Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

help my desktop has been deleted!?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

help my desktop has been deleted!?

Unread postby john2054 » November 29th, 2015, 7:59 pm

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:29-11-2015
Ran by john (administrator) on JOHN2054 (29-11-2015 23:49:01)
Running from C:\Users\john\Downloads
Loaded Profiles: john (Available Profiles: john & Michelle & Administrator)
Platform: Windows 10 Home (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagent.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_15.1120.13270.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MouseDriver] => C:\WINDOWS\system32\TiltWheelMouse.exe [241152 2013-04-09] (Pixart Imaging Inc)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13885696 2015-06-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguix.exe [1130408 2015-10-16] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3812264 2015-10-12] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597040 2015-10-06] (Oracle Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{d8766016-3ff0-4478-be0e-2e2acec5c62a}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2015-11-01] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2015-11-01] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll => No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\ssv.dll [2015-10-28] (Oracle Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL => No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\jp2ssv.dll [2015-10-28] (Oracle Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - No File
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\john\AppData\Roaming\Mozilla\Firefox\Profiles\axx3nzab.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-27] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-27] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\dtplugin\npDeployJava1.dll [2015-10-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.65.2 -> C:\Program Files (x86)\Java\jre1.8.0_65\bin\plugin2\npjp2.dll [2015-10-28] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2015-11-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-17] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\john\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-17]
CHR Extension: (Google Docs) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-17]
CHR Extension: (Google Drive) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-17]
CHR Extension: (Google Search) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Google Sheets) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-17]
CHR Extension: (Google Docs Offline) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-17]
CHR Extension: (Gmail) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-17]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [604712 2015-10-12] (AVG Technologies CZ, s.r.o.)
R2 avgfws; C:\Program Files (x86)\AVG\Av\avgfws.exe [1568848 2015-10-12] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3792880 2015-10-12] (AVG Technologies CZ, s.r.o.)
S4 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1046952 2015-10-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [596344 2015-10-12] (AVG Technologies CZ, s.r.o.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2869432 2015-11-01] (Microsoft Corporation)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
S4 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [370064 2015-10-17] (Intel Corporation)
R2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [4368808 2015-10-14] (AVG Technologies CZ, s.r.o.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\System32\drivers\athwbx.sys [3888640 2014-02-14] (Qualcomm Atheros Communications, Inc.)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [23152 2015-09-09] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [197040 2015-08-10] (AVG Technologies CZ, s.r.o.)
R1 Avgfwfd; C:\Windows\system32\DRIVERS\avgfwd6a.sys [97208 2015-08-29] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [312752 2015-09-11] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [298416 2015-08-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [293296 2015-08-10] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [251312 2015-08-10] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-08-10] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [314800 2015-08-31] (AVG Technologies CZ, s.r.o.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [237568 2015-07-10] (Microsoft Corporation)
R3 ElcMouLFlt; C:\Windows\System32\drivers\ElcMouLFlt.sys [28648 2015-10-17] (ELECOM)
R3 ElcMouUFlt; C:\Windows\System32\drivers\ElcMouUFlt.sys [27624 2015-10-17] (ELECOM)
R3 ETDI2C; C:\Windows\System32\drivers\ETDI2C.sys [173384 2014-04-09] (ELAN Microelectronic Corp.)
S3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [120312 2014-06-02] (Intel Corporation)
S3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-07-17] (Acer Incorporated)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
S3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [14680 2013-07-17] (Acer Incorporated)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [886528 2015-07-22] (Realtek )
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [761600 2015-06-24] (Realsil Semiconductor Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-11-28] ()
R3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [31144 2015-10-14] (TuneUp Software)
R3 t_mouse.sys; C:\Windows\System32\drivers\t_mouse.sys [6144 2013-04-09] ()
S3 UdeCx; C:\Windows\System32\drivers\udecx.sys [44032 2015-07-10] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-29 23:49 - 2015-11-29 23:49 - 00013574 _____ C:\Users\john\Downloads\FRST.txt
2015-11-29 23:48 - 2015-11-29 23:49 - 00000000 ____D C:\FRST
2015-11-29 23:48 - 2015-11-29 23:48 - 02350080 _____ (Farbar) C:\Users\john\Downloads\FRST64.exe
2015-11-29 22:10 - 2015-11-29 22:10 - 00016148 _____ C:\WINDOWS\system32\JOHN2054_john_HistoryPrediction.bin
2015-11-29 17:20 - 2015-11-29 17:20 - 00016148 _____ C:\WINDOWS\system32\JOHN2054_Michelle_HistoryPrediction.bin
2015-11-28 01:42 - 2015-11-28 01:42 - 00000000 ____D C:\Users\john\AppData\Local\Macromedia
2015-11-28 00:41 - 2015-11-28 00:41 - 19746888 _____ C:\Users\john\Downloads\RogueKiller.exe
2015-11-28 00:41 - 2015-11-28 00:41 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-11-28 00:17 - 2015-11-28 00:19 - 00002318 _____ C:\Users\john\Desktop\unhide.txt
2015-11-28 00:17 - 2015-11-28 00:17 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\john\Downloads\unhide.exe
2015-11-27 01:05 - 2015-11-27 01:06 - 00000000 ____D C:\Users\john\AppData\Local\Adobe
2015-11-27 01:04 - 2015-11-27 01:04 - 01190616 _____ (Adobe Systems Incorporated) C:\Users\john\Downloads\flashplayer19_a_install.exe
2015-11-24 12:15 - 2015-11-24 12:15 - 00276712 _____ C:\WINDOWS\Minidump\112415-55234-01.dmp
2015-11-24 12:15 - 2015-11-24 12:15 - 00000000 ____D C:\WINDOWS\Minidump
2015-11-24 12:14 - 2015-11-24 12:14 - 648734500 _____ C:\WINDOWS\MEMORY.DMP
2015-11-22 02:46 - 2015-11-22 02:46 - 00000036 _____ C:\Users\john\Downloads\internet-radio.com.playlist.ram
2015-11-22 02:46 - 2015-11-22 02:46 - 00000036 _____ C:\Users\john\Downloads\internet-radio.com.playlist.m3u
2015-11-18 00:57 - 2015-11-18 01:03 - 495057348 _____ C:\Users\john\Downloads\rnb 2 mega mix.zip
2015-11-11 02:44 - 2015-11-11 03:19 - 00000000 ____D C:\Users\john\AppData\Roaming\ChessBase
2015-11-11 02:44 - 2015-11-11 02:44 - 00002132 _____ C:\Users\john\Desktop\CBReader .lnk
2015-11-11 02:44 - 2015-11-11 02:44 - 00000000 ____D C:\Users\john\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ChessBase
2015-11-11 02:42 - 2015-11-11 02:44 - 00000000 ____D C:\Users\john\AppData\Local\ChessBase
2015-11-11 02:42 - 2015-11-11 02:44 - 00000000 ____D C:\Program Files (x86)\ChessBase
2015-11-10 20:54 - 2015-11-05 05:15 - 08020832 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-11-10 20:54 - 2015-11-05 05:15 - 00541024 _____ (Microsoft Corporation) C:\WINDOWS\system32\mcupdate_GenuineIntel.dll
2015-11-10 20:54 - 2015-11-05 05:14 - 00459104 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netio.sys
2015-11-10 20:54 - 2015-11-05 05:13 - 00577888 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\afd.sys
2015-11-10 20:54 - 2015-11-05 05:11 - 01392480 _____ (Microsoft Corporation) C:\WINDOWS\system32\LicenseManager.dll
2015-11-10 20:54 - 2015-11-05 05:06 - 03621248 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-11-10 20:54 - 2015-11-05 05:06 - 00966416 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinapi.appcore.dll
2015-11-10 20:54 - 2015-11-05 05:01 - 00607408 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2015-11-10 20:54 - 2015-11-05 04:56 - 01083072 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-11-10 20:54 - 2015-11-05 04:56 - 00116064 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tdx.sys
2015-11-10 20:54 - 2015-11-05 04:56 - 00025280 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2015-11-10 20:54 - 2015-11-05 04:30 - 00961376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LicenseManager.dll
2015-11-10 20:54 - 2015-11-05 04:24 - 02878512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-11-10 20:54 - 2015-11-05 04:23 - 00762888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinapi.appcore.dll
2015-11-10 20:54 - 2015-11-05 04:23 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserbroker.dll
2015-11-10 20:54 - 2015-11-05 04:20 - 21873664 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2015-11-10 20:54 - 2015-11-05 04:18 - 24597504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-11-10 20:54 - 2015-11-05 04:18 - 03248128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.dll
2015-11-10 20:54 - 2015-11-05 04:18 - 00539728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
2015-11-10 20:54 - 2015-11-05 04:17 - 02418688 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFMediaEngine.dll
2015-11-10 20:54 - 2015-11-05 04:12 - 00515072 _____ (Microsoft Corporation) C:\WINDOWS\system32\internetmail.dll
2015-11-10 20:54 - 2015-11-05 04:11 - 00333312 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2015-11-10 20:54 - 2015-11-05 04:10 - 12504064 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-11-10 20:54 - 2015-11-05 04:10 - 02987520 _____ (Microsoft Corporation) C:\WINDOWS\system32\esent.dll
2015-11-10 20:54 - 2015-11-05 04:07 - 01068032 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-11-10 20:54 - 2015-11-05 04:06 - 00453120 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Devices.Usb.dll
2015-11-10 20:54 - 2015-11-05 04:05 - 01602560 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-11-10 20:54 - 2015-11-05 04:05 - 00826880 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-11-10 20:54 - 2015-11-05 04:03 - 02180608 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2015-11-10 20:54 - 2015-11-05 04:03 - 01015808 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXService.dll
2015-11-10 20:54 - 2015-11-05 04:01 - 00949760 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2015-11-10 20:54 - 2015-11-05 04:01 - 00713216 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgr.dll
2015-11-10 20:54 - 2015-11-05 04:01 - 00579072 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2015-11-10 20:54 - 2015-11-05 03:59 - 03587072 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2015-11-10 20:54 - 2015-11-05 03:59 - 02675200 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepository.dll
2015-11-10 20:54 - 2015-11-05 03:58 - 01383936 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2015-11-10 20:54 - 2015-11-05 03:58 - 00627712 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.dll
2015-11-10 20:54 - 2015-11-05 03:56 - 01795072 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2015-11-10 20:54 - 2015-11-05 03:55 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\dssvc.dll
2015-11-10 20:54 - 2015-11-05 03:54 - 00502272 _____ (Microsoft Corporation) C:\WINDOWS\system32\dlnashext.dll
2015-11-10 20:54 - 2015-11-05 03:47 - 19326464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-11-10 20:54 - 2015-11-05 03:42 - 02647040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.dll
2015-11-10 20:54 - 2015-11-05 03:40 - 01918976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFMediaEngine.dll
2015-11-10 20:54 - 2015-11-05 03:35 - 18803712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2015-11-10 20:54 - 2015-11-05 03:35 - 02639872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\esent.dll
2015-11-10 20:54 - 2015-11-05 03:34 - 00311296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Devices.Usb.dll
2015-11-10 20:54 - 2015-11-05 03:33 - 01380864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-11-10 20:54 - 2015-11-05 03:33 - 00650240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-11-10 20:54 - 2015-11-05 03:30 - 00767488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2015-11-10 20:54 - 2015-11-05 03:28 - 11262976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-11-10 20:54 - 2015-11-05 03:27 - 02049536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepository.dll
2015-11-10 20:54 - 2015-11-05 03:27 - 00464896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.dll
2015-11-10 20:54 - 2015-11-05 03:23 - 00441344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dlnashext.dll
2015-11-09 00:52 - 2015-11-09 00:52 - 00095822 _____ C:\Users\john\Desktop\Troubleshoot HP Installation Failure - Network.hta
2015-11-09 00:36 - 2015-11-09 00:36 - 00000000 ____D C:\Users\john\AppData\Roaming\Hewlett-Packard
2015-11-09 00:33 - 2015-11-09 00:52 - 00000000 ____D C:\Program Files (x86)\HP
2015-11-09 00:33 - 2015-11-09 00:33 - 00002281 _____ C:\Users\Public\Desktop\HP Officejet Pro 8610.lnk
2015-11-09 00:33 - 2015-11-09 00:33 - 00001233 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Officejet Pro 8610.lnk
2015-11-09 00:33 - 2015-11-09 00:33 - 00000000 ____D C:\Program Files\HP
2015-11-09 00:33 - 2014-07-21 16:31 - 00763912 ____N (Hewlett-Packard Development Company, LP) C:\WINDOWS\system32\HPDiscoPM7112.dll
2015-11-09 00:32 - 2015-11-09 00:33 - 40247720 _____ C:\Users\john\Downloads\OJ8610_Basicx64_198.exe
2015-11-09 00:30 - 2015-11-09 00:30 - 00002308 _____ C:\Users\john\Desktop\HP Support Assistant.lnk
2015-11-09 00:29 - 2015-11-12 01:08 - 00000000 ____D C:\Users\john\AppData\Roaming\hpqLog
2015-11-09 00:29 - 2015-11-09 00:33 - 00000000 ____D C:\Users\john\AppData\Local\HP
2015-11-09 00:29 - 2015-11-09 00:30 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2015-11-09 00:29 - 2015-11-09 00:29 - 00000000 ____D C:\System.sav
2015-11-09 00:27 - 2015-11-17 20:54 - 00000000 ____D C:\WINDOWS\System32\Tasks\Hewlett-Packard
2015-11-09 00:27 - 2015-11-09 01:11 - 00000000 ____D C:\Users\john\AppData\Local\Hewlett-Packard
2015-11-09 00:26 - 2015-11-09 00:27 - 03774136 _____ (Oleg N. Scherbakov) C:\Users\john\Downloads\HPSupportSolutionsFramework-12.0.30.81 (2).exe
2015-11-09 00:25 - 2015-11-09 00:25 - 03774136 _____ (Oleg N. Scherbakov) C:\Users\john\Downloads\HPSupportSolutionsFramework-12.0.30.81 (1).exe
2015-11-09 00:24 - 2015-11-09 00:29 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2015-11-09 00:23 - 2015-11-09 00:24 - 03774136 _____ (Oleg N. Scherbakov) C:\Users\john\Downloads\HPSupportSolutionsFramework-12.0.30.81.exe
2015-11-06 22:40 - 2015-11-06 22:40 - 00003798 _____ C:\WINDOWS\System32\Tasks\Java Platform SE Auto Updater
2015-11-01 02:58 - 2015-11-12 01:00 - 00000000 ____D C:\Users\john\Desktop\aiki pics

