IMAP email hacked?


32 replies to this topic

#1 chaostoday


Posted 24 August 2017 - 09:29 AM

My IMAP email sent out several emails to people in and out of my contact list. It said:

Morning,

Please see attached and confirm

I am getting all kinds of responses from it. I can't find this in the sent folder of any of my iOS devices or my two home PCs running Outlook and Windows 10.

I use the Outlook app on my iPad and imail on my iPhone. One of my PCs uses Outlook 2013 and the other one uses the updated Outlook app from my Office annual subscription.

I ran Malwarebytes on both PCs. Home PC found nothing. Laptop had 5 issues. 2 were Trojans. Is this the infected computer?

How can I tell which computer sent the email? Was it a hacked password on the server? I don't use my email password for anything else other than email.

Found 2 Trojans

Trojan.Nymaim in 2 different locations.

I can post the log with permission if asked.

Is it safe to use my email with a changed password? My ISP provided me a new one via phone to use.

Thanks for all your help.

#2 Wireshark


Posted 24 August 2017 - 10:20 PM

The detection of the Trojan.Nymaim signature indicates a critical infection on a device.

It's very likely that this is responsible for the compromise of your e-mail account, as e-mail accounts are highly targeted for further propagation.

Personally, I would migrate to a free Gmail account with a completely new set of credentials.



#3 chaostoday


Posted 24 August 2017 - 11:22 PM

Thank you for the response.
Is there any other risk now that I have deleted the Trojan? What about identity theft? Should I be concerned?
I am very invested in this email, and changing to a web-based email would be nice, but my email address is very important to me and my business. I wouldn't even begin to know how I could reach out to the hundreds of clients and customers who have my email but aren't in my contacts to let them know of the change.
Please advise if you have any thoughts or suggestions for migration as I'm open to everything.
Thanks again.

#4 Wireshark


Posted 25 August 2017 - 12:06 AM

I would recommend another cleanup effort before you declare it's been deleted.

The nature of this software is to establish persistence inside your system.

Please see this thread for instructions.

You should always be concerned about identity theft; I can't determine what has been compromised without more information.

I would highly recommend changing your passwords for all important online accounts.

Please ensure you follow best security practices and use unique passwords for each online account.

You mention this is an e-mail for your business; are you hosting the e-mail server?



#5 chaostoday


Posted 26 August 2017 - 04:43 PM

Thanks so much. I am running all of them today. I apologize for the delay. I work overnights and am away from my laptop for long periods of time.

I currently don't host an email server. This email is a personal one through Penn Teledata. I have had it for over 15 years.



#6 chaostoday


Posted 26 August 2017 - 04:47 PM

I'm sorry. Should I be posting my logs in this thread?



#7 chaostoday


Posted 26 August 2017 - 04:59 PM

Security Check notepad:

 Results of screen317's Security Check version 1.014 --- 12/23/15 
   x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Google Chrome (60.0.3112.101)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSASCuiL.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 

 

FSS Notepad log:

 

Farbar Service Scanner Version: 27-01-2016
Ran by Jason (administrator) on 26-08-2017 at 17:50:58
Running from "C:\Users\Jason\Desktop"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Policy:
========================

Security Center:
============

Windows Update:
============
Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========

**** End of log ****

 

Mini Toolbox log:

