Intel PC on a stick being remotely accessed sys32 files being replaced


  • This topic is locked
13 replies to this topic

#1 Nickp71

  • Members
  • 9 posts
  • Gender:Male

Posted 21 July 2017 - 03:28 PM

Hi there, I have some really strange behaviour going on at the moment. Firstly, my Surface Pro 4 just BSOD'd and wouldn't boot up again, so after being on the phone to MS support they are replacing the whole device. I noticed that my network was very slow, so I reset my router, flashed it and added a TP-Link R600 VPN router with SPI firewall running, and I'm currently using an Intel PC on a stick STK1AW32SC that I've now reloaded Windows on 3 times, as it too is behaving in a manner that is not at all logical or normal. Even typing now it is missing words out, and I only have one browser window open! I'm running ESET Internet Security with some pretty tight rules in place; however, the machine is showing outbound TCP & UDP connections on a whole array of ports from 61000-65923 (System Process) and 49666-49669 (svchost), and the 'System' PID 4 has a local IP connected of 192.168.56.1 when my local IP range is 192.168.0.1 to 192.168.0.50. Services that I keep disabling are re-enabling by themselves, and the mouse will even move by itself even though I check and it states I'm running in console 0. I completely formatted the drive and ran a freshly downloaded copy of Win 10 Home from a fresh USB drive. Yet it still created a hidden directory called $SYSReset that has some log files and a directory called 'scratch' that has a csrss.exe in it. There are many other strange things going on and I would really appreciate some assistance resolving this issue. I am convinced that the attack happens on the internal network first before going out to the internet, letting whomever know that I'm here and ready to be pissed off again...
I've locked down the 4 routers I've gone through over the past 12 months so strongly that it has to be occurring internally. We do have 3 Sony TVs connected to the network: 2 are the older type Bravias with some sort of Linux distro running on them and the other one is Android. I've reset the Android one and disabled things like Bluetooth and wireless (all cable connections), but I have noticed that it does have a lot of traffic on the port it's on on the switch, even when it's in standby mode. When I was looking at open ports on the PC Stick tonight I saw the Android IP address come up a couple of times... not sure what it was doing. I have bound all the MAC addresses of the networked devices via ARP binding, but as soon as I disconnect a device, something else with a spoofed MAC address will get the IP address of the device I have removed, and when I connect the device again it gets a totally different IP address. I am desperate for some help with working out what is going on... thanks heaps

 

PS: To add to this, actual executables like eset.exe are changing names to dllhost.exe. ICMP redirect is also switched on by itself.

 

Another thing that is occurring: when I have disabled Bluetooth in the BIOS and do a full power down and boot pressing F4 (which is to get into BIOS Recovery), some yellow text appears before anything else that says 'Pairing with Bluetooth Device'. This is even before the BIOS settings load...

 

I ran HijackThis and below is the StartupList tool output:

 

StartupList report, 22/07/2017, 3:54:29 AM
StartupList version: 1.52.2
Started from : C:\HiJackthis\HijackThis.EXE
Detected: Unknown Windows (WinNT 6.02.1008)
Detected: Internet Explorer v11.0 (11.00.15063.0000)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\system32\sihost.exe
C:\WINDOWS\system32\taskhostw.exe
C:\WINDOWS\system32\igfxEM.exe
C:\WINDOWS\system32\igfxHK.exe
C:\WINDOWS\system32\igfxTray.exe
C:\WINDOWS\Explorer.EXE
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\WINDOWS\system32\DllHost.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files\ESET\ESET Security\egui.exe
C:\Program Files\Windows Defender\MSASCuiL.exe
C:\Program Files\Zemana AntiMalware\ZAM.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Tweaking.com\Technicians Toolbox\Technicians_Toolbox.exe
C:\Program Files\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ApplicationFrameHost.exe
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11705.1001.21.0_x86__8wekyb3d8bbwe\WinStore.App.exe
C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\46.0.2597.57\opera.exe
C:\Program Files\Opera\46.0.2597.57\opera_crashreporter.exe
C:\Program Files\Opera\46.0.2597.57\opera.exe
C:\Program Files\Opera\46.0.2597.57\opera.exe
C:\Program Files\Opera\46.0.2597.57\opera.exe
C:\Program Files\Opera\46.0.2597.57\opera.exe
C:\Program Files\Opera\46.0.2597.57\opera.exe
C:\Program Files\Opera\46.0.2597.57\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
C:\HiJackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SnippingTool.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ZAM = "C:\Program Files\Zemana AntiMalware\ZAM.exe" /minimized

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\Windows\System32\mshta.exe "%1" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}%U{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = %SystemRoot%\system32\unregmp2.exe /ShowWMP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = /UserInstall

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = %SystemRoot%\system32\unregmp2.exe /FirstLogon

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = U

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\Windows\System32\ie4uinit.exe -UserConfig

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\KEYCRY~1\KEYCRY~3.DLL

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: *Registry key not found*
.shb: *Registry key not found*
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename NOT OK: 'REGEDIT.EXE.MUI'
- File description: 'Registry Editor'

Registry check failed!

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\system32\napinsp.dll
NameSpace #2: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #3: C:\WINDOWS\system32\pnrpnsp.dll
NameSpace #4: C:\WINDOWS\system32\NLAapi.dll
NameSpace #7: C:\WINDOWS\System32\wshbth.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

@%SystemRoot%\system32\AudioEndpointBuilder.dll,-204: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%SystemRoot%\system32\audiosrv.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%SystemRoot%\system32\bfe.dll,-1001: %systemroot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%windir%\system32\bisrv.dll,-100: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
@%SystemRoot%\system32\cdpsvc.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%SystemRoot%\system32\cdpusersvc.dll,-100: %SystemRoot%\system32\svchost.exe -k UnistackSvcGroup (autostart)
Connected Devices Platform User Service_2a265: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup (autostart)
Windows Cloud Files Filter Driver: system32\drivers\cldflt.sys (autostart)
@%SystemRoot%\system32\drivers\registry.sys,-100: \SystemRoot\System32\drivers\registry.sys (autostart)
@%SystemRoot%\system32\coremessaging.dll,-1: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\system32\cryptsvc.dll,-1001: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
@combase.dll,-5012: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
@%SystemRoot%\system32\dhcpcore.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%SystemRoot%\system32\diagtrack.dll,-3001: %SystemRoot%\System32\svchost.exe -k utcsvc (autostart)
@%SystemRoot%\System32\dnsapi.dll,-101: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\dosvc.dll,-100: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\dps.dll,-500: %SystemRoot%\System32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\System32\dusmsvc.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
ekbdflt: \SystemRoot\system32\DRIVERS\ekbdflt.sys (autostart)
ESET Service: "C:\Program Files\ESET\ESET Security\ekrn.exe" (autostart)
@%SystemRoot%\system32\wevtsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@comres.dll,-2450: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@%systemroot%\system32\FntCache.dll,-100: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
@gpapi.dll,-112: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Intel® HD Graphics Control Panel Service: %SystemRoot%\system32\igfxCUIService.exe (autostart)
@%SystemRoot%\system32\iphlpsvc.dll,-500: %SystemRoot%\System32\svchost.exe -k NetSvcs (autostart)
@%systemroot%\system32\wkssvc.dll,-100: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%SystemRoot%\system32\lltdres.dll,-6: system32\drivers\lltdio.sys (autostart)
@%windir%\system32\lsm.dll,-1001: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
@%systemroot%\system32\drivers\luafv.sys,-100: \SystemRoot\system32\drivers\luafv.sys (autostart)
@%SystemRoot%\System32\moshost.dll,-100: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%systemroot%\system32\drivers\mmcss.sys,-100: \SystemRoot\system32\drivers\mmcss.sys (autostart)
@%SystemRoot%\system32\FirewallAPI.dll,-23090: %SystemRoot%\system32\svchost.exe -k LocalServiceNoNetwork (autostart)
@%SystemRoot%\system32\drivers\mslldp.sys,-200: system32\drivers\mslldp.sys (autostart)
@%SystemRoot%\system32\drivers\Ndu.sys,-10001: system32\drivers\Ndu.sys (autostart)
@%SystemRoot%\System32\nlasvc.dll,-1: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
@%SystemRoot%\system32\nsisvc.dll,-200: %systemroot%\system32\svchost.exe -k LocalService (autostart)
@%SystemRoot%\system32\APHostRes.dll,-10002: %SystemRoot%\system32\svchost.exe -k UnistackSvcGroup (autostart)
Sync Host_2a265: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup (autostart)
Parvdm: \SystemRoot\System32\drivers\parvdm.sys (autostart)
PEAUTH: system32\drivers\peauth.sys (autostart)
@%SystemRoot%\system32\umpo.dll,-100: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
@%systemroot%\system32\profsvc.dll,-300: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%windir%\system32\RpcEpMap.dll,-1001: %SystemRoot%\system32\svchost.exe -k RPCSS (autostart)
@combase.dll,-5010: %SystemRoot%\system32\svchost.exe -k rpcss (autostart)
@%SystemRoot%\system32\lltdres.dll,-5: system32\drivers\rspndr.sys (autostart)
@%SystemRoot%\system32\samsrv.dll,-1: %SystemRoot%\system32\lsass.exe (autostart)
@%SystemRoot%\system32\schedsvc.dll,-100: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\SecurityHealthAgent.dll,-1002: %SystemRoot%\system32\SecurityHealthService.exe (autostart)
@%SystemRoot%\system32\Sens.dll,-200: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\System32\shsvcs.dll,-12288: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\spoolsv.exe,-1: %SystemRoot%\System32\spoolsv.exe (autostart)
@%SystemRoot%\system32\sppsvc.exe,-101: %SystemRoot%\system32\sppsvc.exe (autostart)
@%SystemRoot%\System32\drivers\storqosflt.sys,-101: system32\drivers\storqosflt.sys (autostart)
@%SystemRoot%\system32\sysmain.dll,-1000: %systemroot%\system32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%windir%\system32\SystemEventsBrokerServer.dll,-1001: %SystemRoot%\system32\svchost.exe -k DcomLaunch (autostart)
TCP/IP Registry Compatibility: System32\drivers\tcpipreg.sys (autostart)
@%SystemRoot%\System32\themeservice.dll,-8192: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
@%SystemRoot%\system32\tileobjserver.dll,-1: %systemroot%\system32\svchost.exe -k appmodel (autostart)
@%SystemRoot%\system32\trkwks.dll,-1: %SystemRoot%\System32\svchost.exe -k LocalSystemNetworkRestricted (autostart)
@%systemroot%\system32\usermgr.dll,-100: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
@%systemroot%\system32\mprmsg.dll,-32011: System32\DRIVERS\wanarp.sys (autostart)
@%systemroot%\system32\drivers\wcifs.sys,-100: \SystemRoot\system32\drivers\wcifs.sys (autostart)
@%SystemRoot%\System32\wcmsvc.dll,-4097: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
@%Systemroot%\system32\wbem\wmisvc.dll,-205: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
@%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101: "%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe" (autostart)
@%SystemRoot%\system32\WpnUserService.dll,-1: %SystemRoot%\system32\svchost.exe -k UnistackSvcGroup (autostart)
Windows Push Notifications User Service_2a265: C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup (autostart)
@%SystemRoot%\System32\wscsvc.dll,-200: %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted (autostart)
ZAM Controller Service: "C:\Program Files\Zemana AntiMalware\ZAM.exe" /service (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: *Registry key not found*

--------------------------------------------------
End of report, 14,914 bytes
Report generated in 0.282 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
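As an added example (not code from this thread or from the HijackThis project), a small Python script that parses a StartupList report like the one above into its sections and pulls out the items a responder would check first: the AppInit_DLLs value, hidden extensions with no arrow overlay, and lines the REGEDIT.EXE integrity check marked NOT OK. The embedded report is a constructed excerpt modelled on the post's report, and the section names and checks are assumptions based on that report's layout.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the StartupList sections quoted in the post above
# (not the full report); the values are the ones that appear in that report.
SAMPLE_REPORT = r"""StartupList report, 22/07/2017, 3:54:29 AM
==================================================

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\PROGRA~1\KEYCRY~1\KEYCRY~3.DLL

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename NOT OK: 'REGEDIT.EXE.MUI'
- File description: 'Registry Editor'

Registry check failed!
"""

# StartupList separates sections with a line of dashes and the header with a line of '='
# (layout assumed from the report quoted above).
SECTION_SEP = re.compile(r"^[-=]{10,}[ \t]*$", re.MULTILINE)
APPINIT_RE = re.compile(r"AppInit_DLLs=(.*)")
HIDDEN_NO_OVERLAY_RE = re.compile(r"^(\.\w+): HIDDEN! \(arrow overlay: NO!\)", re.MULTILINE)


def split_sections(report: str) -> Dict[str, List[str]]:
    """Map each section heading (first non-empty line of a block) to its remaining non-empty lines."""
    sections: Dict[str, List[str]] = {}
    for block in SECTION_SEP.split(report):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:  # the report header, or an empty section
            continue
        sections[lines[0].rstrip(":")] = lines[1:]
    return sections


def appinit_dlls(report: str) -> List[str]:
    """Non-empty AppInit_DLLs values. Anything listed here is loaded into most user-mode
    processes, so every entry should be identified (vendor, file on disk, signature)."""
    found = []
    for match in APPINIT_RE.finditer(report):
        value = match.group(1).strip()
        if value and not value.startswith("*"):  # '*Registry value not found*' means empty
            found.append(value)
    return found


def hidden_without_overlay(report: str) -> List[str]:
    """Extensions Explorer hides completely (no shortcut arrow), so a file of that type
    shows no visible hint of what it is; review each one rather than treat it as proof."""
    return HIDDEN_NO_OVERLAY_RE.findall(report)


def regedit_integrity_failures(report: str) -> List[str]:
    """Lines in the REGEDIT.EXE integrity section that StartupList marked NOT OK.
    StartupList's expectations predate current Windows builds, so confirm any hit against
    the file's Authenticode signature or a known-good copy before calling it tampering."""
    section = split_sections(report).get("Verifying REGEDIT.EXE integrity", [])
    return [ln for ln in section if "NOT OK" in ln]


def triage(report: str) -> Dict[str, List[str]]:
    """Collect the findings a responder would look at first when reading such a report."""
    return {
        "appinit_dlls": appinit_dlls(report),
        "hidden_without_overlay": hidden_without_overlay(report),
        "regedit_integrity_failures": regedit_integrity_failures(report),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_REPORT).items():
        print(f"{key}: {items if items else 'nothing flagged'}")
```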
#2 nasdaq

  • Malware Response Team
  • 39,541 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 July 2017 - 07:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===


Please run the Farbar tool and post a fresh FRST.txt log for my review.
Post also the Addition.txt file created by the tool.

Also, please provide an update on how the computer is behaving after running the above script.

===

#3 Nickp71
  • Topic Starter

  • Members
  • 9 posts
  • Gender:Male

Posted 23 July 2017 - 09:23 AM

Hi Nasdaq, thank you for assisting me. Please find below the logs as requested. Just before I stopped AV/FW/anti-malware etc., I received a message that the machine was running an ARP poisoning attack on the network!

 

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by SmartTV on Sun 23/07/2017 at 21:11:26.64.
Microsoft Windows 10 Home 10.0.15063  x86
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\SmartTV\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

23/07/2017 9:12:59 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\Zemana AntiMalware deleted successfully
C:\PROGRA~2\SoftwareDistribution deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\LocalLow deleted successfully
C:\Users\SmartTV\AppData\Local\DBG deleted successfully
C:\Users\SmartTV\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\SmartTV\AppData\Roaming\Mozilla\Firefox\Profiles\8eas806p.default\prefs.js:

Added to C:\Users\SmartTV\AppData\Roaming\Mozilla\Firefox\Profiles\8eas806p.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Program Files\Zemana AntiMalware not found
C:\Program Files\Zemana AntiLogger deleted
C:\PROGRA~2\Package Cache deleted
C:\WINDOWS\system32\GroupPolicy\Machine deleted
C:\WINDOWS\system32\GroupPolicy\User deleted
C:\WINDOWS\system32\GroupPolicy\gpt.ini deleted
C:\Users\SmartTV\AppData\Roaming\Mozilla\Firefox\Profiles\8eas806p.default\extensions\firefox@ghostery.com.xpi deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\SmartTV\AppData\Roaming\Mozilla\Firefox\Profiles\8eas806p.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions ======================

ProfilePath: C:\Users\SmartTV\AppData\Roaming\Mozilla\Firefox\Profiles\8eas806p.default
- anonymoX - %ProfilePath%\extensions\client@anonymox.net.xpi
- Copy Link URL em:version1.5.1-signed.1-signed em:creatorJason Fah em:descriptionCopy the URLs of the selected links. em:homepageURLhttp:www.bluelightdev.com em:iconURLchrome:copylinkurlcontenticon.png em:contributorJackieKu - %ProfilePath%\extensions\copylinkurl@bluelightdev.com.xpi
- HTTPS Everywhere - %ProfilePath%\extensions\https-everywhere@eff.org.xpi
- Download Manager S3 - %ProfilePath%\extensions\s3download@statusbar.xpi

AppDir: C:\Program Files\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\SmartTV\AppData\Roaming\Mozilla\Firefox\Profiles\8eas806p.default
B7CA365E7F1BECCE849FF6D390F16DCE    - C:\Program Files\VideoLAN\VLC\npvlc.dll -    VLC Web Plugin
626791785FF2A338575E8AF0563D8333    - C:\WINDOWS\npMSDM.dll -    Microsoft Download Manager Plugin


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=255141"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=255141"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"

==== Reset Google Chrome ======================

Nothing found to reset

==== Empty IE Cache ======================

C:\Users\SmartTV\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\SmartTV\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\SmartTV\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\SmartTV\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\SmartTV\AppData\Local\Mozilla\Firefox\Profiles\8eas806p.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\SmartTV\AppData\Local\Opera Software\Opera Stable\Cache emptied successfully

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=16 folders=12 75007278 bytes)

==== Empty Temp Folders ======================

C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\SmartTV\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sun 23/07/2017 at 21:39:59.12 ======================
 

 

LastRegBack: 2017-07-19 18:50

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 18-07-2017
Ran by SmartTV (23-07-2017 21:44:57)
Running from C:\Users\SmartTV\Desktop
Microsoft Windows 10 Home Version 1703 (X86) (2017-07-19 10:56:10)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2935074924-20800281-1268189492-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2935074924-20800281-1268189492-503 - Limited - Disabled)
Guest (S-1-5-21-2935074924-20800281-1268189492-501 - Limited - Disabled)
SmartTV (S-1-5-21-2935074924-20800281-1268189492-1001 - Administrator - Enabled) => C:\Users\SmartTV

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: ESET Internet Security (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: ESET Internet Security (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall (Disabled) {D426EE12-AE7E-4602-F40F-BBCA8137EB0B}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

. . . (HKLM\...\{3C0FACBA-53B9-4FFF-BFB6-38366D7700EE}) (Version: 2.8.2.2 - Intel) Hidden
ESET Internet Security (HKLM\...\{755CEE0B-EB6E-438B-B066-A6956ED95718}) (Version: 10.1.210.0 - ESET, spol. s r.o.)
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Wireless Bluetooth® (HKLM\...\{559FA847-377D-4926-80A3-ED9E014D363A}) (Version: 19.60.0 - Intel Corporation)
Intel® Driver Update Utility (HKLM\...\{c6d89415-9575-4fe3-aa1b-2047bd4dd6cb}) (Version: 2.8.2.2 - Intel)
Intel® PROSet/Wireless Software (HKLM\...\{72471787-a083-47c2-b7f6-146e46a4b1c0}) (Version: 19.60.0 - Intel Corporation)
Microsoft Download Manager (HKLM\...\{654977DB-0001-0002-0001-EABD228DDE8B}) (Version: 1.2.1 - Microsoft Corporation)
Mozilla Firefox 54.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 54.0.1 (x86 en-US)) (Version: 54.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 54.0.1 - Mozilla)
Opera Stable 46.0.2597.57 (HKLM\...\Opera 46.0.2597.57) (Version: 46.0.2597.57 - Opera Software)
Oracle VM VirtualBox 5.1.24 (HKLM\...\{F57B99A8-C19B-4A3B-A7BE-BA20AD768EAB}) (Version: 5.1.24 - Oracle Corporation)
Tweaking.com - Technicians Toolbox (HKLM\...\Tweaking.com - Technicians Toolbox) (Version: 1.2.0 - Tweaking.com)
Tweaking.com - Windows Repair (HKLM\...\Tweaking.com - Windows Repair) (Version: 3.9.36 - Tweaking.com)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.6 - VideoLAN)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2935074924-20800281-1268189492-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\SmartTV\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-2935074924-20800281-1268189492-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\SmartTV\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-2935074924-20800281-1268189492-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\SmartTV\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileSyncShell.dll => No File
ContextMenuHandlers01: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-04-27] (ESET)
ContextMenuHandlers02: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-04-27] (ESET)
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers05: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2017-03-29] (Intel Corporation)
ContextMenuHandlers06: [ESET Smart Security - Context Menu Shell Extension] -> {B089FE88-FB52-11D3-BDF1-0050DA34150D} => C:\Program Files\ESET\ESET Security\shellExt.dll [2017-04-27] (ESET)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {10D30BD2-53D3-47F1-BBB8-9DFC6DFEE288} - System32\Tasks\S-1-5-21-2935074924-20800281-1268189492-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-03-19] (Microsoft Corporation)
Task: {B751F60D-5CC9-4CB5-A86D-83D489A04198} - System32\Tasks\Tweaking.com - Windows Repair Tray Icon => C:\Program Files\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe [2015-03-12] (Tweaking.com)
Task: {C5857F70-9B64-4D2D-B37A-12FCF4B7C580} - System32\Tasks\Opera scheduled Autoupdate 1500551260 => C:\Program Files\Opera\launcher.exe [2017-07-18] (Opera Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-03-19 02:19 - 2017-03-19 02:19 - 00116824 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-29 12:54 - 2017-03-29 12:54 - 00406528 _____ () C:\WINDOWS\system32\igfxTray.exe
2017-03-19 02:19 - 2017-03-19 04:25 - 01456128 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iai2ce.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iaspie.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-07-19 19:38 - 2017-07-20 22:32 - 00000858 _____ C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2935074924-20800281-1268189492-1001\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
DNS Servers: 180.181.127.3 - 180.181.127.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [Microsoft-Windows-WLANSvc-ASP-CP-In] => (Block) %systemroot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-RAServer-In-TCP-NoScope-Active] => (Block) %SystemRoot%\system32\raserver.exe
FirewallRules: [RemoteAssistance-DCOM-In-TCP-NoScope-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-In-TCP-EdgeScope-Active] => (Block) %SystemRoot%\system32\msra.exe
FirewallRules: [RemoteAssistance-SSDPSrv-In-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-PnrpSvc-UDP-In-EdgeScope-Active] => (Block) %systemroot%\system32\svchost.exe
FirewallRules: [ProximityUxHost-Sharing-In-TCP-NoScope] => (Block) %SystemRoot%\system32\proximityuxhost.exe
FirewallRules: [WirelessDisplay-In-TCP] => (Block) %systemroot%\system32\WUDFHost.exe
FirewallRules: [WirelessDisplay-Infra-In-TCP] => (Block) %systemroot%\system32\CastSrv.exe
FirewallRules: [{EA4BBDDA-2477-4886-BE80-372D1F529848}] => (Allow) C:\Program Files\Opera\46.0.2597.57\opera.exe
FirewallRules: [{217FFA26-6E29-4827-9960-FD08328AFEE9}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{623A7E60-10C7-48B1-BDEE-D8EF9034EE88}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{35091AE8-5071-42F0-97B9-C45B98909BE9}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe

==================== Restore Points =========================

20-07-2017 22:42:19 Windows Update
22-07-2017 16:36:42 Windows Modules Installer
23-07-2017 21:12:38 zoek.exe restore point

==================== Faulty Device Manager Devices =============

Name: VirtualBox Host-Only Ethernet Adapter
Description: VirtualBox Host-Only Ethernet Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Oracle Corporation
Service: VBoxNetAdp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Intel® Dual Band Wireless-AC 7265
Description: Intel® Dual Band Wireless-AC 7265
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Intel Corporation
Service: Netwtn04
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Microsoft Kernel Debug Network Adapter
Description: Microsoft Kernel Debug Network Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: kdnic
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/23/2017 09:38:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ZeroConfigService.exe, version: 19.60.0.0, time stamp: 0x58d16645
Faulting module name: ZeroConfigService.exe, version: 19.60.0.0, time stamp: 0x58d16645
Exception code: 0xc0000409
Fault offset: 0x001af2f6
Faulting process id: 0x974
Faulting application start time: 0x01d303b3b67268c2
Faulting application path: C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
Faulting module path: C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
Report Id: 8934b53a-c17e-4b29-b91a-b36403c57401
Faulting package full name:
Faulting package-relative application ID:

Error: (07/23/2017 09:12:41 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (07/23/2017 09:03:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.15063.0, time stamp: 0x58ccb9b0
Faulting module name: combase.dll, version: 10.0.15063.447, time stamp: 0x8543d53c
Exception code: 0xc000027b
Fault offset: 0x001ccf71
Faulting process id: 0x1008
Faulting application start time: 0x01d303b3bd174531
Faulting application path: C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report Id: 61dbd48b-5c18-44f2-a71d-ccaa73cab946
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.15063.332_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (07/22/2017 06:30:57 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: DESKTOP-EVSN2BL)
Description: Package Microsoft.MicrosoftEdge_40.15063.0.0_neutral__8wekyb3d8bbwe+ContentProcess#{00041401-0001-0000-fa1b-300000000000} was terminated because it took too long to suspend.

Error: (07/22/2017 05:51:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.15063.0, time stamp: 0x58ccb9b0
Faulting module name: combase.dll, version: 10.0.15063.447, time stamp: 0x8543d53c
Exception code: 0xc000027b
Fault offset: 0x001ccf71
Faulting process id: 0x1374
Faulting application start time: 0x01d302d00b72d1c9
Faulting application path: C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report Id: ccec72de-e6ca-4f12-bef8-f5da5cf990b5
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.15063.332_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (07/22/2017 05:51:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.15063.0, time stamp: 0x58ccb9b0
Faulting module name: combase.dll, version: 10.0.15063.447, time stamp: 0x8543d53c
Exception code: 0xc000027b
Fault offset: 0x001ccf71
Faulting process id: 0x13bc
Faulting application start time: 0x01d302d00a323c77
Faulting application path: C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report Id: d9ba10ae-c63a-475a-b99c-6e97c33c7074
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.15063.332_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (07/22/2017 05:51:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.15063.0, time stamp: 0x58ccb9b0
Faulting module name: combase.dll, version: 10.0.15063.447, time stamp: 0x8543d53c
Exception code: 0xc000027b
Fault offset: 0x001ccf71
Faulting process id: 0x11c0
Faulting application start time: 0x01d302cfd0197d7c
Faulting application path: C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report Id: c1af2e3d-cca0-4664-b425-4ff534c75625
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.15063.332_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (07/22/2017 05:49:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.15063.0, time stamp: 0x58ccb9b0
Faulting module name: combase.dll, version: 10.0.15063.447, time stamp: 0x8543d53c
Exception code: 0xc000027b
Fault offset: 0x001ccf71
Faulting process id: 0x122c
Faulting application start time: 0x01d302ceb4bad371
Faulting application path: C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report Id: 199b7246-61f8-4bdd-a115-61a6aad77b8d
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.15063.332_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (07/22/2017 05:41:43 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 13) (User: DESKTOP-EVSN2BL)
Description: C:\Users\SmartTV\AppData\Local\Packages\king.com.CandyCrushSodaSaga_kgqvnymyfvs32\LocalCacheking.com.CandyCrushSodaSaga_kgqvnymyfvs32-2147024894

Error: (07/22/2017 05:41:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: stritz.exe, version: 0.0.0.0, time stamp: 0x59676352
Faulting module name: combase.dll, version: 10.0.15063.447, time stamp: 0x8543d53c
Exception code: 0xc000027b
Fault offset: 0x001ccf71
Faulting process id: 0x1374
Faulting application start time: 0x01d302ceb910b3b3
Faulting application path: C:\Program Files\WindowsApps\king.com.CandyCrushSodaSaga_1.93.1400.0_x86__kgqvnymyfvs32\stritz.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report Id: cecfb37b-3a6c-4117-87aa-7876dbaaa131
Faulting package full name: king.com.CandyCrushSodaSaga_1.93.1400.0_x86__kgqvnymyfvs32
Faulting package-relative application ID: App


System errors:
=============
Error: (07/23/2017 09:43:03 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8007000d: Logitech - Other hardware - Logitech USB Input Device.

Error: (07/23/2017 09:39:29 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The iphlpsvc service depends on the WinHttpAutoProxySvc service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (07/23/2017 09:39:26 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error:
The request is not supported.

Error: (07/23/2017 09:38:56 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® PROSet/Wireless Zero Configuration Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/23/2017 09:33:43 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (07/23/2017 09:33:43 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (07/23/2017 09:33:42 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (07/23/2017 09:33:41 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (07/23/2017 09:33:41 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (07/23/2017 09:04:23 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x8007000d: Logitech - Other hardware - Logitech USB Input Device.


CodeIntegrity:
===================================
  Date: 2017-07-22 18:42:51.376
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files\ESET\ESET Security\eplgEdge.dll that did not meet the Store signing level requirements.

  Date: 2017-07-22 18:41:41.586
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files\ESET\ESET Security\eplgEdge.dll that did not meet the Store signing level requirements.

  Date: 2017-07-22 18:30:52.096
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files\ESET\ESET Security\eplgEdge.dll that did not meet the Store signing level requirements.

  Date: 2017-07-22 18:30:47.144
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files\ESET\ESET Security\eplgEdge.dll that did not meet the Store signing level requirements.

  Date: 2017-07-22 18:30:27.086
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files\ESET\ESET Security\eplgEdge.dll that did not meet the Store signing level requirements.

  Date: 2017-07-22 18:30:12.225
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files\ESET\ESET Security\eplgEdge.dll that did not meet the Store signing level requirements.

  Date: 2017-07-22 18:30:11.818
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume5\Program Files\ESET\ESET Security\eplgEdge.dll that did not meet the Store signing level requirements.

  Date: 2017-07-22 17:59:25.147
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-07-22 17:59:23.850
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-07-22 17:59:23.445
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Atom™ x5-Z8330 CPU @ 1.44GHz
Percentage of memory in use: 39%
Total physical RAM: 1977.04 MB
Available physical RAM: 1193.37 MB
Total Virtual: 3129.04 MB
Available Virtual: 2106.13 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:28.34 GB) (Free:10.82 GB) NTFS
Drive d: () (Removable) (Total:59.73 GB) (Free:14.21 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 29.1 GB) (Disk ID: FD8F3C66)

Partition: GPT.

========================================================
Disk: 1 (Size: 59.7 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================



#4 nasdaq (Malware Response Team)

Posted 23 July 2017 - 01:14 PM

Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction ? <==== ATTENTION
S3 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
CustomCLSID: HKU\S-1-5-21-2935074924-20800281-1268189492-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\SmartTV\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileSyncShell.dll => No File
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
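
The fixlist above resets the firewall, the IP stack and the DNS cache but does not show the reader how to verify the state it leaves behind. The script below is an added triage example, not part of the thread and not one of nasdaq's FRST fixes. From an elevated PowerShell on Windows 10 it reports the items the Addition.txt log and the opening post raise: whether all three firewall profiles are enabled, which adapter owns each local IPv4 address (192.168.56.x is the range VirtualBox assigns to its host-only adapter, and the log lists exactly such an adapter), the configured DNS resolvers, the hosts file, every established TCP connection with its owning process, and the ARP/neighbor cache that a later post suggests flushing. Assumptions: the expected LAN is 192.168.0.0/24 as the poster described, and anything outside it is only reported, never blocked.

```powershell
<#
  Added triage script (not from the thread). Run from an elevated PowerShell
  on Windows 8.1/10. Assumption: the poster's LAN prefix is 192.168.0.; set
  -ExpectedLanPrefix to your own network.
#>
[CmdletBinding()]
param(
    [string]$ExpectedLanPrefix = '192.168.0.'   # assumption, see above
)

function Get-OwnerName {
    # Map a PID to "name (path)". PID 4 is the kernel and has no image path.
    param([int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $p)   { return "pid $ProcessId (exited)" }
    if ($p.Path)   { return "$($p.Name) ($($p.Path))" }
    return "$($p.Name) [no path: system or protected process]"
}

function Test-PrivateAddress {
    # RFC 1918, loopback and link-local ranges.
    param([string]$Address)
    return ($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)')
}

Write-Host "== Firewall profiles (all three should read Enabled = True) =="
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

Write-Host "== IPv4 addresses and the adapter that owns each one =="
Get-NetIPAddress -AddressFamily IPv4 |
    Sort-Object InterfaceAlias |
    Select-Object InterfaceAlias, IPAddress, PrefixLength,
        @{ n = 'Note'; e = {
            if     ($_.IPAddress -like '192.168.56.*')           { 'VirtualBox host-only range' }
            elseif ($_.IPAddress -like "$ExpectedLanPrefix*")    { 'expected LAN' }
            elseif ($_.IPAddress -like '169.254.*')              { 'APIPA: no DHCP lease obtained' }
            else                                                 { '' } } } |
    Format-Table -AutoSize

Write-Host "== DNS resolvers per interface (compare against the router's own settings) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, @{ n = 'Servers'; e = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

Write-Host "== hosts file entries (anything beyond localhost deserves a look) =="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -and $_ -notmatch '^\s*#' }

Write-Host "== Established TCP connections with owning process =="
$report = Get-NetTCPConnection -State Established | ForEach-Object {
    [pscustomobject]@{
        Local  = "$($_.LocalAddress):$($_.LocalPort)"
        Remote = "$($_.RemoteAddress):$($_.RemotePort)"
        Scope  = if     ($_.RemoteAddress -like "$ExpectedLanPrefix*") { 'LAN' }
                 elseif (Test-PrivateAddress $_.RemoteAddress)       { 'other private range' }
                 else                                                { 'INTERNET' }
        Owner  = Get-OwnerName -ProcessId $_.OwningProcess
    }
}
$report | Sort-Object Scope, Remote | Format-Table -AutoSize -Wrap

Write-Host "== ARP / neighbor cache (one MAC answering for several IPs is worth a closer look) =="
Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale |
    Select-Object InterfaceAlias, IPAddress, LinkLayerAddress, State |
    Format-Table -AutoSize
```

Two caveats when reading the output. A third-party suite such as ESET Internet Security typically registers its own firewall with Windows Security Center and switches the built-in Windows Firewall off, so "Windows Firewall is disabled" in an FRST log is not by itself a sign of tampering; check which product is actually filtering. And an established connection owned by PID 4 (System) to a 192.168.56.x address is the host talking to its own VirtualBox host-only adapter, not a foreign host on the LAN.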

#5 Nickp71 (Topic Starter)

Posted 24 July 2017 - 12:19 AM

Hi Nasdaq,

It is still not right - I tried to open the wireless networks from the task bar and they are not displaying, so I went into settings and got the attached error. It took me several attempts to get an IP address again; I had to try static and then also had to do a network reset. There are unknown files sitting in all sorts of strange places (see attached for an example) and it's not running properly.

Do you have any ideas as to what the malware could be?

Here is the fix result:

Fix result of Farbar Recovery Scan Tool (x86) Version: 23-07-2017
Ran by SmartTV (24-07-2017 11:54:15) Run:1
Running from C:\Users\SmartTV\Desktop
Loaded Profiles: SmartTV (Available Profiles: SmartTV)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction ? <==== ATTENTION
S3 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
CustomCLSID: HKU\S-1-5-21-2935074924-20800281-1268189492-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\SmartTV\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\FileSyncShell.dll => No File
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
*****************

Restore point was successfully created.
Processes closed successfully.
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
HKLM\System\CurrentControlSet\Services\ibtsiva => key removed successfully.
ibtsiva => service removed successfully.
HKU\S-1-5-21-2935074924-20800281-1268189492-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} => key removed successfully.
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => key removed successfully.
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => key not found.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= IPCONFIG /release =========


Windows IP Configuration


Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Default Gateway . . . . . . . . . :

========= End of CMD: =========


========= IPCONFIG /renew =========


Windows IP Configuration

An error occurred while renewing interface Ethernet 2 : unable to contact your DHCP server. Request has timed out.

========= End of CMD: =========


========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset c:\resetlog.txt =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv4 reset =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.

Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 6053888 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13819967 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 19295 B
Edge => 29952168 B
Chrome => 0 B
Firefox => 36399845 B
Opera => 240538719 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
LocalService => 11482 B
NetworkService => 0 B
SmartTV => 3623987 B

RecycleBin => 107167 B
EmptyTemp: => 315.2 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:59:36 ====



#6 nasdaq (Malware Response Team)

Posted 24 July 2017 - 07:37 AM


Hi,

I went into settings and got the attached error. It took me several attempts to get an IP address again


Please try to open it in Control Panel and let me know if you cannot do so.
===

Since this issue can be caused by corrupted system files, please try the following commands to repair Windows:

Execute cmd.exe, which will open the DOS screen.

Type or copy-paste the following at the DOS prompt.
Dism /Online /Cleanup-Image /RestoreHealth

When completed, run this command to check the integrity of the operating system files.

SFC /scannow

p.s.
No infection found. Something went wrong with your system.

#7 Nickp71 (Topic Starter)

Posted 26 July 2017 - 09:15 PM

Hi Nasdaq,

I completed both (I had done so already) and both returned 0 issues. What concerns me is why GP is running on a Windows 10 Home PC, and why this same issue continues to happen on all my devices. I'm on my 5th Microsoft Surface in 12 months. I really need to get to the bottom of it.

#8 nasdaq (Malware Response Team)

Posted 27 July 2017 - 07:54 AM


Navigate to this page.
https://techjourney.net/clear-delete-and-refresh-arp-cache-entry/

Follow the instructions to flush the ARP cache.
Use the NetShell (netsh) command to clear, delete or refresh the Address Resolution Protocol (ARP) cache by following these steps.

Keep me posted.

#9 nasdaq (Malware Response Team)

Posted 02 August 2017 - 09:50 AM

Are you still with me?

#10 nasdaq (Malware Response Team)

Posted 05 January 2018 - 09:05 AM

Copied from the PM.

As requested Nasdaq :) Please note: I have replaced the text where my full name was displayed with 'My Name Replaced'


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by My Name Replaced (administrator) on NICHOLASSP4 (05-01-2018 01:37:06)
Running from C:\Users\My Name Replaced\Downloads
Loaded Profiles: My Name Replaced (Available Profiles: My Name Replaced & My Name Replaced)
Platform: Windows 10 Pro Insider Preview Version 1709 17025.1000 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Opera)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Code Sector) C:\Program Files\TeraCopy\TeraCopyService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Bitdefender) C:\Program Files\Bitdefender Agent\ProductAgentService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\vsservp.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Bitdefender) C:\Program Files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe
(Microsoft Corporation) C:\Windows\System32\SurfaceService.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera_crashreporter.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Opera Software) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe
(Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [632144 2017-10-21] (Microsoft Corporation)
HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [527792 2017-08-09] (Greenshot)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [297272 2017-12-11] (Apple Inc.)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [3567928 2017-12-05] (Dropbox, Inc.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4509184 2012-12-27] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsInd00] => C:\Program Files (x86)\BrownyInd\Brother\BrIndicator.exe [1885184 2012-12-18] (Brother Industries, Ltd.)
HKLM\...\Policies\Explorer: [NoViewOnDrive] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [NoFile] 0
HKLM\...\Policies\Explorer: [HideClock] 0
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0
HKLM\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKLM\...\Policies\Explorer: [NoSetFolders] 0
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoLogoff] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoSaveSettings] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM\...\Policies\Explorer: [NoDesktop] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Run: [GUDelayStartup] => C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe [44024 2017-12-15] (Glarysoft Ltd)
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\Policies\Explorer: [NoStartMenuSubFolders] 0
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 180.181.127.3 180.181.127.4
Tcpip\..\Interfaces\{09bf6998-06e5-455f-a064-57f4ea2f8cb6}: [DhcpNameServer] 180.181.127.3 180.181.127.4
Tcpip\..\Interfaces\{f1561487-71d5-4e78-bbc2-eb5db79b46d3}: [DhcpNameServer] 180.181.127.3 180.181.127.4

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
BHO: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender Security\pmbxie.dll [2017-12-04] (Bitdefender)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-01-04] (Microsoft Corporation)
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll => No File
BHO-x32: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender Security\Antispam32\pmbxie.dll [2017-12-04] (Bitdefender)
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll => No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM - Bitdefender Wallet - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender Security\pmbxie.dll [2017-12-04] (Bitdefender)
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll No File
Toolbar: HKLM-x32 - Bitdefender Wallet - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender Security\Antispam32\pmbxie.dll [2017-12-04] (Bitdefender)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-04] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-04] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-04] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-04] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: nkxrfyzx.default
FF ProfilePath: C:\Users\My Name Replaced\AppData\Roaming\Mozilla\Firefox\Profiles\nkxrfyzx.default [2018-01-04]
FF Homepage: Mozilla\Firefox\Profiles\nkxrfyzx.default -> about:home
FF NewTab: Mozilla\Firefox\Profiles\nkxrfyzx.default -> about:newtab
FF NetworkProxy: Mozilla\Firefox\Profiles\nkxrfyzx.default -> type", 0
FF Extension: (Easy Screenshot) - C:\Users\My Name Replaced\AppData\Roaming\Mozilla\Firefox\Profiles\nkxrfyzx.default\Extensions\easyscreenshot@mozillaonline.com.xpi [2018-01-03]
FF Extension: (Ghostery) - C:\Users\My Name Replaced\AppData\Roaming\Mozilla\Firefox\Profiles\nkxrfyzx.default\Extensions\firefox@ghostery.com.xpi [2018-01-03]
FF Extension: (LastPass: Free Password Manager) - C:\Users\My Name Replaced\AppData\Roaming\Mozilla\Firefox\Profiles\nkxrfyzx.default\Extensions\support@lastpass.com.xpi [2018-01-03]
FF Extension: (uBlock Origin) - C:\Users\My Name Replaced\AppData\Roaming\Mozilla\Firefox\Profiles\nkxrfyzx.default\Extensions\uBlock0@raymondhill.net.xpi [2018-01-03]
FF HKLM\...\Firefox\Extensions: [bdwtwe@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdwteff
FF Extension: (Bitdefender Wallet) - C:\Program Files\Bitdefender\Bitdefender Security\bdwteff [2017-12-11]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdtbext
FF Extension: (Bitdefender Antispam Toolbar) - C:\Program Files\Bitdefender\Bitdefender Security\bdtbext [2017-12-11] [Legacy] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [bdwtwe@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdwteff
FF HKLM-x32\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdtbext
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2017-11-30] (VideoLAN)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1231201.dll [2017-11-02] (Adobe Systems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-01-04] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-01-03] (Google Inc.)

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx

Opera:
=======
StartMenuInternet: (HKLM) OperaStable - C:\Program Files\Opera\Launcher.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-11-27] (Apple Inc.)
R2 bdredline; C:\Program Files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe [2119184 2017-09-26] (Bitdefender)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2012-10-26] (Brother Industries, Ltd.) [File not signed]
S3 BTAGService; C:\WINDOWS\System32\BTAGService.dll [244224 2017-10-21] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7760552 2017-12-07] (Microsoft Corporation)
S4 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2018-01-03] (Dropbox, Inc.)
S4 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2018-01-03] (Dropbox, Inc.)
S4 DbxSvc; C:\Windows\system32\DbxSvc.exe [51016 2017-12-05] (Dropbox, Inc.)
R2 DevMgmtService; C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [103072 2017-12-04] (Bitdefender)
R2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [1278584 2017-10-31] (Bitdefender)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [4288552 2017-10-21] (Microsoft Corporation)
R2 TeraCopyService; C:\Program Files\TeraCopy\TeraCopyService.exe [110416 2017-05-05] (Code Sector)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe [218416 2017-12-04] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe [1129720 2017-12-04] (Bitdefender)
R2 vsservp; C:\Program Files\Bitdefender\Bitdefender Security\vsservp.exe [524872 2016-08-25] (Bitdefender)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [341944 2017-10-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [92456 2017-10-21] (Microsoft Corporation)
S3 WpcMonSvc; C:\WINDOWS\System32\WpcDesktopMonSvc.dll [1140224 2017-10-21] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 atc; C:\WINDOWS\System32\DRIVERS\atc.sys [1019880 2017-09-15] (BitDefender S.R.L. Bucharest, ROMANIA)
R0 avc3; C:\WINDOWS\System32\DRIVERS\avc3.sys [1763744 2017-08-23] (BitDefender)
S0 bdelam; C:\WINDOWS\System32\drivers\bdelam.sys [23672 2016-03-14] (Bitdefender)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [133088 2017-06-06] (BitDefender LLC)
R0 bdprivmon; C:\WINDOWS\System32\DRIVERS\bdprivmon.sys [47376 2017-10-09] (© Bitdefender SRL)
R1 BDVEDISK; C:\WINDOWS\system32\DRIVERS\bdvedisk.sys [87912 2015-12-04] (BitDefender)
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [20160 2018-01-03] (Glarysoft Ltd)
R0 gzflt; C:\WINDOWS\System32\DRIVERS\gzflt.sys [187688 2017-05-11] (BitDefender LLC)
R3 iactrllogic; C:\WINDOWS\System32\drivers\iactrllogic64.sys [174496 2017-06-29] (Intel® Corporation)
R0 Ignis; C:\WINDOWS\system32\DRIVERS\ignis.sys [362664 2017-08-10] (Bitdefender)
S3 nvdimm; C:\WINDOWS\System32\drivers\nvdimm.sys [88576 2017-10-21] (Microsoft Corporation)
R0 trufos; C:\WINDOWS\System32\DRIVERS\trufos.sys [439576 2017-04-11] (BitDefender S.R.L.)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [40832 2017-10-21] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [303440 2017-10-21] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [114000 2017-10-21] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-05 10:40 - 2018-01-04 18:51 - 000000000 ____D C:\Windows.old
2018-01-05 10:40 - 2017-10-31 23:03 - 000767560 _____ (Intel Corporation) C:\WINDOWS\system32\Drivers\iaPreciseTouch.sys
2018-01-05 10:40 - 2017-02-22 10:14 - 000760376 _____ (Intel Corporation) C:\WINDOWS\system32\Drivers\SET480F.tmp
2018-01-05 00:58 - 2018-01-05 00:58 - 000002246 _____ C:\Users\My Name Replaced\Desktop\Tweaking.com - Windows Repair.lnk
2018-01-05 00:41 - 2018-01-05 00:58 - 000194193 _____ C:\WINDOWS\Tweaking.com - Windows Repair Setup Log.txt
2018-01-05 00:41 - 2018-01-05 00:41 - 000003786 _____ C:\WINDOWS\System32\Tasks\Tweaking.com - Windows Repair Tray Icon
2018-01-05 00:40 - 2018-01-05 00:40 - 000003174 _____ C:\WINDOWS\System32\Tasks\Tweaking.com - Remote Desktop IP Monitor & Blocker
2018-01-05 00:40 - 2018-01-05 00:40 - 000000598 _____ C:\WINDOWS\Tasks\Tweaking.com - Remote Desktop IP Monitor & Blocker.job
2018-01-05 00:39 - 2018-01-05 00:39 - 000000000 ____D C:\Users\My Name Replaced\Downloads\remotedesktop
2018-01-05 00:35 - 2018-01-05 00:41 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2018-01-05 00:35 - 2018-01-05 00:41 - 000000000 ____D C:\Program Files (x86)\Tweaking.com
2018-01-05 00:35 - 2018-01-05 00:35 - 000002190 _____ C:\Users\My Name Replaced\Desktop\Tweaking.com - Hardware Identify.lnk
2018-01-05 00:34 - 2018-01-05 00:34 - 006373968 _____ (Tweaking.com) C:\Users\My Name Replaced\Downloads\tweaking.com_technicians_toolbox_setup.exe
2018-01-05 00:31 - 2018-01-05 00:32 - 007801424 _____ (Tweaking.com) C:\Users\My Name Replaced\Downloads\tweaking.com_hardware_identify_setup.exe
2018-01-05 00:31 - 2018-01-05 00:31 - 001159417 _____ C:\Users\My Name Replaced\Downloads\tweaking.com_remote_desktop_ip_monitor_blocker_portable.zip
2018-01-05 00:30 - 2018-01-05 00:30 - 005951048 _____ C:\Users\My Name Replaced\Downloads\tweaking.com_advanced_system_tweaker_setup.exe
2018-01-05 00:29 - 2018-01-05 00:29 - 037693392 _____ (Tweaking.com) C:\Users\My Name Replaced\Downloads\tweaking.com_windows_repair_aio_setup.exe
2018-01-05 00:08 - 2018-01-05 00:08 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-01-04 23:17 - 2018-01-04 23:17 - 000036280 _____ C:\Users\My Name Replaced\Downloads\Addition_old.txt
2018-01-04 23:16 - 2018-01-05 01:37 - 000018635 _____ C:\Users\My Name Replaced\Downloads\FRST.txt
2018-01-04 23:16 - 2018-01-05 01:36 - 000014513 _____ C:\Users\My Name Replaced\Downloads\FRST_old.txt
2018-01-04 23:16 - 2018-01-05 01:36 - 000000000 ____D C:\FRST
2018-01-04 23:14 - 2018-01-04 23:14 - 002393088 _____ (Farbar) C:\Users\My Name Replaced\Downloads\FRST64.exe
2018-01-04 19:33 - 2018-01-04 19:33 - 000000000 ____D C:\Users\My Name Replaced\MicrosoftEdgeBackups
2018-01-04 19:28 - 2018-01-04 19:28 - 000026624 _____ C:\Users\My Name Replaced\Downloads\My Name Replaced Monthly Budget - Expenses 2017 (1).xls
2018-01-04 19:26 - 2018-01-04 19:26 - 000026624 _____ C:\Users\My Name Replaced\Downloads\My Name Replaced Monthly Budget - Expenses 2017.xls
2018-01-04 19:14 - 2018-01-04 19:14 - 000000000 ____D C:\Bitdefender
2018-01-04 19:12 - 2018-01-04 19:12 - 000000000 ____D C:\ProgramData\Microsoft OneDrive
2018-01-04 19:11 - 2018-01-04 19:11 - 000001425 _____ C:\Users\My Name Replaced\Desktop\Microsoft Edge.lnk
2018-01-04 19:10 - 2018-01-04 19:10 - 000000020 ___SH C:\Users\My Name Replaced\ntuser.ini
2018-01-04 19:10 - 2018-01-04 19:10 - 000000000 ___RD C:\Users\My Name Replaced\3D Objects
2018-01-04 18:54 - 2018-01-05 00:12 - 000877424 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-01-04 18:51 - 2018-01-04 18:51 - 000000000 _SHDL C:\Documents and Settings
2018-01-04 18:49 - 2018-01-04 18:49 - 000022744 _____ C:\WINDOWS\system32\emptyregdb.dat
2018-01-04 18:49 - 2018-01-04 18:49 - 000011433 _____ C:\WINDOWS\diagwrn.xml
2018-01-04 18:49 - 2018-01-04 18:49 - 000011433 _____ C:\WINDOWS\diagerr.xml
2018-01-04 18:48 - 2018-01-05 00:08 - 000000006 _____ C:\WINDOWS\Tasks\SA.DAT
2018-01-04 18:48 - 2018-01-04 19:12 - 000003802 _____ C:\WINDOWS\System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864
2018-01-04 18:48 - 2018-01-04 18:49 - 000003464 _____ C:\WINDOWS\System32\Tasks\DropboxUpdateTaskMachineUA
2018-01-04 18:48 - 2018-01-04 18:49 - 000003344 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2018-01-04 18:48 - 2018-01-04 18:49 - 000003240 _____ C:\WINDOWS\System32\Tasks\DropboxUpdateTaskMachineCore
2018-01-04 18:48 - 2018-01-04 18:49 - 000003000 _____ C:\WINDOWS\System32\Tasks\GlaryOneClickOptimizer 5
2018-01-04 18:48 - 2018-01-04 18:49 - 000002518 _____ C:\WINDOWS\System32\Tasks\GlaryInitialize 5
2018-01-04 18:48 - 2018-01-04 18:49 - 000002226 _____ C:\WINDOWS\System32\Tasks\GU5SkipUAC
2018-01-04 18:48 - 2018-01-04 18:48 - 000003320 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1514980278
2018-01-04 18:48 - 2018-01-04 18:48 - 000003300 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1515059146
2018-01-04 18:48 - 2018-01-04 18:48 - 000003120 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2018-01-04 18:48 - 2018-01-04 18:48 - 000002404 _____ C:\WINDOWS\System32\Tasks\Bitdefender AgentTask_AD394AE64E874073B10A89FEEC305A3C
2018-01-04 18:48 - 2018-01-04 18:48 - 000000000 ____D C:\WINDOWS\System32\Tasks\Apple
2018-01-04 18:47 - 2018-01-04 18:47 - 000000000 ____D C:\ProgramData\USOShared
2018-01-04 18:46 - 2018-01-04 18:46 - 000000000 ____D C:\data
2018-01-04 18:44 - 2018-01-05 01:32 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Packages
2018-01-04 18:43 - 2018-01-04 19:33 - 000000000 ____D C:\Users\My Name Replaced
2018-01-04 18:43 - 2018-01-04 18:48 - 000000000 ____D C:\Users\My Name Replaced
2018-01-04 18:43 - 2018-01-04 18:44 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Packages
2018-01-04 18:43 - 2017-10-21 21:17 - 002744832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 005254664 ____R (Realtek Semiconductor Corp.) C:\WINDOWS\system32\Drivers\RTKVHD64.sys
2018-01-04 18:43 - 2016-11-23 19:36 - 003283248 ____R (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtkApi64.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 003203592 ____R (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtPgEx64.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 003101912 ____R (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RltkAPO64.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 002439048 ____R (Dolby Laboratories) C:\WINDOWS\system32\DolbyDAX2APOv201.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 001355616 ____R (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RTCOM64.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 001115144 ____R (Dolby Laboratories) C:\WINDOWS\system32\DolbyDAX2APOProp.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 000372736 ____R (Dolby Laboratories) C:\WINDOWS\system32\HiFiDAX2API.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 000192984 ____R (Realtek Semiconductor Corp.) C:\WINDOWS\system32\RtkCfg64.dll
2018-01-04 18:43 - 2016-11-23 19:36 - 000003618 ____R C:\WINDOWS\system32\Drivers\RTAIODAT.DAT
2018-01-04 18:42 - 2018-01-05 00:23 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-01-04 18:42 - 2018-01-04 18:47 - 000458632 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-01-04 18:42 - 2017-09-14 17:54 - 000113664 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.DLL
2018-01-04 18:41 - 2018-01-04 18:51 - 000000000 ___DC C:\WINDOWS\Panther
2018-01-04 18:34 - 2017-10-09 07:25 - 000047376 _____ (© Bitdefender SRL) C:\WINDOWS\system32\Drivers\bdprivmon.sys
2018-01-04 18:34 - 2017-09-15 00:49 - 001019880 _____ (BitDefender S.R.L. Bucharest, ROMANIA) C:\WINDOWS\system32\Drivers\atc.sys
2018-01-04 18:34 - 2017-08-23 03:49 - 001763744 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avc3.sys
2018-01-04 18:34 - 2017-08-10 04:40 - 000362664 _____ (Bitdefender) C:\WINDOWS\system32\Drivers\ignis.sys
2018-01-04 18:34 - 2017-05-11 05:37 - 000187688 _____ (BitDefender LLC) C:\WINDOWS\system32\Drivers\gzflt.sys
2018-01-04 18:34 - 2017-04-11 04:19 - 000439576 _____ (BitDefender S.R.L.) C:\WINDOWS\system32\Drivers\trufos.sys
2018-01-04 18:34 - 2016-03-14 22:04 - 000023672 _____ (Bitdefender) C:\WINDOWS\system32\Drivers\bdelam.sys
2018-01-04 18:34 - 2015-12-04 19:27 - 000087912 _____ (BitDefender) C:\WINDOWS\system32\Drivers\bdvedisk.sys
2018-01-04 18:33 - 2018-01-05 10:40 - 000000000 ____D C:\WINDOWS\system32\config\bbimigrate
2018-01-04 18:31 - 2018-01-04 18:33 - 000000000 ____D C:\WINDOWS\ServiceProfiles
2018-01-04 18:22 - 2018-01-04 18:22 - 000008192 _____ C:\WINDOWS\system32\config\userdiff
2018-01-04 17:49 - 2018-01-04 18:51 - 000000400 __RSH C:\ProgramData\ntuser.pol
2018-01-04 17:45 - 2018-01-05 00:38 - 000000000 ____D C:\Program Files\Opera
2018-01-04 17:45 - 2018-01-04 17:45 - 001277064 _____ (Opera Software) C:\Users\My Name Replaced\Downloads\OperaSetup.exe
2018-01-04 17:45 - 2018-01-04 17:45 - 001277064 _____ (Opera Software) C:\Users\My Name Replaced\Downloads\OperaSetup(1).exe
2018-01-04 17:31 - 2018-01-04 17:32 - 000000000 ____D C:\Users\My Name Replaced\Desktop\Win1017025
2018-01-04 17:20 - 2018-01-04 17:20 - 041767776 _____ (Microsoft) C:\Users\My Name Replaced\Downloads\SurfaceDiagnosticToolkit_SA (1).exe
2018-01-04 17:19 - 2018-01-04 17:19 - 041767776 _____ (Microsoft) C:\Users\My Name Replaced\Downloads\SurfaceDiagnosticToolkit_SA.exe
2018-01-04 17:10 - 2018-01-04 17:24 - 414646272 _____ C:\Users\My Name Replaced\Desktop\Windows10_InsiderPreview_x64_en-us_17025.iso
2018-01-04 17:07 - 2018-01-04 17:07 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\CEF
2018-01-04 16:06 - 2018-01-04 16:07 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\vlc
2018-01-04 15:59 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brother
2018-01-04 15:59 - 2018-01-04 15:59 - 000002142 _____ C:\Users\Public\Desktop\Brother Utilities.lnk
2018-01-04 15:58 - 2018-01-04 15:59 - 000000000 ____D C:\ProgramData\Brother
2018-01-04 15:58 - 2018-01-04 15:58 - 000000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2018-01-04 15:58 - 2018-01-04 15:58 - 000000000 ____D C:\Program Files (x86)\BrownyInd
2018-01-04 15:58 - 2018-01-04 15:58 - 000000000 ____D C:\Program Files (x86)\Browny02
2018-01-04 15:58 - 2018-01-04 15:58 - 000000000 ____D C:\Program Files (x86)\Brother
2018-01-04 15:58 - 2018-01-04 15:58 - 000000000 ____D C:\Brother
2018-01-04 15:58 - 2015-08-28 09:59 - 000180224 _____ (Brother Industries, Ltd.) C:\WINDOWS\SysWOW64\BROSNMP.DLL
2018-01-04 15:58 - 2015-08-28 09:59 - 000113744 _____ (Brother Industries Ltd) C:\WINDOWS\SysWOW64\BRRBTOOL.EXE
2018-01-04 15:58 - 2015-08-28 09:59 - 000077824 _____ (Brother Industries, Ltd.) C:\WINDOWS\SysWOW64\BRLMW03A.DLL
2018-01-04 15:58 - 2015-08-28 09:59 - 000045056 _____ C:\WINDOWS\SysWOW64\BRTCPCON.DLL
2018-01-04 15:58 - 2015-08-28 09:59 - 000025299 _____ (Brother Industries, Ltd) C:\WINDOWS\SysWOW64\BRLM03A.DLL
2018-01-04 15:58 - 2015-08-28 09:59 - 000000114 _____ C:\WINDOWS\SysWOW64\BRLMW03A.INI
2018-01-04 15:58 - 2015-08-28 09:59 - 000000050 _____ C:\WINDOWS\system32\BRADM12A.DAT
2018-01-04 15:58 - 2015-08-28 00:01 - 000226816 _____ (Brother Industries, Ltd.) C:\WINDOWS\system32\BRCOM12A.DLL
2018-01-04 05:07 - 2018-01-04 04:29 - 000005084 _____ C:\Users\My Name Replaced\Desktop\lg.xml
2018-01-04 03:59 - 2018-01-04 03:59 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\DBG
2018-01-04 03:31 - 2018-01-04 03:34 - 000000000 ___SD C:\WINDOWS\UpdateAssistantV2
2018-01-04 03:09 - 2018-01-04 03:09 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Opera Software
2018-01-04 03:09 - 2018-01-04 03:09 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Opera Software
2018-01-04 03:02 - 2018-01-04 03:02 - 000000000 ____D C:\Users\My Name Replaced\AppData\Temp
2018-01-04 02:51 - 2018-01-04 02:51 - 000060627 _____ C:\ProgramData\dm.1515005450.bdinstall.bin
2018-01-04 02:50 - 2018-01-04 02:50 - 000400966 _____ C:\ProgramData\cl.1515005157.bdinstall.bin
2018-01-04 02:50 - 2018-01-04 02:50 - 000076540 _____ C:\ProgramData\cl.kit.1515005144.bdinstall.bin
2018-01-04 02:48 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bitdefender Security
2018-01-04 02:48 - 2018-01-04 02:48 - 000002357 _____ C:\Users\Public\Desktop\Bitdefender.lnk
2018-01-04 02:47 - 2018-01-04 02:50 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Bitdefender
2018-01-04 02:46 - 2018-01-04 02:50 - 000000000 ____D C:\Program Files\Bitdefender
2018-01-04 02:45 - 2018-01-04 02:46 - 000000000 ____D C:\Program Files\Common Files\Bitdefender
2018-01-04 02:44 - 2018-01-04 02:44 - 000034372 _____ C:\ProgramData\agent.update.1515005023.bdinstall.bin
2018-01-04 02:43 - 2018-01-04 02:42 - 010992984 _____ C:\Users\My Name Replaced\Downloads\bitdefender_windows_f5eb586f-85ee-451f-a7ee-5a523c1bf406.exe
2018-01-04 02:20 - 2018-01-05 00:08 - 000004880 _____ C:\bdlog.txt
2018-01-04 01:59 - 2018-01-04 01:59 - 000000000 ____D C:\ProgramData\Bitdefender Device Management
2018-01-04 01:56 - 2018-01-04 01:56 - 000000000 ____D C:\ProgramData\Atc
2018-01-04 01:54 - 2018-01-04 01:54 - 000000000 ____D C:\ProgramData\BDLogging
2018-01-04 01:54 - 2007-04-11 11:11 - 000511328 _____ (Microsoft Corporation) C:\WINDOWS\capicom.dll
2018-01-04 01:51 - 2018-01-04 03:00 - 000000000 ____D C:\ProgramData\Bitdefender
2018-01-04 01:51 - 2018-01-04 01:51 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\QuickScan
2018-01-04 01:51 - 2018-01-04 01:51 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\lptmp
2018-01-04 01:49 - 2018-01-04 01:49 - 000049834 _____ C:\ProgramData\agent.1515001739.bdinstall.bin
2018-01-04 01:48 - 2018-01-04 02:51 - 000000000 ____D C:\Program Files\Bitdefender Agent
2018-01-04 01:48 - 2018-01-04 01:49 - 000000000 ____D C:\ProgramData\Bitdefender Agent
2018-01-04 01:48 - 2018-01-04 01:48 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\TeraCopy
2018-01-04 01:48 - 2018-01-04 01:48 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Obsidium
2018-01-04 01:48 - 2018-01-04 01:48 - 000000000 ____D C:\Users\My Name Replaced\.obs32
2018-01-04 01:47 - 2018-01-04 01:47 - 010992984 _____ C:\Users\My Name Replaced\Downloads\bitdefender_windows_befb1b24-6ca8-4f2c-a1fe-2569771074c7.exe
2018-01-04 01:29 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BankVault SafeWindow
2018-01-04 01:29 - 2018-01-04 01:29 - 000001209 _____ C:\Users\Public\Desktop\BankVault SafeWindow.lnk
2018-01-04 01:29 - 2018-01-04 01:29 - 000000000 ____D C:\Program Files (x86)\BankVault SafeWindow
2018-01-04 01:22 - 2018-01-04 01:22 - 013756160 _____ (GoPC PTY LTD ) C:\Users\My Name Replaced\Downloads\bankvault-client-setup(1).exe
2018-01-04 01:21 - 2018-01-04 01:21 - 013756160 _____ (GoPC PTY LTD ) C:\Users\My Name Replaced\Downloads\bankvault-client-setup.exe
2018-01-04 00:38 - 2018-01-04 00:38 - 000159000 _____ C:\Users\My Name Replaced\Documents\sys info.txt
2018-01-04 00:28 - 2018-01-04 00:28 - 001501398 _____ C:\Users\My Name Replaced\Documents\sys report.nfo
2018-01-04 00:26 - 2018-01-04 00:26 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\VirtualStore
2018-01-03 23:46 - 2018-01-03 23:46 - 000000000 ____D C:\zoek_backup
2018-01-03 23:45 - 2018-01-03 23:46 - 001313792 _____ C:\Users\My Name Replaced\Downloads\zoek.exe
2018-01-03 23:36 - 2018-01-03 23:36 - 005659243 _____ (Swearware) C:\Users\My Name Replaced\Downloads\ComboFix.exe
2018-01-03 23:33 - 2018-01-03 23:37 - 000000000 ____D C:\AdwCleaner
2018-01-03 23:33 - 2018-01-03 23:33 - 014178840 _____ (Malwarebytes Corp.) C:\Users\My Name Replaced\Downloads\mbar-1.10.3.1001.exe
2018-01-03 23:33 - 2018-01-03 23:33 - 008198432 _____ (Malwarebytes) C:\Users\My Name Replaced\Downloads\AdwCleaner.exe
2018-01-03 23:30 - 2018-01-03 23:32 - 000001004 _____ C:\Users\My Name Replaced\Downloads\SALog.txt
2018-01-03 23:29 - 2018-01-03 23:29 - 000899584 _____ C:\Users\My Name Replaced\Downloads\myinstall.exe
2018-01-03 23:27 - 2018-01-05 00:08 - 000041448 _____ C:\WINDOWS\system32\OV7251_FRONT.aiqd
2018-01-03 23:27 - 2018-01-05 00:08 - 000040190 _____ C:\WINDOWS\system32\OV5693_FRONT.aiqd
2018-01-03 23:06 - 2018-01-03 23:06 - 001068904 _____ (Webroot) C:\Users\My Name Replaced\Downloads\syswranalyzerbus.exe
2018-01-03 21:14 - 2018-01-04 15:53 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\MicrosoftEdge
2018-01-03 20:45 - 2018-01-03 20:56 - 000000000 ___RD C:\Users\My Name Replaced\OneDrive
2018-01-03 20:44 - 2018-01-04 17:46 - 000000000 ____D C:\Users\My Name Replaced\AppData\LocalLow\Mozilla
2018-01-03 20:44 - 2018-01-03 20:48 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Mozilla
2018-01-03 20:44 - 2018-01-03 20:44 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Mozilla
2018-01-03 20:43 - 2018-01-03 21:51 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\GlarySoft
2018-01-03 20:42 - 2018-01-03 20:43 - 001438056 _____ C:\TDSSKiller.3.1.0.15_03.01.2018_20.42.14_log.txt
2018-01-03 20:42 - 2018-01-03 20:43 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Dropbox
2018-01-03 20:42 - 2018-01-03 20:42 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Greenshot
2018-01-03 20:42 - 2018-01-03 20:42 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Apple Computer
2018-01-03 20:42 - 2018-01-03 20:42 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Greenshot
2018-01-03 20:42 - 2018-01-03 20:42 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Google
2018-01-03 20:32 - 2018-01-03 20:33 - 000059288 _____ C:\TDSSKiller.3.1.0.15_03.01.2018_20.32.37_log.txt
2018-01-03 20:32 - 2018-01-03 20:32 - 004830473 _____ C:\Users\My Name Replaced\Downloads\tdsskiller.zip
2018-01-03 20:00 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2018-01-03 20:00 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HandBrake
2018-01-03 20:00 - 2018-01-03 20:04 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Mozilla
2018-01-03 20:00 - 2018-01-03 20:00 - 000001826 _____ C:\Users\Public\Desktop\iTunes.lnk
2018-01-03 20:00 - 2018-01-03 20:00 - 000000875 _____ C:\Users\Public\Desktop\HandBrake.lnk
2018-01-03 20:00 - 2018-01-03 20:00 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Mozilla
2018-01-03 20:00 - 2018-01-03 20:00 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Apple Computer
2018-01-03 20:00 - 2018-01-03 20:00 - 000000000 ____D C:\Users\My Name Replaced\AppData\LocalLow\Mozilla
2018-01-03 20:00 - 2018-01-03 20:00 - 000000000 ____D C:\Program Files\Malwarebytes
2018-01-03 20:00 - 2018-01-03 20:00 - 000000000 ____D C:\Program Files\iPod
2018-01-03 19:59 - 2018-01-03 20:00 - 000000000 ____D C:\Program Files\iTunes
2018-01-03 19:59 - 2018-01-03 19:59 - 000002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2018-01-03 19:59 - 2018-01-03 19:59 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Apple
2018-01-03 19:59 - 2018-01-03 19:59 - 000000000 ____D C:\ProgramData\Apple Computer
2018-01-03 19:59 - 2018-01-03 19:59 - 000000000 ____D C:\Program Files\Bonjour
2018-01-03 19:59 - 2018-01-03 19:59 - 000000000 ____D C:\Program Files (x86)\Bonjour
2018-01-03 19:59 - 2018-01-03 19:59 - 000000000 ____D C:\Program Files (x86)\Apple Software Update
2018-01-03 19:58 - 2018-01-03 19:59 - 000000000 ____D C:\ProgramData\Apple
2018-01-03 19:58 - 2018-01-03 19:59 - 000000000 ____D C:\Program Files\Common Files\Apple
2018-01-03 19:56 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2018-01-03 19:56 - 2018-01-03 19:56 - 000001345 _____ C:\Users\My Name Replaced\Desktop\Dropbox.lnk
2018-01-03 19:56 - 2018-01-03 19:56 - 000001345 _____ C:\Users\My Name Replaced\Desktop\Dropbox.lnk
2018-01-03 19:56 - 2018-01-03 19:56 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Google
2018-01-03 19:55 - 2018-01-03 20:34 - 000000950 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2018-01-03 19:55 - 2018-01-03 20:34 - 000000946 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2018-01-03 19:55 - 2018-01-03 19:56 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Dropbox
2018-01-03 19:55 - 2018-01-03 19:56 - 000000000 ____D C:\Program Files (x86)\Dropbox
2018-01-03 19:55 - 2018-01-03 19:55 - 000001910 _____ C:\Users\My Name Replaced\Desktop\Spotify.lnk
2018-01-03 19:55 - 2018-01-03 19:55 - 000001896 _____ C:\Users\My Name Replaced\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2018-01-03 19:55 - 2018-01-03 19:55 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Dropbox
2018-01-03 19:55 - 2018-01-03 19:55 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Spotify
2018-01-03 19:55 - 2018-01-03 19:55 - 000000000 ____D C:\ProgramData\Dropbox
2018-01-03 19:54 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2018-01-03 19:54 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
2018-01-03 19:54 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qBittorrent
2018-01-03 19:54 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PuTTY (64-bit)
2018-01-03 19:54 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
2018-01-03 19:54 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CutePDF
2018-01-03 19:54 - 2018-01-03 19:55 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Spotify
2018-01-03 19:54 - 2018-01-03 19:54 - 000001735 _____ C:\Users\Public\Desktop\TeraCopy.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000001735 _____ C:\ProgramData\Microsoft\Windows\Start Menu\TeraCopy.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000001156 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinSCP.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000001144 _____ C:\Users\Public\Desktop\WinSCP.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000001120 _____ C:\Users\Public\Desktop\Notepad++.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000001089 _____ C:\Users\Public\Desktop\Revo Uninstaller.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000001029 _____ C:\Users\Public\Desktop\PuTTY.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000000926 _____ C:\Users\Public\Desktop\VLC media player.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000000917 _____ C:\Users\Public\Desktop\qBittorrent.lnk
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Notepad++
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files\VS Revo Group
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files\VideoLAN
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files\TeraCopy
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files\qBittorrent
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files\PuTTY
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files (x86)\WinSCP
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files (x86)\Notepad++
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files (x86)\GPLGS
2018-01-03 19:54 - 2018-01-03 19:54 - 000000000 ____D C:\Program Files (x86)\Acro Software
2018-01-03 19:54 - 2017-05-26 06:47 - 000090096 _____ C:\WINDOWS\system32\cpwmon64_v32.dll
2018-01-03 19:53 - 2018-01-05 10:40 - 000000000 ____D C:\WINDOWS\SysWOW64\Adobe
2018-01-03 19:53 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDirStat
2018-01-03 19:53 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2018-01-03 19:53 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IrfanView
2018-01-03 19:53 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Greenshot
2018-01-03 19:53 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2018-01-03 19:53 - 2018-01-03 19:53 - 000001114 _____ C:\Users\Public\Desktop\WinDirStat.lnk
2018-01-03 19:53 - 2018-01-03 19:53 - 000001081 _____ C:\Users\Public\Desktop\IrfanView.lnk
2018-01-03 19:53 - 2018-01-03 19:53 - 000000893 _____ C:\Users\Public\Desktop\Greenshot.lnk
2018-01-03 19:53 - 2018-01-03 19:53 - 000000000 ____D C:\Program Files\Greenshot
2018-01-03 19:53 - 2018-01-03 19:53 - 000000000 ____D C:\Program Files\7-Zip
2018-01-03 19:53 - 2018-01-03 19:53 - 000000000 ____D C:\Program Files (x86)\WinDirStat
2018-01-03 19:53 - 2018-01-03 19:53 - 000000000 ____D C:\Program Files (x86)\IrfanView
2018-01-03 19:52 - 2018-01-04 18:49 - 000002282 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-03 19:52 - 2018-01-04 18:49 - 000002270 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Macromedia
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Adobe
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\ProgramData\Adobe
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\Program Files\Microsoft Silverlight
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2018-01-03 19:52 - 2018-01-03 19:52 - 000000000 ____D C:\Program Files (x86)\Adobe
2018-01-03 19:51 - 2018-01-05 00:13 - 000000000 ____D C:\Program Files (x86)\Opera
2018-01-03 19:51 - 2018-01-04 17:46 - 000001176 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera Browser.lnk
2018-01-03 19:51 - 2018-01-04 17:45 - 000001176 _____ C:\Users\Public\Desktop\Opera Browser.lnk
2018-01-03 19:51 - 2018-01-03 19:52 - 000000000 ____D C:\Program Files (x86)\Google
2018-01-03 19:51 - 2018-01-03 19:51 - 000001015 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2018-01-03 19:51 - 2018-01-03 19:51 - 000001003 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2018-01-03 19:51 - 2018-01-03 19:51 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-03 19:50 - 2018-01-03 19:51 - 000000000 ____D C:\Program Files\Mozilla Firefox
2018-01-03 19:21 - 2018-01-03 19:21 - 000298810 _____ C:\Users\My Name Replaced\Documents\47C Temple Street VIC PARK.pdf
2018-01-03 18:30 - 2018-01-04 00:11 - 000000000 ____D C:\Scripts_Tools
2018-01-03 17:53 - 2018-01-03 17:53 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup-Disabled
2018-01-03 17:49 - 2018-01-05 10:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities 5
2018-01-03 17:49 - 2018-01-03 21:51 - 000000000 ____D C:\Program Files (x86)\Glary Utilities 5
2018-01-03 17:49 - 2018-01-03 17:52 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\GlarySoft
2018-01-03 17:49 - 2018-01-03 17:49 - 000020160 _____ (Glarysoft Ltd) C:\WINDOWS\system32\Drivers\GUBootStartup.sys
2018-01-03 17:49 - 2018-01-03 17:49 - 000001175 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities 5.lnk
2018-01-03 17:49 - 2018-01-03 17:49 - 000001163 _____ C:\Users\Public\Desktop\Glary Utilities 5.lnk
2018-01-03 17:49 - 2018-01-03 17:49 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\DiskDefrag
2018-01-03 17:47 - 2018-01-03 17:47 - 000916254 _____ C:\Users\My Name Replaced\Desktop\WSA_SA_Report-Wed_2018-01-03_17-47-07.bmp
2018-01-03 17:47 - 2018-01-03 17:47 - 000000079 _____ C:\Users\My Name Replaced\Desktop\WSA_SA_Report-Wed_2018-01-03_17-47-07.html
2018-01-03 17:40 - 2018-01-03 17:40 - 000000000 ____D C:\Users\My Name Replaced\AppData\LocalLow\webroot
2018-01-03 17:39 - 2018-01-03 17:39 - 000000000 ____D C:\Program Files\Common Files\Webroot
2018-01-03 17:27 - 2018-01-03 17:27 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Comms
2018-01-03 17:25 - 2018-01-04 19:15 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\ConnectedDevicesPlatform
2018-01-03 17:25 - 2018-01-03 17:25 - 000001061 _____ C:\Users\My Name Replaced\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Optional Features.lnk
2018-01-03 17:25 - 2018-01-03 17:25 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Adobe
2018-01-03 17:25 - 2018-01-03 17:25 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\TileDataLayer
2018-01-03 17:25 - 2018-01-03 17:25 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Publishers
2018-01-03 17:19 - 2018-01-03 17:19 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Comms
2018-01-03 17:14 - 2018-01-04 18:34 - 000000000 ____D C:\WINDOWS\system32\cAVS
2018-01-03 17:13 - 2018-01-04 00:13 - 000000000 ____D C:\SPDrivers
2018-01-03 17:13 - 2018-01-03 17:13 - 000000000 ____D C:\SurfacePlatformInstaller
2018-01-03 17:11 - 2018-01-03 17:13 - 474325970 _____ C:\Users\My Name Replaced\Downloads\SurfacePro4_Win10_15063_1708201_1.zip
2018-01-03 17:11 - 2018-01-03 17:12 - 232165376 _____ C:\Users\My Name Replaced\Downloads\SurfacePro4_Win10_15063_1708201_0.msi
2018-01-03 17:11 - 2018-01-03 17:11 - 004747781 _____ C:\Users\My Name Replaced\Downloads\Wintab_x64_1.0.0.20.zip
2018-01-03 17:07 - 2018-01-03 17:07 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\MicrosoftEdge
2018-01-03 17:02 - 2018-01-03 19:52 - 000000000 ____D C:\Users\My Name Replaced\AppData\Roaming\Adobe
2018-01-03 17:02 - 2018-01-03 18:08 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\Publishers
2018-01-03 17:02 - 2018-01-03 17:21 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\ConnectedDevicesPlatform
2018-01-03 17:02 - 2018-01-03 17:02 - 000000000 ____D C:\Users\My Name Replaced\AppData\Local\TileDataLayer
2018-01-03 16:56 - 2018-01-03 23:01 - 000545440 _____ (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2018-01-03 16:56 - 2018-01-03 16:56 - 000000000 ____D C:\Program Files (x86)\Intel
2018-01-03 16:55 - 2018-01-05 00:00 - 000000000 ____D C:\WINDOWS\Firmware
2018-01-03 16:53 - 2018-01-03 16:54 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-01-03 16:53 - 2018-01-03 16:53 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-01-03 16:53 - 2018-01-03 16:53 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-01-03 16:40 - 2018-01-03 16:40 - 000000000 _____ C:\WINDOWS\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2018-01-03 15:53 - 2018-01-03 15:53 - 000000000 ____D C:\WINDOWS\CSC
2018-01-03 15:48 - 2018-01-04 18:33 - 000000000 ____D C:\Program Files\Intel
2018-01-03 15:48 - 2018-01-03 23:27 - 000000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2018-01-03 15:48 - 2018-01-03 15:48 - 000000000 ____D C:\Intel
2018-01-03 15:48 - 2018-01-03 15:48 - 000000000 _____ C:\WINDOWS\system32\GfxValDisplayLog.bin
2018-01-03 15:48 - 2018-01-03 15:48 - 000000000 _____ C:\WINDOWS\system32\Drivers\Msft_Kernel_SurfacePenDriver_01011.Wdf
2018-01-03 15:48 - 2016-11-23 19:35 - 000818898 _____ C:\WINDOWS\system32\DisplayAudiox64.cab
2018-01-03 15:48 - 2016-11-23 19:35 - 000410632 _____ C:\WINDOWS\system32\igfxTray.exe
2018-01-03 15:48 - 2016-11-23 19:35 - 000398880 _____ (Intel Corporation) C:\WINDOWS\system32\igfxOSP.dll
2018-01-03 15:48 - 2016-11-23 19:35 - 000277512 _____ (Intel Corporation) C:\WINDOWS\system32\igfxHK.exe
2018-01-03 15:48 - 2016-11-23 19:35 - 000241152 _____ (Intel Corporation) C:\WINDOWS\system32\DPTopologyApp.exe
2018-01-03 15:48 - 2016-11-23 19:35 - 000240648 _____ (Intel Corporation) C:\WINDOWS\system32\DPTopologyAppv2_0.exe
2018-01-03 15:48 - 2016-11-23 19:35 - 000216600 _____ (Intel Corporation) C:\WINDOWS\system32\igfxCoIn_v4463.dll
2018-01-03 15:48 - 2016-11-23 19:35 - 000000935 _____ C:\WINDOWS\system32\DPTopologyApp.exe.config
2018-01-03 15:48 - 2016-11-23 19:35 - 000000895 _____ C:\WINDOWS\system32\DPTopologyAppv2_0.exe.config
2018-01-03 15:48 - 2016-11-23 19:34 - 020785176 _____ (Intel Corporation) C:\WINDOWS\system32\libmfxsw64.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 016609304 _____ (Intel Corporation) C:\WINDOWS\SysWOW64\libmfxsw32.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 015283736 _____ C:\WINDOWS\SysWOW64\pvl.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 009369624 _____ C:\WINDOWS\SysWOW64\libia_cp.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 005389840 _____ (Intel Corporation) C:\WINDOWS\SysWOW64\IntelCameraPlugin.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 000432664 _____ C:\WINDOWS\system32\SkyCamAIC_dynamic64.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 000394776 _____ C:\WINDOWS\SysWOW64\SkyCamAIC_dynamic.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 000277008 _____ (Intel Corporation) C:\WINDOWS\SysWOW64\cilkrts20_32.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 000171024 _____ (Intel Corporation) C:\WINDOWS\system32\IntelSocYuvCopy64.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 000145944 _____ (Intel Corporation) C:\WINDOWS\SysWOW64\IntelSocYuvCopy.dll
2018-01-03 15:48 - 2016-11-23 19:34 - 000065920 _____ C:\WINDOWS\SysWOW64\defaultCpff.aiqb
2017-12-07 20:23 - 2017-12-07 20:23 - 000223872 _____ (Intel Corporation) C:\WINDOWS\system32\Drivers\TeeDriverW8x64.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-05 10:41 - 2017-10-21 21:23 - 000028672 _____ C:\WINDOWS\system32\config\BCD-Template
2018-01-05 10:40 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\SysWOW64\WCN
2018-01-05 10:40 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\system32\WCN
2018-01-05 10:40 - 2017-10-21 21:26 - 000000000 ____D C:\WINDOWS\Setup
2018-01-05 10:40 - 2017-10-21 21:23 - 000000000 ___SD C:\WINDOWS\SysWOW64\DiagSvcs
2018-01-05 10:40 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2018-01-05 10:40 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\WinBioDatabase
2018-01-05 10:40 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\spool
2018-01-05 10:40 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-01-05 10:40 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\IME
2018-01-05 10:40 - 2017-10-21 21:23 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-01-05 10:40 - 2017-04-06 03:56 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2018-01-05 10:40 - 2017-03-19 05:03 - 000000000 ___HD C:\WINDOWS\system32\GroupPolicy
2018-01-05 10:40 - 2017-03-19 05:03 - 000000000 ____D C:\WINDOWS\system32\Tasks_Migrated
2018-01-05 01:32 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-01-05 01:13 - 2017-10-21 19:35 - 000065536 _____ C:\WINDOWS\system32\config\ELAM
2018-01-05 01:07 - 2017-10-21 21:21 - 000000000 ____D C:\WINDOWS\INF
2018-01-05 00:08 - 2017-10-21 19:35 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-01-05 00:07 - 2017-10-21 21:12 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-01-05 00:05 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\appcompat
2018-01-05 00:02 - 2017-10-21 21:23 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-01-05 00:01 - 2017-04-06 03:55 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2018-01-04 19:55 - 2017-10-21 21:23 - 000000000 ____D C:\Program Files\WindowsApps
2018-01-04 19:10 - 2017-04-06 04:17 - 000000000 ___RD C:\Users\Public\AccountPictures
2018-01-04 18:50 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\Registration
2018-01-04 18:48 - 2017-10-21 21:23 - 000000000 ___RD C:\Users\Public\Libraries
2018-01-04 18:47 - 2017-10-21 21:23 - 000000000 ____D C:\ProgramData\USOPrivate
2018-01-04 18:44 - 2017-10-21 21:23 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2018-01-04 18:43 - 2017-10-21 19:35 - 000000000 ____D C:\WINDOWS\system32\Sysprep
2018-01-04 18:34 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\SysWOW64\winrm
2018-01-04 18:34 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\SysWOW64\slmgr
2018-01-04 18:34 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\SysWOW64\Printing_Admin_Scripts
2018-01-04 18:34 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\system32\winrm
2018-01-04 18:34 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\system32\slmgr
2018-01-04 18:34 - 2017-10-21 22:53 - 000000000 ____D C:\WINDOWS\system32\Printing_Admin_Scripts
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ___SD C:\WINDOWS\SysWOW64\F12
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ___SD C:\WINDOWS\system32\F12
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ___SD C:\WINDOWS\system32\dsc
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ___SD C:\WINDOWS\system32\DiagSvcs
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\SysWOW64\oobe
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\SysWOW64\en-GB
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\oobe
2018-01-04 18:34 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\en-GB
2018-01-04 18:34 - 2017-10-21 19:35 - 000000000 ____D C:\WINDOWS\system32\Dism
2018-01-04 18:34 - 2017-04-06 03:26 - 000000000 ____D C:\WINDOWS\system32\Intel
2018-01-04 18:33 - 2017-10-21 22:56 - 000000000 ____D C:\WINDOWS\OCR
2018-01-04 18:33 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2018-01-04 18:33 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\Help
2018-01-04 18:33 - 2017-10-21 21:23 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2018-01-04 18:33 - 2017-10-21 21:23 - 000000000 ____D C:\Program Files\Common Files\system
2018-01-04 18:33 - 2017-10-21 21:23 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2018-01-04 18:30 - 2017-10-21 21:23 - 000000000 ____D C:\WINDOWS\system32\setup
2018-01-04 18:30 - 2017-10-21 21:17 - 000131584 _____ (Microsoft Corporation) C:\WINDOWS\system32\telnet.exe
2018-01-04 18:30 - 2017-10-21 21:17 - 000025088 _____ (Microsoft Corporation) C:\WINDOWS\system32\TFTP.EXE
2018-01-04 18:04 - 2017-04-06 03:21 - 000701798 _____ C:\WINDOWS\system32\prfh0804.dat
2018-01-04 18:04 - 2017-04-06 03:21 - 000214050 _____ C:\WINDOWS\system32\prfc0804.dat
2018-01-04 18:04 - 2017-04-06 03:19 - 000714988 _____ C:\WINDOWS\system32\prfh0404.dat
2018-01-04 18:04 - 2017-04-06 03:19 - 000214662 _____ C:\WINDOWS\system32\prfc0404.dat
2018-01-04 18:04 - 2017-04-06 03:18 - 001049330 _____ C:\WINDOWS\system32\perfh00A.dat
2018-01-04 18:04 - 2017-04-06 03:18 - 000236844 _____ C:\WINDOWS\system32\perfc00A.dat
2018-01-04 18:04 - 2017-04-06 03:16 - 001040368 _____ C:\WINDOWS\system32\prfh0816.dat
2018-01-04 18:04 - 2017-04-06 03:16 - 000233756 _____ C:\WINDOWS\system32\prfc0816.dat
2018-01-04 18:04 - 2017-04-06 03:15 - 001046686 _____ C:\WINDOWS\system32\perfh015.dat
2018-01-04 18:04 - 2017-04-06 03:15 - 000233732 _____ C:\WINDOWS\system32\perfc015.dat

#11 nasdaq

  • Malware Response Team
  • 39,541 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 January 2018 - 09:07 AM

Copied from the PM.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Nick Parish (05-01-2018 01:38:06)
Running from C:\Users\Nick Parish\Downloads
Windows 10 Pro Insider Preview Version 1709 17025.1000 (X64) (2018-01-04 10:51:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Admin (S-1-5-21-1394197139-1152076442-3030521781-500 - Administrator - Disabled)
Def (S-1-5-21-1394197139-1152076442-3030521781-503 - Limited - Disabled)
Gst (S-1-5-21-1394197139-1152076442-3030521781-501 - Limited - Disabled)
Nicholas Parish (S-1-5-21-1394197139-1152076442-3030521781-1002 - Administrator - Enabled) => C:\Users\Nicholas Parish
Nick Parish (S-1-5-21-1394197139-1152076442-3030521781-1001 - Administrator - Enabled) => C:\Users\Nick Parish
WDAGUtilityAccount (S-1-5-21-1394197139-1152076442-3030521781-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Bitdefender Antivirus (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antispyware (Enabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Enabled) {078AF241-05A3-0EFF-40E0-3E0D69EA140A}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 28.0.0.127 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.3 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.3.1.201 - Adobe Systems, Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{BC7C46A4-D7A7-48EC-A98C-32A7762B5EFA}) (Version: 6.2.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{F0C4B709-8BF4-4A72-B527-12E7BF5482F8}) (Version: 6.2.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BD6778C5-6FA5-492A-ADD6-E706339C2A7B}) (Version: 11.0.2.4 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C1BBFD2A-BCDD-45B3-8C0B-66BD434970A8}) (Version: 2.4.8.1 - Apple Inc.)
BankVault SafeWindow version 3.0.1 (HKLM-x32\...\{E869C31E-2595-4698-B40C-6145DA2776DB}_is1) (Version: 3.0.1 - GoPC PTY LTD)
Bitdefender Agent (HKLM\...\Bitdefender Agent) (Version: 22.0.10.67 - Bitdefender)
Bitdefender Device Management (HKLM\...\Bitdefender Device Management) (Version: 22.0.17.208 - Bitdefender)
Bitdefender Total Security (HKLM\...\Bitdefender) (Version: 22.0.17.205 - Bitdefender)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CutePDF Writer 3.2 (HKLM\...\CutePDF Writer Installation) (Version: 3.2 - Acro Software Inc.)
Dropbox (HKLM-x32\...\Dropbox) (Version: 40.4.46 - Dropbox, Inc.)
Dropbox Update Helper (HKLM-x32\...\{099218A5-A723-43DC-8DB5-6173656A1E94}) (Version: 1.3.65.1 - Dropbox, Inc.) Hidden
Glary Utilities PRO 5.90 (HKLM-x32\...\Glary Utilities 5) (Version: 5.90.0.111 - Glarysoft Ltd)
Google Chrome (HKLM\...\{B98EEA88-7820-3A65-A3AF-99A11D1A9D49}) (Version: 63.0.3239.108 - Google, Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Greenshot 1.2.10.6 (HKLM\...\Greenshot_is1) (Version: 1.2.10.6 - Greenshot)
HL-1110 series (HKLM-x32\...\{4F2442B7-A89E-42A4-8F0E-6937499855CA}) (Version: 1.0.1.0 - Brother Industries, Ltd.)
IrfanView 4.50 (32-bit) (HKLM-x32\...\IrfanView) (Version: 4.50 - Irfan Skiljan)
iTunes (HKLM\...\{D7D4465C-B3B6-4BC1-B336-2803FB57BFAF}) (Version: 12.7.2.60 - Apple Inc.)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.8730.2127 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Mozilla Firefox 57.0.3 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.3 (x64 en-US)) (Version: 57.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 57.0.3 - Mozilla)
Notepad++ (32-bit x86) (HKLM-x32\...\Notepad++) (Version: 7.5.4 - Notepad++ Team)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8730.2127 - Microsoft Corporation) Hidden
Opera Stable 49.0.2725.64 (HKLM-x32\...\Opera 49.0.2725.64) (Version: 49.0.2725.64 - Opera Software)
Opera Stable 50.0.2762.45 (HKLM-x32\...\Opera 50.0.2762.45) (Version: 50.0.2762.45 - Opera Software)
PuTTY release 0.70 (64-bit) (HKLM\...\{45B3032F-22CC-40CD-9E97-4DA7095FA5A2}) (Version: 0.70.0.0 - Simon Tatham)
qBittorrent 4.0.3 (HKLM-x32\...\qBittorrent) (Version: 4.0.3 - The qBittorrent project)
Revo Uninstaller 2.0.4 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.4 - VS Revo Group, Ltd.)
SurfacePro4 Update 17_082_01 (64 bit) (HKLM\...\{DA37088D-394B-4522-BEF0-9B20A559A20F}) (Version: 17.082.17293.0 - Microsoft)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeraCopy version 3.26 (HKLM\...\TeraCopy_is1) (Version: 3.26 - Code Sector)
Tweaking.com - Hardware Identify (HKLM-x32\...\Tweaking.com - Hardware Identify) (Version: 2.1.1 - Tweaking.com)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 4.0.11 - Tweaking.com)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.8 - VideoLAN)
WinSCP 5.11.3 (HKLM-x32\...\winscp3_is1) (Version: 5.11.3 - Martin Prikryl)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1394197139-1152076442-3030521781-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Nick Parish\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1394197139-1152076442-3030521781-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Nick Parish\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1394197139-1152076442-3030521781-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Nick Parish\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2018-01-01] ()
ContextMenuHandlers1: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ContextMenuHandlers1: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2017-11-17] (Glarysoft Ltd)
ContextMenuHandlers1: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TERACO~2.DLL [2016-12-07] ()
ContextMenuHandlers2: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2017-11-17] (Glarysoft Ltd)
ContextMenuHandlers2: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TERACO~2.DLL [2016-12-07] ()
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers4: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ContextMenuHandlers4: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TERACO~2.DLL [2016-12-07] ()
ContextMenuHandlers5: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.19.0.dll [2017-12-05] (Dropbox, Inc.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers6: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2017-11-17] (Glarysoft Ltd)
ContextMenuHandlers6: [TeraCopy] -> {A8005AF0-D6E8-48AF-8DFA-023B1CF660A7} => C:\Program Files\TeraCopy\TERACO~2.DLL [2016-12-07] ()

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {187DDE00-729E-4B9D-9568-72D8B6BF2003} - System32\Tasks\Bitdefender AgentTask_AD394AE64E874073B10A89FEEC305A3C => C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe [2017-12-04] (Bitdefender)
Task: {203B2343-412D-47B6-BEFF-7E1293F80BF8} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\WatchDog.exe [2017-10-31] (Bitdefender)
Task: {22367A1F-0C71-4AFF-96BF-1BE2D1A4FCC7} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2018-01-03] (Dropbox, Inc.)
Task: {2DAA7E51-20F9-4EBD-8FF7-D06D46B36E95} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2017-07-24] (Apple Inc.)
Task: {517CDBD5-7518-4947-804E-40DA2CB44149} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-12-07] (Microsoft Corporation)
Task: {54DA5B3D-9986-4F59-98CD-B58A701DD5B3} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-04] (Microsoft Corporation)
Task: {70446E7C-3020-444B-A715-F1F7FA4615FD} - System32\Tasks\GlaryOneClickOptimizer 5 => C:\Program Files (x86)\Glary Utilities 5\OneClickMaintenance.exe [2017-12-15] (Glarysoft Ltd)
Task: {7716DFAF-748E-4BD7-81CE-8F2A1A9AF822} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-01-03] (Google Inc.)
Task: {7DB1CF45-DC29-4160-A805-4BABE466E39F} - System32\Tasks\Opera scheduled Autoupdate 1514980278 => C:\Program Files (x86)\Opera\launcher.exe [2017-12-18] (Opera Software)
Task: {81CF28B1-40F2-4D84-8F71-FCE2C70221F0} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2018-01-04] (Microsoft Corporation)
Task: {85E2A15F-953B-4F71-A19E-81A675D44FE8} - System32\Tasks\Opera scheduled Autoupdate 1515059146 => C:\Program Files\Opera\launcher.exe [2018-01-03] (Opera Software)
Task: {97D58D3E-26B3-4EBD-86EC-3BC4C84CC48D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-01-03] (Google Inc.)
Task: {997BEC70-8924-4486-9337-DFABBE8B1F74} - System32\Tasks\GlaryInitialize 5 => C:\Program Files (x86)\Glary Utilities 5\Initialize.exe [2017-12-15] (Glarysoft Ltd)
Task: {D350F820-EA71-4419-A5AB-996CEAEF0A1B} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-12-07] (Microsoft Corporation)
Task: {DB27391B-67E1-4F55-89C8-AD4FD867BA75} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-04] (Microsoft Corporation)
Task: {DE653AF8-8CAC-4AB7-A42F-7298F3DA9C13} - System32\Tasks\GU5SkipUAC => C:\Program Files (x86)\Glary Utilities 5\Integrator.exe [2017-12-15] (Glarysoft Ltd)
Task: {EE3B3837-9E6C-4077-8FE0-95F9DA5691B8} - System32\Tasks\Tweaking.com - Windows Repair Tray Icon => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe [2017-05-03] (Tweaking.com)
Task: {FAE5C444-ACFA-4E10-BD88-C015C11B356E} - System32\Tasks\Tweaking.com - Remote Desktop IP Monitor & Blocker => C:\Users\Nick Parish\Downloads\remotedesktop\RDP_Monitor.exe [2016-09-14] (Tweaking.com)
Task: {FC4D67D2-4715-41E2-A0CD-32481E81F7CF} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2018-01-03] (Dropbox, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\Tweaking.com - Remote Desktop IP Monitor & Blocker.job => C:\Users\Nick Parish\Downloads\remotedesktop\RDP_Monitor.exe/startup C:\Users\Nick Parish\Downloads\remotedesktop3Tweaking.com - Remote Desktop IP Monitor & Blocker>Created By Tweaking.com

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-10-21 21:17 - 2017-10-21 21:17 - 000172032 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-10-21 21:17 - 2017-10-21 21:17 - 000223232 _____ () C:\WINDOWS\system32\HeatCore.dll
2018-01-04 02:48 - 2017-02-07 12:34 - 001008448 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpbr.mdl
2018-01-04 02:48 - 2017-02-07 12:34 - 000541952 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpdsp.mdl
2018-01-04 02:48 - 2017-02-07 12:34 - 003243920 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpph.mdl
2018-01-04 02:48 - 2017-02-07 12:34 - 001544568 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttprbl.mdl
2018-01-03 19:54 - 2017-05-26 06:47 - 000090096 _____ () C:\WINDOWS\System32\cpwmon64_v32.dll
2017-12-08 01:48 - 2017-12-08 01:48 - 000088888 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-12-08 01:48 - 2017-12-08 01:48 - 001356088 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2018-01-03 19:54 - 2016-12-07 16:40 - 003681104 _____ () C:\Program Files\TeraCopy\TERACO~2.DLL
2018-01-01 09:07 - 2018-01-01 09:07 - 000230064 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2017-10-21 21:18 - 2017-10-21 22:56 - 011714560 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-10-21 21:18 - 2017-10-21 22:56 - 001766400 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-01-04 17:46 - 2018-01-03 14:47 - 096347432 _____ () C:\Program Files\Opera\50.0.2762.45_0\opera_browser.dll
2018-01-04 17:46 - 2018-01-03 14:47 - 004215592 _____ () C:\Program Files\Opera\50.0.2762.45_0\libglesv2.dll
2018-01-04 17:46 - 2018-01-03 14:47 - 000108328 _____ () C:\Program Files\Opera\50.0.2762.45_0\libegl.dll
2018-01-03 17:51 - 2018-01-03 17:51 - 004698848 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-03-19 05:03 - 2018-01-05 01:08 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 180.181.127.3 - 180.181.127.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: cphs => 3
MSCONFIG\Services: cplspcon => 3
MSCONFIG\Services: dbupdate => 2
MSCONFIG\Services: dbupdatem => 3
MSCONFIG\Services: DbxSvc => 2
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "Dropbox"
HKLM\...\StartupApproved\Run32: => "BrStsInd00"
HKLM\...\StartupApproved\Run32: => "BrStsMon00"
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\...\StartupApproved\Run: => "GUDelayStartup"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{2D5B3718-DC1C-4EA4-B067-0236A7C7FB84}] => (Allow) C:\Program Files\Opera\50.0.2762.45_0\opera.exe
FirewallRules: [{93EA1A76-8DF1-416B-B7ED-71BE6868ADBE}] => (Allow) C:\Program Files\Opera\50.0.2762.45\opera.exe
FirewallRules: [{EA33C8C0-7292-4ADE-94DE-F22F70F78571}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/05/2018 12:08:52 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\NICHOLASSP4$ via https://IFX-KeyId-40b8682b8d18450a2b06849d9b5cd96f4cddf4be.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(703ms)
Stage: GetCACaps
A connection with the server could not be established 0x80072efd (WinHttp: 12029 ERROR_WINHTTP_CANNOT_CONNECT)

Error: (01/05/2018 12:01:36 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\NICHOLASSP4$ via https://IFX-KeyId-40b8682b8d18450a2b06849d9b5cd96f4cddf4be.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(641ms)
Stage: GetCACaps
A connection with the server could not be established 0x80072efd (WinHttp: 12029 ERROR_WINHTTP_CANNOT_CONNECT)

Error: (01/04/2018 09:59:08 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\NICHOLASSP4$ via https://IFX-KeyId-40b8682b8d18450a2b06849d9b5cd96f4cddf4be.microsoftaik.azure.net/templates/Aik/scep failed:

GetCACaps

Method: GET(829ms)
Stage: GetCACaps
A connection with the server could not be established 0x80072efd (WinHttp: 12029 ERROR_WINHTTP_CANNOT_CONNECT)

Error: (01/04/2018 09:49:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: OfficeC2RClient.exe, version: 16.0.6925.1016, time stamp: 0x5745a2eb
Faulting module name: mso20win32client.dll, version: 16.0.6925.1016, time stamp: 0x5745a0f1
Exception code: 0xc0000005
Fault offset: 0x000000000010e74e
Faulting process id: 0x5d8
Faulting application start time: 0x01d38562c6265e7e
Faulting application path: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
Faulting module path: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\mso20win32client.dll
Report Id: 454ecc67-cbd2-420f-a784-d36bda5398d5
Faulting package full name:
Faulting package-relative application ID:

Error: (01/04/2018 07:13:52 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: NICHOLASSP4)
Description: Microsoft.VCLibs.140.00_8wekyb3d8bbwe-2147024893

Error: (01/04/2018 07:13:52 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: NICHOLASSP4)
Description: Microsoft.NET.Native.Runtime.1.7_8wekyb3d8bbwe-2147024893

Error: (01/04/2018 07:13:52 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: NICHOLASSP4)
Description: Microsoft.NET.Native.Runtime.1.6_8wekyb3d8bbwe-2147024893

Error: (01/04/2018 07:13:52 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: NICHOLASSP4)
Description: Microsoft.NET.Native.Runtime.1.4_8wekyb3d8bbwe-2147024893

Error: (01/04/2018 07:13:52 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: NICHOLASSP4)
Description: Microsoft.NET.Native.Runtime.1.3_8wekyb3d8bbwe-2147024893

Error: (01/04/2018 07:13:52 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: NICHOLASSP4)
Description: Microsoft.NET.Native.Framework.1.7_8wekyb3d8bbwe-2147024893


System errors:
=============
Error: (01/05/2018 01:21:18 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (01/05/2018 12:58:19 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/05/2018 12:55:27 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/05/2018 12:51:30 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/05/2018 12:51:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (01/05/2018 12:38:55 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/05/2018 12:38:07 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/05/2018 12:38:07 AM) (Source: DCOM) (EventID: 10016) (User: NICHOLASSP4)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NICHOLASSP4\Nick Parish SID (S-1-5-21-1394197139-1152076442-3030521781-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/05/2018 12:35:28 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (01/05/2018 12:34:08 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


CodeIntegrity:
===================================
Date: 2018-01-05 00:08:38.972
Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\vsservp.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-01-05 00:01:20.794
Description: Code Integrity determined that a process (\Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\vsservp.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\dbghelp.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-01-04 23:29:19.387
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-01-04 23:29:19.374
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-01-04 23:15:57.046
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-01-04 23:15:57.033
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-01-04 18:50:34.956
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-01-04 18:50:34.946
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-01-04 18:50:34.928
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2018-01-04 18:50:34.915
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\wscfix.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ m3-6Y30 CPU @ 0.90GHz
Percentage of memory in use: 80%
Total physical RAM: 4021.09 MB
Available physical RAM: 785.28 MB
Total Virtual: 5429.09 MB
Available Virtual: 1594.76 MB

==================== Drives ================================

Drive c: (Local Disk) (Fixed) (Total:117.14 GB) (Free:56.16 GB) NTFS
Drive d: (SurfaceMicro) (Removable) (Total:119.07 GB) (Free:95.13 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 119.2 GB) (Disk ID: C346C3DA)

Partition: GPT.

========================================================
Disk: 1 (Size: 119.1 GB) (Disk ID: 70975C0D)
Partition 1: (Not Active) - (Size=119.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

To add, system restore should not be disabled - I've been running them since I updated Windows yesterday!

#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 05 January 2018 - 09:44 AM

Hi,

Did you install this remotedesktop program?
Do you still need it?

Task: {FAE5C444-ACFA-4E10-BD88-C015C11B356E} - System32\Tasks\Tweaking.com - Remote Desktop IP Monitor & Blocker => C:\Users\Nick Parish\Downloads\remotedesktop\RDP_Monitor.exe [2016-09-14] (Tweaking.com)
Task: C:\WINDOWS\Tasks\Tweaking.com - Remote Desktop IP Monitor & Blocker.job => C:\Users\Nick Parish\Downloads\remotedesktop\RDP_Monitor.exe/startup C:\Users\Nick Parish\Downloads\remotedesktop3Tweaking.com - Remote Desktop IP Monitor & Blocker>Created By Tweaking.com


To stop the Tasks add the text in the Quote box to the fixlist.txt file before creating it.
You can place them anywhere after the CloseProcess: command.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll => No File
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll => No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll No File
CustomCLSID: HKU\S-1-5-21-1394197139-1152076442-3030521781-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Nick Parish\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1394197139-1152076442-3030521781-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Nick Parish\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION

CMD: netsh interface ip delete arpcache
CMD: netsh winsock reset catalog

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download to your Desktop the Junkware Removal Tool Download from this link.
http://www.bleepingcomputer.com/download/junkware-removal-tool/

Shutdown your antivirus to avoid any conflicts.
Right click the icon - disable for say 20 mins.
Right-mouse click JRT.exe and select Run as administrator (If using XP just double click on the icon to run it.)
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
======

Let me know how the computer is performing now?
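
An added triage script (my own example, not part of nasdaq's instructions and not code from FRST) that shows in code the selection made in the post above: it reads FRST Addition.txt lines and sorts out the entries a responder typically carries into fixlist.txt (targets reported as "No File" and lines FRST itself marks "<==== ATTENTION"), and separately lists scheduled tasks that run from a user's Downloads folder, which is the reason for the question about RDP_Monitor.exe. The sample lines are copied from the log posted above; the regular expressions and the `fixlist_candidates` helper are my assumptions about FRST's line format, not a documented FRST API.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) Addition.txt lines.

Added example, not part of the forum thread or of FRST itself. It sorts log
lines into the groups a malware responder checks by hand:
  * orphaned  - registry entry still points at a file that no longer exists
  * flagged   - FRST already marked the line with "<==== ATTENTION"
  * downloads_tasks - scheduled tasks whose executable lives under Downloads
"""
import re
from dataclasses import dataclass, field

# Assumed FRST line conventions (derived from the posted log, not documented):
#   "... => No File", "... -> No File" or "... <dll> No File" for missing targets
NO_FILE_RE = re.compile(r"\bNo File\s*$")
ATTENTION_RE = re.compile(r"<==== ATTENTION\s*$")
# "Task: {GUID} - System32\Tasks\<name> => <path> [YYYY-MM-DD] (<vendor>)"
TASK_RE = re.compile(
    r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(?P<name>.+?) => "
    r"(?P<path>.+?)(?: \[\d{4}-\d{2}-\d{2}\])?(?: \([^()]*\))?$"
)
# Executable path under any user's Downloads folder
DOWNLOADS_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE)

# Sample input: lines copied from the Addition.txt posted above.
SAMPLE_LOG = [
    r"==================== Scheduled Tasks (Whitelisted) =============",
    r"(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)",
    r"Task: {22367A1F-0C71-4AFF-96BF-1BE2D1A4FCC7} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2018-01-03] (Dropbox, Inc.)",
    r"Task: {FAE5C444-ACFA-4E10-BD88-C015C11B356E} - System32\Tasks\Tweaking.com - Remote Desktop IP Monitor & Blocker => C:\Users\Nick Parish\Downloads\remotedesktop\RDP_Monitor.exe [2016-09-14] (Tweaking.com)",
    r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION",
    r"Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File",
    r"ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File",
    r"ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)",
    r"ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File",
    r'HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\Software\Classes\exefile: "%1" %* <==== ATTENTION',
    r'HKU\S-1-5-21-1394197139-1152076442-3030521781-1001\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION',
]


@dataclass
class Triage:
    orphaned: list = field(default_factory=list)
    flagged: list = field(default_factory=list)
    downloads_tasks: list = field(default_factory=list)


def triage_lines(lines):
    """Classify FRST log lines; section headers and FRST's own notes are skipped."""
    result = Triage()
    for raw in lines:
        line = raw.rstrip()
        if not line or line.startswith("(") or line.startswith("====="):
            continue
        if NO_FILE_RE.search(line):
            result.orphaned.append(line)
        if ATTENTION_RE.search(line):
            result.flagged.append(line)
        m = TASK_RE.match(line)
        if m and DOWNLOADS_RE.match(m.group("path")):
            # Not automatically removed: a task in Downloads may be something the
            # user installed on purpose, so it is reported for a human decision.
            result.downloads_tasks.append(m.group("name"))
    return result


def fixlist_candidates(lines):
    """Orphaned and flagged lines, de-duplicated, in the form they would be
    pasted under CloseProcesses: in fixlist.txt (FRST removes the registry
    entry for each listed line)."""
    t = triage_lines(lines)
    seen, out = set(), []
    for line in t.orphaned + t.flagged:
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


if __name__ == "__main__":
    t = triage_lines(SAMPLE_LOG)
    print("Fixlist candidates:")
    for line in fixlist_candidates(SAMPLE_LOG):
        print("  " + line)
    print("Tasks running from a Downloads folder (review manually):")
    for name in t.downloads_tasks:
        print("  " + name)
```

On the sample lines the script returns the six entries nasdaq carried into the fixlist (three "No File" orphans and the three ATTENTION lines) and lists the Tweaking.com task as the one running from Downloads, while the Dropbox task and the 7-Zip handler, whose files are present and in Program Files, are left alone.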

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 11 January 2018 - 09:05 AM

Are you still with me?

#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,541 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:25 AM

Posted 17 January 2018 - 07:36 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