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-29 23:48 - 2015-10-17 08:26 - 00000000 ____D C:\Windows
2015-11-29 23:35 - 2015-10-17 22:30 - 00000912 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-29 23:35 - 2015-10-17 22:30 - 00000908 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-29 17:28 - 2015-10-28 01:07 - 00004152 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{AC924FE6-05FB-474F-9A96-842D3FDD818A}
2015-11-29 17:27 - 2015-10-17 08:44 - 00000000 ____D C:\WINDOWS\INF
2015-11-29 17:27 - 2015-10-17 08:24 - 00875126 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-11-29 17:22 - 2015-10-17 08:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-11-29 17:21 - 2015-10-17 08:26 - 01048576 ___SH C:\WINDOWS\system32\config\BBI
2015-11-29 09:03 - 2015-10-17 08:26 - 00032768 ___SH C:\WINDOWS\system32\config\ELAM
2015-11-29 09:01 - 2015-10-17 08:46 - 00000000 ___HD C:\Program Files\WindowsApps
2015-11-29 09:01 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-11-24 12:18 - 2015-10-17 08:18 - 00000000 ____D C:\Users\Michelle
2015-11-23 20:21 - 2015-10-17 20:16 - 00000000 ____D C:\WINDOWS\System32\Tasks\NCH Software
2015-11-22 03:10 - 2015-03-14 23:40 - 00000000 ____D C:\Users\john\Desktop\Banking
2015-11-18 19:37 - 2015-10-28 01:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-11-18 01:26 - 2015-08-23 03:43 - 00000000 ____D C:\Users\john\Desktop\mp3
2015-11-17 10:40 - 2015-10-17 19:11 - 00000000 ____D C:\Users\Michelle\AppData\Local\Packages
2015-11-15 05:07 - 2015-10-17 08:18 - 00000000 ____D C:\Users\john
2015-11-13 00:55 - 2015-10-17 16:46 - 00000000 ____D C:\Users\john\AppData\Local\Packages
2015-11-12 22:36 - 2015-10-17 22:31 - 00002264 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-11-11 19:56 - 2015-08-25 21:53 - 00000000 ____D C:\Users\john\Desktop\ebay images
2015-11-11 19:53 - 2015-10-17 08:04 - 00361976 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-11-11 19:50 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\SysWOW64\en-GB
2015-11-11 19:50 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\system32\en-GB
2015-11-11 19:50 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-11-10 21:18 - 2015-10-17 19:14 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-11-10 21:18 - 2015-10-17 08:35 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-11-10 21:12 - 2015-10-17 19:14 - 145617392 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-11-09 01:09 - 2015-02-04 23:06 - 00000000 ____D C:\Users\john\Desktop\psychiatry
2015-11-09 00:12 - 2015-10-27 00:39 - 00000000 ____D C:\Users\john\AppData\Local\ElevatedDiagnostics
2015-11-08 22:40 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\rescache
2015-11-06 13:16 - 2015-10-17 19:17 - 00002351 _____ C:\Users\Michelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-11-06 13:16 - 2015-08-06 09:43 - 00000000 ___RD C:\Users\Michelle\OneDrive
2015-11-04 22:53 - 2015-01-08 07:57 - 00000000 ____D C:\Users\john\Desktop\mywebsite
2015-11-03 18:20 - 2015-10-17 08:48 - 00810488 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-11-03 18:20 - 2015-10-17 08:48 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2015-11-09 00:29 - 2015-11-09 00:29 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-10-17 08:10 - 2015-10-17 08:10 - 0000000 _____ () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\john\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Michelle\AppData\Local\Temp\avguirn_081445423918.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-11-22 19:27