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by Jason (administrator) on 26-08-2017 at 17:53:53
Running from "C:\Users\Jason\Desktop"
Microsoft Windows 10 Home  (X64)
Model: 20405 Manufacturer: LENOVO
Boot Mode: Normal
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================
There are 68 entries.
========================= IP Configuration: ================================
========================= Winsock entries =====================================
========================= Event log errors: ===============================
Application errors:
==================
Error: (08/26/2017 05:23:43 PM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8
Error: (08/23/2017 04:27:15 PM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8
Error: (08/23/2017 04:15:46 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: Lenovo-PC)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
Error: (08/22/2017 02:37:30 PM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8
Error: (08/21/2017 08:56:12 PM) (Source: Outlook) (User: )
Description: Failed to determine if the store is in the crawl scope (error=0x80070005).
Error: (08/21/2017 08:56:12 PM) (Source: Outlook) (User: )
Description: Failed to get the Crawl Scope Manager with error=0x80070005.
Error: (08/21/2017 08:45:16 PM) (Source: Application Error) (User: )
Description: Faulting application name: MicrosoftEdgeCP.exe, version: 11.0.15063.483, time stamp: 0x595f2577
Faulting module name: edgehtml.dll, version: 11.0.15063.540, time stamp: 0xb73979ce
Exception code: 0xcfffffff
Fault offset: 0x000000000047ebab
Faulting process id: 0x2a54
Faulting application start time: 0xMicrosoftEdgeCP.exe0
Faulting application path: MicrosoftEdgeCP.exe1
Faulting module path: MicrosoftEdgeCP.exe2
Report Id: MicrosoftEdgeCP.exe3
Faulting package full name: MicrosoftEdgeCP.exe4
Faulting package-relative application ID: MicrosoftEdgeCP.exe5
Error: (08/21/2017 12:04:39 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: Lenovo-PC)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
Error: (08/19/2017 05:36:02 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: Lenovo-PC)
Description: Package Microsoft.Windows.Photos_2017.35071.13510.0_x64__8wekyb3d8bbwe+App was terminated because it took too long to suspend.
Error: (08/17/2017 03:20:13 PM) (Source: Perflib) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

System errors:
=============
Error: (08/26/2017 05:24:07 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}
Error: (08/26/2017 05:19:33 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}
Error: (08/26/2017 05:07:30 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable
Error: (08/26/2017 05:07:30 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalActivation{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)UnavailableUnavailable
Error: (08/26/2017 04:58:38 PM) (Source: Service Control Manager) (User: )
Description: The ymc service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/26/2017 04:58:38 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the ymc service to connect.
Error: (08/26/2017 04:58:38 PM) (Source: Service Control Manager) (User: )
Description: The PGService service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/26/2017 04:58:38 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the PGService service to connect.
Error: (08/26/2017 04:58:38 PM) (Source: Service Control Manager) (User: )
Description: The ClickToRunSvc service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/26/2017 04:58:38 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the ClickToRunSvc service to connect.


CodeIntegrity Errors:
===================================
  Date: 2017-08-26 17:02:16.696
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

