
Hijacked computer/phone, Latency-problems, Slow, BSODs, Wifi-problems etc


  • This topic is locked
40 replies to this topic

#1 rogerthat69

Posted 19 September 2017 - 04:59 PM

Computer had Windows app problems from the start (Win 8), which resulted in a clean OS re-installation. Problems did not really go away.

Later, under Win 10, latency disruptions came with regularity. One day I noticed how my phone, by itself, transmitted data/photos over the 3G net. Have had firewall intrusions showing i.e. transfer of Bluetooth and other "unknown" radio communication programs. Often remote desktop connections were active for no reason. Have had a lot of error messages (EV logs) that relate directly to Windows Server (2008), although this is a single workstation laptop. Under Terminal Services - Local Session Manager starts a plugin every time I decide to restart the computer. It's called RDSAppXPlugin. I don't know what it is handling apart from initiating the Remote Desktop Service, which I try to prohibit without success. Can't find anything about this plugin. It must be malware or something about Microsoft doing work under my hood. There are also 2 unknown PowerShell startup items:

 

Dator\HKEY_CLASSES_ROOT\Drive\shell\Powershell\command; powershell.exe -noexit -command Set-Location -literalPath '%V'

Dator\HKEY_CLASSES_ROOT\Directory\shell\Powershell\command; powershell.exe -noexit -command Set-Location -literalPath '%V'

 

Access is denied. Can't disable them. Before Win 10 I had PowerShell disabled. That is impossible with Win 10. Is this the result when you try to keep Microsoft out? Disabling most Windows remote services except RPC. Tired of all kinds of errors in the EV, I did another clean installation in April this year. This time the PowerShell startup commands were there again, even with all (remote) services activated (set to automatic or manual (default)). But there was a new third startup item now, named "fileownership":

 

Dator\HKEY_CLASSES_ROOT\Directory\shell\UpdateEncryptionSettings; DelegateExecute: {5B6D1451-B1E1-4372-90F5-88E541B4DAB9}

 

The thing was, before I did the last clean installation the computer crashed due to me taking ownership of a file named Windows Remote Desktop Session Host Server SDK APIs (wtsapi32.dll), running under Firefox. I did not understand why this DLL has to run under my browser. Nevertheless, the computer crashed when this file was stopped... and could not be restarted. The DLL file is running now. I don't understand why I run my system under an RD Server Host environment?? Maybe it has to do with MS or Mozilla/FF, but still, why is this file so essential for the whole operating system to collapse (could not restart computer)?

 

My wifi is very slow: 100 kbit/sec up to a maximum of 1 Mbit/sec. With my network adapter and router I should have at least 20-40 Mbit/sec. The Ethernet connection is fiber, 100 Mbit/sec. Maybe I should try another adapter? Or another... adapter reinstallation? But... the system says GO... OK!!

 

Once I noticed an alien computer interface name on my network (Network and Sharing Center). Have also seen a well-known ISP in my registry. Not contracted to me though!!

 

 

Now to my instant problem:

 

Had problems with many of my security programs like AdwCleaner (found nothing), JRT (Firefox deletion), SuperAntiSpyware (nothing), RKill. Had to reinstall all of them to be able to run. I normally run them every week or so. Malwarebytes Anti-Malware (found nothing) and MS (nothing) worked though, as did ESET Online Scanner (found PUPs) and Hitman Pro.

 

Due to these running problems I decided to run some rootkit programs that always worked fine before: aswMBR and GMER.

 

aswMBR gave a BSOD some minutes into scanning. Downloaded a new version (exe). Tried with AV etc. disconnected. But BSOD.
Tried GMER in all 3 versions incl. iexplore.exe. BSODs. The third (of 4) time running GMER it came up with a red alert from the start regarding Hitman Pro (Manual)!! GMER came to "iat", not any further.
Downloaded Malwarebytes Anti-Rootkit. Found nothing.

 

AswMBR: Error: module: aswvmm.sys  PAGE_FAULT_IN_NONPAGED_AREA

GMER: Error: module: kwxoipog.sys DRIVER_IRQL_NOT_LESS_OR_EQUAL

 

I don't like my computer. Something is wrong. ntoskrnl.exe is a notorious source of errors (BSODs), and according to driver-load logs it often fails to load properly (among a few others).

 

What to do?

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-09-2017 01
Ran by Christer (administrator) on NOTEBOOK-1F9FAJ (19-09-2017 19:03:43)
Running from C:\Users\Christer\Desktop
Loaded Profiles: Christer (Available Profiles: Christer & Bach)
Platform: Windows 10 Home Version 1703 (X64) Language: Svenska (Sverige)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLoader.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPCenter.exe
(AsusTek) C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPHelper.exe     (unstable, high cpu)
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2start.exe
(Resplendence Software Projects) C:\Program Files\WhoCrashed\WhoCrashedEx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1804360 2016-03-22] (NVIDIA Corporation)
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [8740696 2017-08-24] (Emsisoft Ltd)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2480584 2017-07-18] (Malwarebytes Corporation)
HKU\S-1-5-21-2012168036-945120212-3105423917-1001\...\Run: [] => [X]
HKU\S-1-5-21-2012168036-945120212-3105423917-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\ssText3d.scr [228864 2017-03-18] (Microsoft Corporation)
GroupPolicy\User: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{6ca27c02-4362-4592-b65a-0a7212eb3318}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{cf0a693c-5374-4d70-ac23-a22a4302c0ac}: [DhcpNameServer] 192.168.1.1

Internet Explorer:                                                                    (have disabled IE. Don't know why high traffic according to CCleaner and TFT)
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =

Edge:
======
Edge Extension: (AdBlock) -> EdgeExtension_BetaFishAdBlock_c1wakc4j0nefm => C:\Program Files\WindowsApps\BetaFish.AdBlock_2.2.0.0_neutral__c1wakc4j0nefm [2017-07-13]

FireFox:
========
FF DefaultProfile: umbm031o.default
FF ProfilePath: C:\Users\Christer\AppData\Roaming\Mozilla\Firefox\Profiles\umbm031o.default [2017-09-19]
FF Extension: (NoScript) - C:\Users\Christer\AppData\Roaming\Mozilla\Firefox\Profiles\umbm031o.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-08-30]
FF Extension: (Adblock Plus) - C:\Users\Christer\AppData\Roaming\Mozilla\Firefox\Profiles\umbm031o.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-06-17]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_27_0_0_130.dll [2017-09-15] ()
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_130.dll [2017-09-15] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2017-02-28] (Foxit Corporation)
FF Plugin-x32: @nokia.com/EnablerPlugin -> C:\Program Files (x86)\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll [2014-11-19] ( )
FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-31] (SUPERAntiSpyware.com)
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [9048360 2017-08-24] (Emsisoft Ltd)
R2 FoxitReaderService; C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitConnectedPDFService.exe [1659592 2017-02-24] (Foxit Software Inc.)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373728 2016-11-30] (Intel Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155080 2017-07-18] (Malwarebytes Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [342264 2017-03-18] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [102816 2017-06-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AsusTP; C:\Windows\System32\drivers\AsusTP.sys [128024 2017-03-09] (ASUS Corporation)
R1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77432 2017-07-18] ()
R3 HIDSwitch; C:\Windows\System32\drivers\AsRadioControl.sys [31120 2016-12-19] (ASUS)
S3 rspLLL; C:\Windows\System32\DRIVERS\rspLLL64.sys [26368 2015-07-13] (Resplendence Software Projects Sp.)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [604160 2017-03-18] (Realtek )
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [751632 2015-05-14] (Realsil Semiconductor Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 SDFRd; C:\Windows\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44632 2017-03-18] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [294816 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [121248 2017-03-18] (Microsoft Corporation)
U3 kwxoipog; C:\Users\Christer\AppData\Local\Temp\kwxoipog.sys [56584 2017-09-19] (GMER) [File not signed] <==== ATTENTION

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-19 19:03 - 2017-09-19 19:04 - 000010672 _____ C:\Users\Christer\Desktop\FRST.txt
2017-09-19 19:03 - 2017-09-19 19:03 - 000000000 ____D C:\FRST
2017-09-19 19:01 - 2017-09-19 19:01 - 002399744 _____ (Farbar) C:\Users\Christer\Desktop\FRST64.exe
2017-09-19 16:16 - 2017-09-19 16:19 - 162170136 _____ (Microsoft Corporation) C:\Users\Christer\Downloads\msert.exe
2017-09-19 15:52 - 2017-09-19 16:06 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-09-19 15:29 - 2017-09-19 15:29 - 000574244 _____ C:\Windows\Minidump\091917-23312-01.dmp
2017-09-19 10:13 - 2017-09-19 10:30 - 000000000 ____D C:\ProgramData\Emsisoft
2017-09-19 10:11 - 2017-09-19 10:11 - 000000937 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2017-09-19 10:11 - 2017-09-19 10:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2017-09-19 10:10 - 2017-09-19 18:16 - 000000000 ____D C:\Program Files\Emsisoft Anti-Malware
2017-09-19 10:00 - 2017-09-19 10:08 - 253383016 _____ (Emsisoft Ltd. ) C:\Users\Bach\Downloads\EmsisoftAntiMalwareSetup_bc.exe
2017-09-19 01:28 - 2017-09-19 01:28 - 000000000 ____D C:\SUPERDelete
2017-09-19 00:35 - 2017-09-19 00:36 - 000563572 _____ C:\Windows\Minidump\091917-31531-01.dmp
2017-09-19 00:17 - 2017-09-19 00:17 - 000633572 _____ C:\Windows\Minidump\091917-23515-01.dmp
2017-09-19 00:13 - 2017-09-19 11:22 - 074448896 _____ C:\Windows\system32\config\SOFTWARE
2017-09-18 23:59 - 2017-09-19 00:00 - 000588548 _____ C:\Windows\Minidump\091817-25125-01.dmp
2017-09-18 23:19 - 2017-09-18 23:19 - 000602916 _____ C:\Windows\Minidump\091817-26171-01.dmp
2017-09-15 08:43 - 2017-09-05 07:30 - 000287648 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\sdbus.sys
2017-09-15 08:43 - 2017-09-05 07:24 - 000519584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2017-09-15 08:43 - 2017-09-05 07:21 - 000189344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsd.sys
2017-09-15 08:43 - 2017-09-05 07:18 - 000820128 _____ (Microsoft Corporation) C:\Windows\system32\WWAHost.exe
2017-09-15 08:43 - 2017-09-05 07:16 - 000546208 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2017-09-15 08:43 - 2017-09-05 07:14 - 004708504 _____ (Microsoft Corporation) C:\Windows\system32\mfcore.dll
2017-09-15 08:43 - 2017-09-05 07:14 - 000254176 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2017-09-15 08:43 - 2017-09-05 07:14 - 000094624 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2017-09-15 08:43 - 2017-09-05 07:12 - 001409048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32full.dll
2017-09-15 08:43 - 2017-09-05 07:12 - 001292880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2017-09-15 08:43 - 2017-09-05 07:12 - 000627080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontdrvhost.exe
2017-09-15 08:43 - 2017-09-05 07:12 - 000081176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32u.dll
2017-09-15 08:43 - 2017-09-05 07:11 - 002675104 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2017-09-15 08:43 - 2017-09-05 06:53 - 001839872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2017-09-15 08:43 - 2017-09-05 06:52 - 002259760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CoreUIComponents.dll
2017-09-15 08:43 - 2017-09-05 06:50 - 004330920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setupapi.dll
2017-09-15 08:43 - 2017-09-05 06:46 - 004471888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2017-09-15 08:43 - 2017-09-05 06:45 - 005821496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\windows.storage.dll
2017-09-15 08:43 - 2017-09-05 06:45 - 002476712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2017-09-15 08:43 - 2017-09-05 06:45 - 002166808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-09-15 08:43 - 2017-09-05 06:45 - 000750496 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
2017-09-15 08:43 - 2017-09-05 06:45 - 000085784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CredentialUIBroker.exe
2017-09-15 08:43 - 2017-09-05 06:44 - 000569264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2017-09-15 08:43 - 2017-09-05 06:43 - 000611096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wer.dll
2017-09-15 08:43 - 2017-09-05 06:43 - 000359560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Faultrep.dll
2017-09-15 08:43 - 2017-09-05 06:43 - 000280480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WerFault.exe
2017-09-15 08:43 - 2017-09-05 06:43 - 000169376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wermgr.exe
2017-09-15 08:43 - 2017-09-05 06:43 - 000042456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tbs.dll
2017-09-15 08:43 - 2017-09-05 06:42 - 002330520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\combase.dll
2017-09-15 08:43 - 2017-09-05 06:42 - 000703056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2017-09-15 08:43 - 2017-09-05 06:42 - 000519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppXDeploymentClient.dll
2017-09-15 08:43 - 2017-09-05 06:42 - 000291904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wevtapi.dll
2017-09-15 08:43 - 2017-09-05 06:42 - 000182688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppxAllUserStore.dll
2017-09-15 08:43 - 2017-09-05 06:41 - 020373408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2017-09-15 08:43 - 2017-09-05 06:41 - 006761560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady.dll
2017-09-15 08:43 - 2017-09-05 06:41 - 004671832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfcore.dll
2017-09-15 08:43 - 2017-09-05 06:41 - 001106904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfds.dll
2017-09-15 08:43 - 2017-09-05 06:41 - 001013912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msvproc.dll
2017-09-15 08:43 - 2017-09-05 06:40 - 000052768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2017-09-15 08:43 - 2017-09-05 06:37 - 000583160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\CoreMessaging.dll
2017-09-15 08:43 - 2017-09-05 06:28 - 000071680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbser.sys
2017-09-15 08:43 - 2017-09-05 06:28 - 000039424 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\buttonconverter.sys
2017-09-15 08:43 - 2017-09-05 06:27 - 000128000 _____ (Microsoft Corporation) C:\Windows\system32\mssprxy.dll
2017-09-15 08:43 - 2017-09-05 06:27 - 000104960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\UcmCx.sys
2017-09-15 08:43 - 2017-09-05 06:26 - 002953216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32kfull.sys
2017-09-15 08:43 - 2017-09-05 06:26 - 000404480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\werui.dll
2017-09-15 08:43 - 2017-09-05 06:26 - 000130560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\bthpan.sys
2017-09-15 08:43 - 2017-09-05 06:26 - 000107008 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidbth.sys
2017-09-15 08:43 - 2017-09-05 06:26 - 000084992 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-09-15 08:43 - 2017-09-05 06:25 - 013844480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Xaml.dll
2017-09-15 08:43 - 2017-09-05 06:25 - 001448960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\GdiPlus.dll
2017-09-15 08:43 - 2017-09-05 06:25 - 000293376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32k.sys
2017-09-15 08:43 - 2017-09-05 06:25 - 000154624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWWIN.EXE
2017-09-15 08:43 - 2017-09-05 06:24 - 002199552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Xaml.Resources.dll
2017-09-15 08:43 - 2017-09-05 06:24 - 000457728 _____ (Microsoft Corporation) C:\Windows\system32\webplatstorageserver.dll
2017-09-15 08:43 - 2017-09-05 06:24 - 000182272 _____ (Microsoft Corporation) C:\Windows\system32\ngcrecovery.dll
2017-09-15 08:43 - 2017-09-05 06:24 - 000096256 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-09-15 08:43 - 2017-09-05 06:23 - 020509184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2017-09-15 08:43 - 2017-09-05 06:23 - 000107008 _____ (Microsoft Corporation) C:\Windows\system32\ngcpopkeysrv.dll
2017-09-15 08:43 - 2017-09-05 06:23 - 000025088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\odbcconf.dll
2017-09-15 08:43 - 2017-09-05 06:22 - 000742912 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2017-09-15 08:43 - 2017-09-05 06:22 - 000640512 _____ (Microsoft Corporation) C:\Windows\system32\ngccredprov.dll
2017-09-15 08:43 - 2017-09-05 06:22 - 000458752 _____ (Microsoft Corporation) C:\Windows\system32\NgcCtnr.dll
2017-09-15 08:43 - 2017-09-05 06:22 - 000327168 _____ (Microsoft Corporation) C:\Windows\system32\WinBioDataModel.dll
2017-09-15 08:43 - 2017-09-05 06:22 - 000274944 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-09-15 08:43 - 2017-09-05 06:22 - 000165888 _____ (Microsoft Corporation) C:\Windows\system32\storewuauth.dll
2017-09-15 08:43 - 2017-09-05 06:22 - 000079872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2017-09-15 08:43 - 2017-09-05 06:21 - 006728704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2017-09-15 08:43 - 2017-09-05 06:21 - 001178624 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Networking.Vpn.dll
2017-09-15 08:43 - 2017-09-05 06:21 - 000408576 _____ (Microsoft Corporation) C:\Windows\system32\cryptngc.dll
2017-09-15 08:43 - 2017-09-05 06:21 - 000312320 _____ (Microsoft Corporation) C:\Windows\system32\Phoneutil.dll
2017-09-15 08:43 - 2017-09-05 06:21 - 000123904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srpapi.dll
2017-09-15 08:43 - 2017-09-05 06:21 - 000064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-09-15 08:43 - 2017-09-05 06:21 - 000062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntprint.exe
2017-09-15 08:43 - 2017-09-05 06:20 - 000805888 _____ (Microsoft Corporation) C:\Windows\system32\ieproxy.dll
2017-09-15 08:43 - 2017-09-05 06:20 - 000546816 _____ (Microsoft Corporation) C:\Windows\system32\winspool.drv
2017-09-15 08:43 - 2017-09-05 06:20 - 000370176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\daxexec.dll
2017-09-15 08:43 - 2017-09-05 06:19 - 019336192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-09-15 08:43 - 2017-09-05 06:19 - 000364032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msIso.dll
2017-09-15 08:43 - 2017-09-05 06:19 - 000311296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntprint.dll
2017-09-15 08:43 - 2017-09-05 06:19 - 000181760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authz.dll
2017-09-15 08:43 - 2017-09-05 06:19 - 000134656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dinput.dll
2017-09-15 08:43 - 2017-09-05 06:19 - 000124928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2017-09-15 08:43 - 2017-09-05 06:19 - 000080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-09-15 08:43 - 2017-09-05 06:18 - 000524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ngccredprov.dll
2017-09-15 08:43 - 2017-09-05 06:18 - 000491520 _____ (Microsoft Corporation) C:\Windows\system32\NgcCtnrSvc.dll
2017-09-15 08:43 - 2017-09-05 06:18 - 000471040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TpmCoreProvisioning.dll
2017-09-15 08:43 - 2017-09-05 06:18 - 000452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rasplap.dll
2017-09-15 08:43 - 2017-09-05 06:18 - 000266240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-09-15 08:43 - 2017-09-05 06:18 - 000175104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dinput8.dll
2017-09-15 08:43 - 2017-09-05 06:18 - 000100352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rasman.dll
2017-09-15 08:43 - 2017-09-05 06:17 - 008213504 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2017-09-15 08:43 - 2017-09-05 06:17 - 008207872 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2017-09-15 08:43 - 2017-09-05 06:17 - 000918528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Networking.Vpn.dll
2017-09-15 08:43 - 2017-09-05 06:17 - 000852480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rasgcw.dll
2017-09-15 08:43 - 2017-09-05 06:17 - 000586240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2017-09-15 08:43 - 2017-09-05 06:17 - 000307712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptngc.dll
2017-09-15 08:43 - 2017-09-05 06:16 - 005961728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2017-09-15 08:43 - 2017-09-05 06:16 - 000844288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rasdlg.dll
2017-09-15 08:43 - 2017-09-05 06:16 - 000563200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2017-09-15 08:43 - 2017-09-05 06:16 - 000358400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieproxy.dll
2017-09-15 08:43 - 2017-09-05 06:16 - 000357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ActivationManager.dll
2017-09-15 08:43 - 2017-09-05 06:16 - 000257024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Phoneutil.dll
2017-09-15 08:43 - 2017-09-05 06:15 - 004730368 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-09-15 08:43 - 2017-09-05 06:15 - 001248768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AzureSettingSyncProvider.dll
2017-09-15 08:43 - 2017-09-05 06:15 - 000657408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\netlogon.dll
2017-09-15 08:43 - 2017-09-05 06:15 - 000636416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WpcWebFilter.dll
2017-09-15 08:43 - 2017-09-05 06:15 - 000430592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winspool.drv
2017-09-15 08:43 - 2017-09-05 06:15 - 000223744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2017-09-15 08:43 - 2017-09-05 06:14 - 002516480 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2017-09-15 08:43 - 2017-09-05 06:14 - 001583616 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-09-15 08:43 - 2017-09-05 06:14 - 001046016 _____ (Microsoft Corporation) C:\Windows\system32\ngcsvc.dll
2017-09-15 08:43 - 2017-09-05 06:14 - 000754176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2017-09-15 08:43 - 2017-09-05 06:14 - 000590336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PCPKsp.dll
2017-09-15 08:43 - 2017-09-05 06:14 - 000476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dsreg.dll
2017-09-15 08:43 - 2017-09-05 06:13 - 007598080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2017-09-15 08:43 - 2017-09-05 06:13 - 000050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cldapi.dll
2017-09-15 08:43 - 2017-09-05 06:12 - 006265856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2017-09-15 08:43 - 2017-09-05 06:12 - 005225984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d2d1.dll
2017-09-15 08:43 - 2017-09-05 06:12 - 002859520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-09-15 08:43 - 2017-09-05 06:12 - 000899584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.appcore.dll
2017-09-15 08:43 - 2017-09-05 06:11 - 003667456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_47.dll
2017-09-15 08:43 - 2017-09-05 06:11 - 003654656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-09-15 08:43 - 2017-09-05 06:11 - 001463296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-09-15 08:43 - 2017-09-05 06:11 - 001355264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\OpcServices.dll
2017-09-15 08:43 - 2017-09-05 06:11 - 001060352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\XpsPrint.dll
2017-09-15 08:43 - 2017-09-05 06:11 - 001019904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aadtb.dll
2017-09-15 08:43 - 2017-09-05 06:11 - 000787456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2017-09-15 08:43 - 2017-09-05 06:10 - 004559360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbgeng.dll
2017-09-15 08:43 - 2017-09-05 06:10 - 001627136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-09-15 08:43 - 2017-09-05 06:10 - 000761344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rasapi32.dll
2017-09-15 08:43 - 2017-09-05 06:10 - 000431616 _____ (Microsoft Corporation) C:\Windows\system32\BthHFSrv.dll
2017-09-15 08:43 - 2017-09-05 06:06 - 000221696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wisp.dll
2017-09-15 08:43 - 2017-09-05 06:06 - 000089088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\olepro32.dll
2017-09-15 08:43 - 2017-09-05 06:04 - 000175616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RstrtMgr.dll
2017-09-15 08:43 - 2017-09-05 06:04 - 000057856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\offreg.dll
2017-09-15 08:42 - 2017-09-05 07:31 - 001596592 _____ (Microsoft Corporation) C:\Windows\system32\gdi32full.dll
2017-09-15 08:42 - 2017-09-05 07:31 - 001346112 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2017-09-15 08:42 - 2017-09-05 07:31 - 001147296 _____ (Microsoft Corporation) C:\Windows\system32\hvix64.exe
2017-09-15 08:42 - 2017-09-05 07:31 - 001024928 _____ (Microsoft Corporation) C:\Windows\system32\hvax64.exe
2017-09-15 08:42 - 2017-09-05 07:31 - 000821664 _____ (Microsoft Corporation) C:\Windows\system32\hvloader.exe
2017-09-15 08:42 - 2017-09-05 07:31 - 000750560 _____ (Microsoft Corporation) C:\Windows\system32\fontdrvhost.exe
2017-09-15 08:42 - 2017-09-05 07:31 - 000115792 _____ (Microsoft Corporation) C:\Windows\system32\win32u.dll
2017-09-15 08:42 - 2017-09-05 07:27 - 002399728 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2017-09-15 08:42 - 2017-09-05 07:27 - 000136096 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2017-09-15 08:42 - 2017-09-05 07:26 - 008319904 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-09-15 08:42 - 2017-09-05 07:26 - 001930840 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-09-15 08:42 - 2017-09-05 07:25 - 002969880 _____ (Microsoft Corporation) C:\Windows\system32\CoreUIComponents.dll
2017-09-15 08:42 - 2017-09-05 07:25 - 000159648 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\partmgr.sys
2017-09-15 08:42 - 2017-09-05 07:24 - 000923040 _____ (Microsoft Corporation) C:\Windows\system32\CoreMessaging.dll
2017-09-15 08:42 - 2017-09-05 07:23 - 004462120 _____ (Microsoft Corporation) C:\Windows\system32\setupapi.dll
2017-09-15 08:42 - 2017-09-05 07:23 - 001242528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2017-09-15 08:42 - 2017-09-05 07:20 - 001057824 _____ (Microsoft Corporation) C:\Windows\system32\MrmCoreR.dll
2017-09-15 08:42 - 2017-09-05 07:19 - 004848960 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2017-09-15 08:42 - 2017-09-05 07:19 - 002443168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2017-09-15 08:42 - 2017-09-05 07:18 - 007326128 _____ (Microsoft Corporation) C:\Windows\system32\windows.storage.dll
2017-09-15 08:42 - 2017-09-05 07:18 - 005477096 _____ (Microsoft Corporation) C:\Windows\system32\OneCoreUAPCommonProxyStub.dll
2017-09-15 08:42 - 2017-09-05 07:18 - 002972552 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2017-09-15 08:42 - 2017-09-05 07:18 - 002647224 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-09-15 08:42 - 2017-09-05 07:18 - 001668344 _____ (Microsoft Corporation) C:\Windows\system32\propsys.dll
2017-09-15 08:42 - 2017-09-05 07:18 - 000685512 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2017-09-15 08:42 - 2017-09-05 07:18 - 000212384 _____ (Microsoft Corporation) C:\Windows\system32\browserbroker.dll
2017-09-15 08:42 - 2017-09-05 07:17 - 000316320 _____ (Microsoft Corporation) C:\Windows\system32\WerFault.exe
2017-09-15 08:42 - 2017-09-05 07:16 - 001320344 _____ (Microsoft Corporation) C:\Windows\system32\wpx.dll
2017-09-15 08:42 - 2017-09-05 07:16 - 000872472 _____ (Microsoft Corporation) C:\Windows\system32\ClipSVC.dll
2017-09-15 08:42 - 2017-09-05 07:16 - 000724200 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2017-09-15 08:42 - 2017-09-05 07:16 - 000715168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fvevol.sys
2017-09-15 08:42 - 2017-09-05 07:16 - 000410168 _____ (Microsoft Corporation) C:\Windows\system32\Faultrep.dll
2017-09-15 08:42 - 2017-09-05 07:16 - 000228256 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2017-09-15 08:42 - 2017-09-05 07:16 - 000182688 _____ (Microsoft Corporation) C:\Windows\system32\wermgr.exe
2017-09-15 08:42 - 2017-09-05 07:16 - 000049720 _____ (Microsoft Corporation) C:\Windows\system32\tbs.dll
2017-09-15 08:42 - 2017-09-05 07:15 - 003116184 _____ (Microsoft Corporation) C:\Windows\system32\combase.dll
2017-09-15 08:42 - 2017-09-05 07:15 - 000871448 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2017-09-15 08:42 - 2017-09-05 07:15 - 000654976 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentClient.dll
2017-09-15 08:42 - 2017-09-05 07:15 - 000381824 _____ (Microsoft Corporation) C:\Windows\system32\wevtapi.dll
2017-09-15 08:42 - 2017-09-05 07:15 - 000257440 _____ (Microsoft Corporation) C:\Windows\system32\AppxAllUserStore.dll
2017-09-15 08:42 - 2017-09-05 07:14 - 021352656 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2017-09-15 08:42 - 2017-09-05 07:14 - 007907344 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Media.Protection.PlayReady.dll
2017-09-15 08:42 - 2017-09-05 07:14 - 001146176 _____ (Microsoft Corporation) C:\Windows\system32\mfds.dll
2017-09-15 08:42 - 2017-09-05 07:14 - 000958664 _____ (Microsoft Corporation) C:\Windows\system32\msvproc.dll
2017-09-15 08:42 - 2017-09-05 07:13 - 001619816 _____ (Microsoft Corporation) C:\Windows\system32\sppobjs.dll
2017-09-15 08:42 - 2017-09-05 07:13 - 000064680 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2017-09-15 08:42 - 2017-09-05 07:11 - 000610720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2017-09-15 08:42 - 2017-09-05 06:53 - 001620880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2017-09-15 08:42 - 2017-09-05 06:45 - 023679488 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2017-09-15 08:42 - 2017-09-05 06:31 - 003668992 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2017-09-15 08:42 - 2017-09-05 06:30 - 001639936 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2017-09-15 08:42 - 2017-09-05 06:30 - 001275904 _____ (Microsoft Corporation) C:\Windows\system32\werconcpl.dll
2017-09-15 08:42 - 2017-09-05 06:30 - 000584192 _____ (Microsoft Corporation) C:\Windows\system32\UIRibbonRes.dll
2017-09-15 08:42 - 2017-09-05 06:30 - 000463360 _____ (Microsoft Corporation) C:\Windows\system32\werui.dll
2017-09-15 08:42 - 2017-09-05 06:30 - 000447488 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-09-15 08:42 - 2017-09-05 06:30 - 000184320 _____ (Microsoft Corporation) C:\Windows\system32\DWWIN.EXE
2017-09-15 08:42 - 2017-09-05 06:30 - 000093184 _____ (Microsoft Corporation) C:\Windows\system32\wercplsupport.dll
2017-09-15 08:42 - 2017-09-05 06:30 - 000089088 _____ (Microsoft Corporation) C:\Windows\system32\winsrvext.dll
2017-09-15 08:42 - 2017-09-05 06:30 - 000077824 _____ (Microsoft Corporation) C:\Windows\system32\wsqmcons.exe
2017-09-15 08:42 - 2017-09-05 06:29 - 000037376 _____ (Microsoft Corporation) C:\Windows\system32\SEMgrPS.dll
2017-09-15 08:42 - 2017-09-05 06:28 - 017371136 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Xaml.dll
2017-09-15 08:42 - 2017-09-05 06:28 - 002199552 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Xaml.Resources.dll
2017-09-15 08:42 - 2017-09-05 06:27 - 007931392 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2017-09-15 08:42 - 2017-09-05 06:27 - 000133632 _____ (Microsoft Corporation) C:\Windows\system32\CfgSPCellular.dll
2017-09-15 08:42 - 2017-09-05 06:27 - 000131584 _____ (Microsoft Corporation) C:\Windows\system32\EnterpriseAPNCsp.dll
2017-09-15 08:42 - 2017-09-05 06:27 - 000095232 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2017-09-15 08:42 - 2017-09-05 06:27 - 000090112 _____ (Microsoft Corporation) C:\Windows\system32\datamarketsvc.dll
2017-09-15 08:42 - 2017-09-05 06:27 - 000064000 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2017-09-15 08:42 - 2017-09-05 06:27 - 000029696 _____ (Microsoft Corporation) C:\Windows\system32\odbcconf.dll
2017-09-15 08:42 - 2017-09-05 06:26 - 000499712 _____ (Microsoft Corporation) C:\Windows\system32\nltest.exe
2017-09-15 08:42 - 2017-09-05 06:26 - 000156160 _____ (Microsoft Corporation) C:\Windows\system32\csplte.dll
2017-09-15 08:42 - 2017-09-05 06:26 - 000142848 _____ (Microsoft Corporation) C:\Windows\system32\srpapi.dll
2017-09-15 08:42 - 2017-09-05 06:26 - 000124928 _____ (Microsoft Corporation) C:\Windows\system32\httpprxm.dll
2017-09-15 08:42 - 2017-09-05 06:26 - 000113152 _____ (Microsoft Corporation) C:\Windows\system32\wuuhosdeployment.dll
2017-09-15 08:42 - 2017-09-05 06:26 - 000064000 _____ (Microsoft Corporation) C:\Windows\system32\ntprint.exe
2017-09-15 08:42 - 2017-09-05 06:26 - 000022016 _____ (Microsoft Corporation) C:\Windows\system32\wpnpinst.exe
2017-09-15 08:42 - 2017-09-05 06:25 - 000584192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UIRibbonRes.dll
2017-09-15 08:42 - 2017-09-05 06:25 - 000527872 _____ (Microsoft Corporation) C:\Windows\system32\daxexec.dll
2017-09-15 08:42 - 2017-09-05 06:25 - 000064512 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-09-15 08:42 - 2017-09-05 06:25 - 000043520 _____ (Microsoft Corporation) C:\Windows\system32\TpmTasks.dll
2017-09-15 08:42 - 2017-09-05 06:25 - 000043520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\nsiproxy.sys
2017-09-15 08:42 - 2017-09-05 06:24 - 000385536 _____ (Microsoft Corporation) C:\Windows\system32\tpmvsc.dll
2017-09-15 08:42 - 2017-09-05 06:24 - 000353280 _____ (Microsoft Corporation) C:\Windows\system32\ntprint.dll
2017-09-15 08:42 - 2017-09-05 06:24 - 000334336 _____ (Microsoft Corporation) C:\Windows\system32\wc_storage.dll
2017-09-15 08:42 - 2017-09-05 06:24 - 000274432 _____ (Microsoft Corporation) C:\Windows\system32\authz.dll
2017-09-15 08:42 - 2017-09-05 06:24 - 000160768 _____ (Microsoft Corporation) C:\Windows\system32\dinput.dll
2017-09-15 08:42 - 2017-09-05 06:24 - 000109056 _____ (Microsoft Corporation) C:\Windows\system32\dab.dll
2017-09-15 08:42 - 2017-09-05 06:23 - 000739840 _____ (Microsoft Corporation) C:\Windows\system32\PhoneProviders.dll
2017-09-15 08:42 - 2017-09-05 06:23 - 000450048 _____ (Microsoft Corporation) C:\Windows\system32\bcdedit.exe
2017-09-15 08:42 - 2017-09-05 06:23 - 000433664 _____ (Microsoft Corporation) C:\Windows\system32\msIso.dll
2017-09-15 08:42 - 2017-09-05 06:23 - 000305152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netbt.sys
2017-09-15 08:42 - 2017-09-05 06:23 - 000140288 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2017-09-15 08:42 - 2017-09-05 06:23 - 000138752 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2017-09-15 08:42 - 2017-09-05 06:23 - 000128512 _____ (Microsoft Corporation) C:\Windows\system32\rasman.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 023684608 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000556032 _____ (Microsoft Corporation) C:\Windows\system32\TpmCoreProvisioning.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000527360 _____ (Microsoft Corporation) C:\Windows\system32\aadcloudap.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000477696 _____ (Microsoft Corporation) C:\Windows\system32\rasplap.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000413184 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000388096 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000329728 _____ (Microsoft Corporation) C:\Windows\system32\RasMediaManager.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000225792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-09-15 08:42 - 2017-09-05 06:22 - 000213504 _____ (Microsoft Corporation) C:\Windows\system32\dinput8.dll
2017-09-15 08:42 - 2017-09-05 06:22 - 000173568 _____ (Microsoft Corporation) C:\Windows\system32\inetpp.dll
2017-09-15 08:42 - 2017-09-05 06:21 - 001051136 _____ (Microsoft Corporation) C:\Windows\system32\nettrace.dll
2017-09-15 08:42 - 2017-09-05 06:21 - 000946688 _____ (Microsoft Corporation) C:\Windows\system32\rasgcw.dll
2017-09-15 08:42 - 2017-09-05 06:21 - 000773120 _____ (Microsoft Corporation) C:\Windows\system32\PhoneService.dll
2017-09-15 08:42 - 2017-09-05 06:21 - 000691712 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2017-09-15 08:42 - 2017-09-05 06:21 - 000422400 _____ (Microsoft Corporation) C:\Windows\system32\WpAXHolder.dll
2017-09-15 08:42 - 2017-09-05 06:20 - 007337472 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2017-09-15 08:42 - 2017-09-05 06:20 - 001878016 _____ (Microsoft Corporation) C:\Windows\system32\AzureSettingSyncProvider.dll
2017-09-15 08:42 - 2017-09-05 06:20 - 000925696 _____ (Microsoft Corporation) C:\Windows\system32\WpcWebFilter.dll
2017-09-15 08:42 - 2017-09-05 06:20 - 000412160 _____ (Microsoft Corporation) C:\Windows\system32\ActivationManager.dll
2017-09-15 08:42 - 2017-09-05 06:20 - 000282112 _____ (Microsoft Corporation) C:\Windows\system32\dnsrslvr.dll
2017-09-15 08:42 - 2017-09-05 06:20 - 000229888 _____ (Microsoft Corporation) C:\Windows\system32\SIHClient.exe
2017-09-15 08:42 - 2017-09-05 06:19 - 001260544 _____ (Microsoft Corporation) C:\Windows\system32\GamePanel.exe
2017-09-15 08:42 - 2017-09-05 06:19 - 001085440 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2017-09-15 08:42 - 2017-09-05 06:19 - 001028608 _____ (Microsoft Corporation) C:\Windows\system32\modernexecserver.dll
2017-09-15 08:42 - 2017-09-05 06:19 - 000996864 _____ (Microsoft Corporation) C:\Windows\system32\iphlpsvc.dll
2017-09-15 08:42 - 2017-09-05 06:19 - 000772096 _____ (Microsoft Corporation) C:\Windows\system32\PCPKsp.dll
2017-09-15 08:42 - 2017-09-05 06:19 - 000772096 _____ (Microsoft Corporation) C:\Windows\system32\netlogon.dll
2017-09-15 08:42 - 2017-09-05 06:19 - 000243712 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 012801536 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 004175872 _____ (Microsoft Corporation) C:\Windows\system32\StartTileData.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 002078720 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-09-15 08:42 - 2017-09-05 06:18 - 000922112 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000921600 _____ (Microsoft Corporation) C:\Windows\system32\rasdlg.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000874496 _____ (Microsoft Corporation) C:\Windows\system32\rasmans.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000864256 _____ (Microsoft Corporation) C:\Windows\system32\NotificationController.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000832000 _____ (Microsoft Corporation) C:\Windows\system32\printfilterpipelinesvc.exe
2017-09-15 08:42 - 2017-09-05 06:18 - 000803328 _____ (Microsoft Corporation) C:\Windows\system32\wcmsvc.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000752640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000564736 _____ (Microsoft Corporation) C:\Windows\system32\dsreg.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000339968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000257024 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000176640 _____ (Microsoft Corporation) C:\Windows\system32\wersvc.dll
2017-09-15 08:42 - 2017-09-05 06:18 - 000056832 _____ (Microsoft Corporation) C:\Windows\system32\cldapi.dll
2017-09-15 08:42 - 2017-09-05 06:17 - 002765824 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Shell.UnifiedTile.CuratedTileCollections.dll
2017-09-15 08:42 - 2017-09-05 06:17 - 001886208 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentExtensions.onecore.dll
2017-09-15 08:42 - 2017-09-05 06:17 - 001397760 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2017-09-15 08:42 - 2017-09-05 06:17 - 000757760 _____ (Microsoft Corporation) C:\Windows\system32\spoolsv.exe
2017-09-15 08:42 - 2017-09-05 06:16 - 002805248 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2017-09-15 08:42 - 2017-09-05 06:16 - 002680320 _____ (Microsoft Corporation) C:\Windows\system32\Windows.CloudStore.dll
2017-09-15 08:42 - 2017-09-05 06:16 - 000440320 _____ (Microsoft Corporation) C:\Windows\system32\windows.immersiveshell.serviceprovider.dll
2017-09-15 08:42 - 2017-09-05 06:16 - 000397312 _____ (Microsoft Corporation) C:\Windows\system32\rascustom.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 004396032 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_47.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 003307008 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 003059200 _____ (Microsoft Corporation) C:\Windows\system32\NetworkMobileSettings.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 002503680 _____ (Microsoft Corporation) C:\Windows\system32\twinui.pcshell.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 002055680 _____ (Microsoft Corporation) C:\Windows\system32\win32kbase.sys
2017-09-15 08:42 - 2017-09-05 06:15 - 001736704 _____ (Microsoft Corporation) C:\Windows\system32\wevtsvc.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 001460224 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 001293824 _____ (Microsoft Corporation) C:\Windows\system32\aadtb.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 001143296 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 001077248 _____ (Microsoft Corporation) C:\Windows\system32\twinui.appcore.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 000706560 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2017-09-15 08:42 - 2017-09-05 06:15 - 000664576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-09-15 08:42 - 2017-09-05 06:15 - 000232960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 011887104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 005557760 _____ (Microsoft Corporation) C:\Windows\system32\dbgeng.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 002445824 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 002177024 _____ (Microsoft Corporation) C:\Windows\system32\OpcServices.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 002006528 _____ (Microsoft Corporation) C:\Windows\system32\LocationFramework.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 001657344 _____ (Microsoft Corporation) C:\Windows\system32\XpsPrint.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 000986624 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 000827904 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2017-09-15 08:42 - 2017-09-05 06:14 - 000810496 _____ (Microsoft Corporation) C:\Windows\system32\rasapi32.dll
2017-09-15 08:42 - 2017-09-05 06:13 - 002009600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-09-15 08:42 - 2017-09-05 06:13 - 001802752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-09-15 08:42 - 2017-09-05 06:13 - 000407040 _____ (Microsoft Corporation) C:\Windows\system32\wuuhext.dll
2017-09-15 08:42 - 2017-09-05 06:12 - 002153984 _____ (Microsoft Corporation) C:\Windows\system32\wlidsvc.dll
2017-09-15 08:42 - 2017-09-05 06:11 - 000254976 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-09-15 08:42 - 2017-09-05 06:09 - 000268288 _____ (Microsoft Corporation) C:\Windows\system32\wisp.dll
2017-09-15 08:42 - 2017-09-05 06:07 - 000201728 _____ (Microsoft Corporation) C:\Windows\system32\RstrtMgr.dll
2017-09-15 08:42 - 2017-09-05 06:07 - 000061952 _____ (Microsoft Corporation) C:\Windows\system32\vss_ps.dll
2017-09-15 08:42 - 2017-09-05 06:06 - 000078848 _____ (Microsoft Corporation) C:\Windows\system32\offreg.dll
2017-09-15 08:42 - 2017-09-01 07:55 - 000031932 _____ C:\Windows\system32\edgehtmlpluginpolicy.bin
2017-09-06 01:44 - 2017-09-06 01:44 - 000000600 _____ C:\Users\Bach\Downloads\galileo-eniro-navionics.ms
2017-09-06 01:42 - 2017-09-06 01:42 - 000000395 _____ C:\Users\Bach\Downloads\galileo-navionics-sonar.ms
2017-09-06 01:41 - 2017-09-06 01:41 - 000000458 _____ C:\Users\Bach\Downloads\galileo-eniro_hybrid-2x.ms
2017-09-06 01:31 - 2017-09-06 01:31 - 000000264 _____ C:\Users\Bach\Downloads\galileo_fjallkartan.ms
2017-09-06 01:31 - 2017-09-06 01:31 - 000000169 _____ C:\Users\Bach\Downloads\gallileo-hitta-frilufts-2x.ms
2017-09-06 00:22 - 2017-09-06 00:22 - 000000258 _____ C:\Users\Bach\Downloads\galileo-eniro_sjokort-2x.ms
2017-09-05 19:40 - 2017-09-05 19:40 - 000079458 _____ C:\Users\Bach\Downloads\Torrsättning 2017_Bemanning_2017-09-04_Version 2.pdf
2017-09-04 15:55 - 2017-09-17 14:24 - 000002916 _____ C:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2012168036-945120212-3105423917-1002
2017-09-04 15:55 - 2017-09-04 15:55 - 000000000 ____D C:\Users\Bach\AppData\Roaming\Skype        (never used Skype)
2017-09-04 02:27 - 2017-09-04 02:27 - 337677872 _____ C:\Users\Christer\Documents\Networklist_Bredbandsbolaget.reg
2017-09-04 02:24 - 2017-09-04 02:24 - 000009884 _____ C:\Users\Christer\Documents\Networklist_Nla_Cache_Intranet_Bredbandsbolaget.reg   (An ISP never used by me)
2017-09-03 22:48 - 2017-09-03 22:48 - 000000279 _____ C:\Users\Christer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Papperskorg.lnk
2017-09-03 02:20 - 2017-09-03 02:20 - 000123930 _____ C:\Users\Bach\Downloads\BSB-demo.zip
2017-08-31 20:30 - 2017-08-31 20:30 - 000745623 _____ C:\Users\Bach\Desktop\GPSStatusProES.pdf
2017-08-31 03:08 - 2017-08-31 03:08 - 000367583 _____ C:\Users\Bach\Desktop\avc_android_201702_en.pdf
2017-08-31 01:11 - 2017-08-31 01:11 - 000495425 _____ C:\Users\Christer\Downloads\435___Villkor_BankID_(1600).pdf
2017-08-30 15:46 - 2017-08-30 15:46 - 000495423 _____ C:\Users\Bach\Desktop\Skandiabanken_villkor.pdf
2017-08-29 16:18 - 2017-08-29 16:19 - 000213402 _____ C:\Users\Bach\Desktop\Torrsättning 2017_Bemanning_2017-08-28_Version 1.pdf
2017-08-23 22:59 - 2017-08-23 22:59 - 000773108 _____ C:\Users\Bach\Desktop\lenovo_tab_2_a10-70_ug_sv_v1.0_201503.pdf
2017-08-23 13:05 - 2017-08-23 13:10 - 000008696 _____ C:\Users\Bach\Desktop\Torrsättning 2017_Bemanning_2017-08-14_Christer_Kamb.xlsx
2017-08-23 12:48 - 2017-08-23 12:48 - 000550784 _____ C:\Users\Bach\Desktop\Torr- och sjösättningsplan_Arbetsdagar_2017-08-14_UTKAST.pdf
2017-08-22 23:10 - 2017-08-22 23:10 - 001238739 _____ C:\Users\Bach\Downloads\quick-charge-device-list.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-19 18:20 - 2017-04-13 22:58 - 000000000 ____D C:\Users\Christer\AppData\LocalLow\Mozilla
2017-09-19 18:17 - 2017-04-29 13:59 - 000000000 ____D C:\Program Files\WhoCrashed
2017-09-19 18:16 - 2017-04-19 11:09 - 010916727 _____ C:\Users\Bach\Documents\Multi Product_CFDs.cs2
2017-09-19 18:16 - 2017-04-14 21:10 - 001452500 _____ C:\Windows\ntbtlog.txt
2017-09-19 18:16 - 2017-04-13 14:23 - 000000000 ____D C:\ProgramData\ASUS Smart Gesture
2017-09-19 18:16 - 2017-04-12 00:31 - 000000000 ____D C:\Users\Bach
2017-09-19 18:16 - 2017-04-10 18:32 - 000000000 __SHD C:\Users\Christer\IntelGraphicsProfiles
2017-09-19 18:16 - 2017-04-10 18:31 - 000000180 _____ C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-09-19 17:07 - 2017-04-12 00:31 - 000000000 __SHD C:\Users\Bach\IntelGraphicsProfiles
2017-09-19 17:07 - 2017-04-10 18:17 - 000000000 ____D C:\Users\Christer
2017-09-19 17:00 - 2017-04-10 18:03 - 000000000 ____D C:\Windows\system32\SleepStudy
2017-09-19 15:52 - 2017-04-14 19:00 - 000192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-09-19 15:51 - 2017-04-14 18:59 - 000109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-09-19 15:51 - 2017-04-11 23:21 - 000000000 ____D C:\Users\Christer\Desktop\Säkerhet
2017-09-19 15:42 - 2017-04-18 03:36 - 000000000 ____D C:\Users\Christer\AppData\Local\CrashDumps
2017-09-19 15:33 - 2017-04-10 18:12 - 004759090 _____ C:\Windows\system32\PerfStringBackup.INI
2017-09-19 15:33 - 2017-03-20 06:03 - 002289460 _____ C:\Windows\system32\perfh01D.dat
2017-09-19 15:33 - 2017-03-20 06:03 - 000610296 _____ C:\Windows\system32\perfc01D.dat
2017-09-19 15:29 - 2017-04-26 02:54 - 1017747944 _____ C:\Windows\MEMORY.DMP
2017-09-19 15:29 - 2017-04-26 02:54 - 000000000 ____D C:\Windows\Minidump
2017-09-19 15:29 - 2017-04-10 18:03 - 000303280 _____ C:\Windows\system32\FNTCACHE.DAT
2017-09-19 15:29 - 2017-04-10 18:03 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-19 11:37 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\AppReadiness
2017-09-19 11:22 - 2017-04-11 23:37 - 000007666 _____ C:\Users\Christer\AppData\Local\resmon.resmoncfg
2017-09-19 11:22 - 2017-03-18 13:40 - 001048576 _____ C:\Windows\system32\config\BBI
2017-09-19 09:59 - 2017-03-18 23:03 - 000000000 ___HD C:\Program Files\WindowsApps
2017-09-19 00:11 - 2017-04-17 22:19 - 000000000 ____D C:\Windows\Microsoft Antimalware
2017-09-18 23:22 - 2017-04-12 16:07 - 000000000 ____D C:\AdwCleaner
2017-09-18 22:56 - 2017-04-11 23:20 - 000000000 ____D C:\Users\Christer\Desktop\BSOD
2017-09-18 22:51 - 2017-04-10 18:17 - 000000000 __RHD C:\Users\Public\AccountPictures
2017-09-18 22:30 - 2017-03-18 23:01 - 000000000 ____D C:\Windows\INF
2017-09-18 21:43 - 2017-04-19 11:09 - 010921961 _____ C:\Users\Bach\Documents\Multi Product_CFDs.bs2
2017-09-18 18:36 - 2017-04-15 17:35 - 000000000 ____D C:\Users\Bach\AppData\Local\Spotify
2017-09-18 17:47 - 2017-04-15 17:35 - 000000000 ____D C:\Users\Bach\AppData\Roaming\Spotify
2017-09-18 17:42 - 2017-04-12 14:38 - 000000000 ____D C:\Users\Christer\AppData\Roaming\MusicBee
2017-09-18 15:36 - 2017-04-12 15:03 - 000000000 ____D C:\Users\Bach\AppData\Roaming\MusicBee
2017-09-17 21:03 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\rescache
2017-09-17 14:01 - 2017-04-12 01:43 - 000000000 ____D C:\Users\Bach\Desktop\Säkerhet
2017-09-16 10:03 - 2017-04-21 00:06 - 000000000 ____D C:\Users\Bach\AppData\Local\CrashDumps
2017-09-15 17:11 - 2017-03-20 06:03 - 000000000 ____D C:\Windows\system32\sv
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ___SD C:\Windows\SysWOW64\F12
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ___SD C:\Windows\system32\F12
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\SysWOW64\setup
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\system32\WinBioPlugIns
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\system32\setup
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\ShellExperiences
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2017-09-15 17:11 - 2017-03-18 23:03 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2017-09-15 15:53 - 2017-04-10 18:32 - 000000000 ____D C:\Windows\system32\MRT
2017-09-15 15:51 - 2017-04-10 18:32 - 138202976 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-09-15 15:51 - 2017-03-18 22:51 - 000000000 ____D C:\Windows\CbsTemp
2017-09-15 08:16 - 2017-04-12 00:32 - 000002360 _____ C:\Users\Bach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-09-15 08:16 - 2017-04-12 00:32 - 000000000 ___RD C:\Users\Bach\OneDrive
2017-09-15 08:14 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-09-15 08:14 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\system32\Macromed
2017-09-04 13:31 - 2017-04-27 13:26 - 000000000 ____D C:\Users\Bach\Documents\Båt
2017-09-04 02:10 - 2017-04-11 23:21 - 000000000 ____D C:\Users\Christer\Desktop\Nätskanning
2017-09-04 00:04 - 2017-04-14 21:18 - 000000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-09-03 12:21 - 2017-08-17 21:27 - 000000000 ____D C:\ProgramData\opencpn
2017-09-02 17:15 - 2017-03-18 23:06 - 000835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-09-02 17:15 - 2017-03-18 23:06 - 000177656 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-08-31 00:32 - 2017-04-14 17:53 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2017-08-30 15:51 - 2017-04-18 22:28 - 000000000 ____D C:\Users\Bach\AppData\Roaming\BankID
2017-08-30 15:48 - 2017-04-15 14:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BankID säkerhetsprogram
2017-08-30 15:48 - 2017-04-15 14:45 - 000000000 ____D C:\Program Files (x86)\BankID
2017-08-28 10:04 - 2017-04-23 11:37 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-08-28 10:04 - 2017-04-13 22:57 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-08-26 01:57 - 2017-04-15 12:39 - 000000000 ____D C:\Users\Bach\AppData\LocalLow\Mozilla
2017-08-20 02:42 - 2017-08-18 00:35 - 000000000 ____D C:\Users\Bach\Documents\Charts

==================== Files in the root of some directories =======

2017-04-13 00:28 - 2017-04-28 20:10 - 000000031 _____ () C:\Program Files\plugins.dat
2017-04-11 23:37 - 2017-09-19 11:22 - 000007666 _____ () C:\Users\Christer\AppData\Local\resmon.resmoncfg
2017-04-10 18:30 - 2017-04-10 18:30 - 000000000 ____H () C:\ProgramData\DP45977C.lfl                (new clean installation)

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-09-16 14:46

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-09-2017 01
Ran by Christer (19-09-2017 19:04:18)
Running from C:\Users\Christer\Desktop
Windows 10 Home Version 1703 (X64) (2017-04-10 16:08:20)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administratör (S-1-5-21-2012168036-945120212-3105423917-500 - Administrator - Disabled)
Bach (S-1-5-21-2012168036-945120212-3105423917-1002 - Limited - Enabled) => C:\Users\Bach
Christer (S-1-5-21-2012168036-945120212-3105423917-1001 - Administrator - Enabled) => C:\Users\Christer      (seems hardcoded, can't change username)
DefaultAccount (S-1-5-21-2012168036-945120212-3105423917-503 - Limited - Disabled)
Gäst (S-1-5-21-2012168036-945120212-3105423917-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.130 - Adobe Systems Incorporated)
ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 4.0.18 - ASUS)
ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0039 - ASUS)
BankID security application (HKLM-x32\...\{77B5BCDC-5496-48DA-8B16-5EE2AF08CA31}) (Version: 7.4.0.26 - Finansiell ID-Teknik BID AB)
CCleaner (HKLM\...\CCleaner) (Version: 5.29 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 2017.4 - Emsisoft Ltd.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 8.2.1.6871 - Foxit Software Inc.)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4549 - Intel Corporation)
LatencyMon 6.51 (HKLM\...\LatencyMon_is1) (Version:  - Resplendence Software Projects Sp.)
LibreOffice 5.3 Help Pack (Swedish) (HKLM-x32\...\{55A38A46-5265-4918-9A6D-6659CB9040FB}) (Version: 5.3.2.2 - The Document Foundation)
LibreOffice 5.3.2.2 (HKLM-x32\...\{8DA98699-6AD4-49CF-A9A0-B5E7B7981BE6}) (Version: 5.3.2.2 - The Document Foundation)
Malwarebytes Anti-Exploit version 1.10.1.24 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.10.1.24 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mozilla Firefox 55.0.3 (x64 sv-SE) (HKLM\...\Mozilla Firefox 55.0.3 (x64 sv-SE)) (Version: 55.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 55.0.3.6445 - Mozilla)
MSVC80_x64_v2 (HKLM\...\{4D668D4F-FAA2-4726-834C-31F4614F312E}) (Version: 1.0.3.0 - Nokia) Hidden            (my hijacked phone)
MSVC80_x86_v2 (HKLM-x32\...\{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}) (Version: 1.0.3.0 - Nokia) Hidden
MSVC90_x64 (HKLM\...\{AB071C8B-873C-459F-ACA9-9EBE03C3E89B}) (Version: 1.0.1.2 - Nokia) Hidden
MSVC90_x86 (HKLM-x32\...\{AF111648-99A1-453E-81DD-80DBBF6DAD0D}) (Version: 1.0.1.2 - Nokia) Hidden
MusicBee 3.0 (HKLM-x32\...\MusicBee) (Version: 3.0 - Steven Mayall)
Nokia Connectivity Cable Driver (HKLM-x32\...\{29373274-977E-413C-A4DE-DC0F8E80C429}) (Version: 7.1.172.0 - Nokia)
Nokia Suite (HKLM-x32\...\{88B6F9DE-C80F-4A70-ACF6-BEE933679170}) (Version: 3.8.54.0 - Nokia) Hidden       (why hidden?)
Nokia Suite (HKLM-x32\...\Nokia Suite) (Version: 3.8.54.0 - Nokia)
NVIDIA Graphics Driver 359.46 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 359.46 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
OpenCPN 4.8.0 (HKLM-x32\...\OpenCPN 4.8.0) (Version: 4.8.0 - opencpn.org)
Panda USB Vaccine 1.0.1.16 (HKLM-x32\...\{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1) (Version:  - Panda Security)
PC Connectivity Solution (HKLM-x32\...\{6D01D1B1-17BD-4F10-BB11-F08F0C47D42B}) (Version: 12.0.109.0 - Nokia)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7571 - Realtek Semiconductor Corp.)
Revo Uninstaller 2.0.3 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.3 - VS Revo Group, Ltd.)
SaxoTrader 2 (HKLM-x32\...\{024D66E9-D50C-44A7-92B4-2DFDDD95D228}) (Version: 0.0.0.0 - Saxo Bank)
Squid from Great Circle (HKLM-x32\...\Squid) (Version:  - )
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1240 - SUPERAntiSpyware.com)
WhoCrashed 5.54 (HKLM\...\WhoCrashed_is1) (Version:  - Resplendence Software Projects Sp.)
Windows Driver Package - Nokia pccsmcfd LegacyDriver  (05/31/2012 7.1.2.0) (HKLM\...\62BBD193ADFDBB228C7E1ADB56463F5732FF7F6F) (Version: 05/31/2012 7.1.2.0 - Nokia)
Zoner Photo Studio 15 (HKLM\...\ZonerPhotoStudio15_DE_is1) (Version: 15.0.1.7 - ZONER software)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers1: [Foxit_ConvertToPDF_Reader] -> {A94757A0-0226-426F-B4F1-4DF381C630D3} => C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\ConvertToPDFShellExtension_x64.dll [2017-02-15] (Foxit Software Inc.)
ContextMenuHandlers2-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers2-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [2016-03-10] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\Windows\system32\igfxDTCM.dll [2016-11-30] (Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2016-02-15] (NVIDIA Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [Foxit_ConvertToPDF_Reader] -> {A94757A0-0226-426F-B4F1-4DF381C630D3} => C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\ConvertToPDFShellExtension_x64.dll [2017-02-15] (Foxit Software Inc.)
ContextMenuHandlers6-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [2016-03-10] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {3D8C9E81-CA7D-4B9D-AAE0-219BEDAD03E9} - System32\Tasks\S-1-5-21-2012168036-945120212-3105423917-1001\DataSenseLiveTileTask => C:\Windows\System32\DataUsageLiveTileTask.exe [2017-03-18] (Microsoft Corporation)
Task: {4AB5627A-C3AF-472D-9712-7231A5F6B039} - System32\Tasks\S-1-5-21-2012168036-945120212-3105423917-1002\DataSenseLiveTileTask => C:\Windows\System32\DataUsageLiveTileTask.exe [2017-03-18] (Microsoft Corporation)
Task: {4DC28994-C5BD-4D63-9F33-FE143F24CCB3} - System32\Tasks\ATK Package 36D18D69AFC3 => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\SimAppExec.exe [2015-03-10] (ASUSTek Computer Inc.)
Task: {6740FD74-F905-4C72-89C1-7912524C629B} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [2015-11-10] (Realtek Semiconductor)
Task: {7370D6B0-1B13-46C3-BDD2-A56217739B59} - System32\Tasks\PandaUSBVaccine => C:\Program Files (x86)\Panda USB Vaccine\RunInteractiveWin.exe [2010-06-01] ()
Task: {7A215DD8-21B6-4C10-9823-A7F43874D998} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-09-15] (Adobe Systems Incorporated)
Task: {84E8A23D-B25D-499A-870A-680A0B1D60BE} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2012168036-945120212-3105423917-1002 => C:\Users\Christer\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Task: {9A8A039D-AFDD-4BC1-8D62-DDECC3360346} - System32\Tasks\RtHDVBg_ListenToDevice => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2015-11-10] (Realtek Semiconductor)
Task: {9C324904-2ABC-4B3A-89E6-E741C7AF4C00} - System32\Tasks\RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2015-11-10] (Realtek Semiconductor)
Task: {A29DF642-6A0F-4273-8EAD-8DE0A5E15EAA} - System32\Tasks\ASUS Smart Gesture Launcher => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [2017-03-09] (AsusTek)
Task: {F498BCDE-5183-47BF-964B-985D3C76EF01} - System32\Tasks\ATK Package A22126881260 => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\SimAppExec.exe [2015-03-10] (ASUSTek Computer Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-04-10 18:26 - 2016-02-15 09:25 - 000133056 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2017-03-18 22:58 - 2017-03-18 22:58 - 000138000 _____ () C:\Windows\SYSTEM32\inputhost.dll
2016-11-30 21:57 - 2016-11-30 21:57 - 000401888 _____ () C:\Windows\system32\igfxTray.exe
2017-03-18 22:59 - 2017-03-20 06:05 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-04-29 13:59 - 2017-05-09 11:53 - 000112112 _____ () C:\Program Files\WhoCrashed\WhoCrashed32.dll
2017-04-29 13:59 - 2017-05-09 11:53 - 000359408 _____ () C:\Program Files\WhoCrashed\rspSymSrv32.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-03-18 23:03 - 2017-03-18 23:01 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2012168036-945120212-3105423917-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Christer\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKU\S-1-5-21-2012168036-945120212-3105423917-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-2012168036-945120212-3105423917-1001\...\StartupApproved\Run: => "SUPERAntiSpyware"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{F19D5E75-A88C-4A1E-A0AE-02758375AAFA}C:\users\bach\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\bach\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{B844F69C-E7F0-4E76-895E-4FB63B064235}C:\users\bach\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\bach\appdata\roaming\spotify\spotify.exe
FirewallRules: [{4C53C309-7FF8-4EF7-9273-1328A5DCB65A}] => (Allow) C:\users\bach\appdata\roaming\spotify\spotify.exe
FirewallRules: [{708DA401-FF00-42AB-96E5-FE44E27F181D}] => (Allow) C:\users\bach\appdata\roaming\spotify\spotify.exe
FirewallRules: [{1E9C20F6-B5AE-4EA2-9794-994DE3BE1AB4}] => (Allow) C:\Program Files (x86)\nokia\nokia suite\nokiasuite.exe
FirewallRules: [{8409B4AD-120F-4A1A-964D-49451CF119A4}] => (Allow) C:\Program Files (x86)\Common Files\nokia\service layer\a\nsl_host_process.exe   (my phone's radio often disturbs my computer)
FirewallRules: [TCP Query User{57342529-6AC8-4EEA-BE70-D2C0F8A8D0EF}C:\program files\mozilla firefox\firefox.exe] => (Allow) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{1626D882-7FD2-4731-9226-D6A9E136CE6D}C:\program files\mozilla firefox\firefox.exe] => (Allow) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{753B8707-D23C-4FE2-84AD-7AA9F599F28F}C:\program files (x86)\opencpn\opencpn.exe] => (Allow) C:\program files (x86)\opencpn\opencpn.exe
FirewallRules: [UDP Query User{8A790CF4-1280-41F4-AD5A-F15CC00FC0C8}C:\program files (x86)\opencpn\opencpn.exe] => (Allow) C:\program files (x86)\opencpn\opencpn.exe
FirewallRules: [{0D72E5A9-4ED7-45F8-BE75-8E01D3DC3253}] => (Allow) C:\Program Files (x86)\Common Files\nokia\service layer\a\nsl_host_process.exe
FirewallRules: [{7B2D5BAF-33E7-4DD8-9A34-864849432DF7}] => (Allow) C:\Program Files (x86)\Common Files\nokia\service layer\a\nsl_host_process.exe
FirewallRules: [{3BB654B6-754C-4F06-A74D-F7BC39956653}] => (Allow) C:\Program Files (x86)\nokia\nokia suite\nokiasuite.exe
FirewallRules: [{2FD0C7A0-00D7-4029-970A-4C9307CF8D61}] => (Allow) C:\Program Files (x86)\nokia\nokia suite\nokiasuite.exe

==================== Restore Points =========================

17-09-2017 14:04:22 JRT Pre-Junkware Removal
18-09-2017 11:00:01 Windows Backup
18-09-2017 23:50:56 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/19/2017 03:42:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe.exe, version: 2.2.19882.0, time stamp: 0x56e2cdca
, faulting module name: iexplore.exe.exe, version: 2.2.19882.0, time stamp: 0x56e2cdca
Exception code: 0xc0000005
Fault offset: 0x0008de57
Faulting process ID: 0x199c
Faulting application start time: 0x01d3314c1a583563
Faulting application path: C:\Users\Christer\Desktop\Säkerhet\iexplore.exe.exe                      (=gmer)
Faulting module path: C:\Users\Christer\Desktop\Säkerhet\iexplore.exe.exe
Report ID: 98f1509a-a215-4329-9062-7bb0d5daf38b
Faulting package full name:
Faulting package-relative application ID:

Error: (09/19/2017 02:42:43 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: The Windows Search Service could not process the list of included and excluded locations. Error: <30, 0x80040d07, "iehistory://{S-1-5-21-2012168036-945120212-3105423917-1001}/">

Error: (09/19/2017 01:42:53 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: The Windows Search Service could not process the list of included and excluded locations. Error: <30, 0x80040d07, "iehistory://{S-1-5-21-2012168036-945120212-3105423917-1001}/">

Error: (09/18/2017 11:27:11 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW. hr = 0x80070006, The handle is invalid.
.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (09/18/2017 11:25:11 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW. hr = 0x80070006, The handle is invalid.
.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (09/18/2017 10:57:35 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: The Windows Search Service could not process the list of included and excluded locations. Error: <30, 0x80040d07, "iehistory://{S-1-5-21-2012168036-945120212-3105423917-1001}/">

Error: (09/17/2017 02:26:30 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: The Windows Search Service could not process the list of included and excluded locations. Error: <30, 0x80040d07, "iehistory://{S-1-5-21-2012168036-945120212-3105423917-1002}/">

Error: (09/16/2017 10:10:41 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 10.0.15063.0, time stamp: 0x02799ef5
, faulting module name: ntdll.dll, version: 10.0.15063.608, time stamp: 0x8274fd8b
Exception code: 0xc0000409
Fault offset: 0x00000000000aa020
Faulting process ID: 0x1310
Faulting application start time: 0x01d32ec19a172b55
Faulting application path: c:\windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report ID: ca809ee8-15ca-4463-8323-b326e14587d8
Faulting package full name:
Faulting package-relative application ID:

Error: (09/16/2017 10:03:13 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SearchUI.exe, version: 10.0.15063.332, time stamp: 0x591fdafc
, faulting module name: EdgeManager.dll, version: 11.0.15063.0, time stamp: 0x58a670ce
Exception code: 0xc0000005
Fault offset: 0x000000000000983d
Faulting process ID: 0x1870
Faulting application start time: 0x01d32ec23e15561f
Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Faulting module path: C:\Windows\SYSTEM32\EdgeManager.dll
Report ID: 089351bd-6012-431f-9d45-d938ec538c2c
Faulting package full name: Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: CortanaUI

Error: (09/16/2017 10:03:10 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_AppReadiness, version: 10.0.15063.0, time stamp: 0x02799ef5
, faulting module name: ntdll.dll, version: 10.0.15063.608, time stamp: 0x8274fd8b
Exception code: 0xc0000374
Fault offset: 0x00000000000f775f
Faulting process ID: 0x15e0
Faulting application start time: 0x01d32ec237cab1ff
Faulting application path: C:\Windows\System32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report ID: a3267735-d739-41be-90f6-5cec3cd721a9
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (09/19/2017 04:19:41 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:19:41 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:19:41 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:19:41 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:19:41 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:19:41 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:12:44 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:12:44 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:12:44 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (09/19/2017 04:12:44 PM) (Source: DCOM) (EventID: 10016) (User: NOTEBOOK-1F9FAJ)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{9E175B6D-F52A-11D8-B9A5-505054503030}
 and APPID
{9E175B9C-F52A-11D8-B9A5-505054503030}
 to the user NOTEBOOK-1F9FAJ\Christer SID (S-1-5-21-2012168036-945120212-3105423917-1001) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


CodeIntegrity:
===================================
  Date: 2017-09-19 18:16:47.173
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 17:07:59.079
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 17:02:55.034
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 16:26:25.798
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 16:07:17.732
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 15:39:36.698
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 15:39:36.640
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 15:30:06.162
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\dllhost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-09-19 14:58:54.138
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-09-19 12:02:26.064
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™ i7-4710HQ CPU @ 2.50GHz
Percentage of memory in use: 40%
Total physical RAM: 8075 MB
Available physical RAM: 4783.17 MB
Total Virtual: 9355 MB
Available Virtual: 6218.43 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:280 GB) (Free:232.22 GB) NTFS
Drive d: (Data) (Fixed) (Total:398.07 GB) (Free:369 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 73330889)

Partition: GPT.

========================================================
Disk: 1 (Size: 22.4 GB) (Disk ID: 73330895)

Partition: GPT.

==================== End of Addition.txt ============================
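The FRST sections above (signature checks on the core binaries under "Bamital & volsnap", the CodeIntegrity signing-level events, the account list, the scheduled tasks and the firewall allow rules) can be re-verified with nothing but built-in cmdlets. The script below is an added example, not part of the poster's logs or of FRST itself. It assumes an elevated PowerShell 5.1 prompt on Windows 10; the file list is copied from the log, the CodeIntegrity log name is the standard Microsoft-Windows-CodeIntegrity/Operational channel, and the function names are my own.

```powershell
# Added triage example (not from the FRST output above). Run from an elevated
# PowerShell 5.1 prompt on Windows 10. It re-checks, with in-box cmdlets, what
# FRST reported: signatures on the core binaries, CodeIntegrity signing-level
# events, local accounts, scheduled-task actions and inbound allow rules.

# The same files FRST verified under "Bamital & volsnap".
$CoreBinaries = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Test-CoreBinarySignatures {
    # Get-AuthenticodeSignature also resolves catalog signatures, which is how
    # most in-box Windows binaries are signed (SignatureType = Catalog).
    foreach ($path in $CoreBinaries) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'MISSING'; Signer = $null; Type = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status            # anything but 'Valid' deserves a closer look
            Signer = $sig.SignerCertificate.Subject
            Type   = $sig.SignatureType     # Catalog or Embedded
        }
    }
}

function Get-SigningLevelEvents {
    param([int]$Max = 20)
    # The "did not meet the ... signing level requirements" entries FRST lists
    # come from the CodeIntegrity operational log. Match on the message text
    # rather than on one event ID so the query does not depend on the ID.
    Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*signing level requirements*' } |
        Select-Object -First $Max TimeCreated, Id, Message
}

function Get-TaskActions {
    # Resolve every enabled task to the executable it actually launches; that
    # is what decides whether a task is legitimate, not its display name.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{
                    Task      = "$($_.TaskPath)$($_.TaskName)"
                    Execute   = $a.Execute
                    Arguments = $a.Arguments
                }
            }
        }
    }
}

function Get-AllowedInboundPrograms {
    # Enabled inbound allow rules and the program each rule is bound to.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program }
    }
}

# Usage: run each check and compare the output against the FRST log.
Test-CoreBinarySignatures | Format-Table -AutoSize
Get-LocalUser | Select-Object Name, Enabled, SID | Format-Table -AutoSize
Get-SigningLevelEvents | Format-Table -Wrap
Get-TaskActions | Sort-Object Task | Format-Table -AutoSize
Get-AllowedInboundPrograms |
    Where-Object { $_.Program -and $_.Program -ne 'Any' } |
    Sort-Object Program -Unique | Format-Table -AutoSize
```

A signature status other than Valid on one of the core binaries, a task whose Execute path points into a user profile or temp directory, or an inbound allow rule bound to a program you do not recognise are the findings worth following up. The CodeIntegrity events in the log above name a2hooks64.dll under the Emsisoft install directory, so on this machine they reflect the installed anti-malware hooking into svchost.exe and dllhost.exe rather than an unknown module.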




#2 rogerthat69 (Topic Starter, Members, 31 posts)

Posted 20 September 2017 - 09:35 AM

Some more info:

* Tried today to download and run TDSSKiller. Renamed it in different ways, incl. iexplore.com/.exe. It never started, with or without AV or Internet. Have not tried safe boot yet though.

* Amazing to get wifi problems when I today tried to connect to Bleeping Computer. Could be a coincidence of course!

* Did reinstall my wifi net adapter. Went well, but download speed is still awfully low. "Max" 2-5 Mbit/s measured. Real DL speed is often around 100-200 Kbit/s from e.g. the US. Upload speed is 10-20 times higher!!

* The system makes it hard for me to manually connect to the Internet. If I uncheck the box "connect automatically", the system (after re-installation) won't let me connect manually. When I did some error searching and forced it not to accept "automatic connectivity", all network adapters disappeared with a notice of a forced computer restart. After the restart the adapters were re-installed, but wifi demanded "automatic connectivity" again. Do I have to go into the registry to get a manual connection?

* In the Farbar reports above I mentioned an ISP, neither contracted nor used for networking, regarding the phone hijacking. This ISP (Bredbandsbolaget) was the receiver (the same company is also a cellphone operator) of data from my phone. Data was sent as a text message to a text-message number (short number). All tracks/links in the registry are of course deleted (but copied for the police, as is my phone data).
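The "connect automatically" behaviour asked about above is a per-profile setting of the saved Wi-Fi profile, and it can be switched with netsh without touching the registry. The snippet is an added example, not part of the thread; it assumes an elevated PowerShell prompt on Windows 10 and uses a placeholder profile name (MyHomeWifi) that you replace with one of the names printed by "netsh wlan show profiles".

```powershell
# Added example (not from the thread). Switch a saved Wi-Fi profile from
# automatic to manual connection with netsh; no registry editing needed.
# $ProfileName is an assumed placeholder; use a name listed by
# "netsh wlan show profiles".
param([string]$ProfileName = 'MyHomeWifi')

# List saved profiles, then show the chosen one (look for "Connection mode").
netsh wlan show profiles
netsh wlan show profile name="$ProfileName"

# Require a manual connect from now on (connectionmode=auto reverses this).
netsh wlan set profileparameter name="$ProfileName" connectionmode=manual

# Connect on demand when the link is actually wanted.
netsh wlan connect name="$ProfileName"
```

Save the block as a .ps1 and run it with the real profile name; afterwards "netsh wlan show profile" for that name should report the connection mode as manual, and the adapter will only associate when told to.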



#3 HelpBot (Bleepin' Binary Bot, Bots, 12,743 posts)

Posted 24 September 2017 - 05:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/657897 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 rogerthat69

rogerthat69
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 28 September 2017 - 01:38 PM

Hi Bleeping-Robot and thank you for responding to my problems,

 

Step 2, Item 1: a clear description of the problems you're having, along with any steps you may have performed so far.

My computer system is showing signs of instability, i.e. latency problems, programs suddenly shutting down, but also different BSODs.

A)

But the first and most important measure is to confirm whether or not my computer is compromised by "alien" remote connections. If confirmed I would like help to disable those connections and secure my computer. Even though I am hardly a computer expert, some events do not look like typical runtime or syntax errors. Especially when you see certain kinds of basic settings change and you are sure you are not guilty yourself. I.e.: My machine was suddenly set up as a Wifi Hot Spot but, even worse, "at least as many as 5" MS Wifi Direct Virtual Adapters (Ethernet 802.3) have been installed on my system as drivers for a hosted network. I guess that is a confirmation that my internet has been shared!! I have not only disallowed/disabled Wifi Direct, I have removed it using NETSH. Still all 5 adapters are installed. One of them shows a MAC address that I am not familiar with! The strangest thing is that none of the wifi adapters, incl. a Teredo Tunneling Adapter and a RAS Async Adapter (shown by the "Systeminfo" service), show up in "Device Manager"?? Could that be a correlated sign that my NDIS driver is not working properly (confirmed with severe interrupt latency)? Other drivers also show serious latency problems. Here is one of the "intruders" (interface adapters) that I spotted in Network and Sharing Center (info from registry): Direct-QiNotebook-1F9FAJmsSH. By the way, I never connect to external/other wifi networks with this computer.

I am also worried about my general wifi security. When I am changing my ASUS wifi router settings my wifi passwords are displayed in public on screen directly upon the wifi disconnection/log-out. ASUS (routers) don't use https by the way. Have seen an "alien" computer name in the router log.

Another sign of "security failure" is when my normal user account Bach can share (i.e. read) all files of the Administrator account. I have changed back to my default settings (from the re-installation in April) again, but this is the second time I noticed that "someone (-thing) else" changed the settings.

As said in my first post I have not found any malware or viruses (only some PUPs). But I mentioned that many security programs could not start at all lately. I had to re-install them. The rootkit programs from Avast and GMER could not run at all??? Now I have noticed that other non-security programs not run for some time also have running problems (i.e. Foxit and LibreOffice). They seem to work again after reinstallation.

So what is to be said about my Remote Desktop Plugin (first post above) RDS AppX Plugin? I have not installed it. How do I get rid of it? I guess it is an ActiveX-based program not possible to run on my browser Firefox (not seen anything there). ActiveX has to run on Internet Explorer (11) I suppose. The first thing I did was to remove IE from Windows 8.1 but still IE runs somewhere!! I have a rather small IE folder where I find an installation of an IE add-on from 2017-05-20 (ieinstall.exe 472 Kb). I have, as far as I know, only one program that needs IE. That is SaxoTrader2 which runs on remote computers (connected on a certain port + 80 and 443). There is no data in the IE or Saxo folder indicating any Remote Desktop application/installation with this plug-in name. In the Saxo folder lie mainly dll files. The plug-in is always activated between Windows sessions. Only when I restart (session 0) the computer does the plug-in have to be re-implemented (according to Terminal Services). This is happening without calling/starting the Saxo program (or logging in). There is no trace of the plug-in in the registry except for this:

Dator\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{d2e990da-8504-4702-a5e5-367fc2f823bf}: %SystemRoot%\system32\RDSAppXHelper.dll

I read RDP connections normally go over port 3389 but I have seen no traffic there to my knowledge. Searching on the above provider gives nothing. Only this regarding XML events: about installing problems for Windows Store Apps.

<Provider Name="Microsoft-Windows-All-User-Install-Agent" Guid="{D2E990DA-8504-4702-A5E5-367FC2F823BF}" />

I have a lot of Windows Store errors in my Event Viewer. When I search on Google for RDSAppXPlugin or now the above provider name I get redirected to the same https Ads page! But only for the first search. Every time I try to log in to your site (my account) I get redirected with the message that I use wrong user data/password. I always get logged in first on my 2nd try.

I tested to inactivate most Remote Services (except i.e. RDP) like Remote Registry, Remote Desktop etc. but they start anyway. Hmmm...

B)

Latency questions could be put on hold until A is resolved. Maybe as a separate post under a different headline in this forum. From a Webroot analysis I also know Firefox has possible memory leaks.

C)

Powershell startup and the (access denied) registry notations (see first post above) should be investigated. As far as I understand Windows Explorer never lets Powershell exit according to key settings in folder & file and drive in the "background menu". It also seems like there is a file-ownership startup here which has made changes to encryption settings. Very strange indeed. These startups were never there after Win 8.1 or Win 10 installations.

Step 2: Steps I have taken so far since posts 1 and 2 above

A)

Contacted Saxo for info about RDSAppXPlugin. No answer.

B)

I have run LatencyMon. Several drivers are affected by high (ndis very high) ISR and DPC execution times. Listening to radio or playing back music is accompanied by buffering interrupts and constant cracks. Just moving my USB radio mouse (after being still for a while) disturbs the system (also music). Apart from these annoying effects, incl. periods of interruptions in my LAN connection (adapter), I think most actions in my computer are delayed more or less. I can live with them but I am afraid it is slowly worsening. Maybe I have real hardware defects? I am going to do more memory tests as well as tests on my HDD.

I have done cleanmgr /sageset:1 and cleanmgr /sagerun:1, ran DISM checkhealth and sfc /scannow (nothing), defrag c: /h, chkdsk c: /b (no bad clusters but;

Stage 3: Examining security descriptors ...
Cleaning up 2200 unused index entries from index $SII of file 0x9.
Cleaning up 2200 unused index entries from index $SDH of file 0x9.
Cleaning up 2200 unused security descriptors.
Security descriptor verification completed.

I have also run Driver Verifier on non-MS drivers for 3 days. No obvious problems but I can't tell really. Most important, no BSODs.

Enclosed you will find my system info in a Speccy txt-file report (adjusted for wifi access points and security settings). Since this is a Home system it is not easy to check security (no Policy Manager, i.e.) and understand what is default and normal and what is not.

C)

I have temporarily disabled MalwareBytes anti-rootkit Anti-Exploit64. Some time ago I had problems running this app with Firefox.

I have not retried to run the Avast anti-rootkit or GMER (normal or in safe mode).

I looked into my wifi connection and changed my channel from auto to a fixed one, incl. reducing the span to 20 MHz. This has increased my transmission speed considerably. Together with the removal of the Wifi Direct setting & Hot Spot I can now download at a real speed around 10 times that of before: 2 Mbit/s instead of a snailing 100-200 Kbit/s. That is still slow with only one tab open. According to an internet speed test I have (wifi) DL at 15 Mbit/s and UL 35-40. I have a 100 Mbit fiber Ethernet connection. I have ca 7 wifi apartment neighbours and I am on top of all at the moment.

D)

Looking into the enclosed system report I noticed the following;

Windows Update: Autoupdate not configured     ???

NETBIOS Node Type    Hybrid node (not a broadcast type)

I wrote in my first post that this is a Workstation computer. That was not correct. I am a member of a workgroup. Why is that?

"Computer Name
            NetBIOS Name    NOTEBOOK-1F9FAJ
            DNS Name    Notebook-1F9FAJB
            Membership    Part of workgroup
            Workgroup    WORKGROUP
        Remote Desktop
            Enabled
                Console
                    State    Active
                    Domain    NOTEBOOK-1F9FAJ"

"Simple File Sharing    Enabled
            Administrative Shares    Enabled"     I guess that is about my 2 user accounts sharing a few programs but not all files etc.

ITEM 2 IN NEXT POST (FRST LOG)

 

 

 

Attached Files



#5 rogerthat69

rogerthat69
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 28 September 2017 - 03:20 PM

Here come the 2 FRST logs;

I sit alone on one single laptop behind a switch and router. No other equipment is connected to LAN/WLAN.

2 csrss.exe are running but both by SYSTEM.

1 conhost.exe is running by SYSTEM. Error 0x4

 

 

 

 

 

Attached Files



#6 blueelvis

blueelvis

    Bleep Blop Bleep


  • Malware Response Team
  • 1,666 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:53 AM

Posted 29 September 2017 - 03:46 PM

Greetings Rogerthat69,

 

 

My name is Pranav and I will be helping you out with this case. Kindly allow me some time to check out your logs. I will respond within 48 hours of this post.

 

Also, the kind of network problems which you have posted seem to be related to your networking driver. Are you using Wifi or Ethernet (LAN Cable) to connect to the internet? Have you tried switching to the other one?

 

Also, I would need the contents of the following folder - C:\Windows\Minidump . You would not have the permission to directly ZIP up the folder, so copy the entire folder, paste it to Desktop, ZIP up the contents of the folder and upload back. That will help me in helping you with your BSOD problems as well ;)

 

 

Have a nice day!

 

 

Regards,

Pranav


Member of the Bleeping Computer A.I.I. early response team!


In case I have been helping you and you haven't received a reply from me in 48 hours, please feel free to PM me. Anything else? Still feel free to PM me :)

Did you read this? http://omgdebugging.com/5-tips-for-getting-the-best-bang-for-the-buck-at-fast-food-joints/

#7 blueelvis

blueelvis

    Bleep Blop Bleep


  • Malware Response Team
  • 1,666 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:53 AM

Posted 01 October 2017 - 06:36 PM

Hello Rogerthat69!

 

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and that may have been the route the malware used to infect your computer. Do not use any P2P software until we conclude your topic.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

Let's begin!

 

 

Download attached fixlist.txt file and save it to the Desktop.
 
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
 

ESET Online Scanner:
 
Note: You will need to disable your currently installed Anti-Virus; how to do so can be read here.
  • Please go here, download the ESET Smart Installer, and save it to your desktop.
  • Double-click on the ESET installer icon you just downloaded.
  • Place a checkmark next to "YES, I accept the Terms of Use" and click the Start button.
  • Click "Yes" to the UAC (User Account Control) warning, then ESET will download its components, register itself, and start itself.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
  • Remove found threats
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. ...The scan may appear to be finished sometimes...if there is a progress bar visible, it is still scanning!
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.
 
Don't forget to re-enable your antivirus when finished!
 
 
 
Once you run the FRST Fixlist, you will find a ZIP with the date of running the fixlist. With your next reply, kindly upload that as well by following the below procedure when you are posting your next response -
 
1. Click on More Reply Options.
2. Click on Choose Files... under Attach files.
3. Select the ZIP file and then upload it.
 
 
Let me know how it goes!
 
 
Regards,
Pranav

Attached Files


Edited by blueelvis, 01 October 2017 - 06:37 PM.
It's always the formatting :0)


#8 rogerthat69

rogerthat69
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 03 October 2017 - 10:03 AM

Hello BlueElvis. Thank you for responding. :thumbup2: Yesterday I engaged in resetting my router due to "obvious" security vulnerabilities. I also had to deal with another breach of permissions when my standard user Bach again was given full access to the Administrator user directory.

Regarding networking I always use wifi. The router position is 5 meters away with no obstacles except maybe my back! For periods, shorter or sometimes longer, my wifi works "ok". Lately though the problems have increased, including download slowness. I can use a (fixed) Ethernet connection but it is impractical in my case. Ethernet works fine but other problems still occur. I have searched ASUS support for my computer but found no alternative/updated driver. After I emailed them they came back with another driver proposition (not MS-"signed"). I have not tried it yet though.

Yesterday I tried to log in to my router 192.168.1.1 using my standard browser FF. I have connected an iPhone and I wanted to check the wifi connection in the router interface. Both MAC addresses were there and running (showing up) fine until I started to change tabs between "IP address (connections)" and "MAC address (interface)". Then both disappeared. After a while one of them returned. But not both. Still both phone and computer seemed to function with internet. My router interface was/is very very slow and looks very unstable. I then tried to log in to my router interface off-line. It did not work. Then I got cold feet. Not being able to log in off-line is said to be a malware situation or worse..... hijacking?

I did a factory reset of my ASUS router using MS Edge instead of Firefox. Everything worked fine and to my surprise (or?) I was not logged out when changing/applying/updating my router user and password names. The same goes for wifi passwords. I stayed logged in. The last set-up logged me out and displayed my passwords explicitly on the http screen. By the way I am surprised that the ASUS router interface keeps wifi passwords, but not the user password, open (not blank or blacked out) on their respective pages.

Next surprise! Now I have access to a full system log. That was not the case before. And now the log is readable (see encl.)

And there is more. Now I can see info under the tab Port Forwarding. Never seen before (see encl).

I will use an Ethernet cable until we find the error sources. Enclosed are some snapshots regarding certain "newly discovered" settings. :wink:

I can tell wifi signal strength has dramatically increased "again" (see above) since resetting the router :thumbsup2:

I am now sitting at an external computer. Hopefully I can return the minidump files tonight (local time).

Again, thanks for your assistance BlueElvis,

//

Attached Files



#9 rogerthat69

rogerthat69
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 03 October 2017 - 02:10 PM

Dear Pranav,

 

Here come the minidumps. Unfortunately I noticed that I accidentally have deleted many dumps during ordinary computer cleaning :mellow: . Therefore the enclosed 5 files are the results from only 1 type of BSOD, the running of GMER in different set-ups. The latest crash came today during a safe-boot run of GMER.

I will do a check-up for saved BSOD reports (type Bluescreen or WhoCrashed).

Instead I enclose some reports from recent latency tests.

//

Attached Files



#10 rogerthat69

rogerthat69
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 03 October 2017 - 03:44 PM

Fix-run went well I suppose. Encl. you will find log.txt and a minidump zip. Many thanks for correcting the VLC plugin on FF.

Interesting how a smoothly running MS Edge "suddenly" has turned into a snail since I decided to (for a while) stop using FF after the router "intrusion". Edge made it possible to reset my router. FF did not. On the other hand I think it is viable to look over my firewall settings. Both browsers are set up very differently.

There are some strange permission effects again!! Every time I log into Bach (normal user) Emsisoft asks me for Admin rights. Then nothing seems to happen. When I copy (marked) multiple files from the Admin account (being at Bach) I have to sign every file copied every time (not as a marked batch).

//

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02-10-2017 01
Ran by Christer (03-10-2017 21:56:50) Run:1
Running from C:\Users\Bach\Desktop
Loaded Profiles: Christer & Bach (Available Profiles: Christer & Bach)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
EmptyTemp:

CMD: verifier.exe /reset

HKU\S-1-5-21-2012168036-945120212-3105423917-1001\...\Run: [] => [X]
GroupPolicy\User: Restriction <==== ATTENTION

FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]

2017-04-13 00:28 - 2017-04-28 20:10 - 000000031 _____ () C:\Program Files\plugins.dat


StartRegedit:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableLUA"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"SmartScreenEnabled"="RequireAdmin"

EndRegedit:

ZIP: C:\Windows\Minidump


*****************

Processes closed successfully.

========= verifier.exe /reset =========


No settings were changed.

========= End of CMD: =========

HKU\S-1-5-21-2012168036-945120212-3105423917-1001\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.2.0 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.2.1 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.2.2 => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.2.3 => key removed successfully
C:\Program Files\plugins.dat => moved successfully

====> Registry
================== Zip: ===================
C:\Windows\Minidump -> copied successfully to C:\Users\Christer\Desktop\03.10.2017_21.56.57.zip
=========== Zip: End ===========

=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 36855628 B
Java, Flash, Steam htmlcache => 291 B
Windows/system/drivers => 97378 B
Edge => 3166198 B
Chrome => 0 B
Firefox => 28076415 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 36748 B
NetworkService => 482530 B
Christer => 6320595 B
Bach => 12718411 B

RecycleBin => 37958 B
EmptyTemp: => 90.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 21:57:06 ====

 

 

 

 

 

Attached Files
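The Regedit section of the fixlist above writes three UAC values and the SmartScreen setting. As an added example (not from the thread, from FRST or from Emsisoft), here is a read-only PowerShell check that reads those same values back and reports any that are missing or differ, so a later silent change like the one the poster describes would show up; the function name Test-UacBaseline is my own.

```powershell
# Added example, not part of the thread or of FRST: audit the registry values that the
# fixlist's Regedit section set. Read-only; run from an elevated PowerShell prompt.
# Test-UacBaseline is a name chosen here, not a built-in cmdlet.

$UacBaseline = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' = @{
        # 5 = prompt for consent for non-Windows binaries (the Windows default)
        ConsentPromptBehaviorAdmin = 5
        # 3 = prompt standard users for credentials on the secure desktop (default)
        ConsentPromptBehaviorUser  = 3
        # 1 = UAC enabled; 0 would run administrators with a full token and no prompt
        EnableLUA                  = 1
    }
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' = @{
        # 'RequireAdmin' blocks unrecognised downloads unless an administrator overrides
        SmartScreenEnabled = 'RequireAdmin'
    }
}

function Test-UacBaseline {
    [CmdletBinding()]
    param([hashtable]$Baseline = $UacBaseline)

    foreach ($keyPath in $Baseline.Keys) {
        # SilentlyContinue: a missing key is reported per value below, not as an exception
        $key = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        foreach ($name in $Baseline[$keyPath].Keys) {
            $expected = $Baseline[$keyPath][$name]
            $actual   = $null
            if ($null -ne $key -and $key.PSObject.Properties.Name -contains $name) {
                $actual = $key.$name
            }
            # MISSING means the value is absent, so Windows' built-in default applies;
            # DRIFT means something wrote a different value after the fix was applied.
            $status = if ($null -eq $actual) { 'MISSING' }
                      elseif ("$actual" -eq "$expected") { 'OK' }
                      else { 'DRIFT' }
            [pscustomobject]@{
                Key      = $keyPath
                Name     = $name
                Expected = $expected
                Actual   = $actual
                Status   = $status
            }
        }
    }
}

# Show the table and exit non-zero if anything is missing or differs,
# so the check can be run from a scheduled task and its result noticed.
$results = Test-UacBaseline
$results | Format-Table -AutoSize
$bad = @($results | Where-Object Status -ne 'OK')
if ($bad.Count -gt 0) {
    Write-Warning ("{0} UAC/SmartScreen value(s) differ from the fixlist baseline" -f $bad.Count)
    exit 1
}
```

A MISSING result is not automatically a problem, since Windows falls back to its built-in default for an absent value, but after a fix that explicitly wrote the value it is worth asking what removed it.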



#11 rogerthat69

rogerthat69
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:23 AM

Posted 04 October 2017 - 07:08 PM

Hi again Pranav,

 

Your link to ESET is gone. Searched inside ESET but no link to the installer.

I have one "installer" from ESET already onboard (esetonlinescanner_enu.exe) but I guess a fresh download would be recommended!

Sorry I didn't notice that you scripted the Minidump files. So now you have duplicates! :rolleyes:

May I have an explanation about the VLC plugin in FF and your changing of permissions? As I understand it, the FF detail was not a security issue, only a false reference (no file)?
 
Some observations:
 
1. When I log in to my normal/standard user the first thing that happens when entering the desktop is that Emsisoft asks for LUA/permission (to what?). Permission to run/log in, or am I not trusted? Never heard of that kind of security! What happens if I don't care to sign? No protection or.......
 
2. I would say it is undisputed (layman's opinion) that my router has been hijacked. As you can see from the Speccy report, "Remote Desktop" is/was enabled and my laptop is defined as a "Domain" and "Console" was "Open" ("server"!?). Port forwarding (see snapshots) was enabled and my router has probably been scripted in ways we can not recapture. Resetting the router is done and is the first step towards security. Unsolved networking questions are i.e. my IP setting. I have a static IP (actually I never recall this setting when the ISP was contracted). My router is configured (default) with dynamic IP (see snapshot). No direct instruction from ISP. If you would run a secret RD I guess your victim's IP should be static for your convenience! Anyway I am a bit surprised my ISP has not reacted. There will be actions...........
 
3. I said yesterday my browser speed went down considerably some time after I reset the router. Edge was fast before compared to FF. Explanation: By mistake I used an old Ethernet cable. Not my new router RJ-45 cable. Switched and problems solved :whistle: . Using FF is for the time being not a good routine. When connecting the first time (session) the computer uses my standard browser FF which connects to my earlier "hijacked" router page (see snapshot). Since resetting the router I get the error message (no internet): "Not Standardgateway" every time I log in after boot with the cable connected to the router. After a minute or so the computer seems to "fix the gateway" and the internet connection works. Running FF (test) tonight for an hour or so (leaving this reply) ended abruptly. Both adapters stopped working with no solution (repair). Had to restart the computer to get online. Will do a reset of FF as well (or maybe a whole new installation from scratch).
 
4. When reading your instructions for i.e. making back-ups I was not surprised that I moments later had Windows error messages telling me my USB memory sticks had problems (when inserted). At the same time Emsisoft was doing her test saying nothing (not bad nor ok?). Hook?
 
5. I said earlier some Remote Desktop Services were running in spite of their inactivation. Today I checked the Remote Registry and found an unordinary item in the registry. Name is "DisableIdleStop", meaning the service (which is inactivated) will never end when idle. DWord is for the moment 0 but I guess this extra registry value is not a default one!! (see snapshot).
 
6. There is something about IP lease time that does not add up. The same time numbers (with hundredths of a second) are there after the router reset. (see snapshot).
 
That's it for now,
 
//

Attached Files


Edited by blueelvis, 05 October 2017 - 03:42 PM.
Deleted one screenshot containing MAC address.


#12 blueelvis

blueelvis

    Bleep Blop Bleep


  • Malware Response Team
  • 1,666 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:53 AM

Posted 05 October 2017 - 04:09 PM

Greetings RogerThat69 ^_^,

 

 

The fixlog looks good.

 

 

There are some strange permission effects again!! Every time I log into Bach (normal user) Emsisoft asks me for Admin rights. Then nothing seems to happen.

 

 

That is probably because I have changed the registry settings (which are default) and have set to the default settings. They were changed so I fixed that. That Regedit part from the Fixlist did that part of fixing. It is good to have UAC since it notifies you when a random program would just ask for Administrator access. It allows you whether to grant those permissions or not.

 

Regarding Emsisoft asking for admin right every time, I think that this would be fixed once we reinstall Emsisoft while you are logged in as user Bach. Kindly do not proceed ahead with the reinstallation until and unless I ask you to do it. Kindly bear with the little hassle for some time.

 

 

When I copy (marked)mulitple files from Admin-account(being at Bach) I have to sign every file copied every time(not as a marked batch).

 

 

What do you mean by signing the files? Is it asking you for Administrator permissions to copy the files?

 

 

Your link to ESET is gone. Searched inside ESET but no link to the installer.

 

I have one "installer" from ESET already onboard(esetonlinescanner_enu.exe) but I guess a fresh download would be recommended!

 

 

Thanks for this notice. Sorry that I did not notice this before. Please find the latest download link over here. Kindly follow the instructions with my previous post about this.

 

 

 

Sorry I didn´t notice that you scripted the Minidump-files. So now you have duplicates!:  :rolleyes:

May I have an explanation about the VLC-plugin i FF and your changing of permissions? As I understand the FF-detail was not a security-issue, only a false reference(no file)?

 

 

No worries about the dumps. 

I checked out the dumps and the crashes were caused by GMER and AswMBR which I believe you have noticed already. GMER has a lot of undocumented Windows functions and that crashing is not strange at all and so is the case with Aswmbr regarding crashing. Going further, please do not run any tools till I ask you explicitly.

 

The VLC Plugin of FF was pointing to a file which was not there. Just general housekeeping.

 

Regarding the permissions, I have explained above. I hope that is enough. In case it is not, please feel free to ask back.

 

 

 I would say it is undisputed(layman´s opinion) my router have been hijacked. As you can see from Speccy-report "Remote Desktop" is/was enabled and my laptop is defined as a "Domain"

    and "Console" was "Open"("server"!?). Portforwarding(see snapshots) was enabled and my router have problably been scripted in ways we can not recapture. Resetting the router is done
    and the first step forwards security. Unsolved networking-questions are i.e my IP-setting. I have a static IP(actually I never recall this setting when the ISP was contracted). My router is
    configured(default) with dynamic IP(se snapshot). No direct instruction from ISP. If you would run a secret RD I guess your victim´s IP should be static for your convinience! Anyway I am
    a bit surprised my ISP have not reacted. There will be actions...........

 

 

Regarding your earlier screenshots,

 

TCP 80 port is used generally for websites. I believe that this is what you are being served over to access the router configuration page ;)

UDP 53 port is used generally for DNS. So, that also seems legit. 

The other rule also seems fine. No issue with that.

 

The other screenshots also look good. The new screenshots also look good from what I can tell.

 

 

3. I said yesterday my browser-speed went down considerably some time after I resetted router. Edge were before fast compared to FF.

    Explanation: By mistake I used an old Ethernet Cable. Not my new router RJ-45 Cable. Switched and problems solved  :whistle: .
    Using FF is for the time being not a good routine. When connecting the first time(session) computer use my standard-browser FF
    which connects to my earlier "hijacked" router-page(se snapshot). Since resetting router I get the error message(no internet): "Not
    Standardgateway" every time a log in after boot with cable connected to router. After a minute or so computer seems to "fix the gateway"
    and internet-connection works. Running FF(test) tonight for an hour or so(leaving this reply) ended abruptly. Both adapters stopped
    working with no solution(repair). Had to restart computer to get online. Will do a reset of FF as well(or maybe a whole new installation
    from scratch). 

 

 

Glad to hear that Edge was not the culprit ;)

 

Regarding the FF test, what did end abruptly? Did your computer crash or something like that? What exactly happened?

 

 

 

4. When reading your instructions for i.e making back-ups I was not surprised that I moments later had Windows-error messages telling
    me my USB-memorysticks had problems(when inserted). Same time Emsisoft doing her test saying nothing(not bad nor ok?). Hook?

 

 

What were the error messages? Did you try inserting your USB memory sticks in some other USB port? When Emsisoft performed the scan, it didn't detect anything right?

 

 

 

5. I said earlier some Remote Desktop Services were running in spite of their inactivation. Today I checked the Remote Registry and found
    some unordinary item in registry. Name is "DisableIdleStop" meaning service(which is inactivated) will never end when idle. DWord is
    for the moment 0 but I guess this extra regitry-value is not a default one!! (see snapshot).

 

 

Please note that the Windows Registry contains several thousand keys and values. These differ from System to system and from Windows install to Windows install. More information on that registry key is over here and it does not mean what can be figured out from its name.

 

 

6. There is something about IP lease-time that does not add up. The same time-numbers(with hundreds of a second) is there after router-reset. 

    (se snapshot).

 

 

That is correct and expected. Your router assigns each of the device connected to it a virtual private IP. Since there are a limited number of IP addresses in a private network, the router checks the IP addresses after the lease time has expired and if a device is not attached to it, it will add it back to the pool of private IP addresses which then later can be reassigned to a new device which connects. Does this explain your query?

 

 

Let me know the results of the ESET Online Scanner scan and we could proceed ahead from there. And just so that you know, there doesn't seem anything wrong with your system as of now and you could relax a bit :hug:

 

We could try troubleshooting your latency issues once your system is deemed clean. Sounds good?

 

 

Have a nice day!

 

 

Regards,

Pranav


Member of the Bleeping Computer A.I.I. early response team!


In case I have been helping you and you haven't received a reply from me in 48 hours, please feel free to PM me. Anything else? Still feel free to PM me :)

Did you read this? http://omgdebugging.com/5-tips-for-getting-the-best-bang-for-the-buck-at-fast-food-joints/
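The items debated in the exchange above (whether Remote Desktop is really off, what the Remote Registry service and its DisableIdleStop value are doing, whether anything listens on the RDP port, and the DHCP lease timestamps) can all be read from the affected machine itself rather than from screenshots. The script below is an added example written for this page; it is not code from the thread, from BleepingComputer or from any of the tools mentioned. It only reports state and changes nothing. One assumption is labelled in the code: the page does not say where the DisableIdleStop value was found, so the script looks for it under the Parameters subkey of the RemoteRegistry service.

```powershell
# Added example (not from the thread): read-only audit of the Remote Desktop,
# Remote Registry and DHCP lease state discussed above. Run from an elevated
# PowerShell prompt on the Windows 10 machine in question.

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means connections are
#    denied, i.e. RDP is off; 0 means RDP is on.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
"Remote Desktop connections enabled : $rdpEnabled"

# 2. Status and startup type of the RDP-related services and Remote Registry.
#    A service can be 'Manual' (trigger-started on demand) yet still appear
#    running for a while, which is what the poster saw.
foreach ($name in 'TermService', 'SessionEnv', 'UmRdpService', 'RemoteRegistry') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $cfg = Get-CimInstance Win32_Service -Filter "Name='$name'"
        '{0,-16} status={1,-8} startmode={2}' -f $name, $svc.Status, $cfg.StartMode
    }
}

# 3. The DisableIdleStop value mentioned in the thread. ASSUMED location (the page
#    does not state it): the Parameters subkey of the RemoteRegistry service.
#    Absent or 0 is the default; 1 would keep the service from stopping when idle.
$rrParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters'
$idle = (Get-ItemProperty -Path $rrParams -Name DisableIdleStop -ErrorAction SilentlyContinue).DisableIdleStop
"RemoteRegistry DisableIdleStop     : $(if ($null -eq $idle) { '<not set>' } else { $idle })"

# 4. Is anything listening on, or connected to, the RDP port right now?
#    Nothing printed here means no listener and no live RDP session.
Get-NetTCPConnection -LocalPort 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, State, OwningProcess |
    Format-Table -AutoSize

# 5. Inbound firewall rules that would admit RDP if a listener existed.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize

# 6. DHCP lease details per IP-enabled adapter: whether the address came from DHCP,
#    which server handed it out, the default gateway, and the lease window.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled, DHCPServer,
        @{ n = 'IPAddress'; e = { $_.IPAddress -join ',' } },
        @{ n = 'Gateway';   e = { $_.DefaultIPGateway -join ',' } },
        DHCPLeaseObtained, DHCPLeaseExpires |
    Format-List
```

Two reading notes. The lease duration is a setting on the router's DHCP server, so the gap between DHCPLeaseObtained and DHCPLeaseExpires will be identical before and after a router reset; only the absolute timestamps should move, which matches the explanation given in the reply above. On a localized Windows install the firewall display group name in step 5 may be translated, in which case filter on `Get-NetFirewallRule | Where-Object DisplayName -like '*3389*'` or inspect the rules' port filters with `Get-NetFirewallPortFilter` instead.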

#13 blueelvis (Malware Response Team)

Posted 08 October 2017 - 04:28 PM

Greetings,

 

It has been 3 days since my last response. Are you still with me?

 

 

 

-Pranav



#14 rogerthat69 (Topic Starter)

Posted 10 October 2017 - 10:57 AM

Many thanks for your replies but now I am in bed ill with a cold & fever since Sunday... Hope to be on my feet tomorrow. I will get back to you ASAP.

 

//



#15 blueelvis (Malware Response Team)

Posted 10 October 2017 - 04:48 PM

> Many thanks for your replies but now I am in bed ill with a cold & fever since Sunday... Hope to be on my feet tomorrow. I will get back to you ASAP.
>
> //

Take care mate. :hug:

 

 

-Pranav