==================== End of FRST.txt ============================Additional scan result of Farbar Recovery Scan Tool (x64) Version:29-11-2015
Ran by john (2015-11-29 23:50:27)
Running from C:\Users\john\Downloads
Windows 10 Home (X64) (2015-10-17 08:20:55)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1248494375-3095192198-3662275328-500 - Administrator - Disabled) => C:\Users\Administrator
DefaultAccount (S-1-5-21-1248494375-3095192198-3662275328-503 - Limited - Disabled)
Guest (S-1-5-21-1248494375-3095192198-3662275328-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1248494375-3095192198-3662275328-1005 - Limited - Enabled)
john (S-1-5-21-1248494375-3095192198-3662275328-1001 - Administrator - Enabled) => C:\Users\john
Michelle (S-1-5-21-1248494375-3095192198-3662275328-1004 - Limited - Enabled) => C:\Users\Michelle

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: AVG Internet Security (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG Internet Security (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}
FW: AVG Internet Security (Enabled) {757AB44A-78C2-7D1A-E37F-CA42A037B368}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.245 - Adobe Systems Incorporated)
AVG (HKLM\...\AvgZen) (Version: 1.13.1.26255 - AVG Technologies)
AVG (Version: 16.4.7163 - AVG Technologies) Hidden
AVG 2016 (Version: 16.0.4477 - AVG Technologies) Hidden
AVG PC TuneUp (HKLM-x32\...\AVG PC TuneUp) (Version: 16.3.1.24857 - AVG Technologies)
AVG PC TuneUp (x32 Version: 16.3.3 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.4.7163 - AVG Technologies)
AVG Zen (Version: 1.13.1 - AVG Technologies) Hidden
CBReader (HKLM-x32\...\CBReader ) (Version: - ChessBase GmbH)
ELAN HIDI2C Filter Driver X64 13.6.1.1_WHQL (HKLM\...\Elantech) (Version: 13.6.1.1 - ELAN Microelectronic Corp.)
FMW 1 (Version: 1.22.2 - AVG Technologies) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 46.0.2490.86 - Google Inc.)
Google Update Helper (x32 Version: 1.3.28.15 - Google Inc.) Hidden
HP Officejet Pro 8610 Basic Device Software (HKLM\...\{39DA3F40-0B9E-4002-8E01-108FEC9EFE43}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP Support Assistant (HKLM-x32\...\{79C54A05-F146-4EA0-8A70-D4EFE6181E52}) (Version: 8.1.40.3 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{F6A11738-3EE4-4573-AEA5-6CD5D491C167}) (Version: 12.0.30.219 - Hewlett-Packard Company)
HPDiagnosticCoreDll (HKLM-x32\...\{9262B08F-E183-4FED-A2BD-23FF1A84EB79}) (Version: 1.0.15.0 - Hewlett Packard)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.15.4248 - Intel Corporation)
Java 8 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218065F0}) (Version: 8.0.650.17 - Oracle Corporation)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.6001.1038 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Mozilla Firefox 41.0.2 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 41.0.2 (x86 en-GB)) (Version: 41.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 41.0.2 - Mozilla)
Office 15 Click-to-Run Licensing Component (Version: 15.0.4763.1003 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6001.1038 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.6001.1038 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6001.1038 - Microsoft Corporation) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7535 - Realtek Semiconductor Corp.)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

27-10-2015 01:21:53 Installed AVG 2016
08-11-2015 22:34:39 Scheduled Checkpoint
11-11-2015 02:42:45 Installed Microsoft Visual C++ 2005 Redistributable

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-10-17 08:46 - 2015-10-17 08:43 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0C1FBBAC-0AEE-4BED-846C-7DB89B4D18A7} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe
Task: {2628813F-9E36-4465-889D-A6326E600410} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-17] (Google Inc.)
Task: {430C49A3-B744-4097-9D4D-28371DD68031} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Active Health Launcher => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2015-11-04] (Hewlett-Packard)
Task: {463ECFC6-2B63-4C3A-9917-5A921379AB42} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2015-11-04] (Hewlett-Packard)
Task: {492F568A-7033-4E26-9FFF-3475B27EE13D} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2013 => C:\Program Files (x86)\AVG\AVG PC TuneUp\OneClick.exe [2015-10-14] (AVG Technologies CZ, s.r.o.)
Task: {63EBD6BC-FA37-41E8-A98F-277F461C207E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)
Task: {6A7DF227-983A-49F1-8F98-DC8212B6F373} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2015-11-01] (Microsoft Corporation)
Task: {7A8FB4B0-789B-4ED9-B1A2-00319C831C3F} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2015-11-01] (Microsoft Corporation)
Task: {8039B42B-E6BF-42DE-AE10-505818A532CC} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2015-11-01] (Microsoft Corporation)
Task: {8A6B870C-3C3A-455A-B660-511559FFE69C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-17] (Google Inc.)
Task: {921B1AC0-3102-4FB4-85AB-3DE9146925A8} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2015-09-28] (Hewlett-Packard)
Task: {C2B907E9-E9DB-4BA1-8922-F6393C11644B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)
Task: {CE0AFA8E-970A-4D91-A123-644F1E180A34} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe
Task: {E413DEE5-2B4E-4090-885B-60E9F45CF5F1} - System32\Tasks\Java Platform SE Auto Updater => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2015-10-06] (Oracle Corporation)
Task: {ECBFC41D-86A9-4E34-A886-ABF1D7384E95} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-11-10] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-08-05 19:18 - 2015-08-05 19:18 - 00032768 ____N () C:\WINDOWS\SYSTEM32\licensemanagerapi.dll
2015-08-20 05:13 - 2015-08-11 09:13 - 00413184 ____N () C:\WINDOWS\System32\diagtrack_win.dll
2015-10-28 01:23 - 2015-11-01 02:11 - 00161448 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll
2015-10-03 13:10 - 2015-09-17 06:48 - 02494712 ____N () C:\WINDOWS\system32\CoreUIComponents.dll
2015-10-03 13:10 - 2015-09-17 06:48 - 02494712 ____N () C:\WINDOWS\System32\CoreUIComponents.dll
2015-11-18 19:35 - 2015-11-01 10:11 - 08901800 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2015-10-03 13:09 - 2015-09-17 05:48 - 00429056 ____N () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2015-10-03 13:09 - 2015-09-17 06:04 - 00642048 ____N () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\MtcUvc.dll
2015-07-10 10:59 - 2015-07-10 10:59 - 00143360 ____N () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\XamlTileRendering.dll
2015-11-21 17:21 - 2015-11-21 17:21 - 00012800 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_15.1120.13270.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
2015-11-21 17:21 - 2015-11-21 17:21 - 11526656 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_15.1120.13270.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
2015-11-19 22:07 - 2015-11-19 22:07 - 00258560 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_15.1120.13270.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll
2015-10-03 13:10 - 2015-09-17 05:44 - 06569472 ____N () C:\WINDOWS\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2015-10-03 13:09 - 2015-09-17 05:42 - 00471040 ____N () C:\WINDOWS\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2015-10-03 13:09 - 2015-09-17 05:42 - 01808384 ____N () C:\WINDOWS\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2015-10-03 13:10 - 2015-09-17 05:43 - 02274816 ____N () C:\WINDOWS\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2015-07-10 11:00 - 2015-07-10 16:28 - 00210432 ____N () C:\WINDOWS\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.ProxyStub.dll
2015-11-12 22:36 - 2015-11-07 04:36 - 01532744 _____ () C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.86\libglesv2.dll
2015-11-12 22:36 - 2015-11-07 04:36 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.86\libegl.dll
2015-11-12 22:36 - 2015-11-07 04:36 - 16496456 _____ () C:\Program Files (x86)\Google\Chrome\Application\46.0.2490.86\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1248494375-3095192198-3662275328-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\acer01.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: avgsvc => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: igfxCUIService2.0.0.0 => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: TuneUp.UtilitiesSvc => 2
HKLM\...\StartupApproved\Run32: => "AvgUi"
HKLM\...\StartupApproved\Run32: => "AVG_UI"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-1248494375-3095192198-3662275328-1001\...\StartupApproved\Run: => "OneDrive"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{38EF6CC1-176F-4FA7-8FC0-FC23C7918762}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{F3EA4E0F-773C-4DCD-AF90-6152C0E72237}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{F045D3F7-C346-42BA-9143-AF9044E36FB2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{635171E1-CADD-4FB2-986D-BC72DC3F45BB}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{1FFF9459-A515-431A-A72B-3D94313C37B4}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{A250D57E-214E-4B6B-B291-C0FE58ACBBA9}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{C5D33854-465D-4D0E-A36D-1E4517354485}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{1A7B69E4-7C37-4D02-B44D-1D62839AFCF6}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{6175F0E0-A76A-4BA1-9225-F9450B5482D5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4FC8E9C7-0FF5-4999-B8CE-ACB3EAC88983}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6C6D6048-9936-4C9C-8C40-B166765CB143}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\FaxApplications.exe
FirewallRules: [{60A17C5D-5C12-4A21-AA40-F0826B5EE165}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\DigitalWizards.exe
FirewallRules: [{1E6F3A53-BB13-46DD-8207-F1E2ADBD18C8}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\SendAFax.exe
FirewallRules: [{64FA3766-41F0-4892-8B54-5BD72F64C385}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\Bin\DeviceSetup.exe
FirewallRules: [{73B827B6-E32B-40C3-B1CD-C1E565A1F34B}] => (Allow) LPort=5357
FirewallRules: [{CD4AD8CF-CDB0-48CD-B049-D25103F2BEC8}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{BFFD5CE8-87B5-4897-AB59-932C72E448FC}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{5E9B02C5-F4F8-4976-BD25-DF3673F8E075}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/29/2015 11:46:24 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalogue is corrupt. 0xc0041801 (0xc0041801)