=========================== Installed Programs ============================
64 Bit HP CIO Components Installer (HKLM\...\{345F3F90-0505-4EDF-B7A9-5E3AC1AC6CE4}) (Version: 15.2.1 - Hewlett-Packard) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20095 - Adobe Systems Incorporated)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.16 - Adobe Systems)
Adobe Creative Suite 6 Master Collection (HKLM-x32\...\{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}) (Version: 6 - Adobe Systems Incorporated)
Adobe CS6 Licence PREACTIVATION CS6 (HKLM-x32\...\Adobe CS6 Licence PREACTIVATION CS6) (Version: CS6 - Adobe)
Apple Application Support (32-bit) (HKLM-x32\...\{D2FE6376-E549-4F63-A2C5-CA24DA035DE4}) (Version: 5.6 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{BB109E24-EE90-485B-A28B-ADDEFB40540B}) (Version: 5.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
Athentech Perfectly Clear (HKLM\...\{E0D82A61-137F-4FFA-A247-B1B10C3F094E}) (Version: 1.0.0.135 - Corel Corporation) Hidden
Athentech Perfectly Clear (HKLM-x32\...\_{128FBA3A-36CA-4BEB-8AAA-036A0AF8E4E2}) (Version: 1.0.0.135 - Corel Corporation)
Athentech Perfectly Clear (HKLM-x32\...\{128FBA3A-36CA-4BEB-8AAA-036A0AF8E4E2}) (Version: 1.0.0.135 - Corel Corporation) Hidden
Bitdefender Internet Security 2015 (HKLM\...\Bitdefender) (Version: 18.22.0.1521 - Bitdefender)
bl (HKLM-x32\...\{2A075BB4-E976-4278-BF3F-E5C6945D84C0}) (Version: 1.0.0 - Your Company Name) Hidden
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Corel AfterShot 3 - ICA x64 (HKLM\...\{FE875B02-11A1-4D1E-B57A-8DE2C00C0B51}) (Version: 3.3 - Corel Corporation) Hidden
Corel AfterShot 3 - IPM Content x64 (HKLM\...\{3E064BED-C9D8-4BEF-A2EE-8D67E99C3932}) (Version: 3.3 - Corel Corporation) Hidden
Corel AfterShot 3 - IPM x64 (HKLM\...\{5059B47C-4D7B-46E9-9D7A-1E2FCF5DDBED}) (Version: 3.3.0.234 - Corel Corporation) Hidden
Corel AfterShot 3 x64 (HKLM\...\{1CC44D99-D0F5-4F25-8E72-58DD27DED43B}) (Version: 3.3 - Corel Corporation) Hidden
Corel AfterShot 3(64-bit) (HKLM\...\_{FE875B02-11A1-4D1E-B57A-8DE2C00C0B51}) (Version: 3.3.0.234 - Corel Corporation)
Corel PaintShop Pro X9 (HKLM-x32\...\_{998717E5-1031-4D28-A143-48ADAF062E5F}) (Version: 19.2.0.7 - Corel Corporation)
Corel PaintShop Pro X9 (HKLM-x32\...\{93EE564E-9DA1-4655-8A90-4E816019B409}) (Version: 19.0.0.96 - Corel Corporation) Hidden
Corel ScreenCap (HKLM\...\{99642277-4695-438F-8F07-E59D3E8EDB26}) (Version: 1.0.0 - Corel Corporation)
Corel Update Manager (HKLM\...\{B6C0FB43-0C9B-46E6-93E4-DF171ED80C53}) (Version: 2.3.201 - Corel corporation) Hidden
Corel Update Manager (HKLM\...\{B8C05FFE-C36F-4F17-AD20-739E4BC65AC9}) (Version: 2.3.201 - Corel corporation) Hidden
Corel Update Manager (HKLM-x32\...\{EE61B6C5-F017-4505-85D3-6D40B1797D32}) (Version: 2.3.201 - Corel corporation) Hidden
CyberLink PowerDirector 10 (HKLM\...\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.) Hidden
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.)
Dell 2135cn MFP Address Book Editor Ver.1.0.4.0 (HKLM-x32\...\{373B8456-BDA0-4ACE-AC44-BE7E9FC3DC19}) (Version: 1.0.4.0 - Dell Inc.)
Dell 2135cn MFP ScanButton Manager Ver.1.0.2.1 (HKLM-x32\...\{39F5FD42-493F-48E1-9413-0F5C90EEB313}) (Version: 1.0.2.1 - Dell Inc.)
Dell Printer Software (HKLM-x32\...\{105F3CE5-FE55-408E-BF30-E78F85BA0B12}) (Version: 1.00.000 - Dell Inc.)
diasend® Uploader version 2.4.0_BuildR2e02 (HKLM\...\{59A10021-5C7B-4C63-BB15-FAA9C04F8B26}_is1) (Version: 2.4.0_BuildR2e02 - Diasend)
Dolby Digital Plus Advanced Audio (HKLM\...\{B0BFC63F-EA07-419E-960B-3FB2ED5DD0B2}) (Version: 7.5.1.1 - Dolby Laboratories Inc)
Dynamic Web TWAIN HTML5 Edition (HKLM-x32\...\{B4D31736-4D13-4BCD-B050-7DD3E45C1650}) (Version: 11.1.831 - Dynamsoft)
Energy Manager (HKLM-x32\...\{AC768037-7079-4658-AC24-2897650E0ABE}) (Version: 1.5.0.20 - Lenovo) Hidden
