Windows 10 Computer Infected - Chromium Virus?


  • This topic is locked
14 replies to this topic

#1 Berries

  • Members
  • 51 posts

Posted 12 July 2017 - 02:00 PM

My Windows 10 desktop is infected and I need your expertise to clean it up. This is my mother's computer, and the first sign that something was wrong was that she couldn't use her email program. By the time she let me know what was going on, icons began appearing on the desktop (Avast, Chromium, Secure Passwords). I have run Windows Defender, which found nothing. I ran Malwarebytes and over 200 items were found and removed. I had hoped that had fixed the issue, but it didn't. I ran MB again, only to find more issues. I have run RKill just to get Chrome to work, but it is so slow. This problem is way above my knowledge, so I am hoping you all can help!! Thanks!!

 

Here are the FRST logs that you requested...

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 11-07-2017
Ran by Jean (administrator) on DESKTOP-C2D7DI9 (12-07-2017 13:36:46)
Running from C:\Users\Jean\Desktop
Loaded Profiles: Jean (Available Profiles: Jean)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
( ) C:\Windows\System32\lxbfcoms.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(IncrediMail Ltd.) C:\Program Files (x86)\IncrediMail\Bin\IncMail.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(The Chromium Authors) C:\Users\Jean\AppData\Local\chromium\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(The Chromium Authors) C:\Users\Jean\AppData\Local\chromium\Application\chrome.exe
(IncrediMail Ltd.) C:\Program Files (x86)\IncrediMail\Bin\ImApp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(The Chromium Authors) C:\Users\Jean\AppData\Local\chromium\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(The Chromium Authors) C:\Users\Jean\AppData\Local\chromium\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\consent.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13885696 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213832 2017-07-10] (AVAST Software)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-08-21] (Advanced Micro Devices, Inc.)
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [IncrediMail] => C:\Program Files (x86)\IncrediMail\bin\IncMail.exe [444424 2017-06-22] (IncrediMail Ltd.)
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [GoogleChromeAutoLaunch_76F2AE789A64FBA063F2980B364474D8] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1197912 2017-06-22] (Google Inc.)
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [GoogleChromeAutoLaunch_4FCE1C237510B7FAF2C47D189ECD460F] => C:\Users\Jean\AppData\Local\chromium\Application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [Chromium] => c:\users\jean\appdata\local\chromium\application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-489656164-657507032-1723202617-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\PhotoScreensaver.scr [572416 2017-03-04] (Microsoft Corporation)
GroupPolicy: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{2645115f-9291-4eb8-aafb-f150cc55cdb9}: [DhcpNameServer] 10.0.0.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-489656164-657507032-1723202617-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
 
Chrome: 
=======
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
CHR Profile: C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default [2017-07-12]
CHR Extension: (Google Slides) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-13]
CHR Extension: (Google Docs) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-13]
CHR Extension: (Google Drive) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-13]
CHR Extension: (YouTube) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-13]
CHR Extension: (Google Sheets) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-13]
CHR Extension: (ArcadeStar Ads) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\gegomapkcjcggpkfiponneooagciibgl [2017-05-17]
CHR Extension: (Google Docs Offline) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-13]
CHR Extension: (Pinterest Save Button) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2017-04-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-15]
CHR Extension: (JesterCade Advertising) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\obmimehgnlcbkkdpajmaenimohfhjmko [2017-07-12]
CHR Extension: (Cool Game Channel Ad) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\oonkpiocoijlghljmlkakpfkmcpnckpe [2017-07-10]
CHR Extension: (Gmail) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-13]
CHR Extension: (Chrome Media Router) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-10]
CHR HKLM\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-489656164-657507032-1723202617-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2015-08-21] (Advanced Micro Devices, Inc.) [File not signed]
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7430992 2017-07-10] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [263312 2017-07-10] (AVAST Software)
R2 lxbf_device; C:\WINDOWS\system32\lxbfcoms.exe [566704 2007-04-24] ( )
R2 lxbf_device; C:\WINDOWS\SysWOW64\lxbfcoms.exe [537520 2007-04-24] ( )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-04-27] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-04-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 aswbidsdriver; C:\WINDOWS\system32\drivers\aswbidsdrivera.sys [319984 2017-07-10] (AVAST Software s.r.o.)
R0 aswbidsh; C:\WINDOWS\system32\drivers\aswbidsha.sys [198944 2017-07-10] (AVAST Software s.r.o.)
R0 aswblog; C:\WINDOWS\system32\drivers\aswbloga.sys [343264 2017-07-10] (AVAST Software s.r.o.)
R0 aswbuniv; C:\WINDOWS\system32\drivers\aswbuniva.sys [57704 2017-07-10] (AVAST Software s.r.o.)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [46984 2017-07-10] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [146664 2017-07-10] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr2.sys [110352 2017-07-10] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\drivers\aswRvrt.sys [84392 2017-07-10] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [1015848 2017-07-10] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [585608 2017-07-10] (AVAST Software)
R2 aswStm; C:\WINDOWS\system32\drivers\aswStm.sys [198768 2017-07-10] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\drivers\aswVmm.sys [361336 2017-07-10] (AVAST Software)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [252832 2017-07-12] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-12 13:36 - 2017-07-12 13:37 - 00012080 _____ C:\Users\Jean\Desktop\FRST.txt
2017-07-12 13:36 - 2017-07-12 13:36 - 00000000 ____D C:\FRST
2017-07-12 13:35 - 2017-07-12 13:30 - 02435584 _____ (Farbar) C:\Users\Jean\Desktop\FRST64.exe
2017-07-11 11:27 - 2017-07-12 11:51 - 00005778 _____ C:\Users\Jean\Desktop\Rkill.txt
2017-07-11 11:27 - 2017-07-11 11:27 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Jean\Downloads\rkill (2).exe
2017-07-11 11:27 - 2017-07-11 11:27 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Jean\Downloads\rkill (2)64.exe
2017-07-10 12:30 - 2017-07-10 12:30 - 00000000 ____D C:\ProgramData\SWCUTemp
2017-07-10 12:00 - 2017-07-10 12:00 - 00003552 _____ C:\WINDOWS\System32\Tasks\ByteFence Scan
2017-07-10 12:00 - 2017-07-10 12:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware
2017-07-10 11:54 - 2017-07-10 11:54 - 00000000 ____D C:\Users\Jean\AppData\Roaming\AVAST Software
2017-07-10 11:53 - 2017-07-10 11:53 - 00000000 ____D C:\Users\Jean\AppData\Local\CEF
2017-07-10 11:50 - 2017-07-10 11:50 - 00001986 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Free Antivirus.lnk
2017-07-10 11:50 - 2017-07-10 11:50 - 00001974 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2017-07-10 11:49 - 2017-07-10 11:49 - 00061304 _____ () C:\WINDOWS\system32\Drivers\lpsport.sys
2017-07-10 11:49 - 2017-07-10 11:49 - 00003994 _____ C:\WINDOWS\System32\Tasks\Avast Emergency Update
2017-07-10 11:48 - 2017-07-10 11:50 - 00361336 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2017-07-10 11:48 - 2017-07-10 11:43 - 00585608 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2017-07-10 11:48 - 2017-07-10 11:43 - 00198768 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2017-07-10 11:48 - 2017-07-10 11:43 - 00146664 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2017-07-10 11:48 - 2017-07-10 11:43 - 00110352 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2017-07-10 11:48 - 2017-07-10 11:43 - 00084392 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2017-07-10 11:48 - 2017-07-10 11:43 - 00046984 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2017-07-10 11:48 - 2017-07-10 11:38 - 01015848 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2017-07-10 11:48 - 2017-07-10 11:37 - 00343264 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbloga.sys
2017-07-10 11:48 - 2017-07-10 11:37 - 00319984 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsdrivera.sys
2017-07-10 11:48 - 2017-07-10 11:37 - 00198944 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsha.sys
2017-07-10 11:48 - 2017-07-10 11:37 - 00057704 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbuniva.sys
2017-07-10 11:46 - 2017-07-10 11:43 - 00400464 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2017-07-10 11:30 - 2017-07-10 11:30 - 00000000 ____D C:\ProgramData\ByteFence
2017-07-10 11:28 - 2017-07-10 11:28 - 00002336 _____ C:\Users\Jean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium.lnk
2017-07-10 11:28 - 2017-07-10 11:28 - 00002328 _____ C:\Users\Jean\Desktop\Chromium.lnk
2017-07-10 11:25 - 2017-07-10 11:25 - 00000000 ____D C:\Users\Jean\AppData\Local\WebDiscoverBrowser
2017-07-10 11:24 - 2017-07-10 11:24 - 00000000 ____D C:\Program Files\AVAST Software
2017-07-10 11:23 - 2017-07-10 11:25 - 00000000 ____D C:\Program Files\WebDiscoverBrowser
2017-07-10 11:22 - 2017-07-10 11:28 - 00000000 ____D C:\Users\Jean\AppData\Local\chromium
2017-07-10 11:18 - 2017-07-11 11:24 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Pasebo
2017-07-10 11:18 - 2017-07-10 17:51 - 00000000 ____D C:\ProgramData\AVAST Software
2017-07-10 11:16 - 2017-07-10 11:16 - 00000258 __RSH C:\ProgramData\ntuser.pol
2017-07-10 11:15 - 2017-07-10 12:28 - 00000000 ____D C:\Program Files\ByteFence
2017-07-07 13:50 - 2017-07-07 13:50 - 00000000 ____D C:\Users\Jean\AppData\Local\UNP
2017-07-07 12:27 - 2017-07-07 12:28 - 00000000 ____D C:\Program Files\UNP
2017-07-07 12:27 - 2017-07-07 12:27 - 00000000 ____D C:\WINDOWS\system32\UNP
2017-06-30 14:52 - 2017-06-30 14:52 - 00061734 _____ C:\Users\Jean\Downloads\Little Golden Book List - Little Golden Book Collector.html
2017-06-30 14:52 - 2017-06-30 14:52 - 00000000 ____D C:\Users\Jean\Downloads\Little Golden Book List - Little Golden Book Collector_files
2017-06-30 06:28 - 2017-06-30 06:28 - 00061682 _____ C:\Users\Jean\Downloads\Little Golden Books collector - List of books 2013.html
2017-06-30 06:28 - 2017-06-30 06:28 - 00000000 ____D C:\Users\Jean\Downloads\Little Golden Books collector - List of books 2013_files
2017-06-30 06:20 - 2017-06-30 06:20 - 00061679 _____ C:\Users\Jean\Downloads\Little Golden Book List - Little Golden Book Collector  - Last updated 2005.html
2017-06-30 06:20 - 2017-06-30 06:20 - 00000000 ____D C:\Users\Jean\Downloads\Little Golden Book List - Little Golden Book Collector  - Last updated 2005_files
2017-06-22 10:33 - 2017-06-22 10:33 - 00002165 _____ C:\Users\Public\Desktop\Secure passwords.lnk
2017-06-19 07:59 - 2017-06-19 07:59 - 00000000 ____D C:\Users\Jean\Documents\FeedbackHub
2017-06-15 17:48 - 2017-06-15 17:49 - 00000000 ___SD C:\WINDOWS\UpdateAssistantV2
2017-06-14 10:16 - 2017-06-03 04:58 - 00340832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2017-06-14 10:16 - 2017-06-03 04:55 - 00780640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2017-06-14 10:16 - 2017-06-03 04:52 - 00607072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
2017-06-14 10:16 - 2017-06-03 04:52 - 00111968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
2017-06-14 10:16 - 2017-06-03 04:49 - 20967840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2017-06-14 10:16 - 2017-06-03 04:39 - 05686272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2017-06-14 10:16 - 2017-06-03 04:33 - 00095232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataTimeUtil.dll
2017-06-14 10:16 - 2017-06-03 04:31 - 00224256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ExSMime.dll
2017-06-14 10:16 - 2017-06-03 04:28 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.BlockedShutdown.dll
2017-06-14 10:16 - 2017-06-03 04:26 - 00100352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AuthBrokerUI.dll
2017-06-14 10:16 - 2017-06-03 04:23 - 00306688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieproxy.dll
2017-06-14 10:16 - 2017-06-03 04:22 - 00364544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupShim.dll
2017-06-14 10:16 - 2017-06-03 04:22 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\netcorehc.dll
2017-06-14 10:16 - 2017-06-03 04:22 - 00181760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tcpipcfg.dll
2017-06-14 10:16 - 2017-06-03 04:20 - 00755712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2017-06-14 10:16 - 2017-06-03 04:19 - 01164288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certutil.exe
2017-06-14 10:16 - 2017-06-03 04:16 - 00709120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CPFilters.dll
2017-06-14 10:16 - 2017-06-03 04:15 - 00886272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\aadtb.dll
2017-06-14 10:16 - 2017-06-03 04:12 - 00027136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fdProxy.dll
2017-06-14 10:16 - 2017-06-03 04:08 - 02643968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tquery.dll
2017-06-14 10:16 - 2017-06-03 04:08 - 01221120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Audio.dll
2017-06-14 10:16 - 2017-06-03 04:06 - 03664384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-06-14 10:16 - 2017-06-03 04:05 - 01883648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll
2017-06-14 10:16 - 2017-06-03 04:04 - 06042624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2017-06-14 10:16 - 2017-06-03 04:04 - 00773120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SearchIndexer.exe
2017-06-14 10:16 - 2017-06-03 04:03 - 01988096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssrch.dll
2017-06-14 10:16 - 2017-06-03 04:02 - 02997760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
2017-06-14 10:16 - 2017-03-04 01:22 - 00822784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakradiag.dll
2017-06-14 10:16 - 2017-03-04 01:19 - 00635904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9diag.dll
2017-06-14 10:16 - 2017-03-04 01:16 - 00368128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\puiobj.dll
2017-06-14 10:16 - 2016-09-06 23:53 - 00118272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppointmentActivation.dll
2017-06-14 10:15 - 2017-06-03 05:50 - 00315744 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2017-06-14 10:15 - 2017-06-03 05:50 - 00192856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\aepic.dll
2017-06-14 10:15 - 2017-06-03 05:11 - 01706488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2017-06-14 10:15 - 2017-06-03 05:06 - 02048496 _____ C:\WINDOWS\SysWOW64\CoreUIComponents.dll
2017-06-14 10:15 - 2017-06-03 04:52 - 01021784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxPackaging.dll
2017-06-14 10:15 - 2017-06-03 04:44 - 01412640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32full.dll
2017-06-14 10:15 - 2017-06-03 04:44 - 00545944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
2017-06-14 10:15 - 2017-06-03 04:32 - 00002560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tzres.dll
2017-06-14 10:15 - 2017-06-03 04:31 - 00037376 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2017-06-14 10:15 - 2017-06-03 04:28 - 00232448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edputil.dll
2017-06-14 10:15 - 2017-06-03 04:26 - 00231936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.ApplicationModel.LockScreen.dll
2017-06-14 10:15 - 2017-06-03 04:15 - 19414016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-06-14 10:15 - 2017-06-03 04:15 - 18364928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2017-06-14 10:15 - 2017-06-03 04:08 - 12187648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-06-14 10:15 - 2017-06-03 04:05 - 00295424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hnetcfg.dll
2017-06-14 10:15 - 2017-06-03 04:04 - 02006528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWrite.dll
2017-06-14 10:15 - 2017-06-03 03:40 - 00483840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CoreMessaging.dll
2017-06-14 10:06 - 2017-06-03 04:14 - 00124416 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssprxy.dll
2017-06-14 10:06 - 2017-06-03 03:52 - 03403264 _____ (Microsoft Corporation) C:\WINDOWS\system32\tquery.dll
2017-06-14 10:06 - 2017-06-03 03:50 - 02538496 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssrch.dll
2017-06-14 10:06 - 2017-06-03 03:49 - 00903680 _____ (Microsoft Corporation) C:\WINDOWS\system32\SearchIndexer.exe
2017-06-14 10:05 - 2017-06-03 05:11 - 00128864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tm.sys
2017-06-14 10:05 - 2017-06-03 04:59 - 00118112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tdx.sys
2017-06-14 10:05 - 2017-06-03 04:53 - 00404824 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2017-06-14 10:05 - 2017-06-03 04:50 - 00857440 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2017-06-14 10:05 - 2017-06-03 04:49 - 00509280 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys
2017-06-14 10:05 - 2017-06-03 04:45 - 22220864 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2017-06-14 10:05 - 2017-06-03 04:44 - 01600624 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2017-06-14 10:05 - 2017-06-03 04:39 - 02532192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tcpip.sys
2017-06-14 10:05 - 2017-06-03 04:16 - 00119808 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataTimeUtil.dll
2017-06-14 10:05 - 2017-06-03 04:15 - 00053248 _____ (Microsoft Corporation) C:\WINDOWS\system32\musdialoghandlers.dll
2017-06-14 10:05 - 2017-06-03 04:14 - 00238592 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2017-06-14 10:05 - 2017-06-03 04:14 - 00098304 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe
2017-06-14 10:05 - 2017-06-03 04:11 - 00353792 _____ (Microsoft Corporation) C:\WINDOWS\system32\cloudAP.dll
2017-06-14 10:05 - 2017-06-03 04:10 - 00418304 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.BlockedShutdown.dll
2017-06-14 10:05 - 2017-06-03 04:10 - 00117760 _____ (Microsoft Corporation) C:\WINDOWS\system32\AuthBrokerUI.dll
2017-06-14 10:05 - 2017-06-03 04:08 - 00147456 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2017-06-14 10:05 - 2017-06-03 04:07 - 00552960 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2017-06-14 10:05 - 2017-06-03 04:03 - 00932864 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2017-06-14 10:05 - 2017-06-03 03:53 - 08125440 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2017-06-14 10:05 - 2017-06-03 03:52 - 02510848 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkMobileSettings.dll
2017-06-14 10:05 - 2017-06-03 03:50 - 04744704 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-06-14 10:05 - 2017-06-03 03:49 - 03615744 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2017-06-14 10:05 - 2017-06-03 03:49 - 02691072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll
2017-06-14 10:05 - 2017-06-03 03:49 - 02318848 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2017-06-14 10:05 - 2017-06-03 03:49 - 01513472 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2017-06-14 10:05 - 2017-06-03 03:48 - 00391168 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll
2017-06-14 10:05 - 2017-06-03 03:46 - 01121280 _____ (Microsoft Corporation) C:\WINDOWS\system32\aadtb.dll
2017-06-14 10:04 - 2017-06-03 05:14 - 00136024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ImplatSetup.dll
2017-06-14 10:04 - 2017-06-03 05:09 - 02213760 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2017-06-14 10:04 - 2017-06-03 05:08 - 07783256 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-06-14 10:04 - 2017-06-03 04:59 - 01181024 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ndis.sys
2017-06-14 10:04 - 2017-06-03 04:51 - 02187104 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2017-06-14 10:04 - 2017-06-03 04:51 - 00402272 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
2017-06-14 10:04 - 2017-06-03 04:49 - 00624048 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2017-06-14 10:04 - 2017-06-03 04:48 - 00857952 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
2017-06-14 10:04 - 2017-06-03 04:48 - 00148832 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
2017-06-14 10:04 - 2017-06-03 04:18 - 22569984 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2017-06-14 10:04 - 2017-06-03 04:16 - 00002560 _____ (Microsoft Corporation) C:\WINDOWS\system32\tzres.dll
2017-06-14 10:04 - 2017-06-03 04:09 - 00489472 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupShim.dll
2017-06-14 10:04 - 2017-06-03 04:09 - 00441344 _____ (Microsoft Corporation) C:\WINDOWS\system32\netcorehc.dll
2017-06-14 10:04 - 2017-06-03 04:09 - 00337408 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkBindingEngineMigPlugin.dll
2017-06-14 10:04 - 2017-06-03 04:08 - 00691200 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieproxy.dll
2017-06-14 10:04 - 2017-06-03 04:07 - 00456192 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiobj.dll
2017-06-14 10:04 - 2017-06-03 04:00 - 23677440 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-06-14 10:04 - 2017-06-03 03:56 - 13091840 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-06-14 10:04 - 2017-06-03 03:54 - 01217024 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Audio.dll
2017-06-14 10:04 - 2017-06-03 03:51 - 00266752 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
2017-06-14 10:04 - 2017-06-03 03:48 - 01490432 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-06-14 10:04 - 2017-06-03 03:48 - 01131008 _____ (Microsoft Corporation) C:\WINDOWS\system32\localspl.dll
2017-06-14 10:04 - 2017-06-03 03:48 - 00834048 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32spl.dll
2017-06-14 10:04 - 2017-05-25 00:56 - 00038752 _____ (Microsoft Corporation) C:\WINDOWS\system32\OOBEUpdater.exe
2017-06-14 10:04 - 2017-03-04 01:16 - 00100864 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpninprc.dll
2017-06-14 10:03 - 2017-06-03 05:14 - 01564512 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2017-06-14 10:03 - 2017-06-03 05:14 - 00629088 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2017-06-14 10:03 - 2017-06-03 05:14 - 00379232 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2017-06-14 10:03 - 2017-06-03 05:14 - 00335712 _____ (Microsoft Corporation) C:\WINDOWS\system32\dcntel.dll
2017-06-14 10:03 - 2017-06-03 05:14 - 00136032 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2017-06-14 10:03 - 2017-06-03 05:14 - 00096608 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2017-06-14 10:03 - 2017-06-03 05:14 - 00034648 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
2017-06-14 10:03 - 2017-06-03 05:01 - 02681200 _____ C:\WINDOWS\system32\CoreUIComponents.dll
2017-06-14 10:03 - 2017-06-03 04:48 - 01112416 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxPackaging.dll
2017-06-14 10:03 - 2017-06-03 04:40 - 01566552 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32full.dll
2017-06-14 10:03 - 2017-06-03 04:40 - 00628552 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2017-06-14 10:03 - 2017-06-03 04:22 - 07217152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2017-06-14 10:03 - 2017-06-03 04:14 - 00045056 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2017-06-14 10:03 - 2017-06-03 04:10 - 00252928 _____ (Microsoft Corporation) C:\WINDOWS\system32\edputil.dll
2017-06-14 10:03 - 2017-06-03 04:07 - 00255488 _____ (Microsoft Corporation) C:\WINDOWS\system32\HNetCfgClient.dll
2017-06-14 10:03 - 2017-06-03 04:06 - 00198144 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpapisrv.dll
2017-06-14 10:03 - 2017-06-03 04:01 - 00856064 _____ (Microsoft Corporation) C:\WINDOWS\system32\efscore.dll
2017-06-14 10:03 - 2017-06-03 03:52 - 00975872 _____ (Microsoft Corporation) C:\WINDOWS\HelpPane.exe
2017-06-14 10:03 - 2017-06-03 03:52 - 00886784 _____ (Microsoft Corporation) C:\WINDOWS\system32\CPFilters.dll
2017-06-14 10:03 - 2017-06-03 03:51 - 01418240 _____ (Microsoft Corporation) C:\WINDOWS\system32\certutil.exe
2017-06-14 10:03 - 2017-06-03 03:49 - 02475520 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWrite.dll
2017-06-14 10:03 - 2017-06-03 03:49 - 01845248 _____ (Microsoft Corporation) C:\WINDOWS\system32\FntCache.dll
2017-06-14 10:03 - 2017-06-03 03:49 - 00351744 _____ (Microsoft Corporation) C:\WINDOWS\system32\hnetcfg.dll
2017-06-14 10:03 - 2017-06-03 01:08 - 00080078 _____ C:\WINDOWS\system32\normidna.nls
2017-06-14 10:02 - 2017-06-03 05:14 - 01214816 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2017-06-14 10:02 - 2017-06-03 05:14 - 00544096 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2017-06-14 10:02 - 2017-06-03 05:14 - 00334176 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2017-06-14 10:02 - 2017-06-03 05:14 - 00233824 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2017-06-14 10:02 - 2017-06-03 04:59 - 00764392 _____ (Microsoft Corporation) C:\WINDOWS\system32\CoreMessaging.dll
2017-06-14 10:02 - 2017-06-03 04:48 - 01100128 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
2017-06-14 10:02 - 2017-06-03 04:48 - 00989024 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
2017-06-14 10:02 - 2017-06-03 04:39 - 00455520 _____ (Microsoft Corporation) C:\WINDOWS\system32\securekernel.exe
2017-06-14 10:02 - 2017-06-03 04:08 - 00324608 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.ApplicationModel.LockScreen.dll
2017-06-14 10:02 - 2017-06-03 03:58 - 00064512 _____ (Microsoft Corporation) C:\WINDOWS\system32\fdProxy.dll
2017-06-14 10:01 - 2017-06-03 05:16 - 00279904 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\sdbus.sys
2017-06-14 10:01 - 2017-06-03 04:54 - 00187232 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dumpsd.sys
2017-06-14 10:01 - 2017-06-03 04:50 - 00381792 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBXHCI.SYS
2017-06-14 10:01 - 2017-06-03 04:15 - 00041472 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BasicRender.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-12 13:26 - 2016-07-16 06:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-07-12 13:26 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-07-12 12:27 - 2016-09-17 09:38 - 00000000 ____D C:\Users\Jean
2017-07-12 12:27 - 2016-09-17 09:25 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-07-12 12:19 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-07-12 11:51 - 2016-09-17 09:56 - 00003304 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{4D620EF9-3DFC-427D-9222-6FC6A7D47527}
2017-07-12 11:49 - 2015-08-23 15:51 - 01620564 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-07-12 11:42 - 2017-04-02 14:06 - 00252832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-07-12 11:42 - 2016-09-17 09:56 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-07-10 12:28 - 2016-07-16 01:04 - 00524288 _____ C:\WINDOWS\system32\config\BBI
2017-07-10 11:16 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-07-10 11:16 - 2015-08-23 18:12 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2017-07-10 11:12 - 2015-08-23 16:58 - 00000000 ____D C:\Users\Jean\AppData\Local\VirtualStore
2017-07-10 08:07 - 2016-09-17 09:28 - 00000000 ____D C:\Program Files\AMD
2017-07-10 08:07 - 2015-08-23 17:39 - 00000000 ____D C:\AMD
2017-07-07 16:27 - 2017-02-11 15:52 - 00000250 _____ C:\Users\Jean\AppData\LocalLow\rbxcsettings.rbx
2017-06-30 16:14 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-06-30 16:14 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\INF
2017-06-28 23:46 - 2016-06-13 15:24 - 00002279 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-06-22 10:33 - 2016-06-15 11:03 - 00002105 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IncrediMail.lnk
2017-06-22 10:33 - 2016-06-15 11:03 - 00002093 _____ C:\Users\Public\Desktop\IncrediMail.lnk
2017-06-22 10:33 - 2016-06-15 11:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IncrediMail
2017-06-22 10:33 - 2016-06-15 11:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2017-06-22 08:34 - 2016-12-17 14:35 - 00003288 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-06-22 08:34 - 2016-06-13 14:45 - 00002367 _____ C:\Users\Jean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-06-22 08:34 - 2016-06-13 14:45 - 00000000 ___RD C:\Users\Jean\OneDrive
2017-06-21 12:47 - 2017-02-11 15:52 - 00000000 ____D C:\Users\Jean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Roblox
2017-06-20 08:48 - 2015-08-23 16:58 - 00000000 ____D C:\Users\Jean\AppData\Local\Packages
2017-06-19 08:00 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-06-17 08:10 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\rescache
2017-06-15 17:53 - 2016-04-27 01:39 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-06-15 17:50 - 2016-09-17 09:25 - 00194192 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-06-15 17:49 - 2016-07-16 06:47 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2017-06-15 17:49 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\appraiser
2017-06-15 17:49 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\ShellExperiences
2017-06-14 11:15 - 2016-06-16 09:51 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-06-14 11:11 - 2016-06-16 09:51 - 133627792 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
 
==================== Files in the root of some directories =======
 
2016-09-17 09:29 - 2016-09-17 09:29 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
2016-10-26 12:20 - 2016-10-26 12:34 - 314388840 _____ (AMD Inc.) C:\Users\Jean\AppData\Local\Temp\tmp2EBD.exe
2017-07-10 07:31 - 2017-07-10 07:56 - 537915768 _____ (AMD Inc.) C:\Users\Jean\AppData\Local\Temp\tmp8B23.exe
2016-11-15 08:17 - 2016-11-15 08:34 - 314388840 _____ (AMD Inc.) C:\Users\Jean\AppData\Local\Temp\tmpC7BC.exe
2017-01-21 11:43 - 2017-01-21 12:10 - 521014800 _____ (AMD Inc.) C:\Users\Jean\AppData\Local\Temp\tmpE09D.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-07-06 10:06
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-07-2017
Ran by Jean (12-07-2017 13:39:31)
Running from C:\Users\Jean\Desktop
Windows 10 Home Version 1607 (X64) (2016-09-17 14:59:14)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-489656164-657507032-1723202617-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-489656164-657507032-1723202617-503 - Limited - Disabled)
Guest (S-1-5-21-489656164-657507032-1723202617-501 - Limited - Disabled)
Jean (S-1-5-21-489656164-657507032-1723202617-1003 - Administrator - Enabled) => C:\Users\Jean
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat 4.0 (HKLM-x32\...\Adobe Acrobat 4.0) (Version: 4.0 - Adobe Systems, Inc.)
AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.5.2302 - AVAST Software)
BookWorm Deluxe 1.02 (HKLM-x32\...\BookWorm Deluxe 1.02) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 59.0.3071.115 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
IncrediMail (HKLM-x32\...\{35505AE1-27E2-4206-B3BF-58771803B8D0}) (Version: 6.6.0.5328 - IncrediMail) Hidden
IncrediMail 2.5 (HKLM-x32\...\IncrediMail) (Version: 6.6.0.5328 - IncrediMail Ltd.)
Lexmark X6100 Series (HKLM\...\Lexmark X6100 Series) (Version:  - Lexmark International, Inc.)
Malwarebytes version 3.1.2.1733 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.1.2.1733 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\OneDriveSetup.exe) (Version: 17.3.6917.0607 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7535 - Realtek Semiconductor Corp.)
ROBLOX Player for Jean (HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-10] (AVAST Software)
ContextMenuHandlers01: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-10] (AVAST Software)
ContextMenuHandlers03: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-10] (AVAST Software)
ContextMenuHandlers03: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
ContextMenuHandlers05: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2015-08-21] (Advanced Micro Devices, Inc.)
ContextMenuHandlers06: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-10] (AVAST Software)
ContextMenuHandlers06: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-05-09] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {157ECD09-AD1C-41FB-BF00-031C082136E2} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-13] (Google Inc.)
Task: {212D9390-51E4-4B42-8D09-9456A978D954} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-13] (Google Inc.)
Task: {7EE9EC13-CFC8-4A4F-9DEA-690113745E94} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\Jean\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe
Task: {81055A0E-C79C-4E92-AA3D-7F58AA3A87C6} - System32\Tasks\{7AA8B958-39C5-4CA4-B33D-6A5128744881} => pcalua.exe -a C:\Users\Jean\Desktop\IncrediMail\bin\IMSetup.exe
Task: {8B375CCD-71BA-4165-9800-10BA65949645} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe <==== ATTENTION
Task: {BA925A42-CA27-46E6-B14A-036C2D9F03E6} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-07-10] (AVAST Software)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-07-16 06:42 - 2016-07-16 06:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2017-06-14 10:03 - 2017-06-03 05:01 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-09-17 12:14 - 2016-09-17 12:14 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-03-15 12:40 - 2017-03-04 01:31 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-06-28 23:46 - 2017-06-22 22:21 - 03807064 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libglesv2.dll
2017-06-28 23:46 - 2017-06-22 22:21 - 00100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libegl.dll
2015-08-21 22:09 - 2015-08-21 22:09 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2017-03-15 12:41 - 2017-03-04 01:12 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-03-15 12:41 - 2017-03-04 01:05 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-03-15 12:41 - 2017-03-04 01:05 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-06-14 10:03 - 2017-06-03 03:47 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-06-14 10:03 - 2017-06-03 03:47 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-06-14 10:03 - 2017-06-03 03:51 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-07-10 11:39 - 2017-07-10 11:39 - 00170224 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-07-10 11:42 - 2017-07-10 11:42 - 01038952 _____ () C:\Program Files\AVAST Software\Avast\AvChrome.dll
2017-07-10 11:42 - 2017-07-10 11:42 - 67109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-07-10 11:40 - 2017-07-10 11:40 - 00192664 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-07-10 11:40 - 2017-07-10 11:40 - 00224256 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2017-07-10 11:37 - 2017-07-10 11:37 - 00292920 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-07-10 11:37 - 2017-07-10 11:49 - 02962096 _____ () C:\Program Files\AVAST Software\Avast\aswDataScan.dll
2017-07-10 11:40 - 2017-07-10 11:40 - 00689272 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-07-10 11:28 - 2017-01-20 18:27 - 02246144 _____ () C:\Users\Jean\AppData\Local\chromium\Application\58.0.2988.0\libglesv2.dll
2017-07-10 11:28 - 2017-01-20 18:27 - 00079360 _____ () C:\Users\Jean\AppData\Local\chromium\Application\58.0.2988.0\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-08-23 18:12 - 2017-07-10 11:30 - 00002024 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 api.recommendedsw.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
0.0.0.0 cdn.msdwnld.com
0.0.0.0 cdn.mypcbackup.com
0.0.0.0 cdn.ppdownload.com
0.0.0.0 cdn.riceateastcach.us
0.0.0.0 cdn.shyapotato.us
0.0.0.0 cdn.solimba.com
0.0.0.0 cdn.tuto4pc.com
0.0.0.0 cdn.appround.biz
0.0.0.0 cdn.bigspeedpro.com
0.0.0.0 cdn.bispd.com
 
There are 4 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-489656164-657507032-1723202617-1003\Control Panel\Desktop\\Wallpaper -> C:\Users\Jean\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 10.0.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{CAD9BE5A-F187-4E43-B3B6-66E8D03B1A8F}] => (Allow) C:\Windows\System32\lxbfcoms.exe
FirewallRules: [{712DC30B-2B1D-4794-904D-2C9C9E783030}] => (Allow) C:\Windows\System32\lxbfcoms.exe
FirewallRules: [{64E97121-EA93-4269-A703-21DE21752790}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxbfpswx.exe
FirewallRules: [{34D0E3C4-070F-4ED6-9FC0-57CCA4EEC804}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxbfpswx.exe
FirewallRules: [{44FC9818-4332-4744-A572-1DAAF3368EBD}] => (Allow) C:\Windows\System32\lxbfcoms.exe
FirewallRules: [{7970FE05-67D1-4CD0-B203-F761ACD98AE6}] => (Allow) C:\Windows\System32\lxbfcoms.exe
FirewallRules: [{EB414348-B8B2-40EB-8BC2-FFFA2B60DED9}] => (Allow) C:\Windows\SysWOW64\lxbfcoms.exe
FirewallRules: [{829DD81E-9C68-425A-BCF4-940236317307}] => (Allow) C:\Windows\SysWOW64\lxbfcoms.exe
FirewallRules: [{4AE40FAB-34A8-4318-8974-2EEDAA9A3401}] => (Allow) C:\Program Files (x86)\IncrediMail\Bin\ImpCnt.exe
FirewallRules: [{B1AF9F35-1576-47AA-A25B-170DFAFC0932}] => (Allow) C:\Program Files (x86)\IncrediMail\Bin\ImpCnt.exe
FirewallRules: [{77BC5B9B-C1B1-46B5-ADAB-C327994C9D95}] => (Allow) C:\Program Files (x86)\IncrediMail\Bin\IncMail.exe
FirewallRules: [{ADC8D727-89A9-4937-A596-B73D14EDA33D}] => (Allow) C:\Program Files (x86)\IncrediMail\Bin\IncMail.exe
FirewallRules: [{129539D7-E470-4AC5-A71C-42BB600C7045}] => (Allow) C:\Program Files (x86)\IncrediMail\Bin\ImApp.exe
FirewallRules: [{D60CD06C-08AE-4C6A-A0B7-87780A77814F}] => (Allow) C:\Program Files (x86)\IncrediMail\Bin\ImApp.exe
FirewallRules: [{928BACA6-1E6A-4758-B8DF-7E2FD728D6F2}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{A1489063-BB19-41FD-B435-11C03C7190D8}] => (Allow) C:\Users\Jean\AppData\Local\Chromium\Application\chrome.exe
 
==================== Restore Points =========================
 
24-06-2017 07:54:37 Scheduled Checkpoint
03-07-2017 09:01:53 Scheduled Checkpoint
07-07-2017 12:26:01 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/12/2017 01:20:44 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-C2D7DI9)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/12/2017 01:20:26 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:20:26 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:20:20 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:20:20 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:20:07 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:19:52 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:19:34 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:19:30 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/12/2017 01:19:17 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
 
System errors:
=============
Error: (07/12/2017 01:17:49 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/12/2017 12:27:46 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/12/2017 11:42:31 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/12/2017 11:42:19 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 4:08:31 PM on 7/11/2017 was unexpected.
 
Error: (07/11/2017 07:14:39 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/10/2017 05:54:08 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/10/2017 01:12:54 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/10/2017 12:29:07 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/10/2017 12:28:58 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-C2D7DI9)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{7022A3B3-D004-4F52-AF11-E9E987FEE25F}
 and APPID 
{ADA41B3C-C6FD-4A08-8CC1-D6EFDE67BE7D}
 to the user DESKTOP-C2D7DI9\Jean SID (S-1-5-21-489656164-657507032-1723202617-1003) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/10/2017 12:27:36 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
==================== Memory info =========================== 
 
Processor: AMD E1-1200 APU with Radeon™ HD Graphics
Percentage of memory in use: 51%
Total physical RAM: 3800.02 MB
Available physical RAM: 1852.44 MB
Total Virtual: 4440.02 MB
Available Virtual: 2239.52 MB
 
==================== Drives ================================
 
Drive c: (Gateway) (Fixed) (Total:441.61 GB) (Free:408.46 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 9093115C)
 
Partition: GPT.
 
==================== End of Addition.txt ============================
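What a responder does with an Addition.txt like the one above is scan the persistence sections for the entries that deserve a look first. The Python below is an added example, not code from the original post, from FRST or from BleepingComputer. It parses the Scheduled Tasks and FirewallRules line formats exactly as FRST prints them and attaches review reasons to each entry. Two assumptions are the editor's, not FRST's: that FRST appends a `[date] (Publisher)` suffix only to task targets it could read on disk, so a task without that suffix points at a file worth verifying by hand, and the lists of proxy launchers and user-profile folders used as heuristics. The sample lines are copied verbatim from the posted log.

```python
"""Triage helper for persistence entries in FRST Addition.txt output.

Added example for this thread; it is not part of FRST. It parses the
"Scheduled Tasks" and "FirewallRules" line formats and attaches heuristic
reasons a reviewer would want to look at first.
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied verbatim from the Addition.txt posted above.
SAMPLE_LOG = r"""
Task: {157ECD09-AD1C-41FB-BF00-031C082136E2} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-13] (Google Inc.)
Task: {7EE9EC13-CFC8-4A4F-9DEA-690113745E94} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\Jean\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe
Task: {81055A0E-C79C-4E92-AA3D-7F58AA3A87C6} - System32\Tasks\{7AA8B958-39C5-4CA4-B33D-6A5128744881} => pcalua.exe -a C:\Users\Jean\Desktop\IncrediMail\bin\IMSetup.exe
Task: {8B375CCD-71BA-4165-9800-10BA65949645} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe <==== ATTENTION
FirewallRules: [{928BACA6-1E6A-4758-B8DF-7E2FD728D6F2}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{A1489063-BB19-41FD-B435-11C03C7190D8}] => (Allow) C:\Users\Jean\AppData\Local\Chromium\Application\chrome.exe
"""

TASK_RE = re.compile(
    r"^Task: \{(?P<id>[0-9A-F-]+)\} - System32\\Tasks\\(?P<name>.+?) => (?P<target>.+)$")
FW_RE = re.compile(
    r"^FirewallRules: \[\{(?P<id>[0-9A-F-]+)\}\] => \((?P<action>\w+)\) (?P<target>.+)$")
# Assumption: FRST appends "[YYYY-MM-DD] (Publisher)" to targets it could read on disk.
ANNOTATION_RE = re.compile(r" \[\d{4}-\d{2}-\d{2}\] \([^)]*\)$")
# Executables living under a user profile rather than Program Files / Windows.
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
ATTENTION = "<==== ATTENTION"
# Signed Windows binaries commonly used to proxy-execute something else (editor's list).
PROXY_LAUNCHERS = {"pcalua.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    kind: str            # "task" or "firewall"
    name: str            # task name, or firewall rule GUID
    target: str          # command line / path with FRST annotations stripped
    reasons: list = field(default_factory=list)


def classify(kind: str, name: str, raw_target: str) -> Finding:
    """Attach heuristic review reasons to one task or firewall entry."""
    reasons = []
    target = raw_target
    if ATTENTION in target:                      # FRST's own flag on the line
        reasons.append("frst-attention")
        target = target.replace(ATTENTION, "").strip()
    annotated = ANNOTATION_RE.search(target) is not None
    target = ANNOTATION_RE.sub("", target)
    if kind == "task" and not annotated:
        # No "[date] (publisher)": FRST did not annotate the file it points to.
        reasons.append("no-file-annotation")
    launcher = target.split(" ", 1)[0].lower().rsplit("\\", 1)[-1]
    if launcher in PROXY_LAUNCHERS:
        reasons.append("proxy-launcher")
    if USER_PROFILE_RE.search(target):
        reasons.append("user-profile-path")
    return Finding(kind, name, target, sorted(reasons))


def parse_frst(text: str) -> list:
    """Return a Finding for every task / firewall line in an Addition.txt dump."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := TASK_RE.match(line):
            findings.append(classify("task", m["name"], m["target"]))
        elif m := FW_RE.match(line):
            findings.append(classify("firewall", m["id"], m["target"]))
    return findings


def review_order(text: str) -> list:
    """Findings with the most reasons first; clean entries drop to the bottom."""
    return sorted(parse_frst(text), key=lambda f: (-len(f.reasons), f.name))


if __name__ == "__main__":
    for f in review_order(SAMPLE_LOG):
        flag = ", ".join(f.reasons) or "ok"
        print(f"{f.kind:8} {f.name:45} {flag}\n{'':8} -> {f.target}")
```

Run as a script it prints the entries in review order. On these lines it surfaces the ByteFence task FRST already flagged, the pcalua.exe compatibility-assistant task that launches an installer from the Desktop, and the firewall rule allowing a Chromium build installed under AppData, consistent with the Chromium icon the opening post describes; the two Google entries fall to the bottom with no reasons. The reasons are prompts for manual verification, not verdicts: a per-user OneDrive updater also lands in a user-profile path.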

#2 garioch7 (RCMP Veteran)

  • Malware Response Instructor
  • 3,361 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 13 July 2017 - 06:27 AM

Berries:

 
:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil.  May I address you by your first name?
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.
 
I would ask that you continue to copy and paste the contents of all requested log files directly into your replies.   Please do not use "code" or "quote" boxes.  Thank you for your anticipated cooperation.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#3 garioch7

Posted 13 July 2017 - 08:14 AM

Berries:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

:step1: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [GoogleChromeAutoLaunch_4FCE1C237510B7FAF2C47D189ECD460F] => C:\Users\Jean\AppData\Local\chromium\Application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [Chromium] => c:\users\jean\appdata\local\chromium\application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
C:\Users\Jean\AppData\Local\chromium
GroupPolicy: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-489656164-657507032-1723202617-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
CHR Extension: (ArcadeStar Ads) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\gegomapkcjcggpkfiponneooagciibgl [2017-05-17]
CHR Extension: (JesterCade Advertising) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\obmimehgnlcbkkdpajmaenimohfhjmko [2017-07-12]
CHR Extension: (Cool Game Channel Ad) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\oonkpiocoijlghljmlkakpfkmcpnckpe [2017-07-10]
CHR HKLM\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-489656164-657507032-1723202617-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
Folder: C:\ProgramData\SWCUTemp
2017-07-10 12:00 - 2017-07-10 12:00 - 00003552 _____ C:\WINDOWS\System32\Tasks\ByteFence Scan
2017-07-10 12:00 - 2017-07-10 12:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware
2017-07-10 11:30 - 2017-07-10 11:30 - 00000000 ____D C:\ProgramData\ByteFence
2017-07-10 11:28 - 2017-07-10 11:28 - 00002336 _____ C:\Users\Jean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium.lnk
2017-07-10 11:28 - 2017-07-10 11:28 - 00002328 _____ C:\Users\Jean\Desktop\Chromium.lnk
2017-07-10 11:25 - 2017-07-10 11:25 - 00000000 ____D C:\Users\Jean\AppData\Local\WebDiscoverBrowser
2017-07-10 11:23 - 2017-07-10 11:25 - 00000000 ____D C:\Program Files\WebDiscoverBrowser
2017-07-10 11:22 - 2017-07-10 11:28 - 00000000 ____D C:\Users\Jean\AppData\Local\chromium
Folder: C:\Users\Jean\AppData\Roaming\Pasebo
C:\Program Files\ByteFence
File: C:\WINDOWS\system32\normidna.nls
Task: {8B375CCD-71BA-4165-9800-10BA65949645} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe <==== ATTENTION
Hosts:
FirewallRules: [{A1489063-BB19-41FD-B435-11C03C7190D8}] => (Allow) C:\Users\Jean\AppData\Local\Chromium\Application\chrome.exe
EmptyTemp:
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST/FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

:step2: There are a lot of IncrediMail errors being reported in the "Addition.txt" log:
 

Error: (07/12/2017 01:20:20 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\IncrediMail\Bin\MFC80U.DLL".
Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

 
You may want to do some research on how to resolve those errors. You might have to uninstall and reinstall the program. It is not a program that I am familiar with. Before uninstalling and reinstalling, we probably should check the Windows 10 Home OS for possible resource integrity violations, but we will do that in the next post, assuming all goes well with the FRST "fixlist" script.

.

Thank you and have a great day.

Regards,
-Phil




#4 Berries (Topic Starter)

Posted 13 July 2017 - 10:18 PM

Hi Phil!  

 

Thank you for such a quick response!  I wasn't expecting a reply so soon, so I apologize for the delay in getting back to you.  I will leave the Incredible Mail program alone and will most likely have to uninstall/reinstall once you are able to heal the computer.  It is painful to try to utilize the internet on this thing at the moment!  Here is the log you requested.

 

Thank you so much,

Holly

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-07-2017
Ran by Jean (13-07-2017 21:54:26) Run:1
Running from C:\Users\Jean\Desktop
Loaded Profiles: Jean (Available Profiles: Jean)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
CreateRestorePoint:
CloseProcesses:
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [GoogleChromeAutoLaunch_4FCE1C237510B7FAF2C47D189ECD460F] => C:\Users\Jean\AppData\Local\chromium\Application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
HKU\S-1-5-21-489656164-657507032-1723202617-1003\...\Run: [Chromium] => c:\users\jean\appdata\local\chromium\application\chrome.exe [828416 2017-01-20] (The Chromium Authors)
C:\Users\Jean\AppData\Local\chromium
GroupPolicy: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-489656164-657507032-1723202617-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
CHR Extension: (ArcadeStar Ads) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\gegomapkcjcggpkfiponneooagciibgl [2017-05-17]
CHR Extension: (JesterCade Advertising) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\obmimehgnlcbkkdpajmaenimohfhjmko [2017-07-12]
CHR Extension: (Cool Game Channel Ad) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\oonkpiocoijlghljmlkakpfkmcpnckpe [2017-07-10]
CHR HKLM\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-489656164-657507032-1723202617-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nahhmpbckpgdidfnmfkfgiflpjijilce] - hxxps://clients2.google.com/service/update2/crx
Folder: C:\ProgramData\SWCUTemp
2017-07-10 12:00 - 2017-07-10 12:00 - 00003552 _____ C:\WINDOWS\System32\Tasks\ByteFence Scan
2017-07-10 12:00 - 2017-07-10 12:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware
2017-07-10 11:30 - 2017-07-10 11:30 - 00000000 ____D C:\ProgramData\ByteFence
2017-07-10 11:28 - 2017-07-10 11:28 - 00002336 _____ C:\Users\Jean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium.lnk
2017-07-10 11:28 - 2017-07-10 11:28 - 00002328 _____ C:\Users\Jean\Desktop\Chromium.lnk
2017-07-10 11:25 - 2017-07-10 11:25 - 00000000 ____D C:\Users\Jean\AppData\Local\WebDiscoverBrowser
2017-07-10 11:23 - 2017-07-10 11:25 - 00000000 ____D C:\Program Files\WebDiscoverBrowser
2017-07-10 11:22 - 2017-07-10 11:28 - 00000000 ____D C:\Users\Jean\AppData\Local\chromium
Folder: C:\Users\Jean\AppData\Roaming\Pasebo
C:\Program Files\ByteFence
File: C:\WINDOWS\system32\normidna.nls
Task: {8B375CCD-71BA-4165-9800-10BA65949645} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe <==== ATTENTION
Hosts:
FirewallRules: [{A1489063-BB19-41FD-B435-11C03C7190D8}] => (Allow) C:\Users\Jean\AppData\Local\Chromium\Application\chrome.exe
EmptyTemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
HKU\S-1-5-21-489656164-657507032-1723202617-1003\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_4FCE1C237510B7FAF2C47D189ECD460F => value removed successfully
HKU\S-1-5-21-489656164-657507032-1723202617-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Chromium => value removed successfully
C:\Users\Jean\AppData\Local\chromium => moved successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-489656164-657507032-1723202617-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSuggestURL => removed successfully
CHR Extension: (ArcadeStar Ads) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\gegomapkcjcggpkfiponneooagciibgl [2017-05-17] => Error: No automatic fix found for this entry.
CHR Extension: (JesterCade Advertising) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\obmimehgnlcbkkdpajmaenimohfhjmko [2017-07-12] => Error: No automatic fix found for this entry.
CHR Extension: (Cool Game Channel Ad) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\oonkpiocoijlghljmlkakpfkmcpnckpe [2017-07-10] => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Google\Chrome\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce => key removed successfully
HKU\S-1-5-21-489656164-657507032-1723202617-1003\SOFTWARE\Google\Chrome\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce => key removed successfully
 
========================= Folder: C:\ProgramData\SWCUTemp ========================
 
 
====== End of Folder: ======
 
C:\WINDOWS\System32\Tasks\ByteFence Scan => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware => moved successfully
C:\ProgramData\ByteFence => moved successfully
C:\Users\Jean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chromium.lnk => moved successfully
C:\Users\Jean\Desktop\Chromium.lnk => moved successfully
C:\Users\Jean\AppData\Local\WebDiscoverBrowser => moved successfully
C:\Program Files\WebDiscoverBrowser => moved successfully
"C:\Users\Jean\AppData\Local\chromium" => not found.
 
========================= Folder: C:\Users\Jean\AppData\Roaming\Pasebo ========================
 
2013-04-13 01:09 - 2013-04-13 01:09 - 0001015 _____ () C:\Users\Jean\AppData\Roaming\Pasebo\info.dat
2013-05-04 23:53 - 2013-05-04 23:53 - 0000004 _____ () C:\Users\Jean\AppData\Roaming\Pasebo\TTL.DAT
 
====== End of Folder: ======
 
C:\Program Files\ByteFence => moved successfully
 
========================= File: C:\WINDOWS\system32\normidna.nls ========================
 
File is digitally signed
MD5: 597C96281C55868CDBB06E22ADAEDCA9
Creation and modification date: 2017-06-14 10:03 - 2017-06-03 01:08
Size: 0080078
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8B375CCD-71BA-4165-9800-10BA65949645} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8B375CCD-71BA-4165-9800-10BA65949645} => key removed successfully
C:\WINDOWS\System32\Tasks\ByteFence Scan => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ByteFence Scan => key removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A1489063-BB19-41FD-B435-11C03C7190D8} => value removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 112538235 B
Java, Flash, Steam htmlcache => 801 B
Windows/system/drivers => 16315238 B
Edge => 1253652 B
Chrome => 108487819 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 7680 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 4449 B
NetworkService => 127750398 B
Jean => 2944461332 B
 
RecycleBin => 63094 B
EmptyTemp: => 3.1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 22:06:47 ====


#5 garioch7

Posted 14 July 2017 - 05:53 AM

Holly:
 
Thank you for the "fixlog.txt" file contents.  It looks really good, but ...
 
We have three issues that FRST could not fix automatically, and those are some bad Chrome extensions.
 

CHR Extension: (ArcadeStar Ads) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\gegomapkcjcggpkfiponneooagciibgl [2017-05-17] => Error: No automatic fix found for this entry.
CHR Extension: (JesterCade Advertising) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\obmimehgnlcbkkdpajmaenimohfhjmko [2017-07-12] => Error: No automatic fix found for this entry.
CHR Extension: (Cool Game Channel Ad) - C:\Users\Jean\AppData\Local\Google\Chrome\User Data\Default\Extensions\oonkpiocoijlghljmlkakpfkmcpnckpe [2017-07-10] => Error: No automatic fix found for this entry.


Please attempt to locate those Chrome extensions and remove them: see this link for more information on how to do that.  Some nefarious extensions may not be visible or they may "resist" removal, so please don't be concerned if you can't see, or remove, one or more of the identified malware Chrome extensions.

 

If you are unable to remove all three Chrome extensions, please download and run the Google Cleanup Tool.

 

If that fails to resolve the problem with those three extensions, the "gold standard" of treatment is to uninstall Google Chrome (Control Panel, Add/Remove Programs), reboot your mother's computer, and then reinstall Google Chrome.  Please download your new version of Google Chrome from this link to avoid any "bundled" software that your mother does not want.  The extensions should be gone.

 

Please let me know how you get along.

 

Your mother must be very happy to have your help.  Good for you! :thumbup2:  We'll get her back in business, between the two of us! :busy:

 

Thank you and have a great day.

 

Regards,

-Phil


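As an added example (not code from this thread, from FRST or from Malwarebytes), here is a read-only PowerShell audit a defender can use to check the same three things the fixlist and the post above deal with: extension folders on disk, the registry keys that can install extensions without the Web Store UI, and Run entries that launch from AppData. It assumes Chrome's default profile layout under %LOCALAPPDATA% and uses the three extension ids from the fixlog as the flagged set; it removes nothing.

```powershell
# Added triage script for this thread (not from FRST, Malwarebytes or the posters):
# inventories Chrome extensions on disk, the registry keys that can install extensions
# silently, and autostart entries that launch from AppData, then flags the three
# extension ids the fixlog reported as "No automatic fix found". Run it as
# Administrator in a PowerShell console; it only reads and removes nothing.

# Extension ids copied from the FRST fixlog in this thread.
$KnownBadIds = @(
    'gegomapkcjcggpkfiponneooagciibgl',   # ArcadeStar Ads
    'obmimehgnlcbkkdpajmaenimohfhjmko',   # JesterCade Advertising
    'oonkpiocoijlghljmlkakpfkmcpnckpe'    # Cool Game Channel Ad
)

# Profile roots: Google Chrome, plus the "chromium" copy FRST found under AppData\Local.
$ProfileRoots = @(
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
    (Join-Path $env:LOCALAPPDATA 'chromium\User Data')
)

# Registry provider metadata properties to skip when enumerating a key's values.
$PsMeta = '^PS(Path|ParentPath|ChildName|Drive|Provider)$'

function Get-InstalledChromeExtensions {
    foreach ($root in $ProfileRoots) {
        # Layout: <User Data>\<profile>\Extensions\<id>\<version>\manifest.json
        $pattern = Join-Path $root '*\Extensions\*\*\manifest.json'
        foreach ($m in (Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue)) {
            $id = $m.Directory.Parent.Name
            try { $json = Get-Content -Raw -LiteralPath $m.FullName | ConvertFrom-Json }
            catch { continue }   # unreadable manifest: skip it rather than abort the sweep
            [pscustomobject]@{
                Profile     = $m.Directory.Parent.Parent.Parent.Name
                Id          = $id
                Name        = $json.name       # may be a __MSG_*__ locale placeholder
                Version     = $json.version
                Permissions = ($json.permissions -join ', ')
                KnownBad    = ($KnownBadIds -contains $id)
                Path        = $m.Directory.FullName
            }
        }
    }
}

function Get-ChromeExtensionRegistryEntries {
    # External-install keys (FRST removed three of these) and the policy force-install list.
    $keys = @(
        'HKLM:\SOFTWARE\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
        'HKCU:\SOFTWARE\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        # Extensions\<id> subkeys carry an update_url value.
        foreach ($sub in (Get-ChildItem -LiteralPath $k -ErrorAction SilentlyContinue)) {
            $id = $sub.PSChildName
            [pscustomobject]@{
                Key       = $k
                Id        = $id
                UpdateUrl = (Get-ItemProperty -LiteralPath $sub.PSPath).update_url
                KnownBad  = ($KnownBadIds -contains $id)
            }
        }
        # ExtensionInstallForcelist holds values of the form "<id>;<update_url>".
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match $PsMeta) { continue }
            $id = ([string]$p.Value).Split(';')[0]
            [pscustomobject]@{ Key = $k; Id = $id; UpdateUrl = [string]$p.Value; KnownBad = ($KnownBadIds -contains $id) }
        }
    }
}

function Get-AppDataRunEntries {
    # Autostart values whose command sits under a user-writable AppData folder, as the
    # two Chromium Run values in the FRST log did.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match $PsMeta) { continue }
            if ([string]$p.Value -match '(?i)\\AppData\\(Local|Roaming)\\') {
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

Write-Host '== Extensions on disk (KnownBad first) =='
Get-InstalledChromeExtensions | Sort-Object KnownBad -Descending |
    Format-Table Profile, Id, Name, Version, KnownBad -AutoSize
Write-Host '== Registry extension install points =='
Get-ChromeExtensionRegistryEntries | Format-Table Key, Id, UpdateUrl, KnownBad -AutoSize
Write-Host '== Run entries launching from AppData =='
Get-AppDataRunEntries | Format-Table Key, Name, Command -AutoSize
```

An extension folder that is still present after the Chrome UI shows nothing, or a registry install point that reappears after removal, is the "resists removal" case the post describes and is the signal to fall back to the Cleanup Tool or a full reinstall.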


#6 Berries

Posted 14 July 2017 - 09:18 AM

Good Morning Phil!

 

I ended up having to uninstall/reinstall Chrome.  Chrome is currently running with no pop ups, so that's a plus!  The computer is still running slow and kinda jumpy when scrolling pages.  I did notice that Chromium is still showing up as a choice for default browser, however the icon is gone from the desktop.  Not sure if that means anything or not???



#7 garioch7

Posted 14 July 2017 - 09:35 AM

Holly:
 
Thank you for your post.  Please check the Control Panel, Programs, Uninstall Program; and, if you find Chromium, please uninstall it and then reboot your computer.  If you don't find it, no problem.  We are going to get it! :)
 
.
 
:step1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus; how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step2: Please run a Malwarebytes Anti-Malware scan. I see that your mother has it installed on her computer.

BEFORE clicking the "Scan" button, please go to settings, "Protection" and make sure the following are selected:

  • Turn on "Scan for rootkits", if it is not "On."
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)".
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."

When the scan is complete, make sure that all Threats are selected, and click Remove Selected.

Restart your computer when prompted to do so.

The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

Thank you, have a great day, ... and good luck! :)

Regards,
-Phil




#8 Berries

Posted 14 July 2017 - 05:45 PM

Hi Phil,
 
ESET scan was clean.  Malwarebytes came up with a few issues as you will see in the report.  The popups have stopped, and the computer appears to be running well. YAY!!
 
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 7/14/17
Scan Time: 5:09 PM
Log File: 
Administrator: Yes
 
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2365
License: Free
 
-System Information-
OS: Windows 10 (Build 14393.1480)
CPU: x64
File System: NTFS
User: DESKTOP-C2D7DI9\Jean
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 354020
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 18 min, 22 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 4
PUP.Optional.ByteFence, HKLM\SOFTWARE\CLASSES\*\SHELL\ByteFence File Scan, Quarantined, [656], [391313],1.0.2365
PUP.Optional.ByteFence, HKU\S-1-5-21-489656164-657507032-1723202617-1003\SOFTWARE\ByteFence, Quarantined, [656], [388728],1.0.2365
PUP.Optional.WebDiscoverBrowser, HKU\S-1-5-21-489656164-657507032-1723202617-1003\SOFTWARE\WebDiscoverBrowser, Quarantined, [9457], [253912],1.0.2365
PUP.Optional.ByteFence, HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELL\ByteFence Folder Scan, Quarantined, [656], [388724],1.0.2365
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)


#9 garioch7

Posted 15 July 2017 - 12:10 PM

Holly:
 
Thank you for the MB log.  Just some minor stuff there.  That is great news that the ESET Online scan came back clean.   :thumbup2:
 
OK, let's do a few more standard anti-malware scans that target adware, browser redirection, and other nuisance issues.
 
.
 
:step1: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
  • After the scan has finished ...
  • Uncheck any PUP and adware applications that you want to keep.
  • Then click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

:step2: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.

Thank you and have a great weekend, Holly.

Regards,
-Phil




#10 Berries

Posted 16 July 2017 - 10:16 AM

Good Morning Phil!

 

Things are looking up!  Thank goodness!!  Here are the scans you requested.  Only a couple things were found and removed.  :)

 

# AdwCleaner v6.047 - Logfile created 16/07/2017 at 09:42:17
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-13.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Jean - DESKTOP-C2D7DI9
# Running from : C:\Users\Jean\Downloads\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\ByteFence
Key Found:  HKLM\SOFTWARE\WebDiscoverBrowser
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1188 Bytes] - [16/07/2017 09:28:39]
C:\AdwCleaner\AdwCleaner[S1].txt - [1108 Bytes] - [16/07/2017 09:42:17]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1181 Bytes] ##########
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Home x64 
Ran by Jean (Administrator) on Sun 07/16/2017 at 10:05:25.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 0 
 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 07/16/2017 at 10:10:16.33
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#11 garioch7

Posted 16 July 2017 - 11:31 AM

Holly:

Thank you for the logs.  Yes, looking good.

OK, I just want to make sure of one thing - my fault, because my post was not as clear as it should have been.  Did you actually press the "Clean" button on AdwCleaner?  You provided the scan log, which is what I mistakenly requested.  I wanted the Clean log, which has a filename of AdwCleanerC#.txt rather than an AdwCleanerS#.txt.  I have made a note to correct those instructions.

If you did run the Clean, please just copy and paste the contents of the latest AdwCleanerC#.txt file.  If you didn't, please run the AdwCleaner scan again, and then, when it completes, click the "Clean" button to remove what was detected.  A Clean log file will be created and I would ask you to please copy and paste the contents of that file into your next reply.

How is your mother's computer running now?  Are there any other issues?  If so, please describe them in detail.

If there are no issues, I will post instructions as to how to remove all of the anti-malware tools that I have used in one simple step.

I am not seeing any remaining evidence of malware.

Thank you and have a great day.

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#12 Berries (Topic Starter)

Posted 16 July 2017 - 03:22 PM

The computer is running fantastic, Phil!!!  I can't thank you enough for your patience and knowledge.  Here is the Clean Log that you asked for.

 

# AdwCleaner v6.047 - Logfile created 16/07/2017 at 09:51:30
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-13.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Jean - DESKTOP-C2D7DI9
# Running from : C:\Users\Jean\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\ByteFence
[-] Key deleted: HKLM\SOFTWARE\WebDiscoverBrowser
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [843 Bytes] - [16/07/2017 09:51:30]
C:\AdwCleaner\AdwCleaner[S0].txt - [1188 Bytes] - [16/07/2017 09:28:39]
C:\AdwCleaner\AdwCleaner[S1].txt - [1260 Bytes] - [16/07/2017 09:42:17]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1061 Bytes] ##########
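Phil's point above is that a Scan log (AdwCleaner[S#].txt) and a Clean log (AdwCleaner[C#].txt) look alike but record different things. As an added example that is not part of this thread or of AdwCleaner itself, the following Python parses the Clean log pasted above (trimmed to its distinctive lines and embedded as a constructed sample) into header fields, per-section entries and the summary notes, so a helper reviewing many such logs can confirm the run mode and list exactly what was removed. The `[-!*]` flag class and the "Mode: Scan" value for scan logs are assumptions, not documented format.

```python
import re
# Constructed sample: the AdwCleaner "Clean" log pasted above, trimmed to its distinctive lines.
SAMPLE_LOG = r"""# AdwCleaner v6.047 - Logfile created 16/07/2017 at 09:51:30
# Username : Jean - DESKTOP-C2D7DI9
# Mode: Clean
***** [ Registry ] *****
[-] Key deleted: HKLM\SOFTWARE\ByteFence
[-] Key deleted: HKLM\SOFTWARE\WebDiscoverBrowser
***** [ Web browsers ] *****
*************************
:: "Tracing" keys deleted
:: Winsock settings cleared
C:\AdwCleaner\AdwCleaner[C0].txt - [843 Bytes] - [16/07/2017 09:51:30]
"""
HEADER_RE = re.compile(r"^# ([A-Za-z ]+?)\s*:\s*(.+)$")     # "# Mode: Clean" (timestamp line won't match)
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")        # "***** [ Registry ] *****"
ENTRY_RE = re.compile(r"^\[([-!*])\] ([A-Za-z ]+?): (.+)$")  # "[-] Key deleted: HKLM\..." (flag set assumed)

def parse_adwcleaner(text):
    """Split a log into header fields, per-section entries and the ':: ' summary notes."""
    header, sections, notes, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            header[m.group(1).strip()] = m.group(2).strip()
        elif m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif line.startswith("::"):
            notes.append(line[2:].strip())
        elif (m := ENTRY_RE.match(line)) and current is not None:
            # Footer lines (file paths, EOF banner) match none of the patterns and are skipped.
            sections[current].append({"flag": m.group(1), "action": m.group(2), "item": m.group(3)})
    return {"header": header, "sections": sections, "notes": notes}

def is_clean_log(parsed):
    """True for an AdwCleaner[C#].txt (Clean) log; a Scan log is assumed to record 'Mode: Scan'."""
    return parsed["header"].get("Mode") == "Clean"

def removed_items(parsed):
    """Flatten everything the run acted on into 'Section: action item' strings for a reply."""
    return [f"{sec}: {e['action']} {e['item']}"
            for sec, entries in parsed["sections"].items() for e in entries]

if __name__ == "__main__":
    result = parse_adwcleaner(SAMPLE_LOG)
    print("Clean run:", is_clean_log(result))
    print("\n".join(removed_items(result)))
```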


#13 garioch7

Malware Response Instructor

Posted 17 July 2017 - 12:22 PM

Holly:

Thank you for the AdwCleaner log.  I am delighted that your mother's computer is working so much better.  We did a great job together!

Step 1: We will now remove the tools we used during this fix using Delfix.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. Please copy and paste the log in your next reply.

Step 2: . . . Some Final Advice . . .

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows Vista or later is fine) and leaving it on, and using and keeping up-to-date an antivirus solution such as Bitdefender. Antiviral solutions don't even have to cost money; later versions of Windows Defender provide perfectly acceptable protection for free. If for some reason you don't like Windows Defender, there are other free products available as well:

  • Avira (shows nag screen to purchase full product when updating, home use only)
  • Bitdefender Free (home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

If you want more information on methods malware uses to infect your computer, consider browsing our How did I get infected? topic.


It has been a pleasure assisting you and I hope that your mother will avoid any further infections in the future. The most important protection step is to ALWAYS HAVE MORE THAN ONE RECENT BACKUP OF YOUR ENTIRE SYSTEM on an external drive that is only connected to your computer long enough to backup or restore. I do system images weekly. With the free backup software out there (Easeus ToDo Backup Home, Macrium Reflect, etc.), and the very reasonable prices for external USB hard drives, there is no reason to not have a backup.

Please copy and paste the contents of the Delfix log into your next reply. If that looks good, then we can conclude your topic.

On behalf of the Bleeping Computer Community, thank you for choosing BC to assist you with your mother's computer issues.  I hope that she stays safe out there in cyberspace.  Have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#14 Berries (Topic Starter)

Posted 17 July 2017 - 01:31 PM

Hi Phil!!

Thank you, thank you, thank you!!!  My 83-year-old mother is beyond happy to have her computer back up and running like a champ.  I have installed the recommended programs, so hopefully we won't have this problem in the future.

Thanks again,
Holly

# DelFix v1.013 - Logfile created 17/07/2017 at 13:21:01
# Updated 17/04/2016 by Xplode
# Username : Jean - DESKTOP-C2D7DI9
# Operating System : Windows 10 Home  (64 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Jean\Desktop\FRST-OlderVersion
Deleted : C:\Users\Jean\Desktop\AdwCleaner[C0].txt
Deleted : C:\Users\Jean\Desktop\Fixlog.txt
Deleted : C:\Users\Jean\Desktop\FRST64.exe
Deleted : C:\Users\Jean\Desktop\JRT.txt
Deleted : C:\Users\Jean\Desktop\Rkill.txt
Deleted : C:\Users\Jean\Downloads\AdwCleaner (1).exe
Deleted : C:\Users\Jean\Downloads\AdwCleaner.exe
Deleted : C:\Users\Jean\Downloads\JRT.exe
Deleted : C:\Users\Jean\Downloads\rkill (1).exe
Deleted : C:\Users\Jean\Downloads\rkill (2).exe
Deleted : C:\Users\Jean\Downloads\rkill (2)64.exe
Deleted : C:\Users\Jean\Downloads\rkill.exe
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #46 [Windows Update | 07/12/2017 19:02:35]
Deleted : RP #49 [JRT Pre-Junkware Removal | 07/16/2017 15:05:28]
 
New restore point created !
 
########## - EOF - ##########


#15 garioch7

Malware Response Instructor

Posted 18 July 2017 - 06:47 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Member of the Unified Network of Instructors and Trusted Eliminators