Error: (11/29/2015 11:46:21 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=4810 - base\appmodel\search\search\ytrip\tripoli\inverted\decodinglayerpages.h (425)}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The data is invalid. 0x8007000d (0x8007000d)

Error: (11/29/2015 01:26:17 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: JOHN2054)
Description: Activation of application Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (11/29/2015 00:59:39 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073418220

Error: (11/28/2015 00:59:39 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073418220

Error: (11/27/2015 00:59:40 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073418220

Error: (11/27/2015 00:23:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.10240.16515, time stamp: 0x55fa599a
Faulting module name: CoreUIComponents.dll, version: 0.0.0.0, time stamp: 0x55fa4b76
Exception code: 0xc0000005
Fault offset: 0x00000000000605ca
Faulting process ID: 0x14d8
Faulting application start time: 0xShellExperienceHost.exe0
Faulting application path: ShellExperienceHost.exe1
Faulting module path: ShellExperienceHost.exe2
Report ID: ShellExperienceHost.exe3
Faulting package full name: ShellExperienceHost.exe4
Faulting package-relative application ID: ShellExperienceHost.exe5

Error: (11/26/2015 00:59:39 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073418220

Error: (11/25/2015 03:16:23 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: JOHN2054)
Description: Activation of application Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (11/25/2015 00:59:41 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073418220


System errors:
=============
Error: (11/29/2015 06:38:17 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Access_Session1 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (11/29/2015 06:38:17 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Storage_Session1 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (11/29/2015 06:38:17 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Contact Data_Session1 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (11/29/2015 06:38:17 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_Session1 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (11/29/2015 05:26:40 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/29/2015 05:26:39 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/29/2015 05:26:38 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/29/2015 05:26:37 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/29/2015 05:26:36 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable

Error: (11/29/2015 05:26:36 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-4005U CPU @ 1.70GHz
Percentage of memory in use: 20%
Total physical RAM: 16307.27 MB
Available physical RAM: 12920.48 MB
Total Virtual: 18739.27 MB
Available Virtual: 15020.83 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:914.92 GB) (Free:756.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 5FB7B9DB)

Partition: GPT.

==================== End of Addition.txt ============================
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm
Advertisement
Register to Remove

Re: help my desktop has been deleted!?

Unread postby capnkrunch » December 3rd, 2015, 12:58 am

Warning!
The steps presented in these posts are for this person and machine ONLY. Do not apply these steps to your own system, without the guidance of a trained malware removal helper. Doing so, may possibly damage your system, preventing it from starting.

Hello john2054 and welcome to the Malware Removal Forums :)

My name is capnkrunch and I will be helping you with your malware problems. I'm an Undergraduate trainee here, and as such my posts to you have to first be checked by a Teacher, because of this my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.

I apologize for the delay in responding to your log. If you no longer require help, please let me know in your reply.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  • You must have Administrator rights, permissions for this computer.
  • DO NOT run any other fix or removal tools unless instructed to do so.
  • DO NOT install any other software (or hardware) during the cleaning process.
  • Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  • Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  • Only reply to this thread, do not start another ... Please, continue responding, until I give you the "All Clean".
    Remember, absence of symptoms does mean the infection is all gone.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Failure to respond for 3 days, will result in your topic being closed.

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Malware removal:
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care, not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

For your safety and protection, I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to backup any files with the following file extensions:
exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: help my desktop has been deleted!?

Unread postby capnkrunch » December 3rd, 2015, 2:04 am

Hello john2054 :)

Registry Cleaners
There are signs that you have registry cleaners/optimizers (AVG PC TuneUp) installed on your computer. These programs have little to no benefit and the potential to cause great harm to your system; because of this we recommend removing them. The Windows registry is very resilient, it can handle thousands of old entries without any performance penalties. In addition, making changes to the registry without expert supervision can cause problems, potential severe enough to require a reinstallation of your operating system. This is the basis for our recommendation to avoid these programs. This is also in line with Microsoft's official position:
"Microsoft does not support the use of registry cleaners."

Of course, in the end it is your computer and your choice, but if you choose to remove this program I have included instructions to do so below.

If you are interested in more information the Malwarebytes Unpacked blog has an article called Registry Cleaners: Digital Snake Oil.

First...

Before we begin we need to create a backup of your registry that we can restore to in case anything goes wrong.

Create a Backup With Tweaking.com Registry Backup (TCRB)
There is also a tutorial with pictures available HERE.
  • Download TCRB from HERE and save it to your Desktop.
  • Double-click on tweaking.com_registry_backup_setup.exe and follow the prompts to install TCRB.
  • Double-click on the Tweaking.com Registry Backup icon on your desktop to open the program.
  • It should open with the Backup Registry tab selected and all options checked. If any boxes are unchecked be sure to check them.
  • Click on Backup Now.
  • Once it is finished you will see a message saying something like Successful 12/12 Registry Files Backed Up <--- (the number of files may vary).
  • You can now exit the program.

STOP! Do not proceed any further if you were not able to create a registry backup and System Restore Point. Post back with what happened so we can determine why it was unsuccessful.

Next...

Uninstall Programs
  • Click on Start.
  • Enter appwiz.cpl into the Search programs and files text box and press Enter.
  • Locate the following programs:
    AVG PC TuneUp
    Java 8 Update 65
  • Press the Uninstall or Uninstall/Change button and carefully follow any prompts to uninstall the program.
    • Take care to read through any prompts completely! Some uninstallers may attempt to trick you into keeping the program.
    • Do this for every program listed.
    • Don't worry if you can't find one of the programs. Just be sure to let me know in your reply.
  • Once finished reboot your computer.

Next...

Since it has been several days since you ran FRST I would like to see a new log. I did not see any signs of malware in your first log but I'd also like to see couple other logs to make sure.

FRST Scan
  • You should still have FRST64.exe in your Downloads folder. If not, please download it from HERE.
  • Close all open programs.
  • Right-click FRST64.exe and select Run as administrator.
  • When the tool opens click Yes to the disclaimer.
  • If FRST asks to update itself please allow it to do so.
  • Press Scan button and wait while the scan finishes.
  • This time, only FRST.txt will be produced. Please copy and paste the contents of this log in your reply.
    The log can also be found in the same directory where FRST was run from.

Next...

Malwarebytes Anti-Malware (MBAM) Scan
  • Please download Malwarebytes Anti-Malware.
  • Double-click the mbam-setup-*version*.exe file and follow any prompts to install MBAM. Before you click Finish ensure that Lauch Malwarebytes Anti-Malware is checked.
  • When MBAM launches all it to update its databases if prompted. You will need to be connected to the internet for this.
  • Click Scan Now. MBAM will proceed to scan your computer.
    • Be patient as this may take some time.
    • If MBAM finds any malware it will automatically quarantine it.
  • If prompted to allow a reboot please do so.
    Failing to reboot when asked can prevent MBAM from removing all the malware it finds.
  • Once the scan is finished click Save Results >> in the bottom right corner and select Copy to Clipboard. Paste the results in your next reply.
    The log file can also be found at C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs. Look for the one with the current date and time.

Next...

It looks like you have run RogueKiller recently. I would like to see the log. It should be in the same directory as RogueKiller.exe (your Downloads folder) and named RKreport[0]_S_MMDDYYYY_HHMMSS.txt where MMDDYYY_HHMMSS is the time and date RogueKiller was run.

Please post all logs seperately to avoid being cut off and in the requested order.

In your next reply please include:
  • Did you have any problems with the instructions?
  • FRST.txt
  • The MBAM log
  • RKreport[0]_S_MMDDYYYY_HHMMSS.txt
  • Are there any changes in computer behavior?
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: help my desktop has been deleted!?