Energy Manager (HKLM-x32\...\InstallShield_{AC768037-7079-4658-AC24-2897650E0ABE}) (Version: 1.5.0.20 - Lenovo)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.3.2.0 - Genesys Logic)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 60.0.3112.101 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Hightail for Lenovo (HKLM\...\{2F10E937-F6D7-4174-8AB9-B299E8FC5CEC}) (Version: 2.4.97.2857 - Hightail, Inc.)
HP Color LaserJet Pro MFP M476 (HKLM-x32\...\{4b849805-3b07-4b35-874a-705c0d103672}) (Version: 15.0.15188.627 - Hewlett-Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPCLJProMFPM476 (HKLM-x32\...\{C44C593D-3009-4D03-910E-243050C5E193}) (Version: 0.05.0000 - Hewlett-Packard)
HPDXP (HKLM-x32\...\{6BAA82C9-42B6-4B7D-A490-23EAC0E70C17}) (Version: 3.0.26.15 - HP) Hidden
HPLJDXPHelper (HKLM-x32\...\{010788AB-706E-4604-A46B-6785EAB64B5E}) (Version: 140.069.007 - HP) Hidden
HPLJUTCore (HKLM-x32\...\{B445502B-2F83-4873-90F1-06059F71A46A}) (Version: 014.000.0001 - HP) Hidden
HPLJUTM476 (HKLM-x32\...\{92AB9371-D327-4D56-9BDD-B38A671A631D}) (Version: 010.000.0001 - HP) Hidden
hppLaserJetService (HKLM-x32\...\{0C4C3664-157A-4D69-B474-31EBF2EE1AE3}) (Version: 009.033.00926 - Hewlett-Packard) Hidden
hppM476LaserJetService (HKLM-x32\...\{CD86BE42-2844-4A15-A487-0F60CAB31664}) (Version: 001.034.00634 - Hewlett-Packard) Hidden
hpStatusAlerts (HKLM-x32\...\{E35D0ED5-716B-4E1F-8477-54DD746DF527}) (Version: 140.040.00231 - Hewlett Packard) Hidden
hpStatusAlertsM476 (HKLM-x32\...\{C864CA6F-3A1D-45B5-A115-C8D47CAE3845}) (Version: 100.046.00121 - Hewlett-Packard) Hidden
ICA (HKLM-x32\...\{998717E5-1031-4D28-A143-48ADAF062E5F}) (Version: 19.0.0.96 - Corel Corporation) Hidden
iCloud (HKLM\...\{C510BB61-AE0B-4420-87AF-9CF646E86364}) (Version: 6.2.3.17 - Apple Inc.)
Intel® Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{0EC7F9CC-4741-45AE-9F55-6E9343F726F5}) (Version: 1.1.0.36960 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4531 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.0.2.1000 - Intel Corporation)
IPM_PSP_COM (HKLM-x32\...\{9A86C6EE-2CCC-4A51-BCC8-AAF97C2F4615}) (Version: 19.0.0.96 - Corel Corporation) Hidden
IPM_PSP_COM64 (HKLM\...\{966E78A9-AB34-4FC6-BEDA-7D3F1F42121D}) (Version: 19.0.0.96 - Corel Corporation) Hidden
iTunes (HKLM\...\{02F95875-9527-49CC-B32F-970ADAEBD1EF}) (Version: 12.6.2.20 - Apple Inc.)
Lenovo EasyCamera (HKLM-x32\...\{E399A5B3-ED53-4DEA-AF04-8011E1EB1EAC}) (Version: 6.3.9600.11103 - Realtek Semiconductor Corp.)
Lenovo Flex 2 Demo (HKLM-x32\...\{8300CA15-AD32-4C12-A6D4-121DEBCA11CC}) (Version: 1.0.0 - Lenovo)
Lenovo FusionEngine  (HKLM-x32\...\Lenovo FusionEngine) (Version: 1.0.13.0 - Lenovo, Inc.)
Lenovo Mobile Phone Wireless Import (HKLM-x32\...\{DFB2E0D6-8DDE-49A4-B8F7-03C14DACCBA6}) (Version: 1.1.1.9 - Lenovo) Hidden
Lenovo Mobile Phone Wireless Import (HKLM-x32\...\InstallShield_{DFB2E0D6-8DDE-49A4-B8F7-03C14DACCBA6}) (Version: 1.1.1.9 - Lenovo)
Lenovo Motion Control (HKLM-x32\...\{0D740B00-2307-44AC-B91B-F3E67444ECA6}) (Version: 2.0.1.0107 - PointGrab) Hidden
Lenovo Motion Control (HKLM-x32\...\InstallShield_{0D740B00-2307-44AC-B91B-F3E67444ECA6}) (Version: 2.0.1.0107 - PointGrab)
Lenovo OneKey Recovery (HKLM\...\{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.1.0.2326 - CyberLink Corp.) Hidden
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.1.0.2326 - CyberLink Corp.)
Lenovo PhoneCompanion (HKLM-x32\...\{0F82EA83-B0C5-4AB9-9695-DFE92C5FD57B}) (Version: 1.2.0.0 - Lenovo) Hidden
Lenovo PhoneCompanion (HKLM-x32\...\InstallShield_{0F82EA83-B0C5-4AB9-9695-DFE92C5FD57B}) (Version: 1.2.0.0 - Lenovo)
Lenovo Photo Master (HKLM-x32\...\{BC94C56A-3649-420C-8756-2ADEBE399D33}) (Version: 1.0.1823.01 - CyberLink Corp.) Hidden
Lenovo Photo Master (HKLM-x32\...\InstallShield_{BC94C56A-3649-420C-8756-2ADEBE399D33}) (Version: 1.0.1823.01 - CyberLink Corp.)
Lenovo PowerDVD10 (HKLM-x32\...\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.5630.52 - CyberLink Corp.) Hidden
Lenovo PowerDVD10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.5630.52 - CyberLink Corp.)
Lenovo Reach (HKLM-x32\...\{3245D8C8-7FE0-4FD4-B04B-2720A333D592}) (Version: 1.1.3.7 - Stoneware, Inc.)
