Closed "HxTsr.exe"

[MJmusicguy 5]

9/6/2017 7:26:01 PM
Application Rule created for "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.8500.40725.0_x64__8wekyb3d8bbwe\HxTsr.exe"

ive looked it up and it appers to be rlated to office or outlook but i dont use office nor outlook so what is it also on a unrelated not EAM sees to hve crashed mysteriously but its not refelected in the logs atlest on screen

should i be concerned or am i just paranoid  

[Kevin Zoll 309]

You very likely have or had a trial version of MS Office that came with your Computer.

I am going to have you invoke WIndows File Protection by running the System File Checker.

System File Checker

• Click on Start and type cmd in the search box. Right click on cmd in the popup menu and select Run as Administrator.
• Another box will open, at the Command Prompt, type sfc /scannow and press Enter. (Note the gap between the c and the /)
• Let the check run to completion. DO NOT reboot the PC or close the cmd window.
• Copy & Paste the following command at the Command Prompt and press Enter:
  

findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\sfcdetails.txt

[MJmusicguy 5]

heres the file as requested I dont recall having office i may have had it when i first got the pc last year but Libre office has always been my suite of choice also why would EIS have crashed i sent a report in but did not entire my email i havnt had any issues till tonight 

sfcdetails.txt

[MJmusicguy 5]

would you like me to proceed with a farbar scan?

[Kevin Zoll 309]

THe system does not appear to have been corrupted according to that SFC scan log.

Yes, run a scan with FRST in accordance with the instructions in our start here thread.

[MJmusicguy 5]

Hi I will do so first thing tomorrow 

[MJmusicguy 5]

here are the logs requested

Addition.txt

FRST.txt

[Kevin Zoll 309]

MBAM and EIS are not compatible.  Use one or the other.

Other than some orphaned stuff and a restriction, nothing looks amiss.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2431762388-1408777004-2867943247-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2431762388-1408777004-2867943247-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-07-02] (Zemana Ltd.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [BtSendToMenuEx] -> {CF24E6B8-F148-4BCB-9108-ADF313966E80} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
Task: {08642EB7-349A-4269-8C5B-242809B23C7C} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[MJmusicguy 5]

here you are Kevin 

Fixlog.txt

[Kevin Zoll 309]

I apologize for the delay in getting back to you.

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[MJmusicguy 5]

Scan_170913-120149.txt

Addition.txt

FRST.txt

[Kevin Zoll 309]

Looking through the Event Lo g portion of the FRST logs, it appears that there may be an issue with Cryptographic Services on this system.

Let's try resetting some areas of Windows to their defaults.

Download Windows Repair by Tweaking.com http://www.tweaking.com/content/page/windows_repair_all_in_one.html to your desktop.  Use the direct download link for the Portable version of Windows Repair by Tweaking.com

• Double-click "tweaking.com_windows_repair_aio.zip" and extract the "Tweaking.com - Windows Repair" folder to your desktop.
• Now open this folder and double-click "Repair_Windows.exe".
• Click the "Repairs" tab on the far right.
• Click the "Open Repairs" button (bottom right)

Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.

• Click "Unselect All"
• Put a checkmark in the following items:
  • 01 - Reset Registry Permissions
  • 02 - Reset File Permissions
  • 03 - Reset Service Permissions
  • 04 - Register System Files
  • 05 - Repair WMI
  • 10 - Remove Policies Set By Infections
  • 19 - Repair Volume Shadow Copy Service
  • 21 - Repair MSI (Windows Installer)
  • 26 - Restore Important Windows Services
  • 27 - Set Windows Services To Default Startup
  • 28.01 - Repair Windows 8/10 App Store
  • 28.02 - Repair Windows 8/10 App Store (Completely Reset App Store)
  • 29 - Repair Windows 8/10 Component Store
  • 30 - Repair Windows 8/10 COM+ Unmarshalers
  • 31 - Repair Windows 'New' Submenu
  • 32 - Restore UAC (User Account Control) Settings
  • 33 - Repair Performance Counters

Note: Leave everything else unchecked

• Put a checkmark in "Restart System When Finished"
• Now click the "Start" button (bottom right)

Run a fresh scan with FRST, attach the new FRST scan logs to your reply.

 

[MJmusicguy 5]

Sorry Keven before proceeding can you clarify a bit and if this is a large concern because i do use https://www.safer-networking.org/spybot-anti-beacon/

  

[MJmusicguy 5]

im  worried that such actions could damge my system

 

[MJmusicguy 5]

i wont begin to pretend anything that program  did and as nervous as i was with it your the expert and know far more then little old me  here are the logs first boot after windows repair

Addition.txt

FRST.txt

[MJmusicguy 5]

do you want the fix loga for the other tool to or no?