Unread postby john2054 » December 3rd, 2015, 5:45 pm

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:01-12-2015
Ran by john (administrator) on JOHN2054 (03-12-2015 20:52:00)
Running from C:\Users\john\Downloads
Loaded Profiles: john (Available Profiles: john & Michelle & Administrator)
Platform: Windows 10 Home (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MouseDriver] => C:\WINDOWS\system32\TiltWheelMouse.exe [241152 2013-04-09] (Pixart Imaging Inc)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13885696 2015-06-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguix.exe [1130408 2015-10-16] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3812264 2015-10-12] (AVG Technologies CZ, s.r.o.)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{d8766016-3ff0-4478-be0e-2e2acec5c62a}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2015-11-01] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2015-11-01] (Microsoft Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll => No File
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL => No File
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - No File
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2015-11-01] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\john\AppData\Roaming\Mozilla\Firefox\Profiles\axx3nzab.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-27] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-27] ()
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2015-11-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-10-17] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\john\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-17]
CHR Extension: (Google Docs) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-17]
CHR Extension: (Google Drive) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-17]
CHR Extension: (Google Search) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Google Sheets) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-17]
CHR Extension: (Google Docs Offline) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-17]
CHR Extension: (Gmail) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-17]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [604712 2015-10-12] (AVG Technologies CZ, s.r.o.)
R2 avgfws; C:\Program Files (x86)\AVG\Av\avgfws.exe [1568848 2015-10-12] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3792880 2015-10-12] (AVG Technologies CZ, s.r.o.)
S4 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1046952 2015-10-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [596344 2015-10-12] (AVG Technologies CZ, s.r.o.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2869432 2015-11-01] (Microsoft Corporation)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
S4 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [370064 2015-10-17] (Intel Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [362928 2015-07-10] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-07-10] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\System32\drivers\athwbx.sys [3888640 2014-02-14] (Qualcomm Atheros Communications, Inc.)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [23152 2015-09-09] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [197040 2015-08-10] (AVG Technologies CZ, s.r.o.)
R1 Avgfwfd; C:\Windows\system32\DRIVERS\avgfwd6a.sys [97208 2015-08-29] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [312752 2015-09-11] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [298416 2015-08-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [293296 2015-08-10] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [251312 2015-08-10] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-08-10] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [314800 2015-08-31] (AVG Technologies CZ, s.r.o.)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [237568 2015-07-10] (Microsoft Corporation)
S3 ElcMouLFlt; C:\Windows\System32\drivers\ElcMouLFlt.sys [28648 2015-10-17] (ELECOM)
S3 ElcMouUFlt; C:\Windows\System32\drivers\ElcMouUFlt.sys [27624 2015-10-17] (ELECOM)
R3 ETDI2C; C:\Windows\System32\drivers\ETDI2C.sys [173384 2014-04-09] (ELAN Microelectronic Corp.)
S3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [120312 2014-06-02] (Intel Corporation)
S3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-07-17] (Acer Incorporated)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
S3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [14680 2013-07-17] (Acer Incorporated)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [886528 2015-07-22] (Realtek )
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [761600 2015-06-24] (Realsil Semiconductor Corporation)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-11-28] ()
S3 t_mouse.sys; C:\Windows\System32\drivers\t_mouse.sys [6144 2013-04-09] ()
S3 UdeCx; C:\Windows\System32\drivers\udecx.sys [44032 2015-07-10] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-07-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [291680 2015-07-10] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [119648 2015-07-10] (Microsoft Corporation)
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-03 20:51 - 2015-12-03 20:51 - 02350080 _____ (Farbar) C:\Users\john\Downloads\FRST64.exe
2015-12-03 20:47 - 2015-12-03 20:47 - 00016148 _____ C:\WINDOWS\system32\JOHN2054_john_HistoryPrediction.bin
2015-12-03 20:34 - 2015-12-03 20:34 - 00000207 _____ C:\WINDOWS\tweaking.com-regbackup-JOHN2054-Windows-10-Home-(64-bit).dat
2015-12-03 20:34 - 2015-12-03 20:34 - 00000000 ____D C:\RegBackup
2015-12-03 20:33 - 2015-12-03 20:33 - 04777232 _____ (Tweaking.com) C:\Users\john\Downloads\tweaking.com_registry_backup_setup.exe
2015-12-03 20:33 - 2015-12-03 20:33 - 00016383 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
2015-12-03 20:33 - 2015-12-03 20:33 - 00002316 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2015-12-03 20:33 - 2015-12-03 20:33 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2015-12-03 20:16 - 2015-12-03 20:16 - 00016148 _____ C:\WINDOWS\system32\JOHN2054_Michelle_HistoryPrediction.bin
2015-12-01 14:38 - 2015-12-01 14:39 - 00276712 _____ C:\WINDOWS\Minidump\120115-54203-01.dmp
2015-11-29 23:50 - 2015-11-29 23:51 - 00022861 _____ C:\Users\john\Downloads\Addition.txt
2015-11-29 23:49 - 2015-12-03 20:52 - 00012141 _____ C:\Users\john\Downloads\FRST.txt
2015-11-29 23:48 - 2015-12-03 20:52 - 00000000 ____D C:\FRST
2015-11-28 01:42 - 2015-11-28 01:42 - 00000000 ____D C:\Users\john\AppData\Local\Macromedia
2015-11-28 00:41 - 2015-11-28 00:41 - 19746888 _____ C:\Users\john\Downloads\RogueKiller.exe
2015-11-28 00:41 - 2015-11-28 00:41 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-11-28 00:17 - 2015-11-28 00:19 - 00002318 _____ C:\Users\john\Desktop\unhide.txt
2015-11-28 00:17 - 2015-11-28 00:17 - 00398752 _____ (Bleeping Computer, LLC) C:\Users\john\Downloads\unhide.exe
2015-11-27 01:05 - 2015-11-27 01:06 - 00000000 ____D C:\Users\john\AppData\Local\Adobe
2015-11-27 01:04 - 2015-11-27 01:04 - 01190616 _____ (Adobe Systems Incorporated) C:\Users\john\Downloads\flashplayer19_a_install.exe
2015-11-24 12:15 - 2015-12-01 14:38 - 00000000 ____D C:\WINDOWS\Minidump
2015-11-24 12:15 - 2015-11-24 12:15 - 00276712 _____ C:\WINDOWS\Minidump\112415-55234-01.dmp
2015-11-24 12:14 - 2015-12-01 14:38 - 627627876 _____ C:\WINDOWS\MEMORY.DMP
2015-11-22 02:46 - 2015-11-22 02:46 - 00000036 _____ C:\Users\john\Downloads\internet-radio.com.playlist.ram
2015-11-22 02:46 - 2015-11-22 02:46 - 00000036 _____ C:\Users\john\Downloads\internet-radio.com.playlist.m3u
2015-11-18 00:57 - 2015-11-18 01:03 - 495057348 _____ C:\Users\john\Downloads\rnb 2 mega mix.zip
2015-11-11 02:44 - 2015-11-11 03:19 - 00000000 ____D C:\Users\john\AppData\Roaming\ChessBase
2015-11-11 02:44 - 2015-11-11 02:44 - 00002132 _____ C:\Users\john\Desktop\CBReader .lnk
2015-11-11 02:44 - 2015-11-11 02:44 - 00000000 ____D C:\Users\john\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ChessBase
2015-11-11 02:42 - 2015-11-11 02:44 - 00000000 ____D C:\Users\john\AppData\Local\ChessBase
2015-11-11 02:42 - 2015-11-11 02:44 - 00000000 ____D C:\Program Files (x86)\ChessBase
2015-11-10 20:54 - 2015-11-05 05:15 - 08020832 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-11-10 20:54 - 2015-11-05 05:15 - 00541024 _____ (Microsoft Corporation) C:\WINDOWS\system32\mcupdate_GenuineIntel.dll
2015-11-10 20:54 - 2015-11-05 05:14 - 00459104 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netio.sys
2015-11-10 20:54 - 2015-11-05 05:13 - 00577888 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\afd.sys
2015-11-10 20:54 - 2015-11-05 05:11 - 01392480 _____ (Microsoft Corporation) C:\WINDOWS\system32\LicenseManager.dll
2015-11-10 20:54 - 2015-11-05 05:06 - 03621248 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-11-10 20:54 - 2015-11-05 05:06 - 00966416 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinapi.appcore.dll
2015-11-10 20:54 - 2015-11-05 05:01 - 00607408 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2015-11-10 20:54 - 2015-11-05 04:56 - 01083072 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-11-10 20:54 - 2015-11-05 04:56 - 00116064 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tdx.sys
2015-11-10 20:54 - 2015-11-05 04:56 - 00025280 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2015-11-10 20:54 - 2015-11-05 04:30 - 00961376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LicenseManager.dll
2015-11-10 20:54 - 2015-11-05 04:24 - 02878512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-11-10 20:54 - 2015-11-05 04:23 - 00762888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinapi.appcore.dll
2015-11-10 20:54 - 2015-11-05 04:23 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserbroker.dll
2015-11-10 20:54 - 2015-11-05 04:20 - 21873664 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2015-11-10 20:54 - 2015-11-05 04:18 - 24597504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-11-10 20:54 - 2015-11-05 04:18 - 03248128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.dll
2015-11-10 20:54 - 2015-11-05 04:18 - 00539728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
2015-11-10 20:54 - 2015-11-05 04:17 - 02418688 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFMediaEngine.dll
2015-11-10 20:54 - 2015-11-05 04:12 - 00515072 _____ (Microsoft Corporation) C:\WINDOWS\system32\internetmail.dll
2015-11-10 20:54 - 2015-11-05 04:11 - 00333312 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2015-11-10 20:54 - 2015-11-05 04:10 - 12504064 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-11-10 20:54 - 2015-11-05 04:10 - 02987520 _____ (Microsoft Corporation) C:\WINDOWS\system32\esent.dll
2015-11-10 20:54 - 2015-11-05 04:07 - 01068032 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-11-10 20:54 - 2015-11-05 04:06 - 00453120 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Devices.Usb.dll
2015-11-10 20:54 - 2015-11-05 04:05 - 01602560 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-11-10 20:54 - 2015-11-05 04:05 - 00826880 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-11-10 20:54 - 2015-11-05 04:03 - 02180608 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2015-11-10 20:54 - 2015-11-05 04:03 - 01015808 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXService.dll
2015-11-10 20:54 - 2015-11-05 04:01 - 00949760 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2015-11-10 20:54 - 2015-11-05 04:01 - 00713216 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgr.dll
2015-11-10 20:54 - 2015-11-05 04:01 - 00579072 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2015-11-10 20:54 - 2015-11-05 03:59 - 03587072 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2015-11-10 20:54 - 2015-11-05 03:59 - 02675200 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepository.dll
2015-11-10 20:54 - 2015-11-05 03:58 - 01383936 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2015-11-10 20:54 - 2015-11-05 03:58 - 00627712 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.dll
2015-11-10 20:54 - 2015-11-05 03:56 - 01795072 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2015-11-10 20:54 - 2015-11-05 03:55 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\dssvc.dll
2015-11-10 20:54 - 2015-11-05 03:54 - 00502272 _____ (Microsoft Corporation) C:\WINDOWS\system32\dlnashext.dll
2015-11-10 20:54 - 2015-11-05 03:47 - 19326464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-11-10 20:54 - 2015-11-05 03:42 - 02647040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.dll
2015-11-10 20:54 - 2015-11-05 03:40 - 01918976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFMediaEngine.dll
2015-11-10 20:54 - 2015-11-05 03:35 - 18803712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2015-11-10 20:54 - 2015-11-05 03:35 - 02639872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\esent.dll
2015-11-10 20:54 - 2015-11-05 03:34 - 00311296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Devices.Usb.dll
2015-11-10 20:54 - 2015-11-05 03:33 - 01380864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-11-10 20:54 - 2015-11-05 03:33 - 00650240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-11-10 20:54 - 2015-11-05 03:30 - 00767488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2015-11-10 20:54 - 2015-11-05 03:28 - 11262976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-11-10 20:54 - 2015-11-05 03:27 - 02049536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepository.dll
2015-11-10 20:54 - 2015-11-05 03:27 - 00464896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.dll
2015-11-10 20:54 - 2015-11-05 03:23 - 00441344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dlnashext.dll
2015-11-09 00:52 - 2015-11-09 00:52 - 00095822 _____ C:\Users\john\Desktop\Troubleshoot HP Installation Failure - Network.hta
2015-11-09 00:36 - 2015-11-09 00:36 - 00000000 ____D C:\Users\john\AppData\Roaming\Hewlett-Packard
2015-11-09 00:33 - 2015-11-09 00:52 - 00000000 ____D C:\Program Files (x86)\HP
2015-11-09 00:33 - 2015-11-09 00:33 - 00002281 _____ C:\Users\Public\Desktop\HP Officejet Pro 8610.lnk
2015-11-09 00:33 - 2015-11-09 00:33 - 00001233 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Officejet Pro 8610.lnk
2015-11-09 00:33 - 2015-11-09 00:33 - 00000000 ____D C:\Program Files\HP
2015-11-09 00:33 - 2014-07-21 16:31 - 00763912 ____N (Hewlett-Packard Development Company, LP) C:\WINDOWS\system32\HPDiscoPM7112.dll
2015-11-09 00:32 - 2015-11-09 00:33 - 40247720 _____ C:\Users\john\Downloads\OJ8610_Basicx64_198.exe
2015-11-09 00:30 - 2015-11-09 00:30 - 00002308 _____ C:\Users\john\Desktop\HP Support Assistant.lnk
2015-11-09 00:29 - 2015-11-12 01:08 - 00000000 ____D C:\Users\john\AppData\Roaming\hpqLog
2015-11-09 00:29 - 2015-11-09 00:33 - 00000000 ____D C:\Users\john\AppData\Local\HP
2015-11-09 00:29 - 2015-11-09 00:30 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2015-11-09 00:29 - 2015-11-09 00:29 - 00000000 ____D C:\System.sav
2015-11-09 00:27 - 2015-11-17 20:54 - 00000000 ____D C:\WINDOWS\System32\Tasks\Hewlett-Packard
2015-11-09 00:27 - 2015-11-09 01:11 - 00000000 ____D C:\Users\john\AppData\Local\Hewlett-Packard
2015-11-09 00:26 - 2015-11-09 00:27 - 03774136 _____ (Oleg N. Scherbakov) C:\Users\john\Downloads\HPSupportSolutionsFramework-12.0.30.81 (2).exe
2015-11-09 00:25 - 2015-11-09 00:25 - 03774136 _____ (Oleg N. Scherbakov) C:\Users\john\Downloads\HPSupportSolutionsFramework-12.0.30.81 (1).exe
2015-11-09 00:24 - 2015-11-09 00:29 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2015-11-09 00:23 - 2015-11-09 00:24 - 03774136 _____ (Oleg N. Scherbakov) C:\Users\john\Downloads\HPSupportSolutionsFramework-12.0.30.81.exe
2015-11-06 22:40 - 2015-11-06 22:40 - 00003798 _____ C:\WINDOWS\System32\Tasks\Java Platform SE Auto Updater