Lenovo SHAREit (HKLM-x32\...\Lenovo SHAREit_is1) (Version: 2.0.5.0 - Lenovo Group Limited)
Lenovo Smart Voice (HKLM\...\Lenovo SmartVoice) (Version: 1.0.2.4 - Lenovo)
Lenovo Solution Center (HKLM\...\{C1FC707B-AE6B-4DC4-89A5-6628A01F8103}) (Version: 3.3.003.00 - Lenovo)
Lenovo System Interface Foundation Driver (HKLM\...\{C2E5CA37-C862-4A69-AC6D-24F450A20C16}) (Version: 1.0.078.00 - Lenovo)
Lenovo Transition (HKLM\...\Lenovo Transition) (Version: 2.1.14.1221 - Lenovo)
LJDXPHelperUI (HKLM-x32\...\{DEB23FB1-04FF-44AC-98B5-EEB243D65A28}) (Version: 140.069.007 - HP) Hidden
Magic Transfer (HKLM\...\{AD2B2BD1-A1D7-4798-8FDD-B2A58FD94E68}) (Version: 1.1.1.11 - )
Magic Transfer (HKLM-x32\...\{AD2B2BD1-A1D7-4798-8FDD-B2A58FD94E68}) (Version: 1.1.1.11 - Lenovo) Hidden
Magic Transfer (HKLM-x32\...\InstallShield_{AD2B2BD1-A1D7-4798-8FDD-B2A58FD94E68}) (Version: 1.1.1.11 - Lenovo)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Metric Collection SDK 35 (HKLM-x32\...\{C2B5B5B0-2545-4E94-B4BA-548D4BF0B196}) (Version: 1.2.0001.00 - Lenovo Group Limited) Hidden
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.8326.2076 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.6943.0625 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Nitro Pro 8 (HKLM\...\{392C767D-4EE2-49B5-A3B4-A4C3AB6DC145}) (Version: 8.5.7.1 - Nitro)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8326.2076 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8326.2076 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8326.2076 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8326.2076 - Microsoft Corporation) Hidden
PDF Settings CS6 (HKLM-x32\...\{BFEAAE77-BD7F-4534-B286-9C5CB4697EB1}) (Version: 11.0 - Adobe Systems Incorporated) Hidden
ph (HKLM-x32\...\{185F9795-9663-4F13-9EF9-307A282ADB5A}) (Version: 1.0.0 - Your Company Name) Hidden
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.10525 - CyberLink Corp.)
PSPPContent (HKLM-x32\...\{91773E30-F29C-4381-854A-95281DEB8DA1}) (Version: 19.0.0.96 - Corel Corporation) Hidden
PSPPHelp (HKLM-x32\...\{9F087D85-EDDC-4DC4-B665-AFDD3734D987}) (Version: 19.0.0.96 - Corel Corporation) Hidden
PSPPro64 (HKLM\...\{9722764A-D7C1-483A-931C-9C0A95D5F4EB}) (Version: 19.0.0.96 - Corel Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.314 - Qualcomm Atheros Communications)
Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.24.1218.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7188 - Realtek Semiconductor Corp.)
Setup (HKLM-x32\...\{9E0054AB-F957-4177-850E-3541960DBD53}) (Version: 19.0.0.96 - Corel Corporation) Hidden
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.23 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.23.105 - Skype Technologies S.A.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.9.5 - Synaptics Incorporated)
Ultimate Creative Collection (X9) (HKLM-x32\...\_{A0A52581-11B8-4ED7-B61F-7900C5E38F18}) (Version: 1.0.0.129 - Corel Corporation)
Ultimate Creative Collection (X9) (HKLM-x32\...\{A0A52581-11B8-4ED7-B61F-7900C5E38F18}) (Version: 1.0.0.129 - Corel Corporation) Hidden
User Manuals (HKLM-x32\...\{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 3.0.0.3 - Lenovo) Hidden
User Manuals (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 3.0.0.3 - Lenovo)
Windows 10 Update and Privacy Settings (HKLM\...\{293F2009-0145-450B-B4AA-063D43FB368C}) (Version: 1.0.13.0 - Microsoft Corporation)
Windows Driver Package - DexCom, Inc. (usbser) Ports  (05/24/2010 1.0.0.2) (HKLM\...\34C19A05C447FC9BDD48174F6232DC357FBB62D1) (Version: 05/24/2010 1.0.0.2 - DexCom, Inc.)
Windows Driver Package - Lenovo (ACPIVPC) System  (09/24/2013 19.29.2.34) (HKLM\...\EE9B1F2037C580F36D92FA431CC02BFF04C31F15) (Version: 09/24/2013 19.29.2.34 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid  (07/25/2013 10.30.0.288) (HKLM\...\6BCA401E9CBEED970D75F55FA5320F60D11984E9) (Version: 07/25/2013 10.30.0.288 - Lenovo)
WinRAR 5.21 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
========================= Devices: ================================