[Kevin Zoll 309]

No need for the Windows Repair logs.

As I mentioned in an earlier post MBAM and EIS are not compatible.  Uninstall one of them.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-2431762388-1408777004-2867943247-1001\...\RunOnce: [Application Restart #1] => C:\Program Files (x86)\ASUS\Giftbox\Asusgiftbox.exe  --no-displaying-insecure-content --disable-devtools --user-data-dir="C:\Users\Branden\AppData\Local\ASUS GIFTBOX\User Data" --no-sandbox --flag-swi (the data entry has 100 more characters).
U1 aswbdisk; no ImagePath
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
Task: {13B80432-7F47-44F9-8D04-DC0E19CA63C6} - C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\{662D790F-5C55-49FD-BF1D-34742578904E}_System Diagnostics => Command(1): C:\WINDOWS\system32\rundll32.exe -> C:\WINDOWS\system32\pla.dll,PlaHost "system\System Diagnostics" "$(Arg0)"
Task: {13B80432-7F47-44F9-8D04-DC0E19CA63C6} - C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\{662D790F-5C55-49FD-BF1D-34742578904E}_System Diagnostics => Command(2): C:\WINDOWS\system32\schtasks.exe -> /delete /f /tn "\Microsoft\Windows\PLA\System\{662D790F-5C55-49FD-BF1D-34742578904E}_System Diagnostics"
Task: {77880A83-BCFA-4F61-975E-D28FAB3E2DE1} - C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\{0439115E-8125-45CE-ACDD-A2BC8248C4D3}_System Diagnostics => Command(1): C:\WINDOWS\system32\rundll32.exe -> C:\WINDOWS\system32\pla.dll,PlaHost "system\System Diagnostics" "$(Arg0)"
Task: {77880A83-BCFA-4F61-975E-D28FAB3E2DE1} - C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\{0439115E-8125-45CE-ACDD-A2BC8248C4D3}_System Diagnostics => Command(2): C:\WINDOWS\system32\schtasks.exe -> /delete /f /tn "\Microsoft\Windows\PLA\System\{0439115E-8125-45CE-ACDD-A2BC8248C4D3}_System Diagnostics"
Task: {D3873DE7-29D8-4146-B6E2-99A991D7DC88} - C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\{3C4866E3-A93B-44BE-A8E8-8D4BCE7DB4B8}_System Diagnostics => Command(1): C:\WINDOWS\system32\rundll32.exe -> C:\WINDOWS\system32\pla.dll,PlaHost "system\System Diagnostics" "$(Arg0)"
Task: {D3873DE7-29D8-4146-B6E2-99A991D7DC88} - C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System\{3C4866E3-A93B-44BE-A8E8-8D4BCE7DB4B8}_System Diagnostics => Command(2): C:\WINDOWS\system32\schtasks.exe -> /delete /f /tn "\Microsoft\Windows\PLA\System\{3C4866E3-A93B-44BE-A8E8-8D4BCE7DB4B8}_System Diagnostics"

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

[MJmusicguy 5]

ok here ya go i will uninstall malwarebytes  soon  and i asked if you wamted the logs because there were some warnings in there so ill include them all in a zip just in case 

 

2017-09-13_10.46.36-PM.zip

Fixlog.txt

[Kevin Zoll 309]

Everything should be fine at this point, but let's double check.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

[MJmusicguy 5]

heres fresh logs after MBAM removal  should we not be concernd by the errors warnings generated by the windows repair tool? 

Addition.txt

FRST.txt

[Kevin Zoll 309]

The errors in the Windows Repair log are not something to be overly concerned with they will not effect system performance or stability.

Your FRST logs look fine.

How are things running?

[MJmusicguy 5]

great now thanks kevin can you just explain what the tweak tool did and why you had merun it i just like to learn

also heres the eek log i missed

 

scan_170914-211005.txt

[MJmusicguy 5]

how do i remove all the tools we use and do i keep the repair tools registry backup?

[Kevin Zoll 309]

The Windows Repair tool loads and runs several different scripts based on what I told it to do.  The scripts reset the selected items to their default values and settings.  I decided to have you run it with the options I selected, because of several permissions related errors that were present in the Events log of the FRST Additional Scans report.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

• Ensure Remove disinfection tools is checked.
• Also place a checkmark next to:
  
  • Create registry backup
  • Purge system restore
    
  
  
• Click the Run button.
  

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable

To remove Windows Repair by Tweaking.com run its uninstaller.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!

[Kevin Zoll 309]

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.