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-03 20:51 - 2015-10-17 08:44 - 00000000 ____D C:\WINDOWS\INF
2015-12-03 20:51 - 2015-10-17 08:24 - 00875126 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-12-03 20:47 - 2015-10-17 22:30 - 00000908 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-03 20:45 - 2015-10-17 08:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-12-03 20:44 - 2015-10-17 08:26 - 01048576 ___SH C:\WINDOWS\system32\config\BBI
2015-12-03 20:38 - 2015-10-17 22:17 - 00000000 ____D C:\Users\john\AppData\Local\AvgSetupLog
2015-12-03 20:35 - 2015-10-17 22:30 - 00000912 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-03 20:34 - 2015-10-17 08:26 - 00000000 ____D C:\Windows
2015-12-03 20:24 - 2015-10-28 01:07 - 00004152 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{AC924FE6-05FB-474F-9A96-842D3FDD818A}
2015-12-03 20:24 - 2015-10-17 08:46 - 00000000 ___HD C:\Program Files\WindowsApps
2015-12-03 20:24 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-11-30 21:42 - 2015-10-27 00:39 - 00000000 ____D C:\Users\john\AppData\Local\ElevatedDiagnostics
2015-11-30 21:34 - 2015-03-14 23:40 - 00000000 ____D C:\Users\john\Desktop\Banking
2015-11-29 09:03 - 2015-10-17 08:26 - 00032768 ___SH C:\WINDOWS\system32\config\ELAM
2015-11-24 12:18 - 2015-10-17 08:18 - 00000000 ____D C:\Users\Michelle
2015-11-23 20:21 - 2015-10-17 20:16 - 00000000 ____D C:\WINDOWS\System32\Tasks\NCH Software
2015-11-18 19:37 - 2015-10-28 01:23 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-11-18 01:26 - 2015-08-23 03:43 - 00000000 ____D C:\Users\john\Desktop\mp3
2015-11-17 10:40 - 2015-10-17 19:11 - 00000000 ____D C:\Users\Michelle\AppData\Local\Packages
2015-11-15 05:07 - 2015-10-17 08:18 - 00000000 ____D C:\Users\john
2015-11-13 00:55 - 2015-10-17 16:46 - 00000000 ____D C:\Users\john\AppData\Local\Packages
2015-11-12 22:36 - 2015-10-17 22:31 - 00002264 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-11-12 01:00 - 2015-11-01 02:58 - 00000000 ____D C:\Users\john\Desktop\aiki pics
2015-11-11 19:56 - 2015-08-25 21:53 - 00000000 ____D C:\Users\john\Desktop\ebay images
2015-11-11 19:53 - 2015-10-17 08:04 - 00361976 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-11-11 19:50 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\SysWOW64\en-GB
2015-11-11 19:50 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\system32\en-GB
2015-11-11 19:50 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-11-10 21:18 - 2015-10-17 19:14 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-11-10 21:18 - 2015-10-17 08:35 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-11-10 21:12 - 2015-10-17 19:14 - 145617392 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-11-09 01:09 - 2015-02-04 23:06 - 00000000 ____D C:\Users\john\Desktop\psychiatry
2015-11-08 22:40 - 2015-10-17 08:46 - 00000000 ____D C:\WINDOWS\rescache
2015-11-06 13:16 - 2015-10-17 19:17 - 00002351 _____ C:\Users\Michelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-11-06 13:16 - 2015-08-06 09:43 - 00000000 ___RD C:\Users\Michelle\OneDrive
2015-11-04 22:53 - 2015-01-08 07:57 - 00000000 ____D C:\Users\john\Desktop\mywebsite
2015-11-03 18:20 - 2015-10-17 08:48 - 00810488 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-11-03 18:20 - 2015-10-17 08:48 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2015-11-09 00:29 - 2015-11-09 00:29 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-10-17 08:10 - 2015-10-17 08:10 - 0000000 _____ () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\john\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Michelle\AppData\Local\Temp\avguirn_081445423918.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-11-30 21:41