========================= Memory info: ===================================
Percentage of memory in use: 37%
Total physical RAM: 8100.01 MB
Available physical RAM: 5036.19 MB
Total Virtual: 9380.01 MB
Available Virtual: 6063.23 MB
========================= Partitions: =====================================
1 Drive c: (Windows8_OS) (Fixed) (Total:888.73 GB) (Free:758.81 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:24.86 GB) NTFS
========================= Users: ========================================
User accounts for \\LENOVO-PC
Administrator            DefaultAccount           Guest                   
Jason                   
========================= Restore Points ==================================
07-08-2017 20:16:00 Scheduled Checkpoint
17-08-2017 11:47:54 Scheduled Checkpoint
26-08-2017 21:26:27 Scheduled Checkpoint
**** End of log ****


#8 chaostoday

Posted 26 August 2017 - 05:01 PM

Malwarebytes 8-24-17 scan log. Threats deleted.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 8/24/2017
Scan Time: 9:04:46 AM
Logfile:
Administrator: Yes
Version: 2.01.6.1022
Malware Database: v2017.08.24.04
Rootkit Database: v2017.08.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 8
CPU: x64
File System: NTFS
User: Jason
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 289646
Time Elapsed: 18 min, 58 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 5
Trojan.Nymaim, C:\Users\Jason\AppData\Local\Temp\97FB.tmp, Quarantined, [63c13d54acfd84b2d386ad4a8e72c43c],
Trojan.Nymaim, C:\Users\Jason\AppData\Roaming\tssop-53\tssop-8.exe, Quarantined, [58cc39586f3abf77873f6ecead546799],
PUP.Optional.VisualDiscovery, C:\Windows\SysWOW64\VisualDiscovery.ini, Quarantined, [4bd99ff276330a2c3fd0e1c605fd0bf5],
PUP.Optional.Winsock.WnskRST, C:\Windows\System32\VisualDiscoveryOff.ini, Quarantined, [d45099f88d1cbd797be39b1f8979e11f],
PUP.Optional.Winsock.WnskRST, C:\Windows\SysWOW64\VisualDiscoveryOff.ini, Quarantined, [958f415038719b9ba4bac2f8fb07e61a],
Physical Sectors: 0
(No malicious items detected)

(end)


