentage of memory in use: 21%
Total physical RAM: 7679.39 MB
Available physical RAM: 6038.07 MB
Total Virtual: 15356.98 MB
Available Virtual: 13755.97 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:23.96 GB) (Free:3.16 GB) NTFS
Drive d: () (Fixed) (Total:208.83 GB) (Free:208.73 GB) NTFS
Drive f: () (Removable) (Total:7.26 GB) (Free:3.3 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 06F7285A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=24 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=208.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.3 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================

Hello, Hello and thanks for your reply.

Is this your computer? Yes, it is. What makes you think you're infected?

- I cannot set up a network connection, but there's a working connection that won't let me modify any settings.

- Search in Firefox by Google yields pages from 2012 and 2013! Redirect much?

- When I bought this Joy Systems refurbished HP 6005 Pro SSF PC, the drivers were mostly HP branded. Now almost all are Microsoft from 2006. No drivers can be updated with the clean newer versions I downloaded from HP onto a new thumb drive.

- I cannot access my modem. The rigorous password was changed. Soft or hard resets do nothing.

- Whenever I try to harden my Win 7 installation by changing settings, many choices are greyed out. If it appears changes were accepted and I go back to check, all have been reset to what I changed from.

- I've spent hours trying to prove I'm infected. With all due respect, please realize that a main feature of the malware I suspect is its ability to hide.

First of all let's make one thing clear. Your PC isn't infected and we put a period on this thing.

Now we will try to solve the problems one by one.

Take a look at this link on how to reset your router:

http://setuprouter.com/networking/how-to-reset-your-router/

It would also help if you would tell me the exact model of your router.

Now let's install all drivers for your computer.

Scan with HWiNFO

Download HWiNFO64 Portable and save it to your Desktop.
  • Unpack the archive and run HWiNFO64.exe
  • When the Welcome window opens, click Settings and make sure to uncheck the following boxes:
    • Show System Summary on Startup
    • Automatic Update
  • Click OK and then click Run
  • Wait until the program analyzes your computer.
  • Click Report --> Create
  • In the next window, check Text Logfile, and then click Browse.
  • Select your Desktop and name the report as you wish. Press Save.
  • Click Next --> Finish.
  • Attach the produced report in your next reply.

First of all let's make one thing clear. Your PC isn't infected and we put a period on this thing.

Now we will try to solve the problems one by one. You don't know how much I appreciate your help!

Take a look at this link on how to reset your router:

http://setuprouter.com/networking/how-to-reset-your-router/

I'll go through all that info carefully, but won't perform a reset until you tell me to.

It would also help if you would tell me the exact model of your router.  Xytel Hitron BRG-35503 broadband modem

No router in my network

Now let's install all drivers for your computer.

Scan with HWiNFO

Download HWiNFO64 Portable and save it to your Desktop.
  • Unpack the archive and run HWiNFO64.exe
  • When the Welcome window opens, click Settings and make sure to uncheck the following boxes:
    • Show System Summary on Startup
    • Automatic Update
  • Click OK and then click Run
  • Wait until the program analyzes your computer.
  • Click Report --> Create
  • In the next window, check Text Logfile, and then click Browse.
  • Select your Desktop and name the report as you wish. Press Save.
  • Click Next --> Finish.
  • Attach the produced report in your next reply.

Completed this, except I don't see the paperclip icon for uploading attachments. Maybe I'm an idiot, but here's the screenshot. Had to use CtrlV, as right click Paste was greyed out for this PNG.

My mouse is acting up - I put it where I want and start typing and the paragraph and cursor go flying somewhere else in the reply form. If I try to type below this screenshot, the image disappears. Let me see if this will post and finish up in another reply.

Nope. I get an error "You are not allowed to use that image extension on this community."  Tried posting it as a PNG and JPG. OK, so the screenshot won't be here...sigh.

TRIAL-PC.LOG


No luck resetting my modem. My ISP says they can't help because it isn't rented from them, but belongs to me. My public internet and PC internal IPs are the same - is that normal?

I have never connected to a remote server - I don't work for a company. This is strictly a personal PC. So why are the attached files needed and "Access Denied"?

Darn! Now I get an error that I'm not allowed to upload .txt files. Sorry, I'll have to copy/paste.

Oh, no! CtrlV is now disabled, too. What is going on?

Can you make a picture of these files?

Is there an option to change your router for a much better and newer product like TP-Link or Asus? That's only my suggestion, it isn't mandatory.

There is a reset button on the rear side of your modem:

While the router is on, use a pin or the end of a paper clip to press and hold the reset button. You will need to hold it for about 10 seconds.

When you reset your router, you can try to access it by typing 192.168.100.1 into your web browser. Default username/password should be admin/hitron.

Yes, I have JPG and PNG versions of the files also, but when I try to attach an image (insert is not available) I always get the error message "You are not allowed to use that image extension on this community." Let me try other methods - it seems things change as I work.

C:\Windows\SysWOW64\ras\Switch.txt

; SWITCH.INF for Windows XP Network and Dial-up Connections/
; Remote Access Service
; Copyright © Microsoft Corporation.  All rights reserved.

; You should read all of the comments in this file before you
; activate a script. Complete information about using this file
; is available in NETCFG.CHM.

; This file provides sample logon scripts for connections to
; remote computers. Connections to Windows NT RAS computers do not use
; this file, so this file is used only for connecting to
; non-Microsoft computers.

; SEE   Network Connections now supports the Windows 95 scripting
; ALSO  language which you may find easier to use than SWITCH.INF
;       scripts.  The language is described in NETCFG.CHM

; The most common use of scripts is an after-dialing script that
; logs you on to a remote computer, such as an Internet connection
; provider.  You activate the scripts in this file by editing the
; Interactive logon and scripting settings in the Security properties
; of the Network Connection.

; The Generic logon script can be activated and used immediately.
; The additional scripts in this file are provided as examples from
; which you can cut and paste relevant sections into your own scripts.
; The comment marker (;) in column one of the non-generic scripts must
; be removed before the scripts will work.

; These scripts assume the remote computer uses the words login and
; password followed by a colon (eg "login:" and "password:") to prompt
; you for your username and password.  If the remote computer prompts
; you with words other than login and password,  you must
; replace ogin: and assword: in the scripts below with the exact
; text the remote computer uses. Note: The text in the script does not
; include the first few letters because the remote computer may respond
; with <Password> or <password>.

;==============================================================

[Generic login]

; This script will automate many logons when the remote computer
; prompts only for login (username) and password. This script requires
; Windows NT 3.51 or later.

; When you first dial this entry, the "Connect" window will
; prompt for your username and password.  The username and password
; entered on that window will be used by the <username> and <password>
; macros in this script.  By requiring the username and password on
; initial dial, this script is secure.

; The "Use Windows password" check box on the Network Connections
; Security page must be cleared when using this script (cleared by
; default), because the clear password is not available in that case.  
; Passwords saved with the "Save Password" checkbox will work.


; Each script is a sequence of alternating COMMANDs and responses.
; Here, we start communication with the remote computer by saying
; we have nothing to send before expecting a response.

      COMMAND=


; The following two lines cause Network Connections to ignore all responses
; until the remote computer requests your login name. If the remote
; computer prompts you with a word other than login you must
; replace ogin: in the line below with the exact text the
; remote computer uses.

      OK=<match>"ogin:"
      LOOP=<ignore>


; This is the equivalent of typing the same username you filled in
; on the "Connect" window or saved with the "Save password"
; checkbox.

      COMMAND=<username><cr>


; The following two lines cause Network Connections to ignore all
; responses until the remote computer requests your password. If
; the remote computer prompts you with a word other than password
; you must replace assword: in the line below with the exact text the
; remote computer uses.

      OK=<match>"assword:"
      LOOP=<ignore>


; This is the equivalent of typing the same password you filled in
; on the "Connect" window or saved with the "Save password"
; checkbox.

      COMMAND=<password><cr>


; Ignore the final responses from the computer.

      OK=<ignore>

; =====================================================================
; ADDITIONAL EXAMPLE SECTION

; This additional script is provided as an example from which you can
; cut and paste relevant sections into your own scripts.  The comment
; marker (;) in column one must be removed before the ; script will
; work.

;======================================================================

; [sample SLIP login]

; Because SLIP connection logon sequences vary widely, it is difficult
; to provide even a generic version for you to use. The following script
; was used to connect to an actual SLIP provider.

;  Start communication with remote computer by sending COMMAND=
;      COMMAND=


; The following two lines cause Network Connections to ignore all responses
; until the remote computer requests your login name. If the remote
; computer prompts you with a word other than login you must
; replace ogin: in the line below with the exact text the
; remote computer uses.

;     OK=<match>"ogin:"
;     LOOP=<ignore>


; You must replace YourLoginHere in the line below
; with your actual login.

;      COMMAND=YourLoginHere<cr>


; The following two lines cause Network Connections to ignore all responses
; until the remote computer requests your password. If the remote
; computer prompts you with a word other than password you must
; replace assword: in the line below with the exact text the
; remote computer uses.

;      OK=<match>"assword:"
;      LOOP=<ignore>


; You must replace YourPasswordHere in the line below
; with your actual password.

;      COMMAND=YourPasswordHere<cr>


; Provide 4 carriage returns to ignore 4 questions.
;    COMMAND=<cr>
;    COMMAND=<cr>
;    COMMAND=<cr>
;    COMMAND=<cr>

; Wait for Home prompt.
;    COMMAND=
;    OK=<match>"Home"
;    LOOP=<ignore>

; Request SLIP connection.
;   COMMAND=SLIP<cr>

; At this point the script successfully ends and the SLIP Login Terminal
; window appears. You would enter the IP address provided by the remote
; computer (in the SLIP Login Terminal window) in the IP Address box and
; press the Done button.

 

 

C:\Windows\SysWOW64\ras\pppmenu

;
; This is a script file that demonstrates how
; to establish a PPP connection with a host
; that uses a menu system.
;
; A script file must have a 'main' procedure.
; All script execution starts with this 'main'
; procedure.
;


; Main entry point to script
;
proc main

   ; Change these variables to customize for your
   ; specific Internet service provider

   integer nTries = 3

   ; This is the login prompt and timeout values

   string szLogin = "username:"
   integer nLoginTimeout = 3

   ; This is the password prompt and timeout values

   string szPW = "password:"
   integer nPWTimeout = 3

   ; This is the prompt once your password is verified

   string szPrompt = "annex:"

   ; This is the command to send to establish the
   ; connection.  This script assumes you only need
   ; to issue one command to continue.  Feel free
   ; to add more commands if your provider requires
   ; it.

   ;
   ; This provider has a menu list like this:
   ;
   ;   1              : Our special GUI
   ;   2              : Establish slip connection
   ;   3              : Establish PPP connection
   ;   4              : Establish shell access
   ;   5              : Download our software
   ;   6              : Exit
   ;
   ;   annex:
   ;

   string szConnect = "3^M"

   ; Set this to FALSE if you don't want to get an IP
   ; address

   boolean bUseSlip = FALSE

   
   ; -----------------------------------------------------


   ; Delay for 2 seconds first to make sure the
   ; host doesn't get confused when we send the
   ; two carriage-returns.

   delay 2
   transmit "^M^M"

   ; Attempt to login at most 'nTries' times

   while 0 < nTries do

      ; Wait for the login prompt before entering
      ; the user ID, timeout after x seconds

      waitfor szLogin then DoLogin
        until nLoginTimeout

TryAgain:
      transmit "^M"        ; ping
      nTries = nTries - 1

   endwhile

   goto BailOut

DoLogin:
   ; Enter user ID

   transmit $USERID, raw
   transmit "^M"

   ; Wait for the password prompt

   waitfor szPW until nPWTimeout
   if FALSE == $SUCCESS then
      goto TryAgain
   endif

   ; Send the password

   transmit $PASSWORD, raw
   transmit "^M"

   ; Wait for the prompt

   waitfor szPrompt

   transmit szConnect

   if bUseSlip then
      ; An alternative to the following line is
      ;
      ;     waitfor "Your address is "
      ;     set ipaddr getip
      ;
      ; if we don't know the order of the IP addresses.

      set ipaddr getip 2
   endif
   goto Done

BailOut:
   ; Something isn't responding.  Halt the script
   ; and let the user handle it manually.

   set screen keyboard on
   halt

Done:

endproc

C:\Windows\SysWOW64\ras\pad

;-----------------------------------------------------------------------------
[Responses]
; This section is temporary.

;-----------------------------------------------------------------------------
[sprintNet, Standard]

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600


; The next two lines ignore logon banners
COMMAND=
OK=<ignore>


; The @ characters sets the SprintNet PAD for 8 databit communication.
COMMAND=@
NoResponse


; The D character requests a 9600 speed.
COMMAND=D<cr>
; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; A carriage return to initialize the PAD read/write buffers
COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:0,2:0,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:0,17:0,18:0,19:0,20:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Finally try to call RAS X25 server
COMMAND=C <x25address>*<UserData><cr>

CONNECT=<match>" CONNECT"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>


; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
;  DIAGNOSTIC information will be extracted from the response and sent to the
;  user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.

;-----------------------------------------------------------------------------
[sprintNet, Alternate]

; Connections can be made more reliably in some SprintNet locations if
; there are some delays near the beginning of the pad.inf entry.  As a
; general rule of thumb use this entry with older, slower (2400 bps)
; locations.


DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


; The @ characters sets the SprintNet PAD for 8 databit communication.
COMMAND=@
NoResponse


COMMAND=
NoResponse


; The D character requests a 9600 speed.
COMMAND=D<cr>
; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; A carriage return to initialize the PAD read/write buffers
COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:0,2:0,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:0,17:0,18:0,19:0,20:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Finally try to call RAS X25 server
COMMAND=C <x25address>*<UserData><cr>

CONNECT=<match>" CONNECT"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>


; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
;  DIAGNOSTIC information will be extracted from the response and sent to the
;  user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.

;-----------------------------------------------------------------------------
[infoNet]

DEFAULTOFF=
MAXCARRIERBPS=2400
MAXCONNECTBPS=2400


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


COMMAND=<cr>
; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


COMMAND=X<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:126,2:1,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
NoResponse

COMMAND=
NoResponse

; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:0,17:0,18:0,19:0,20:0,21:0,22:0<cr>
NoResponse


COMMAND=
NoResponse

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>

OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>


; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
;  DIAGNOSTIC information will be extracted from the response and sent
;  to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.


; Finally set no escape and no echo
COMMAND=SET 1:0,2:0<cr>
NoResponse

;-----------------------------------------------------------------------------
[infoNet, Alternate]

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


COMMAND=<cr>
; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


COMMAND=X<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
;COMMAND=SET 1:126,2:1,3:0,4:1,5:0,6:1,7:0,8:0,9:0,10:0<cr>
COMMAND=SET 1:126,2:1,3:0,4:1,5:0,6:1,7:2,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>


; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:127,17:24,18:18,19:0,20:0,21:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>
OK=<ignore>

OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR=<match>"ERR"


; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
;  DIAGNOSTIC information will be extracted from the response and sent
;  to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.


; Finally set no escape and no echo
COMMAND=SET 1:0,2:0<cr>
NoEcho
ERROR=<match>"ERR"
CONNECT=<ignore>

[Transpac]

DEFAULTOFF=
MAXCARRIERBPS=2400
MAXCONNECTBPS=2400


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse

; We dont care about the response so we ignore it (unless modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<match>"TRANSPAC"

; Set X.3 settings on the PAD which make it work well with RAS. Broken into
; two parts since the line is too long.
COMMAND=SET 1:1,2:1,3:0,4:1,5:0,6:1,7:0,9:0,10:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>


; Set the other half of X.3 parameters
COMMAND=SET 12:0,13:0,14:0,15:0,16:127,17:24,18:18,19:0,20:0,21:0,22:0<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR=<match>"ERR"
OK=<ignore>

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>
OK=<ignore>

OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>


; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOISTICS response means connection attempt failed - the X25
;  DIAGNOSTIC information will be extracted from the response and sent
;  to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR resonses are for generic failures.


; Finally set no escape and no echo
COMMAND=SET 1:0,2:0<cr>
NoEcho
CONNECT=<ignore>


;-----------------------------------------------------------------------------
[Eicon X.PAD]

DEVICETYPE=pad
DEFAULTOFF=

MAXCARRIERBPS=1200
MAXCONNECTBPS=1200

;
; INIT section.
;
COMMAND_INIT=PAR 2<cr>
NoEcho
OK=par 2:<ignore>
ERROR_DIAGNOSTICS=CLR <Diagnostics>
ERROR=ERR<ignore>

;
; LISTEN section.
;
COMMAND_LISTEN=
NoEcho
CONNECT=<match>"COM"
ERROR_DIAGNOSTICS=CLR <Diagnostics>
ERROR=ERR<ignore>

;
; CALL section.
;
COMMAND_DIAL=<x25address><cr><lf>
NoEcho
CONNECT=<match>"COM"
ERROR_DIAGNOSTICS=CLR CONF  <cr><lf>CLR<Diagnostics>
ERROR_DIAGNOSTICS=CLR <Diagnostics>
ERROR=ERR<ignore>

;-----------------------------------------------------------------------------
[Compuserve]

; Disclaimer:
; This script has been included for customer convenience, but has NOT been
; fully verified to work under all circumstances. Microsoft makes NO guarantees
; as to the performance of this script. Please contact Microsoft
; PSS NT support if you have problems or questions.

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

COMMAND=
NoResponse

COMMAND=<cr>
OK=<ignore>

COMMAND=+<cr>
OK=<match>"Host Name:"

COMMAND=<x25address><cr>
CONNECT=<match>"Connected"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>


;-----------------------------------------------------------------------------------
[sITA Group Network]

; Disclaimer:
; This script has been included for customer convenience, but has NOT been
; fully verified to work under all circumstances. Microsoft makes NO guarantees
; as to the performance of this script. Please contact Microsoft
; PSS NT support if you have problems or questions.
;      PLEASE SEE COMMENTS BELOW REGARDING USAGE OF THE "User Data:"
;      and "Facilities:" FIELDS IN RAS WHEN USING THIS SITA SCRIPT.

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

COMMAND=...<cr>
OK=<match>"SITA NETWORK:"

; Enter your NUI number in the Remote Access program's X.25 Settings "User Data:" field.
COMMAND=<UserData><cr>
OK=<ignore>

; Enter your x.25 password in the Remote Access program's X.25 Settings "Facilities:" field.
COMMAND=<Facilities><cr>
OK=<match>"active"
ERROR_DIAGNOSTICS=<cr><lf><cr><lf><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

COMMAND=PROF 6<cr>
NoResponse

COMMAND=
NoResponse

COMMAND=SET 2:1<cr>
OK=<ignore>

COMMAND=
NoResponse

COMMAND=SET 4:1,6:1,16:0,17:0,18:0,19:0,21:0<cr>
OK=<ignore>

COMMAND=
NoResponse

COMMAND=SET 118:0,119:0,120:0<cr>
OK=<ignore>

COMMAND=PAR?<cr>
OK=<ignore>

COMMAND=SET 2:0<cr>
NoResponse

COMMAND=
NoResponse

COMMAND=<x25address><cr>
CONNECT=<match>"connected"
;CONNECT=<ignore>
ERROR_DIAGNOSTICS=<cr><lf><cr><lf><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

;-----------------------------------------------------------------------------------
[Alascom/Tymnet/MCI]

; Disclaimer:
; This script has been included for customer convenience, but has NOT been
; fully verified to work under all circumstances. Microsoft makes NO guarantees
; as to the performance of this script. Please contact Microsoft
; PSS NT support if you have problems or questions.
; NOTE: Whether your X.25 account is set up for a single x.121 identifier or a
; username/password combination, they both are entered in the Remote Access program's
; "X.25 Settings" dialog box in the "X.121 Address:" field.
; A username and password combination is entered simply by separating them with a
; SEMICOLON, e.g.:  John;mypass
; where "John" is the username and "mypass" is the password.

DEFAULTOFF=
MAXCARRIERBPS=9600
MAXCONNECTBPS=9600

; The "o" changes the terminal identifier so that the x.25 network responses are
; readable and don't appear as garbage. No carriage return is required after it.
COMMAND=o
OK=<match>"log in:"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

; Note: The "<h08>" represents a Ctrl-H or Backspace character which turns the
; echo facility in the x.25 network off which interferes with RAS operation.
COMMAND=<h08><x25address><cr>
CONNECT=<match>"connected"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>
ERROR_DIAGNOSTICS=<lf><cr><lf><Diagnostics>

[Telematics]

DEFAULTOFF=
MAXCARRIERBPS=19200
MAXCONNECTBPS=19200


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=<cr>
; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=<cr>

;The next line will initiate AUTOBAUD/AUTOPARITY with the
;Telematics PAD
COMMAND=..<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<match>"*"


; Finally try to call RAS X25 server
COMMAND=<x25address><cr>

CONNECT=<match>"com"


[InfoNet X25]

DEFAULTOFF=
MAXCARRIERBPS=2400
MAXCONNECTBPS=2400


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


; The next line will give a delay of 2 secs - allowing the PAD to initialize
COMMAND=
NoResponse


COMMAND=<cr>
; We don't care about the response so we ignore it (unless the modem has hung up).
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


COMMAND=<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>


COMMAND=SET 2:1<cr>
NoResponse

COMMAND=X<cr>
ERROR_NO_CARRIER=<match>"NO CARRIER"
OK=<ignore>

; Try to call RAS X25 server
COMMAND=<x25address><cr><lf>

OK=<match>"COM"
ERROR_NO_CARRIER=<match>"NO CARRIER"
ERROR_DIAGNOSTICS=<cr><lf><Diagnostics>


; CONNECT response means that the connection completed fine.
; ERROR_DIAGNOSTICS response means the connection attempt failed - the X25
;  DIAGNOSTIC information will be extracted from the response and sent
;  to the user.
; ERROR_NO_CARRIER means that the remote modem hung up.
; ERROR responses are for generic failures.


C:\Windows\SysWOW64\ras\cis

;
; This is a script file that demonstrates how
; to establish a PPP connection with Compuserve,
; which requires changing the port settings to
; log in.
;


; Main entry point to script
;
proc main

   ; Set the port settings so we can wait for
   ; non-gibberish text.

   set port databits 7
   set port parity even

   transmit "^M"

   waitfor "Host Name:"
   transmit "CIS^M"

   waitfor "User ID:"
   transmit $USERID, raw
   transmit "/go:pppconnect^M"

   waitfor "Password: "
   transmit $PASSWORD, raw
   transmit "^M"

   waitfor "One moment please..."

   ; Set the port settings back to allow successful
   ; negotiation.

   set port databits 8
   set port parity none

endproc


Sorry I had to copy/paste - hope these are helpful. Going to follow your instructions for the modem now. Thanks a lot!  BoRe


You asked me for pictures of these files in post #9, right?


As I have explained in posts #5 and 7, this website is not acting at all normally! I cannot attach text or image files. I was lucky the copy/paste was working so I could even show you the files. Why is this stuff happening on the Malwarebytes Forums? Please answer this question. If there is an update or patch, please supply it. MBAM Premium won't update automatically, and manually there are never any new updates available (yeah, right...).


Frankly, I don't care if you want to call it "not Infected" or whatever. I just need help to have a working PC. That is why I did a clean install. But I'm having the exact same problems I was having with the previous install I wiped out.


Something was blocking me from having my settings the way I wanted them in various Windows apps including IE, Firefox, my modem and MBAM Premium. I could not access BIOS setup because there was a password there I never set. Boot was always PXE, but I had never joined a domain and had tried to disable Remote Management unsuccessfully using the built-in hidden admin account. I got constant "Access denied" or would click on a folder or file and it would disappear. If I didn't unplug the PC after shutdown, I would find it running in the wee hours, even though I kept disabling WOL.


I haven't tried to change anything on this clean install because I was instructed not to. But Boot is PXE again. I found the PC running in the wee hours because I hadn't unplugged it. MBAM isn't working right.


I can reset my modem, but I'm not offered any options to change any settings. I can change the username and password, but they're never accepted - I just get rerouted to the "change user name and password" option every time. There is no login option. After 3 resets, Firefox now times out every connection attempt to my modem.


I had a cable modem and router that got ruined exactly like this one that I replaced it with. That's why I haven't hooked up my new router yet until everything is cleared up. It doesn't make sense to me to buy a new modem right now and hook it up to whomever is turning on my PC remotely in the middle of the night if I forget to unplug it after shutdown.


  • Root Admin

Hello BoRe


I've been asked to take a look and see if I can help you. Let's go ahead and have you run through the following and we'll see what we can find.


Please go ahead and run through the following steps and post back the logs when ready.
STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 05
Let's clean out any adware now (this will require a reboot, so save all your work):

Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06
Please open Malwarebytes Anti-Malware and, from the Dashboard, Check for Updates by clicking the Update Now... link.
Open Malwarebytes > Settings > Detection and Protection > enable Scan for rootkits; under Non-Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found.
Once completed, please click on History > Application Logs, find your scan log and open it, then click on the "copy to clipboard" button and post back the results in your next reply.


STEP 07

Please go here to run the online antivirus scanner from ESET.


  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

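STEP 08 above produces FRST.txt and Addition.txt, whose Services, Drivers and Scheduled Tasks sections are what a helper reads first. The following is an added example of triaging those lines programmatically; it is not part of the forum post and not a Farbar or Malwarebytes tool. The sample lines are constructed in FRST's line layout and modelled on the logs posted in this thread; the regexes assume that layout, the drive check assumes C: is the system drive, and the rules only flag entries for manual verification (publisher, hash, origin), they do not decide that something is malicious.

```python
"""Triage helper for the Services, Drivers and Scheduled Tasks sections of an
FRST.txt / Addition.txt log (added example; not a Farbar or Malwarebytes tool)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in FRST's line format, modelled on the log posted in this
# thread. It is a short excerpt for demonstration, not a complete FRST log.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ========================
R2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [213504 2014-04-01] (Broadcom Corporation) [File not signed]
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
===================== Drivers (Whitelisted) ==========================
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 HWiNFO32; \??\C:\Users\Fuzzy\AppData\Local\Temp\HWiNFO64A.SYS [X]
==================== Scheduled Tasks (Whitelisted) =============
Task: {D782AC97-277B-41AA-8CEF-1C26A2596BA7} - System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B} => pcalua.exe -a E:\MbamMbae-setup.exe -d E:\
"""

# Service/driver line: "R2 Name; path [size date] (Vendor) [note]"; size/date,
# vendor and note are optional. The trailing $ keeps the lazy path from stopping
# early at "(x86)" inside "Program Files (x86)".
ENTRY_RE = re.compile(
    r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)"
    r"(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?:\s+\((?P<vendor>[^)]*)\))?"
    r"(?:\s+\[(?P<note>[^\]]+)\])?\s*$"
)
# Task line: "Task: {guid} - System32\Tasks\name => command line"
TASK_RE = re.compile(
    r"^Task:\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<task>\S+)\s+=>\s+(?P<cmd>.+?)\s*$"
)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Assumption: C: is the system drive, so D: through Z: are "other" drives.
NON_SYSTEM_DRIVE_RE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                  # "service", "driver" or "task"
    name: str                  # service/driver name, or the task path under System32\Tasks
    target: str                # image path or task command line
    reasons: List[str] = field(default_factory=list)


def _section_of(header: str) -> Optional[str]:
    """Map an '==== Name ====' header to the section kind we care about, else None."""
    title = header.strip("= ").lower()
    for prefix, kind in (("services", "service"), ("drivers", "driver"),
                         ("scheduled tasks", "task")):
        if title.startswith(prefix):
            return kind
    return None


def _check_image(path: str, note: Optional[str]) -> List[str]:
    """Rules for a service or driver image path and FRST's bracketed note."""
    reasons = []
    if note == "File not signed":
        reasons.append("binary is not digitally signed")
    if note == "X":
        reasons.append("registered path no longer exists on disk")
    if TEMP_DIR_RE.search(path):
        reasons.append("loads from a Temp directory")
    return reasons


def _check_task(cmd: str) -> List[str]:
    """Rules for a scheduled task's command line."""
    reasons = []
    if cmd.lower().startswith("pcalua.exe"):
        reasons.append("runs through pcalua.exe (Program Compatibility Assistant launcher)")
    if NON_SYSTEM_DRIVE_RE.search(cmd):
        reasons.append("target lives on a drive other than C:")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per service, driver or task line that trips a rule."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            section = _section_of(line)
            continue
        if section in ("service", "driver"):
            m = ENTRY_RE.match(line)
            if m:
                reasons = _check_image(m.group("path"), m.group("note"))
                if reasons:
                    findings.append(Finding(section, m.group("name"), m.group("path"), reasons))
        elif section == "task":
            m = TASK_RE.match(line)
            if m:
                reasons = _check_task(m.group("cmd"))
                if reasons:
                    findings.append(Finding("task", m.group("task"), m.group("cmd"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the unsigned Broadcom agent, the HWiNFO driver whose image under a Temp folder is gone, and the pcalua.exe task that launches an installer from E:\ are listed; the Malwarebytes entries are not. Each hit is a prompt to check the publisher, file hash and how the entry got there (a vendor management agent and a leftover from a hardware-info utility run from a zip are ordinary explanations), not a verdict.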

Thanks very much, Advanced Setup. This thing is a bear and a half!


I suspect interference with JRT operation, as happened before my clean install, too. It took less than a minute to scan, and JRT.txt did not save to desktop. It is not found by Search in Explorer, either. Luckily I remembered that from before and SelectAll/Copied so I could paste it here.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Professional x64
Ran by Fuzzy (Administrator) on Thu 12/17/2015 at  4:41:00.27
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 12/17/2015 at  4:42:18.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


AdwCleaner also completed in less than a minute. I ran it on the previous install, too - same behavior.


# AdwCleaner v5.025 - Logfile created 17/12/2015 at 05:32:39
# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Fuzzy - TRIAL-PC
# Running from : C:\Users\Trial\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - \AdwCleaner\AdwCleaner[C1].txt - [674 bytes] ##########


I purchased a retail box Anti-Malware +/Anti-Exploit Premium combo, but they would not install - "could not find server" error. This is the free trial Premium version.


There is no option to run as admin. Access is denied to permissions changes.


This scan will likely come up "no threats" as always. It scanned rootkits for a split second and checked the circle.


Also, I was able to type in www.malwarebtes.org and arrive at your website certified by Geotrust when I first fired up my PC. Now it only redirects.


After AdwCleaner reboot, here's what's in my address bar (https://forums.malwarebytes.org/index.php?app=forums&module=post&section=post&do=reply_post&f=7&t=175958). Sorry, I'm barred from uploading image files to this site, but here's some info from the now-DigiCert certificate:


DigiCert SHA2 High Assurance Server CA

CN: *malwarebytes.org   Serial#: 0E:45:44:AD:9F:E0:0B:7D:1C:C1:67:C5:A0:CE:48:A3

SHA1 Fingerprint: F6:AF:55:48:FF:56:4E:09:75:1F:37:9A:C0:50:A3:C6:62:E9:17:C1

SHA256: BD:35:41:3E:D9:7E:48:5C:94:5D:3F:DD:8E:17:CA:E3:8E:15:0C:EF:98:86:5A:48:E5:B4:53:D0:0B:68:0E:A3


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/17/2015
Scan Time: 5:43 AM
Logfile:
Administrator: No

Version: 2.2.0.1024
Malware Database: v2015.12.17.02
Rootkit Database: v2015.12.16.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Trial

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 244122
Time Elapsed: 1 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


ESET found nothing.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-12-2015
Ran by Fuzzy (administrator) on TRIAL-PC (17-12-2015 06:41:11)
Running from C:\Users\Trial\Desktop
Loaded Profiles: Trial & Fuzzy (Available Profiles: Trial & Fuzzy)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Broadcom Corporation) C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-1625722349-1841773593-886300088-1000\...\MountPoints2: {b688ef49-9e83-11e5-830e-806e6f6e6963} - E:\MbamMbae-setup.exe
HKU\S-1-5-21-1625722349-1841773593-886300088-1001\...\RunOnce: [Report] => \AdwCleaner\AdwCleaner[C1].txt

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{CB4BF8C3-107B-4830-88D1-31341AC78398}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/
SearchScopes: HKU\S-1-5-21-1625722349-1841773593-886300088-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [213504 2014-04-01] (Broadcom Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-11] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 HWiNFO32; \??\C:\Users\Fuzzy\AppData\Local\Temp\HWiNFO64A.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-17 06:41 - 2015-12-17 06:41 - 00004378 _____ C:\Users\Trial\Desktop\FRST.txt
2015-12-17 06:40 - 2015-12-17 06:40 - 00000000 ____D C:\Users\Trial\Desktop\FRST-OlderVersion
2015-12-17 06:24 - 2015-12-17 06:24 - 00000000 ____D C:\Program Files (x86)\ESET
2015-12-17 06:23 - 2015-12-17 06:23 - 02870984 _____ (ESET) C:\Users\Trial\Desktop\esetsmartinstaller_enu.exe
2015-12-17 05:54 - 2015-12-17 05:54 - 00260560 _____ C:\Users\Trial\Desktop\MBAMAccessDenied.MHT
2015-12-17 05:50 - 2015-12-17 05:50 - 00055272 _____ C:\Users\Trial\Desktop\ScanResult12_17_15.MHT
2015-12-17 05:27 - 2015-12-17 05:27 - 00218604 _____ C:\Users\Trial\Desktop\AdwCleaner message.MHT
2015-12-17 05:24 - 2015-12-17 05:32 - 00000000 ____D C:\AdwCleaner
2015-12-17 05:21 - 2015-12-17 05:22 - 01740288 _____ C:\Users\Trial\Desktop\AdwCleaner.exe
2015-12-17 05:01 - 2015-12-17 05:01 - 00000562 _____ C:\Users\Fuzzy\Desktop\JRTcopy.txt
2015-12-17 04:38 - 2015-12-17 04:42 - 00000562 _____ C:\Users\Fuzzy\Desktop\JRT.txt
2015-12-17 04:27 - 2015-12-17 04:27 - 01599336 _____ (Malwarebytes) C:\Users\Trial\Desktop\JRT.exe
2015-12-15 06:47 - 2015-12-15 06:47 - 02379124 _____ C:\Users\Trial\Desktop\hw64_510.zip
2015-12-15 06:47 - 2015-12-15 06:47 - 00000000 ____D C:\Users\Trial\Desktop\hw64_510
2015-12-15 04:33 - 2015-12-15 04:33 - 00205940 _____ C:\Users\Trial\Desktop\ModemCode2.MHT
2015-12-15 04:31 - 2015-12-15 04:32 - 00205584 _____ C:\Users\Trial\Desktop\ModemCode.MHT
2015-12-15 04:28 - 2015-12-15 04:28 - 00226340 _____ C:\Users\Trial\Desktop\ModemBlocked2.MHT
2015-12-15 04:27 - 2015-12-15 04:27 - 00221110 _____ C:\Users\Trial\Desktop\ModemBlocked.MHT
2015-12-14 21:06 - 2015-12-14 21:14 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\BACS
2015-12-14 20:18 - 2015-12-14 20:18 - 00168684 _____ C:\Users\Trial\Desktop\SpeedTest.MHT
2015-12-14 19:26 - 2015-12-14 19:26 - 00151456 _____ C:\Users\Trial\Desktop\ModemEventLog.MHT
2015-12-14 19:24 - 2015-12-14 19:24 - 00147108 _____ C:\Users\Trial\Desktop\ModemStatus.MHT
2015-12-14 19:22 - 2015-12-14 19:22 - 00122348 _____ C:\Users\Trial\Desktop\ModemSysInf.MHT
2015-12-14 19:20 - 2015-12-14 19:20 - 00123904 _____ C:\Users\Trial\Desktop\ModemInitialization.MHT
2015-12-14 05:29 - 2015-12-14 05:29 - 00001954 _____ C:\Users\Trial\Desktop\-.malwarebytes.org.crt
2015-12-14 05:01 - 2015-12-14 05:08 - 00006287 _____ C:\Users\Trial\Desktop\switch.txt
2015-12-14 05:00 - 2015-12-14 05:07 - 00002860 _____ C:\Users\Trial\Desktop\pppmenu.txt
2015-12-14 04:59 - 2015-12-14 05:08 - 00014581 _____ C:\Users\Trial\Desktop\pad.txt
2015-12-14 04:56 - 2015-12-14 05:07 - 00000787 _____ C:\Users\Trial\Desktop\cis.scp
2015-12-14 04:23 - 2015-12-14 05:38 - 00002882 _____ C:\Users\Trial\Desktop\bitsctrs0000.txt
2015-12-14 04:19 - 2015-12-14 04:21 - 00002876 _____ C:\Users\Trial\Desktop\bitsctrs0409.ini
2015-12-13 06:34 - 2015-12-13 06:34 - 00001433 _____ C:\Users\Fuzzy\Desktop\Port Forward Network Utilities.lnk
2015-12-13 06:34 - 2015-12-13 06:34 - 00000000 ____D C:\Program Files (x86)\Portforward.com
2015-12-13 06:28 - 2015-12-13 06:28 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\ElevatedDiagnostics
2015-12-13 06:07 - 2015-12-13 06:16 - 00000000 ____D C:\Users\Trial\AppData\Local\BACS
2015-12-13 06:02 - 2015-12-13 06:02 - 00000000 ____D C:\Windows\Dell
2015-12-13 06:02 - 2015-12-13 06:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Broadcom
2015-12-13 06:02 - 2015-12-13 06:02 - 00000000 ____D C:\Program Files\Broadcom
2015-12-13 05:58 - 2015-12-13 05:58 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\Downloaded Installations
2015-12-13 05:23 - 2015-12-13 05:24 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Portforward.com
2015-12-12 08:02 - 2015-12-13 05:00 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\PortForward.com
2015-12-12 08:02 - 2015-12-12 08:02 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Portforward.com
2015-12-11 08:16 - 2015-12-11 08:17 - 00000000 ____D C:\Users\Trial\Desktop\FRSTlogs
2015-12-11 08:09 - 2015-12-17 06:41 - 00000000 ____D C:\FRST
2015-12-11 08:08 - 2015-12-17 06:40 - 02370048 _____ (Farbar) C:\Users\Trial\Desktop\FRST64.exe
2015-12-11 07:31 - 2015-12-11 07:33 - 00000000 ____D C:\Program Data
2015-12-11 07:11 - 2015-12-11 10:07 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-11 07:10 - 2015-12-17 05:33 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2015-12-11 07:10 - 2015-12-11 07:10 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-11 07:10 - 2015-12-11 07:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-11 07:10 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-12-11 07:10 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-12-11 07:10 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2015-12-11 07:03 - 2015-12-11 07:03 - 00000000 ____D C:\Chameleon
2015-12-11 06:47 - 2015-12-11 06:47 - 01592131 _____ C:\Users\Trial\Desktop\MalwarebytesAntiMalwareUserGuide.pdf
2015-12-11 06:42 - 2015-12-11 06:42 - 00001409 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-11 06:41 - 2015-12-11 06:42 - 00001443 _____ C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-11 06:41 - 2015-12-11 06:41 - 00000000 ____D C:\Users\Fuzzy\AppData\Local\VirtualStore
2015-12-10 04:15 - 2015-12-11 06:40 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-10 04:15 - 2015-12-10 04:17 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-12-10 04:15 - 2015-12-10 04:16 - 00243656 _____ C:\Users\Trial\Downloads\Firefox Setup Stub 42.0.exe
2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Mozilla
2015-12-10 04:15 - 2015-12-10 04:15 - 00000000 ____D C:\Users\Trial\AppData\Local\Mozilla
2015-12-10 03:33 - 2015-12-10 03:33 - 00057560 _____ C:\Users\Fuzzy\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-10 03:19 - 2015-12-10 03:12 - 00003900 _____ C:\Users\Trial\Desktop\route.print.txt
2015-12-10 03:18 - 2015-12-10 03:12 - 00003060 _____ C:\Users\Trial\Desktop\ipconfig.all.txt
2015-12-10 03:03 - 2015-12-12 08:02 - 00000000 ____D C:\Users\Fuzzy
2015-12-10 03:03 - 2015-12-10 03:03 - 00000020 ___SH C:\Users\Fuzzy\ntuser.ini
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\My Documents
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Videos
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Pictures
2015-12-10 03:03 - 2015-12-10 03:03 - 00000000 _SHDL C:\Users\Fuzzy\Documents\My Music
2015-12-10 03:03 - 2011-04-12 03:28 - 00000000 ____D C:\Users\Fuzzy\AppData\Roaming\Media Center Programs
2015-12-09 09:51 - 2015-12-09 09:51 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2015-12-09 09:51 - 2015-12-09 09:51 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
2015-12-09 09:48 - 2015-12-09 09:48 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2015-12-09 09:46 - 2015-12-09 07:35 - 00000000 ____D C:\Windows\Panther
2015-12-09 08:42 - 2015-12-09 08:42 - 00057560 _____ C:\Users\Trial\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-09 08:07 - 2015-12-09 08:07 - 00000000 ____D C:\OriginalDrvrsPkg
2015-12-09 08:05 - 2015-12-13 05:58 - 00000000 ____D C:\swsetup
2015-12-09 07:39 - 2015-12-09 07:39 - 00003050 _____ C:\Windows\System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B}
2015-12-09 07:36 - 2015-12-09 07:36 - 00001443 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-09 07:36 - 2015-12-09 07:36 - 00001409 _____ C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-09 07:36 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial\AppData\Local\VirtualStore
2015-12-09 07:35 - 2015-12-09 07:36 - 00000000 ____D C:\Users\Trial
2015-12-09 07:35 - 2015-12-09 07:35 - 00000020 ___SH C:\Users\Trial\ntuser.ini
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\My Documents
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Videos
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Pictures
2015-12-09 07:35 - 2015-12-09 07:35 - 00000000 _SHDL C:\Users\Trial\Documents\My Music
2015-12-09 07:35 - 2011-04-12 03:28 - 00000000 ____D C:\Users\Trial\AppData\Roaming\Media Center Programs

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-17 06:35 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-17 06:35 - 2009-07-13 23:45 - 00016848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-17 06:10 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\tracing
2015-12-17 05:37 - 2009-07-14 00:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-17 05:37 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2015-12-17 05:33 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-15 04:20 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2015-12-13 06:22 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-12-09 10:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\rescache
2015-12-09 09:52 - 2009-07-13 23:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-09 09:50 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\sysprep
2015-12-09 09:48 - 2011-04-12 03:28 - 00000000 ____D C:\Windows\CSC
2015-12-09 09:46 - 2009-07-14 00:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-12-11 10:02

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:17-12-2015
Ran by Fuzzy (2015-12-17 06:41:31)
Running from C:\Users\Trial\Desktop
Windows 7 Professional Service Pack 1 (X64) (2015-12-09 12:35:45)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1625722349-1841773593-886300088-500 - Administrator - Disabled)
Fuzzy (S-1-5-21-1625722349-1841773593-886300088-1001 - Administrator - Enabled) => C:\Users\Fuzzy
Guest (S-1-5-21-1625722349-1841773593-886300088-501 - Limited - Enabled)
Trial (S-1-5-21-1625722349-1841773593-886300088-1000 - Limited - Enabled) => C:\Users\Trial

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{47B8DBFC-2891-480C-92D6-92143AD0D027}) (Version: 16.6.1.6 - Broadcom Corporation)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Port Forward Network Utilities 2.0.16c (HKLM-x32\...\Port Forward Network Utilities) (Version: 2.0.16c - Portforward.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

17-12-2015 04:41:00 JRT Pre-Junkware Removal

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {D782AC97-277B-41AA-8CEF-1C26A2596BA7} - System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B} => pcalua.exe -a E:\MbamMbae-setup.exe -d E:\

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1625722349-1841773593-886300088-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Trial\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1625722349-1841773593-886300088-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Fuzzy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 209.18.47.61 - 209.18.47.62
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{E349130A-80FF-4039-9D9F-5BBC6953B7F4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{60811ED5-8C79-4861-B0E6-BA64FD9BB999}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{08577180-EA8D-47A2-B6D9-866F04D7CD6C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6371C883-3255-4226-A299-8DA5D00D3448}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{F2316BA4-474B-4CA3-891C-3DE741ACBBD8}C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe] => (Allow) C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe
FirewallRules: [uDP Query User{9F59A733-B58B-4C17-9F9A-0E408D57F0A1}C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe] => (Allow) C:\program files (x86)\portforward.com\portforward network utilities\pfportchecker.exe

==================== Faulty Device Manager Devices =============

Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/17/2015 06:24:26 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 06:24:24 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 06:24:02 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 06:23:59 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 06:23:59 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 06:23:52 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (12/17/2015 05:33:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/17/2015 03:51:48 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/15/2015 04:10:07 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/14/2015 06:48:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (12/17/2015 06:28:18 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:28:18 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/17/2015 06:28:17 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:28:17 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/17/2015 06:28:17 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:28:17 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/17/2015 06:26:00 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:26:00 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/17/2015 06:25:59 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/17/2015 06:25:59 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


==================== Memory info ===========================

Processor: AMD Athlon II X2 B24 Processor
Percentage of memory in use: 21%
Total physical RAM: 7679.39 MB
Available physical RAM: 6019.58 MB
Total Virtual: 15356.98 MB
Available Virtual: 13613.43 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:23.96 GB) (Free:2.54 GB) NTFS
Drive d: () (Fixed) (Total:208.83 GB) (Free:208.73 GB) NTFS
Drive f: () (Removable) (Total:7.26 GB) (Free:3.29 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 06F7285A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=24 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=208.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.3 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================

 

Thanks again, Advanced! I'll be patient - this is a lot to look at! BoRe
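As an added triage helper (this editor's example, not FRST's or Malwarebytes' code), the script below reads the sections of an Addition.txt like the one posted above and lists the items a responder would check first: built-in accounts left enabled, an out-of-date or disabled security product, scheduled tasks that run through pcalua.exe, drivers the kernel refused to load from a user-writable Temp directory, and which physical disk a "Partition: GPT." line actually belongs to. SAMPLE_LOG is a constructed excerpt of the posted log, and every finding rule is an assumption about what merits a look, not FRST's own logic. On the posted log the GPT marker sits under Disk 1 (7.3 GB), whose size matches the removable drive f: (7.26 GB, FAT32) in the Drives section rather than the 232.9 GB internal disk.

```python
"""Triage checks over an FRST Addition.txt log (added example, not FRST's or
Malwarebytes' code; SAMPLE_LOG is a constructed excerpt of the posted log and
the rules below are this editor's assumptions, not FRST's own logic)."""
import re

SAMPLE_LOG = r"""==================== Accounts: =============================
Administrator (S-1-5-21-1625722349-1841773593-886300088-500 - Administrator - Disabled)
Fuzzy (S-1-5-21-1625722349-1841773593-886300088-1001 - Administrator - Enabled) => C:\Users\Fuzzy
Guest (S-1-5-21-1625722349-1841773593-886300088-501 - Limited - Enabled)
Trial (S-1-5-21-1625722349-1841773593-886300088-1000 - Limited - Enabled) => C:\Users\Trial

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Scheduled Tasks (Whitelisted) =============
Task: {D782AC97-277B-41AA-8CEF-1C26A2596BA7} - System32\Tasks\{DC1C5A7C-B7B8-4338-A806-4F1E0A929F4B} => pcalua.exe -a E:\MbamMbae-setup.exe -d E:\

==================== Event log errors: =========================
System errors:
=============
Error: (12/17/2015 06:28:18 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Fuzzy\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system.

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 06F7285A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=24 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=208.8 GB) - (Type=07 NTFS)
========================================================
Disk: 1 (Size: 7.3 GB) (Disk ID: 00000000)
Partition: GPT.
==================== End of Addition.txt ============================
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")                      # "===== Name: =====" headers
ACCOUNT_RE = re.compile(r"^(\S+) \((S-1-5-21-[\d-]+-(\d+)) - (\w+) - (\w+)\)")
DISK_RE = re.compile(r"^Disk: (\d+) .*\(Size: ([\d.]+ \w+)\)")
BLOCKED_RE = re.compile(r"\\\?\?\\(.+?) has been blocked from loading")
BUILTIN_RIDS = {"500": "Administrator", "501": "Guest"}        # well-known relative IDs


def parse_sections(text):
    """Split the log into {section name: [data lines]}, dropping rulers and FRST's hint lines."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="} or line.startswith(("(If ", "(Only ", "(Currently ", "(The ")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().rstrip(":")
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def disk_layout(sections):
    """Attach each 'Partition N' line, and a trailing 'Partition: GPT.' marker, to the disk it follows."""
    disks, cur = {}, None
    for line in sections.get("MBR & Partition Table", []):
        m = DISK_RE.match(line)
        if m:
            cur = int(m.group(1))
            disks[cur] = {"size": m.group(2), "scheme": "MBR" if "MBR Code" in line else "unknown", "partitions": []}
        elif cur is not None and line.startswith("Partition: GPT"):
            disks[cur]["scheme"] = "GPT"
        elif cur is not None and line.startswith("Partition "):
            disks[cur]["partitions"].append(line)
    return disks


def triage(text):
    """Return (category, message) pairs worth a responder's attention, in section order."""
    s, out = parse_sections(text), []
    for line in s.get("Accounts", []):
        m = ACCOUNT_RE.match(line)
        if m and m.group(3) in BUILTIN_RIDS and m.group(5) == "Enabled":
            out.append(("accounts", f"built-in {BUILTIN_RIDS[m.group(3)]} (RID {m.group(3)}) is enabled"))
    for line in s.get("Security Center", []):
        if "Out of date" in line or "Disabled" in line:
            out.append(("security center", line.split(" {")[0]))     # drop the product GUID
    for line in s.get("Scheduled Tasks (Whitelisted)", []):
        cmd = line.split(" => ", 1)[-1]
        if "pcalua.exe" in cmd.lower():   # compatibility launcher runs whatever follows -a; confirm the target
            out.append(("tasks", f"task runs through pcalua.exe: {cmd}"))
    for line in s.get("Event log errors", []):
        m = BLOCKED_RE.search(line)
        if m:
            where = "user-writable Temp directory" if "\\temp\\" in m.group(1).lower() else "disk"
            out.append(("drivers", f"driver blocked from loading out of a {where}: {m.group(1)}"))
    for num, d in disk_layout(s).items():
        if d["scheme"] == "GPT":
            out.append(("disks", f"disk {num} ({d['size']}) is GPT; match its size against the Drives section before calling it hidden"))
    return out
```

Calling `triage(SAMPLE_LOG)` on the constructed excerpt yields five entries: the enabled Guest account, the out-of-date Defender signature set, the pcalua.exe task, the blocked driver in the Fuzzy profile's Temp folder, and the GPT disk 1. None of these is a verdict; the point of the helper is to turn a long log into a short list of things to confirm by hand.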


  • Root Admin

Okay, nothing there to indicate an infection. Please temporarily disable your antivirus and run a clean removal process for MBAM. Then download the latest version from the Web and temporarily disable your firewall and antivirus to allow the MBAM activation.

The web download is the same version of MBAM but will be newer than the one on your CD.

 

Please uninstall your current version of MBAM and reinstall the latest version. MBAM Clean Removal Process 2x

 

Then reinstall the latest version of MBAM Anti-Exploit as well and reactivate it as well with your firewall and antivirus off.

 

Let me know how that goes.


Hey, AS - thanks for the advice.

 

I followed the instructions for Paid PRO / PREMIUM version at MBAM Clean Removal Process 2x.

 

When I got to "Launch the program and click on the Activation button. Then copy and paste your activation ID and Key into the dialog box. This should automatically enable Protection and offer to add an automated update schedule which you should allow or ensure that you create one on your own to keep the program updated," three attempts at activating with my CD key and ID failed.

 

[attached screenshot: post-186591-0-64460300-1450793152_thumb]

 

I have closed the MBAM application. I'll wait to hear from you before taking any further action.

 

Thanks again, BoRe


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


  • 2 weeks later...

I'm so sorry to tell you my PC is still misbehaving.

 

I tried to run the MBAE-test. Can't run because "MSVCR100.dll is missing. Try uninstalling and reinstalling the program."

 

I uninstalled in Control Panel. Tried to run "clean_mbae.bat" (R-click, run as admin). Got error "ADMIN Privileges Required"

 

"This file must be run as an administrator to work properly. If you're seeing this after clicking on the batch file then log off and back on with an Administrator account or right click choose "Run as Administrator" on Windows 7/8/10. Any key to continue" which closes the error box and file folder.

 

Logged on to Super Admin account. No password was needed, though I had set a very long and complicated one. No matter how I tried to run mbae_clean.bat, the same error message (yellow text on maroon background) came up.

 

I'm using IE since I did the second clean install to be able to interact with this website - the fewer programs, the better, I thought. It still redirects nearly every page to something from 2012 or 2013, though images seem current on MSN home page.

 

I await your instructions with thanks for your help. BoRe


  • Root Admin

Please run the FRST program again and make sure you place a check mark in the Additions.txt check box and attach both new logs on your next reply and I'll take another look.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply as well.
Thanks