==================== End of FRST.txt ============================
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 03/12/2015
Scan Time: 20:55
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.03.05
Rootkit Database: v2015.11.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: john

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 401645
Time Elapsed: 17 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)RogueKiller V11.0.0.0 (x64) [Nov 27 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10240) 64 bits version
Started in : Normal mode
User : john [Administrator]
Started from : C:\Users\john\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 12/03/2015 21:35:51

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Partner -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10JPVX-22JC3T0 +++++
--- User ---
[MBR] 677ee91fb788f81b3c0ae9f7a1c6bfdc
[BSP] d57371aa4320d3b78ea70e93d94a1d80 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1845248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2107392 | Size: 936883 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1920843776 | Size: 15957 MB
User = LL1 ... OK
User = LL2 ... OK

Please note Roguekiller picked up something in the registry. Should i delete this? And by the way please be courteous in your replies to me thanks! John Robinson.
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm

Re: help my desktop has been deleted!?

Unread postby capnkrunch » December 5th, 2015, 2:32 pm

Hello John :)

Good job running those scans.

john2054 wrote:And by the way please be courteous in your replies to me thanks!

I apologize if I was discourteous, that certainly wasn't my intention. Please let me know what I said that was offensive so I can do better in the future.

john2054 wrote:Please note Roguekiller picked up something in the registry. Should i delete this?

RogueKiller flagged it as a Potentially Unwanted Program. These generally include things like search hijackers or adware or even just programs with questionable privacy policies. While annoying they usually wouldn't cause the symptoms you are experiencing and I think this is actually a false positive detection by RogueKiller. Let's try a couple more scans to double check before we remove it.

First...

FRST Fix
  • You should still have FRST64.exe in your Downloads folder. If not, please download it from HERE.
  • Press the Windows Key + R.
  • Type notepad.exe into the text box and click OK.
  • A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, Do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    2015-11-06 22:40 - 2015-11-06 22:40 - 00003798 _____ C:\WINDOWS\System32\Tasks\Java Platform SE Auto Updater
    Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - No File
    Task: {E413DEE5-2B4E-4090-885B-60E9F45CF5F1} - System32\Tasks\Java Platform SE Auto Updater => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2015-10-06] (Oracle Corporation)
    CHR Extension: (YouTube) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-17]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-17] 
    
    Folder: C:\Users\john\Desktop
    Folder: C:\Users
    Reg: reg query HKEY_LOCAL_MACHINE\Software\Partner /s
    EmptyTemp:
  • Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  • Right click on FRST64.exe and select Run as administrator.
  • Press the Fix button one time only and wait.
  • FRST will reboot your computer to complete the fix.
  • On reboot a log Fixlog.txt will be created in your Downloads folder. Copy and paste the contents in your reply.

Next...

AdwCleaner Scan
  • Please download AdwCleaner by Xplode.
  • Close all open programs.
  • Right click on adwcleaner.exe and click Run as administrator.
  • Click on the Scan button.
    When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
  • Do not attempt to clean anything at this point.
  • Click on the Logfile button.
  • This will open a file, AdwCleaner[S1].txt. Copy and paste the contents of that logfile in your reply.

Next...

Junkware Removal Tool (JRT)
  • Please download Junkware Removal Tool (JRT) by Malwarebytes.
  • Close all open programs.
  • Right click on JRT.exe and select Run as administrator.
  • When the tool loads press any key to start the scan.
  • When JRT finishes it will open a log in Notepad, JRT.txt. Copy and paste the contents in your reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • Fixlog.txt
  • AdwCleaner[S1].txt
  • JRT.txt
  • Are there any changes in computer behavior?
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: help my desktop has been deleted!?

Unread postby john2054 » December 6th, 2015, 5:02 pm

i have completed the frst fix, but where it says the fix should reboot the computer, nothing has happened. What do i do now?
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm

Re: help my desktop has been deleted!?

Unread postby capnkrunch » December 6th, 2015, 11:06 pm

Hello John :)

john2054 wrote:i have completed the frst fix, but where it says the fix should reboot the computer, nothing has happened. What do i do now?

I'm sorry, I think my instructions were not very good there. I've changed them and the script slightly so please give it another shot following this post.

FRST Fix
  • Open your Downloads folder.
  • If FRST64.exe is not there, please download it from HERE.
  • If there are any fixlist.txt or Fixlog.txt files present, please delete them.
  • Press the Windows Key + R.
  • Type notepad.exe into the text box and click OK.
  • A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, Do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    2015-11-06 22:40 - 2015-11-06 22:40 - 00003798 _____ C:\WINDOWS\System32\Tasks\Java Platform SE Auto Updater
    Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - No File
    Task: {E413DEE5-2B4E-4090-885B-60E9F45CF5F1} - System32\Tasks\Java Platform SE Auto Updater => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2015-10-06] (Oracle Corporation)
    CHR Extension: (YouTube) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-17]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-17] 
    
    CMD: dir C:\Users\john\Desktop
    CMD: dir C:\Users
    Reg: reg query HKEY_LOCAL_MACHINE\Software\Partner /s
    EmptyTemp:
  • Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  • Right click on FRST64.exe and select Run as administrator.
  • Press the Fix button one time only and wait.
  • After you click the Fix button please take note of the following:
    If you get a pop-up that says "No fixlist.txt found." open up your Downloads folder and make sure both FRST64.exe and fixlist.txt are there then try again.
  • Once finished you should get a pop-up saying "Fix completed". It should also say "Click OK to restart."
  • Click OK.
  • Your computer should now restart. On reboot navigate to your Downloads folder where there you should find Fixlog.txt. Copy and paste the contents in your reply.
    If something else happens please note the following:
    • Did the program close or remain open?
    • Was there any message given? If so what did it say?
    • Is there still a fixlist.txt file in your Downloads folder?
    • Is there a Fixlog.txt file in your Downloads folder? If so please post the contents.

    If you do get a Fixlog.txt then please go ahead and continue with the AdwCleaner and JRT scans from my last post.

    In your next reply please include:
    • Did you have any problems with the instructions?
    • Fixlog.txt
    • AdwCleaner[S1].txt
    • JRT.txt
    • Are there any changes in computer behavior?
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: help my desktop has been deleted!?

Unread postby capnkrunch » December 9th, 2015, 12:21 am

Hello John :)

It has been 48 hours since my last post.
  • Do you still need help?
  • Do you need more time?
  • Are you having problems following my instructions?
  • According to Malware Removal's latest policy, topics can be closed after 3 days without a response.
  • If you do not reply within the next 24 hours, this topic will be closed.
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: help my desktop has been deleted!?

Unread postby john2054 » December 9th, 2015, 11:05 am

Hi Cap, yes i haven't gotten round to looking at it again. Please give me some more time thanks. John.
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm

Re: help my desktop has been deleted!?

Unread postby capnkrunch » December 9th, 2015, 4:56 pm

Hello John :)
john2054 wrote:Hi Cap, yes i haven't gotten round to looking at it again. Please give me some more time thanks.

Thank you for letting me know. Please post the requested logs when you are ready.
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: help my desktop has been deleted!?