#9 chaostoday

Posted 26 August 2017 - 07:02 PM

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 8/26/2017
Scan Time: 6:01:50 PM
Logfile:
Administrator: Yes
Version: 2.01.6.1022
Malware Database: v2017.08.26.07
Rootkit Database: v2017.08.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 8
CPU: x64
File System: NTFS
User: Jason
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 289918
Time Elapsed: 20 min, 49 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 1
Ransom.Cerber, C:\ProgramData\lvpecl-5\lvpecl-1.exe, Quarantined, [bc33c1d08c1dfa3c0e7e14c136ca1ce4],
Physical Sectors: 0
(No malicious items detected)

(end)


#10 chaostoday

Posted 27 August 2017 - 07:24 AM

Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 08/27/2017 08:20:24 AM in x64 mode.
Windows Version: Windows 10 Home
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\Windows\SysWOW64\UMonit64.exe (PID: 8228) [WD-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Modified HKCU\...\Winlogon: [Shell] => C:\ProgramData\lvpecl-5\lvpecl-1.exe -s,explorer.exe
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * HOSTS file entries found:
  127.0.0.1                   127.0.0.1 www.internetdownloadmanager.com
  127.0.0.1                   207.44.199.159 registeridm.com
  127.0.0.1                   localhost
  127.0.0.1                   lmlicenses.wip4.adobe.com
  127.0.0.1                   lm.licenses.adobe.com
  127.0.0.1                   activate.adobe.com
  127.0.0.1                   practivate.adobe.com
  127.0.0.1                   ereg.adobe.com
  127.0.0.1                   activate.wip3.adobe.com
  127.0.0.1                   3dns-3.adobe.com
  127.0.0.1                   3dns-2.adobe.com
  127.0.0.1                   adobe-dns.adobe.com
  127.0.0.1                   adobe-dns-2.adobe.com
  127.0.0.1                   adobe-dns-3.adobe.com
  127.0.0.1                   ereg.wip3.adobe.com
  127.0.0.1                   activate-sea.adobe.com
  127.0.0.1                   wwis-dubc1-vip60.adobe.com
  127.0.0.1                   activate-sjc0.adobe.com
  127.0.0.1                   adobeereg.com
  127.0.0.1                   adobe.activate.com
  20 out of 99 HOSTS entries shown.
  Please review HOSTS file for further entries.
Program finished at: 08/27/2017 08:22:49 AM
Execution time: 0 hours(s), 2 minute(s), and 24 seconds(s)


#11 boopme (Global Moderator)

Posted 29 August 2017 - 01:47 PM

Would you also run ESET..
  • It is recommended to turn off your antivirus program. Click on the E5rfZI9.png button to see which antivirus is currently enabled.
  • Turn off your antivirus program. See here how to do this.
  • Check the option beside: Enable detection of potentially unwanted applications.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth Technology
  • Click on the Change button and select only Operating memory, Autostart locations and drive C:\ to be scanned.
  • Push the dtoGjAL.png button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, a list of found threats will open automatically (if any malicious files are found).
  • Push the cRhRYZ8.png button and save the file to your desktop using a unique name, such as ESETScan.txt. Include the contents of this report in your next reply.
  • Push the 9IjfdXq.png button.
  • Check the box beside RHzfZB1.png to uninstall the application when closed.
  • Push Vc3btaC.png and then close the application by clicking the X in the upper right corner.


#12 chaostoday

Posted 30 August 2017 - 07:51 AM

My computer is running the scan now. I'm concerned because my antivirus has not been running. It's like it was shut off somehow. I can't seem to access it. It's Bitdefender. I also tried enabling Windows Defender, and it enables but then immediately goes back to disabled. Something seems wrong. Is this computer possibly accessing my passwords and account information?



#13 chaostoday

Posted 30 August 2017 - 12:47 PM

C:\Users\Jason\AppData\Local\Temp\2475.tmp a variant of Win32/Kryptik.FVRB Trojan 
 



#14 boopme (Global Moderator)

Posted 30 August 2017 - 03:38 PM

Ok... some malware affects the AV, so run Rkill first and then the tools.

Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista/Windows 7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.


#15 chaostoday

Posted 30 August 2017 - 03:48 PM

I already ran Rkill when instructed, in the order above. Should I run it again?