Unread postby john2054 » December 11th, 2015, 6:56 pm

Fix result of Farbar Recovery Scan Tool (x64) Version:05-12-2015
Ran by john (2015-12-11 20:53:00) Run:1
Running from C:\Users\john\Downloads
Loaded Profiles: john (Available Profiles: john & Michelle & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
2015-11-06 22:40 - 2015-11-06 22:40 - 00003798 _____ C:\WINDOWS\System32\Tasks\Java Platform SE Auto Updater
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - No File
Task: {E413DEE5-2B4E-4090-885B-60E9F45CF5F1} - System32\Tasks\Java Platform SE Auto Updater => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2015-10-06] (Oracle Corporation)
CHR Extension: (YouTube) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-17]
CHR Extension: (Chrome Web Store Payments) - C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-17]

CMD: dir C:\Users\john\Desktop
CMD: dir C:\Users
Reg: reg query HKEY_LOCAL_MACHINE\Software\Partner /s
EmptyTemp:
*****************

C:\WINDOWS\System32\Tasks\Java Platform SE Auto Updater => moved successfully
"HKCR\PROTOCOLS\Handler\osf" => key removed successfully
HKCR\CLSID\{D924BDC6-C83A-4BD5-90D0-095128A113D1} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E413DEE5-2B4E-4090-885B-60E9F45CF5F1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E413DEE5-2B4E-4090-885B-60E9F45CF5F1}" => key removed successfully
C:\WINDOWS\System32\Tasks\Java Platform SE Auto Updater => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Java Platform SE Auto Updater" => key removed successfully
C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo => moved successfully
C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully

========= dir C:\Users\john\Desktop =========

Volume in drive C is Acer
Volume Serial Number is 98E8-C805

Directory of C:\Users\john\Desktop

11/12/2015 16:07 <DIR> .
11/12/2015 16:07 <DIR> ..
12/11/2015 01:00 <DIR> aiki pics
09/10/2015 23:18 153,780 AVGInstLog.cab
30/11/2015 21:34 <DIR> Banking
11/11/2015 02:44 2,132 CBReader .lnk
13/07/2015 23:44 <DIR> dropship
27/09/2008 11:12 755,685 DSC00013.JPG
11/11/2015 19:56 <DIR> ebay images
15/03/2015 20:38 325 HP Printer Diagnostic Tools.url
09/11/2015 00:30 2,308 HP Support Assistant.lnk
12/10/2015 23:49 4,051 JRT.txt
01/06/2015 22:20 31,988 legalv1.docx
17/03/2015 21:18 <DIR> mem stick
18/11/2015 01:26 <DIR> mp3
23/08/2015 01:59 <DIR> music
04/11/2015 22:53 <DIR> mywebsite
11/12/2015 16:07 981 PDF Reader for Windows 10.lnk
09/11/2015 01:09 <DIR> psychiatry
17/10/2015 16:49 25,658 Removed Applications.html
06/10/2013 19:01 2,582,425 Steiner - MINDSET BOOK.pdf
09/11/2015 00:52 95,822 Troubleshoot HP Installation Failure - Network.hta
28/11/2015 00:19 2,318 unhide.txt
18/09/2015 22:36 <DIR> university
12 File(s) 3,657,473 bytes
12 Dir(s) 803,332,984,832 bytes free

========= End of CMD: =========


========= dir C:\Users =========

Volume in drive C is Acer
Volume Serial Number is 98E8-C805

Directory of C:\Users

17/10/2015 08:18 <DIR> .
17/10/2015 08:18 <DIR> ..
17/10/2015 08:19 <DIR> Administrator
17/10/2015 08:05 <DIR> Default
15/11/2015 05:07 <DIR> john
24/11/2015 12:18 <DIR> Michelle
17/10/2015 08:19 <DIR> Public
0 File(s) 0 bytes
7 Dir(s) 803,332,980,736 bytes free

========= End of CMD: =========


========= reg query HKEY_LOCAL_MACHINE\Software\Partner /s =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

EmptyTemp: => 1.8 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 20:55:06 ====

here is the fixlog.txt I will do the other stuff after you have had a look at this first, okay? John.
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm

Re: help my desktop has been deleted!?

Unread postby capnkrunch » December 12th, 2015, 10:11 am

Hello John :)

Good job running the fix. It completed properly so let's go ahead and run AdwCleaner. We'll also run an online scanner that will take a more comprehensive look at your system.

Step one...

It looks like you already ran JRT. I would like to see that log. It is located on your Desktop. If you can not see your Desktop try this:
  • Click Start and then click File Explorer.
  • Copy and paste the following into the address bar and press Enter:
    C:\Users\john\Desktop
  • If you see JRT.txt copy and paste the contents in your reply. If not please let me know.

Step two...

AdwCleaner Scan
  • Please download AdwCleaner by Xplode.
  • Close all open programs.
  • Right click on adwcleaner.exe and click Run as administrator.
  • Click on the Scan button.
  • When the scan finishes click Cleaning.
  • Click OK then OK again to reboot your computer.
  • When your computer reboots a log AdwCleaner[S1].txt will open. Copy and paste the contents of that logfile in your reply.

Step three...

ESET Online Scanner
NOTE: ESET Online Scanner can be run from Internet Explorer, Firefox, or Chrome.
  • First please disable any antivirus you have active, as shown in this topic.
  • Close all open programs and windows.
  • Open your browser by right clicking and selecting Run as administrator.
  • Go to the ESET Online Scanner site.
  • Click on the green Run ESET Online Scanner button.
    • If using Firefox or Chrome, you will need to download a small utility.
      Double-click esetsmartinstaller_enu.exe to run it.
  • Check the box to agree to the terms of use and click Start.
    • If using Internet Explorer, click Install when prompted to install the add-on.
  • Check Enable detection of of potentially unwanted applications.
  • Click Advanced settings.
  • UNCHECK Remove found threats.
  • Ensure the following are checked:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start.
  • ESET Online Scanner will download its virus signature database then automatically start the scan.
    The scan will take a while. Please be patient and do not use your computer during the scan. Some people find it best to let the scan run overnight.
  • When the scan completes press the text: Image
  • Press the text: Image then save the file to your desktop as ESETScan.txt.
  • Press the Back button then press the Finish button.
  • Copy and paste the contents of ESETScan.txt in your next reply.
    Note: If no threats are found, there is no option to create a log. Just report back to me there was nothing found.
IMPORTANT: Do not forget to re-enable your antivirus software.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • JRT.txt
  • AdwCleaner[S1].txt
  • ESETScan.txt
  • Are there any changes in computer behavior?
User avatar
capnkrunch
MRU Graduate
MRU Graduate
 
Posts: 664
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: help my desktop has been deleted!?

Unread postby john2054 » December 13th, 2015, 5:07 pm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 10 Home x64
Ran by john on 13/10/2015 at 0:44:14.75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully deleted: [Service] vToolbarUpdater40.1.8 [Reboot required]



~~~ Tasks

Successfully deleted: [Task] C:\WINDOWS\system32\tasks\TuneUpUtilities_Task_BkGndMaintenance2013



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-1248494375-3095192198-3662275328-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\TuneUp Undelete
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E2BC9E6B-0D45-11E5-826A-F0761C31CEA2}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}



~~~ Files

Successfully deleted: [File] C:\Users\john\Appdata\Local\google\chrome\user data\default\local storage\hxxp_www.azlyrics.com_0.localstorage
Successfully deleted: [File] C:\Users\john\Appdata\Local\google\chrome\user data\default\local storage\hxxp_www.azlyrics.com_0.localstorage-journal
Successfully deleted: [File] C:\Users\john\Appdata\Local\google\chrome\user data\default\local storage\hxxp_www.metrolyrics.com_0.localstorage
Successfully deleted: [File] C:\Users\john\Appdata\Local\google\chrome\user data\default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
Successfully deleted: [File] C:\Users\john\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\pokki start menu.lnk
Successfully deleted: [File] C:\Users\Public\Desktop\ebay.lnk



~~~ Folders

Failed to delete: [Folder] C:\Users\john\Appdata\Local\pokki



~~~ FireFox

Successfully deleted: [File] C:\Users\john\AppData\Roaming\mozilla\firefox\profiles\dktlxplz.default\user.js
Successfully deleted: [File] C:\Users\john\AppData\Roaming\mozilla\firefox\profiles\dktlxplz.default\searchplugins\web search.xml
Successfully deleted the following from C:\Users\john\AppData\Roaming\mozilla\firefox\profiles\dktlxplz.default\prefs.js

user_pref(browser.search.defaultenginename, Web Search);
user_pref(browser.search.selectedEngine, Web Search);
user_pref(browser.startup.homepage, hxxp://homepage-web.com/?s=acer&m=start);



~~~ Chrome


[C:\Users\john\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\john\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\john\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\john\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 13/10/2015 at 0:49:58.09
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm

Re: help my desktop has been deleted!?

Unread postby john2054 » December 13th, 2015, 5:19 pm

# AdwCleaner v5.025 - Logfile created 13/12/2015 at 21:15:07
# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [Server]
# Operating system : Windows 10 Home (x64)
# Username : john - JOHN2054
# Running from : C:\Users\john\Downloads\adwcleaner_5.025.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

[-] [C:\Users\Michelle\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : uk.ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [778 bytes] ##########
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm

Re: help my desktop has been deleted!?

Unread postby john2054 » December 13th, 2015, 5:24 pm

sorry i have just noticed that before i tried to run the esetscan, and disable my avg antivirus software, i noticed that the avg antivirus software failed to load when i clicked on it, instead just presenting with a *dead* box. Can we fix this issue with my antivirus software before continuing please? What would you recommend to do this??

John
john2054
Active Member
 
Posts: 14
Joined: November 29th, 2015, 7:55 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 47 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware