
Possibly infected with +44-800-086-9374 scam virus


  • This topic is locked
31 replies to this topic

#1 duffsparky


Posted 25 October 2017 - 06:19 AM

Extracted from https://www.bleepingcomputer.com/forums/t/660726/have-i-been-infected/

A few days ago, whilst using Firefox 56.0 on an Acer 5920 laptop running Win 10, I wanted to use the Dogpile search engine so I thought I typed in www.dogplie.com into the address bar. What came up was ww2.digpile.(not sure what the extension was) and the page changed to a black background warning me that my data was being stolen and I needed to contact them and if I closed the page the PC would be locked. Note: W & 2 and O & I are adjacent to each other on the keyboard so maybe I typed the address in wrong.

Unfortunately, I panicked and pulled the USB WiFi dongle out. I'm not sure what happened next, whether I closed Firefox and rebooted the PC or just rebooted the PC, but whichever I did, the PC and Firefox started OK and did not seem to have any issues.

I then ran several anti-malware/virus programs including:

  • Avast Free anti-virus
  • SUPERAntiSpyware Free Edition
  • Malwarebytes
  • JRT
  • AdwCleaner
  • Hitman Pro
  • Zemana AntiMalware
  • Housecall

All of which only found a few tracking-type cookies.

Thinking the PC was OK I continued using it; however, I am now not so sure I got off so lightly, as Windows Update was switched off and once switched back on it freezes at different places. I've run the Windows Update Diagnostic tool several times, but it seems to repeatedly report the same results, fixing the same issues.

I checked the browser history following a suggestion by Demonslay335 to check for any redirecting. The following is an extract from the browser history immediately after the incident:

Name:       Microsoft - Official Security Alert Page
Name:       Redirecting...
Name:       ww2.digpile.com/

I've ended up back at the same warning page, only this time I took details and a screenshot before pulling the plug (without closing anything down). However, unlike last time, when the PC was rebooted the pop-up page in Firefox was pinned to the taskbar, which I duly unpinned. And after shutting down the PC using the Shutdown command (again without closing anything down) and rebooting, the webpage was pinned back to the taskbar. So I guess there may be some sort of infection.

The instructions on the webpage were to phone +44-800-086-9374. An internet search of this number suggests it's a scam virus, but I've not seen the websites detailing it before, so I've not gone to them just in case they are part of the same scam.

Pinning of the warning webpage to the taskbar seems to have stopped, but I am still concerned that the PC is infected. As requested, please find the Farbar reports below. I have also included the screenshot of the warning webpage.

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-10-2017 01
Ran by Anne (administrator) on ANNE-PC (25-10-2017 11:33:41)
Running from C:\Users\Anne\Desktop
Loaded Profiles: Anne (Available Profiles: Anne)
Platform: Microsoft Windows 10 Pro Version 1703 15063.674 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\aswidsagent.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.7.597.0_x86__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
() C:\Windows\PLFSetI.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Realtek Semiconductor Corp.) C:\Users\Anne\AppData\Local\Temp\RtkBtMnt.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [485280 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe
HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [253344 2017-10-10] (AVAST Software)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-23] (Realtek Semiconductor)
HKLM\...\Run: [PLFSetI] => C:\WINDOWS\PLFSetI.exe [200704 2008-07-29] ()
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [150840 2017-08-13] (IvoSoft)
HKLM\...\Run: [VmbNotifierRouter] => C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbNotifier.exe [818744 2015-11-30] (Vodafone)
HKLM\...\Run: [MobileBroadband] => C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe [72760 2015-11-30] (Vodafone)
HKLM\...\Run: [ZAM] => C:\Program Files\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\Run: [Sony Ericsson PC Suite] => C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [466944 2011-06-17] (Sony Ericsson Mobile Communications AB)
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d4d59-8360-11e7-8e1b-78d38d095503} - "F:\setup_vmb_lite.exe" /checkApplicationPresence
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d4ea2-8360-11e7-8e1b-001e6881780e} - "F:\setup_vmb_lite.exe" /checkApplicationPresence
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d5006-8360-11e7-8e1b-001e6881780e} - "H:\setup_vmc_lite.exe" /checkApplicationPresence
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d5114-8360-11e7-8e1b-001e6881780e} - "F:\setup_vmb_lite.exe" /checkApplicationPresence
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d5237-8360-11e7-8e1b-001e6881780e} - "F:\setup_vmb_lite.exe" /checkApplicationPresence
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d54b7-8360-11e7-8e1b-001e6881780e} - "F:\setup_vmb_lite.exe" /checkApplicationPresence
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d56da-8360-11e7-8e1b-001e6881780e} - "F:\setup_vmc_lite.exe" /checkApplicationPresence
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\MountPoints2: {ea0d580f-8360-11e7-8e1b-001e6881780e} - "F:\setup_vmb_lite.exe" /checkApplicationPresence
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2017-10-04]
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.22.22 192.168.22.23
Tcpip\..\Interfaces\{7db42ce3-6a17-43ab-9e36-cd4738a44fed}: [DhcpNameServer] 192.168.22.22 192.168.22.23
Tcpip\..\Interfaces\{804d46ec-e900-428c-8a83-696130490871}: [DhcpNameServer] 192.168.22.22 192.168.22.23
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-2535615256-755552922-3930986355-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE04
SearchScopes: HKU\S-1-5-21-2535615256-755552922-3930986355-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE04
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2017-08-13] (IvoSoft)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2017-08-13] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2017-08-13] (IvoSoft)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
 
FireFox:
========
FF DefaultProfile: h26g76of.default-1506359682440
FF ProfilePath: C:\Users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\h26g76of.default-1506359682440 [2017-10-24]
FF Extension: (HTTPS Everywhere) - C:\Users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\h26g76of.default-1506359682440\Extensions\https-everywhere@eff.org.xpi [2017-10-06]
FF Extension: (Privacy Badger) - C:\Users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\h26g76of.default-1506359682440\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2017-09-25]
FF Extension: (Avast Online Security) - C:\Users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\h26g76of.default-1506359682440\Extensions\wrc@avast.com.xpi [2017-10-11]
FF Extension: (NoScript) - C:\Users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\h26g76of.default-1506359682440\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-10-14]
FF Extension: (Adblock Plus) - C:\Users\Anne\AppData\Roaming\Mozilla\Firefox\Profiles\h26g76of.default-1506359682440\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-09-25]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-12] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-08-12] (Google Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default [2017-10-25]
CHR Extension: (Docs) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-17]
CHR Extension: (Google Drive) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-09-07]
CHR Extension: (YouTube) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-09-07]
CHR Extension: (Avast SafePrice) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-10-18]
CHR Extension: (Google Analytics Opt-out Add-on (by Google)) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\fllaojicojecljbmefodhfapmkghcbnh [2017-10-18]
CHR Extension: (IBA Opt-out (by Google)) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbiekjoijknlhijdjbaadobpkdhmoebb [2017-10-18]
CHR Extension: (HTTPS Everywhere) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2017-10-06]
CHR Extension: (Google Docs Offline) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-09-07]
CHR Extension: (AdBlock) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-10-20]
CHR Extension: (Avast Online Security) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-07]
CHR Extension: (Gmail) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-09-07]
CHR Extension: (Chrome Media Router) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-09-17]
CHR Extension: (Privacy Badger) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkehgijcmpdhfbdbbnkijodmdjhbjlgp [2017-09-17]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [143776 2017-01-31] (SUPERAntiSpyware.com)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\aswidsagent.exe [5828816 2017-10-10] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [281416 2017-10-10] (AVAST Software)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4430792 2017-08-21] (Malwarebytes)
S3 OMSI download service; C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [90112 2009-04-30] () [File not signed]
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1570520 2016-02-02] (Secunia)
S3 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [837848 2016-02-02] (Secunia)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2545848 2017-03-18] (Microsoft Corporation)
S3 VmbService; C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [15416 2015-11-30] (Vodafone)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [265352 2017-03-18] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [82488 2017-07-11] (Microsoft Corporation)
S3 ZAMSvc; C:\Program Files\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 aswbidsdriver; C:\WINDOWS\system32\drivers\aswbidsdriverx.sys [255624 2017-10-10] (AVAST Software s.r.o.)
R0 aswbidsh; C:\WINDOWS\system32\drivers\aswbidshx.sys [157416 2017-10-10] (AVAST Software s.r.o.)
R0 aswblog; C:\WINDOWS\system32\drivers\aswblogx.sys [276736 2017-10-10] (AVAST Software s.r.o.)
R0 aswbuniv; C:\WINDOWS\system32\drivers\aswbunivx.sys [50384 2017-10-10] (AVAST Software s.r.o.)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [42856 2017-10-10] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [39784 2017-09-05] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [124952 2017-10-10] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr2.sys [99560 2017-10-10] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\drivers\aswRvrt.sys [70864 2017-10-10] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [777952 2017-10-10] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [499560 2017-10-10] (AVAST Software)
R2 aswStm; C:\WINDOWS\system32\drivers\aswStm.sys [149824 2017-10-10] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\drivers\aswVmm.sys [297840 2017-10-10] (AVAST Software)
S3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [137632 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [22432 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Scan; C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [16800 2012-10-19] (Microsoft Corporation)
R3 netr28u; C:\WINDOWS\System32\drivers\netr28u.sys [1824256 2017-03-18] (MediaTek Inc.)
R3 netwlv32; C:\WINDOWS\System32\drivers\netwlv32.sys [6637056 2017-03-18] (Intel Corporation)
S3 nuvotoncir; C:\WINDOWS\system32\DRIVERS\nuvotoncir.sys [44544 2009-06-24] (Nuvoton Technology Corporation) [File not signed]
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf_x86.sys [16024 2016-02-02] (Secunia)
S3 s0016bus; C:\WINDOWS\System32\drivers\s0016bus.sys [89256 2008-05-16] (MCCI Corporation)
S3 s0016mdfl; C:\WINDOWS\system32\DRIVERS\s0016mdfl.sys [15016 2008-05-16] (MCCI Corporation)
S3 s0016mdm; C:\WINDOWS\system32\DRIVERS\s0016mdm.sys [120744 2008-05-16] (MCCI Corporation)
S3 s0016mgmt; C:\WINDOWS\system32\DRIVERS\s0016mgmt.sys [114216 2008-05-16] (MCCI Corporation)
S3 s0016nd5; C:\WINDOWS\System32\drivers\s0016nd5.sys [25512 2008-05-16] (MCCI Corporation)
S3 s0016obex; C:\WINDOWS\system32\DRIVERS\s0016obex.sys [110632 2008-05-16] (MCCI Corporation)
S3 s0016unic; C:\WINDOWS\System32\drivers\s0016unic.sys [115752 2008-05-16] (MCCI Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 vodafone_K3805-z_dc_enum; C:\WINDOWS\System32\drivers\vodafone_K3805-z_dc_enum.sys [61952 2010-09-01] (Vodafone)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [37464 2017-03-18] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [243104 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [96672 2017-03-18] (Microsoft Corporation)
S3 winbondcir; C:\WINDOWS\system32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam32.sys [181496 2017-09-25] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard32.sys [181496 2017-09-25] (Zemana Ltd.)
U3 idsvc; no ImagePath
S3 NPF; system32\drivers\NPF.sys [X]
U3 wpcsvc; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-10-25 11:33 - 2017-10-25 11:34 - 000017138 _____ C:\Users\Anne\Desktop\FRST.txt
2017-10-25 11:32 - 2017-10-25 11:33 - 000000000 ____D C:\FRST
2017-10-25 11:14 - 2017-10-25 11:14 - 000000000 ____D C:\Users\Anne\Documents\FeedbackHub
2017-10-25 10:58 - 2017-10-25 10:58 - 001799680 _____ (Farbar) C:\Users\Anne\Desktop\FRST.exe
2017-10-24 11:05 - 2017-10-24 11:05 - 002704123 _____ C:\Users\Anne\Downloads\Installaton guide-iflo_lo-res.pdf
2017-10-23 18:04 - 2017-10-23 18:04 - 000200177 _____ C:\Users\Anne\Downloads\Iflo turboshower waste GPID_1010001462_TECH_0
2017-10-23 18:03 - 2017-10-23 18:03 - 000632818 _____ C:\Users\Anne\Downloads\Iflo turbo shower waste GPID_1010001462_TECH_1
2017-10-22 12:07 - 2017-10-22 12:07 - 000000989 _____ C:\Users\Anne\Desktop\Malware scanners - Shortcut.lnk
2017-10-21 11:41 - 2017-10-21 11:41 - 000319205 _____ C:\Users\Anne\Documents\WindowsUpdateDiagnosticReport-2.pdf
2017-10-21 11:11 - 2017-10-21 11:11 - 000348489 _____ C:\Users\Anne\Documents\WindowsUpdateDiagnosticReport-1.pdf
2017-10-21 11:11 - 2017-10-21 11:11 - 000000000 ____D C:\Users\Anne\AppData\LocalLow\Temp
2017-10-21 10:46 - 2017-10-21 10:46 - 000313366 _____ C:\Users\Anne\Downloads\WindowsUpdate.diagcab
2017-10-21 10:16 - 2017-10-21 10:16 - 000313366 _____ C:\Users\Anne\Downloads\WindowsUpdateDiagnostic.diagcab
2017-10-21 00:24 - 2017-10-21 00:25 - 000000000 ___HD C:\$WINDOWS.~BT
2017-10-20 23:52 - 2017-10-20 23:52 - 000000000 ____D C:\ProgramData\SWCUTemp
2017-10-20 23:43 - 2017-10-20 23:43 - 000000000 ____D C:\WINDOWS\LastGood.Tmp
2017-10-20 22:17 - 2017-10-20 22:17 - 000000749 _____ C:\Users\Anne\Downloads\Printerdiagnostic10.diagcab
2017-10-20 21:43 - 2017-10-21 10:31 - 000000000 ____D C:\Users\Anne\AppData\Local\ElevatedDiagnostics
2017-10-20 21:03 - 2017-10-20 22:20 - 000000000 ____D C:\ProgramData\Samsung
2017-10-20 21:03 - 2017-10-20 21:51 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung Printers
2017-10-20 21:02 - 2014-05-22 14:22 - 002738496 ____N C:\WINDOWS\TotalUninstaller.exe
2017-10-20 21:01 - 2014-12-26 05:57 - 000000359 _____ C:\WINDOWS\system32\usp02l.smt
2017-10-20 21:01 - 2014-04-16 09:22 - 000025600 _____ () C:\WINDOWS\system32\usp02l.dll
2017-10-20 21:01 - 2013-05-10 10:48 - 000162136 _____ C:\WINDOWS\system32\usp02ci.exe
2017-10-20 21:01 - 2010-10-20 09:49 - 000065536 _____ (SS) C:\WINDOWS\system32\usp02ci.dll
2017-10-20 20:59 - 2017-10-20 21:00 - 022373168 _____ C:\Users\Anne\Downloads\SamsungUniversalPrintDriver2.exe
2017-10-20 16:20 - 2017-10-20 16:20 - 000000000 ____D C:\ProgramData\HP
2017-10-20 16:19 - 2017-10-21 00:30 - 000002043 _____ C:\Users\Public\Desktop\HP Print and Scan Doctor.lnk
2017-10-20 16:19 - 2017-10-20 16:19 - 000000000 ____D C:\Users\Anne\AppData\Roaming\HPPSDr
2017-10-20 16:16 - 2017-10-20 16:16 - 000000000 ____D C:\Users\Anne\AppData\Local\HP
2017-10-20 16:16 - 2017-10-20 16:16 - 000000000 ____D C:\Program Files\HP
2017-10-20 16:15 - 2017-10-20 16:15 - 011097040 _____ C:\Users\Anne\Downloads\HPPSdr.exe
2017-10-20 14:43 - 2017-10-21 11:58 - 000000000 ___RD C:\Users\Anne\Documents\Scanned Documents
2017-10-20 14:43 - 2017-10-20 14:43 - 000000000 ____D C:\Users\Anne\Documents\Fax
2017-10-18 17:40 - 2017-10-18 17:40 - 000001533 _____ C:\Users\Anne\Desktop\Can I Paint Water Based Over Oil Based Paint _ Grants Painting.html - Shortcut.lnk
2017-10-18 17:39 - 2017-10-18 17:39 - 000210985 _____ C:\Users\Anne\Downloads\Can I Paint Water Based Over Oil Based Paint _ Grants Painting.html
2017-10-18 17:39 - 2017-10-18 17:39 - 000000000 ____D C:\Users\Anne\Downloads\Can I Paint Water Based Over Oil Based Paint _ Grants Painting_files
2017-10-18 16:56 - 2017-10-18 16:56 - 000694786 _____ C:\Users\Anne\Downloads\10Y29_2015.pdf
2017-10-18 13:02 - 2017-10-18 13:02 - 000001298 _____ C:\Users\Anne\Documents\malwarebytes scan 17oct17@16.04.txt
2017-10-17 17:49 - 2017-10-17 17:49 - 000000010 _____ C:\Users\Anne\AppData\Local\sponge.last.runtime.cache
2017-10-17 17:38 - 2017-10-17 17:38 - 000000000 ____D C:\WINDOWS\Trend Micro
2017-10-17 17:38 - 2017-10-17 17:38 - 000000000 ____D C:\Users\Anne\AppData\Local\Trend Micro
2017-10-17 17:38 - 2017-10-17 17:38 - 000000000 ____D C:\ProgramData\Trend Micro
2017-10-17 17:35 - 2015-05-29 08:43 - 000303744 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys
2017-10-17 17:23 - 2017-10-17 17:23 - 006334880 _____ (AVAST Software) C:\Users\Anne\Downloads\avast_free_antivirus_setup_online.exe
2017-10-17 16:48 - 2017-10-22 12:07 - 000000000 ____D C:\Users\Anne\Desktop\Antimalware
2017-10-17 15:18 - 2017-10-22 00:50 - 000001490 _____ C:\Users\Anne\Documents\Ransomeware warning.txt
2017-10-17 10:55 - 2017-10-17 10:56 - 044400378 _____ (PortableApps.com) C:\Users\Anne\Downloads\FirefoxPortableESR_52.4.1_English.paf.exe.part
2017-10-17 10:49 - 2017-10-17 10:50 - 045172584 _____ (Mozilla) C:\Users\Anne\Downloads\Firefox Setup 52.4.1esr.exe
2017-10-13 15:31 - 2017-09-30 03:04 - 004215184 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepository.dll
2017-10-13 15:31 - 2017-09-30 03:04 - 000438096 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.ApplicationModel.dll
2017-10-13 15:31 - 2017-09-30 03:04 - 000259856 _____ (Microsoft Corporation) C:\WINDOWS\system32\SecurityHealthService.exe
2017-10-13 15:31 - 2017-09-30 03:03 - 006768288 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
2017-10-13 15:31 - 2017-09-29 08:38 - 002671616 _____ (Microsoft Corporation) C:\WINDOWS\system32\tquery.dll
2017-10-13 15:31 - 2017-09-29 08:38 - 000370688 _____ (Microsoft Corporation) C:\WINDOWS\system32\FirewallAPI.dll
2017-10-13 15:31 - 2017-09-29 08:33 - 000772096 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPSSVC.dll
2017-10-13 15:30 - 2017-09-30 03:29 - 000804784 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.dll
2017-10-13 15:30 - 2017-09-30 03:26 - 001333136 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
2017-10-13 15:30 - 2017-09-30 03:26 - 001241240 _____ (Microsoft Corporation) C:\WINDOWS\system32\user32.dll
2017-10-13 15:30 - 2017-09-30 03:10 - 001150776 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2017-10-13 15:30 - 2017-09-30 03:05 - 001266544 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinapi.appcore.dll
2017-10-13 15:30 - 2017-09-30 03:05 - 000750488 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2017-10-13 15:30 - 2017-09-30 03:04 - 000249016 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotifyIcon.exe
2017-10-13 15:30 - 2017-09-30 03:01 - 002077592 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tcpip.sys
2017-10-13 15:30 - 2017-09-29 08:45 - 002953216 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2017-10-13 15:30 - 2017-09-29 08:43 - 000060928 _____ (Microsoft Corporation) C:\WINDOWS\system32\usoapi.dll
2017-10-13 15:30 - 2017-09-29 08:42 - 000247808 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2017-10-13 15:30 - 2017-09-29 08:42 - 000041984 _____ (Microsoft Corporation) C:\WINDOWS\system32\musdialoghandlers.dll
2017-10-13 15:30 - 2017-09-29 08:41 - 000150016 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe
2017-10-13 15:30 - 2017-09-29 08:41 - 000095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhosdeployment.dll
2017-10-13 15:30 - 2017-09-29 08:41 - 000036864 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmTasks.dll
2017-10-13 15:30 - 2017-09-29 08:40 - 006728192 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2017-10-13 15:30 - 2017-09-29 08:40 - 000086528 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
2017-10-13 15:30 - 2017-09-29 08:39 - 000558592 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2017-10-13 15:30 - 2017-09-29 08:39 - 000065536 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpdbusenum.dll
2017-10-13 15:30 - 2017-09-29 08:38 - 000471040 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmCoreProvisioning.dll
2017-10-13 15:30 - 2017-09-29 08:38 - 000463360 _____ (Microsoft Corporation) C:\WINDOWS\system32\webio.dll
2017-10-13 15:30 - 2017-09-29 08:37 - 000351744 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatehandlers.dll
2017-10-13 15:30 - 2017-09-29 08:37 - 000306688 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Graphics.dll
2017-10-13 15:30 - 2017-09-29 08:35 - 001832448 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.pcshell.dll
2017-10-13 15:30 - 2017-09-29 08:34 - 001339904 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataService.dll
2017-10-13 15:30 - 2017-09-29 08:34 - 001089536 _____ (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll
2017-10-13 15:30 - 2017-09-29 08:34 - 000787456 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2017-10-13 15:30 - 2017-09-29 08:34 - 000535040 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2017-10-13 15:30 - 2017-09-29 08:34 - 000434176 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinapi.dll
2017-10-13 15:30 - 2017-09-29 08:33 - 007598080 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll
2017-10-13 15:30 - 2017-09-29 08:33 - 004559360 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2017-10-13 15:30 - 2017-09-29 08:33 - 002123264 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2017-10-13 15:30 - 2017-09-29 08:32 - 001244160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.Phone.dll
2017-10-13 15:30 - 2017-09-29 08:32 - 000316416 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll
2017-10-13 15:30 - 2017-09-29 08:31 - 003107328 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstsc.exe
2017-10-13 15:30 - 2017-09-29 08:31 - 000134656 _____ (Microsoft Corporation) C:\WINDOWS\system32\TabSvc.dll
2017-10-13 15:30 - 2017-09-29 08:29 - 001460736 _____ (Microsoft Corporation) C:\WINDOWS\system32\wsp_fs.dll
2017-10-13 15:30 - 2017-09-29 08:29 - 001318912 _____ (Microsoft Corporation) C:\WINDOWS\system32\wsp_health.dll
2017-10-13 15:29 - 2017-09-30 03:07 - 000815608 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2017-10-13 15:29 - 2017-09-30 03:05 - 000559000 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
2017-10-13 15:29 - 2017-09-30 03:04 - 000347544 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2017-10-13 15:29 - 2017-09-30 03:04 - 000186776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2017-10-13 15:29 - 2017-09-30 03:03 - 020373408 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2017-10-13 15:29 - 2017-09-30 03:02 - 000175512 _____ (Microsoft Corporation) C:\WINDOWS\system32\basecsp.dll
2017-10-13 15:29 - 2017-09-29 08:43 - 000142336 _____ (Microsoft Corporation) C:\WINDOWS\system32\smartscreenps.dll
2017-10-13 15:29 - 2017-09-29 08:42 - 000018944 _____ (Microsoft Corporation) C:\WINDOWS\system32\mgmtapi.dll
2017-10-13 15:29 - 2017-09-29 08:39 - 000330240 _____ (Microsoft Corporation) C:\WINDOWS\system32\NgcCtnr.dll
2017-10-13 15:29 - 2017-09-29 08:38 - 000359424 _____ (Microsoft Corporation) C:\WINDOWS\system32\aadcloudap.dll
2017-10-13 15:29 - 2017-09-29 08:38 - 000308224 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptngc.dll
2017-10-13 15:29 - 2017-09-29 08:38 - 000229376 _____ (Microsoft Corporation) C:\WINDOWS\system32\scksp.dll
2017-10-13 15:29 - 2017-09-29 08:37 - 000309760 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapibase.dll
2017-10-13 15:29 - 2017-09-29 08:37 - 000038400 _____ (Microsoft Corporation) C:\WINDOWS\system32\TokenBrokerUI.dll
2017-10-13 15:29 - 2017-09-29 08:36 - 002957824 _____ (Microsoft Corporation) C:\WINDOWS\system32\StartTileData.dll
2017-10-13 15:29 - 2017-09-29 08:35 - 003654656 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-10-13 15:29 - 2017-09-29 08:35 - 001993216 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Shell.UnifiedTile.CuratedTileCollections.dll
2017-10-13 15:29 - 2017-09-29 08:34 - 006255616 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2017-10-13 15:29 - 2017-09-29 08:34 - 001918464 _____ (Microsoft Corporation) C:\WINDOWS\system32\smartscreen.exe
2017-10-13 15:29 - 2017-09-29 08:34 - 000798720 _____ (Microsoft Corporation) C:\WINDOWS\system32\TokenBroker.dll
2017-10-13 15:29 - 2017-09-29 08:34 - 000665088 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
2017-10-13 15:29 - 2017-09-29 08:33 - 000658944 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-10-13 15:29 - 2017-09-29 08:33 - 000471552 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXService.dll
2017-10-13 15:29 - 2017-09-29 08:31 - 000625664 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2017-10-13 15:29 - 2017-09-29 08:31 - 000117248 _____ (Microsoft Corporation) C:\WINDOWS\system32\regsvc.dll
2017-10-13 15:29 - 2017-09-29 08:30 - 000342528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2017-10-13 15:29 - 2017-09-29 08:30 - 000228864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2017-10-13 15:29 - 2017-09-29 08:29 - 000767488 _____ (Microsoft Corporation) C:\WINDOWS\system32\fvewiz.dll
2017-10-13 15:29 - 2017-09-29 08:29 - 000329216 _____ (Microsoft Corporation) C:\WINDOWS\system32\bdesvc.dll
2017-10-13 15:29 - 2017-09-29 08:29 - 000310272 _____ (Microsoft Corporation) C:\WINDOWS\system32\fvecpl.dll
2017-10-13 15:29 - 2017-09-29 08:29 - 000282624 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveui.dll
2017-10-13 15:29 - 2017-09-29 08:29 - 000161792 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscsvc.dll
2017-10-13 15:29 - 2017-09-29 08:29 - 000157696 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpchttp.dll
2017-10-13 15:29 - 2017-09-29 08:28 - 001926656 _____ (Microsoft Corporation) C:\WINDOWS\system32\ResetEngine.dll
2017-10-13 15:29 - 2017-09-29 08:28 - 001244672 _____ (Microsoft Corporation) C:\WINDOWS\system32\RecoveryDrive.exe
2017-10-13 15:29 - 2017-09-29 08:28 - 000351744 _____ (Microsoft Corporation) C:\WINDOWS\system32\bdechangepin.exe
2017-10-13 15:29 - 2017-09-29 08:28 - 000190976 _____ (Microsoft Corporation) C:\WINDOWS\system32\manage-bde.exe
2017-10-13 15:29 - 2017-09-29 08:28 - 000130560 _____ (Microsoft Corporation) C:\WINDOWS\system32\BitLockerDeviceEncryption.exe
2017-10-13 15:29 - 2017-09-29 08:28 - 000104448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Robocopy.exe
2017-10-13 15:28 - 2017-09-30 03:10 - 005862296 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-10-13 15:28 - 2017-09-30 03:10 - 001971232 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2017-10-13 15:28 - 2017-09-30 03:10 - 001855336 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2017-10-13 15:28 - 2017-09-30 03:10 - 000606072 _____ (Microsoft Corporation) C:\WINDOWS\system32\oleaut32.dll
2017-10-13 15:28 - 2017-09-30 03:10 - 000103320 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecdd.sys
2017-10-13 15:28 - 2017-09-30 03:07 - 000144176 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspicli.dll
2017-10-13 15:28 - 2017-09-30 03:06 - 002022808 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2017-10-13 15:28 - 2017-09-30 03:06 - 000582552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2017-10-13 15:28 - 2017-09-30 03:05 - 005827744 _____ (Microsoft Corporation) C:\WINDOWS\system32\windows.storage.dll
2017-10-13 15:28 - 2017-09-30 03:05 - 002603744 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneCoreUAPCommonProxyStub.dll
2017-10-13 15:28 - 2017-09-30 03:03 - 001439032 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsrcsnk.dll
2017-10-13 15:28 - 2017-09-30 03:01 - 000044008 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsass.exe
2017-10-13 15:28 - 2017-09-29 08:42 - 000018944 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspisrv.dll
2017-10-13 15:28 - 2017-09-29 08:40 - 000432128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\nwifi.sys
2017-10-13 15:28 - 2017-09-29 08:40 - 000391680 _____ (Microsoft Corporation) C:\WINDOWS\system32\wlansec.dll
2017-10-13 15:28 - 2017-09-29 08:40 - 000042496 _____ (Microsoft Corporation) C:\WINDOWS\system32\ServiceWorkerHost.exe
2017-10-13 15:28 - 2017-09-29 08:39 - 020511232 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2017-10-13 15:28 - 2017-09-29 08:39 - 011888640 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-10-13 15:28 - 2017-09-29 08:39 - 000364032 _____ (Microsoft Corporation) C:\WINDOWS\system32\msIso.dll
2017-10-13 15:28 - 2017-09-29 08:38 - 005721600 _____ (Microsoft Corporation) C:\WINDOWS\system32\BingMaps.dll
2017-10-13 15:28 - 2017-09-29 08:36 - 000590336 _____ (Microsoft Corporation) C:\WINDOWS\system32\PCPKsp.dll
2017-10-13 15:28 - 2017-09-29 08:34 - 002859520 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-10-13 15:28 - 2017-09-29 08:33 - 001137152 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-10-13 15:28 - 2017-09-29 08:32 - 002782720 _____ (Microsoft Corporation) C:\WINDOWS\system32\msftedit.dll
2017-10-13 15:28 - 2017-09-29 08:28 - 000297984 _____ (Microsoft Corporation) C:\WINDOWS\system32\mcbuilder.exe
2017-10-13 15:28 - 2017-09-20 16:08 - 000640512 _____ (Microsoft Corporation) C:\WINDOWS\system32\mswstr10.dll
2017-10-13 15:28 - 2017-09-20 16:08 - 000345088 _____ (Microsoft Corporation) C:\WINDOWS\system32\msexcl40.dll
2017-10-13 15:28 - 2017-09-20 16:08 - 000008704 _____ (Microsoft Corporation) C:\WINDOWS\system32\msjint40.dll
2017-10-13 15:27 - 2017-09-30 03:29 - 001427656 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32full.dll
2017-10-13 15:27 - 2017-09-30 03:10 - 000508344 _____ (Microsoft Corporation) C:\WINDOWS\system32\dnsapi.dll
2017-10-13 15:27 - 2017-09-30 03:09 - 002259760 _____ (Microsoft Corporation) C:\WINDOWS\system32\CoreUIComponents.dll
2017-10-13 15:27 - 2017-09-30 03:05 - 000755608 _____ (Microsoft Corporation) C:\WINDOWS\system32\efscore.dll
2017-10-13 15:27 - 2017-09-30 03:04 - 000612120 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2017-10-13 15:27 - 2017-09-29 08:44 - 000133120 _____ (Microsoft Corporation) C:\WINDOWS\system32\t2embed.dll
2017-10-13 15:27 - 2017-09-29 08:43 - 002199552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.Resources.dll
2017-10-13 15:27 - 2017-09-29 08:41 - 013844992 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2017-10-13 15:27 - 2017-09-29 08:41 - 000110080 _____ (Microsoft Corporation) C:\WINDOWS\system32\BitLockerCsp.dll
2017-10-13 15:27 - 2017-09-29 08:41 - 000037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\efssvc.dll
2017-10-13 15:27 - 2017-09-29 08:40 - 000213504 _____ (Microsoft Corporation) C:\WINDOWS\system32\dusmsvc.dll
2017-10-13 15:27 - 2017-09-29 08:38 - 001135616 ____R (The ICU Project) C:\WINDOWS\system32\icuuc.dll
2017-10-13 15:27 - 2017-09-29 08:38 - 000193536 _____ (Microsoft Corporation) C:\WINDOWS\system32\domgmt.dll
2017-10-13 15:27 - 2017-09-29 08:36 - 019337216 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-10-13 15:27 - 2017-09-29 08:36 - 000905216 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2017-10-13 15:27 - 2017-09-29 08:34 - 000963584 _____ (Microsoft Corporation) C:\WINDOWS\system32\dosvc.dll
2017-10-13 15:27 - 2017-09-29 08:33 - 001560064 _____ (Microsoft Corporation) C:\WINDOWS\system32\FntCache.dll
2017-10-13 15:27 - 2017-09-29 08:33 - 001506816 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
2017-10-13 15:27 - 2017-09-29 08:32 - 002340864 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWrite.dll
2017-10-13 15:27 - 2017-09-29 08:32 - 001627136 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-10-13 15:27 - 2017-09-29 08:31 - 000242688 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceEnroller.exe
2017-10-13 15:27 - 2017-09-29 08:30 - 000116224 _____ (Microsoft Corporation) C:\WINDOWS\system32\iscsiexe.dll
2017-10-13 15:27 - 2017-09-29 08:28 - 000681472 _____ (Microsoft Corporation) C:\WINDOWS\system32\clusapi.dll
2017-10-13 15:27 - 2017-09-29 08:28 - 000473088 _____ (Microsoft Corporation) C:\WINDOWS\system32\resutils.dll
2017-10-13 15:27 - 2017-09-29 08:28 - 000040448 _____ (Microsoft Corporation) C:\WINDOWS\system32\cipher.exe
2017-10-13 15:27 - 2017-09-29 06:40 - 000804312 _____ C:\WINDOWS\system32\locale.nls
2017-10-13 15:26 - 2017-09-30 03:10 - 000480920 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2017-10-13 15:26 - 2017-09-30 03:04 - 001520536 _____ (Microsoft Corporation) C:\WINDOWS\system32\UpdateAgent.dll
2017-10-13 15:26 - 2017-09-30 03:04 - 000519680 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentClient.dll
2017-10-13 15:26 - 2017-09-30 03:04 - 000182680 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxAllUserStore.dll
2017-10-13 15:26 - 2017-09-30 03:04 - 000154520 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\appid.sys
2017-10-13 15:26 - 2017-09-30 03:02 - 001624096 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.AppAgent.dll
2017-10-13 15:26 - 2017-09-30 03:02 - 001517464 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVEntSubsystems32.dll
2017-10-13 15:26 - 2017-09-30 03:02 - 001293856 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVEntVirtualization.dll
2017-10-13 15:26 - 2017-09-30 03:02 - 001158040 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVIntegration.dll
2017-10-13 15:26 - 2017-09-30 03:02 - 000960920 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVEntSubsystemController.dll
2017-10-13 15:26 - 2017-09-30 03:02 - 000649760 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVClient.exe
2017-10-13 15:26 - 2017-09-30 03:02 - 000635800 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVOrchestration.dll
2017-10-13 15:26 - 2017-09-30 03:02 - 000498072 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVPublishing.dll
2017-10-13 15:26 - 2017-09-30 03:02 - 000496024 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVCatalog.dll
2017-10-13 15:26 - 2017-09-29 08:40 - 000371200 _____ (Microsoft Corporation) C:\WINDOWS\system32\daxexec.dll
2017-10-13 15:26 - 2017-09-29 08:38 - 000498688 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.Office2013CustomActions.dll
2017-10-13 15:26 - 2017-09-29 08:38 - 000454144 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowManagement.dll
2017-10-13 15:26 - 2017-09-29 08:38 - 000414720 _____ (Microsoft Corporation) C:\WINDOWS\system32\TileDataRepository.dll
2017-10-13 15:26 - 2017-09-29 08:37 - 001513984 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.onecore.dll
2017-10-13 15:26 - 2017-09-29 08:37 - 000793088 _____ (Microsoft Corporation) C:\WINDOWS\system32\ApplySettingsTemplateCatalog.exe
2017-10-13 15:26 - 2017-09-29 08:37 - 000513024 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.PrinterCustomActions.dll
2017-10-13 15:26 - 2017-09-29 08:36 - 001208320 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.desktop.dll
2017-10-13 15:26 - 2017-09-29 08:36 - 000834560 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.CommonBridge.dll
2017-10-13 15:26 - 2017-09-29 08:36 - 000457216 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppReadiness.dll
2017-10-13 15:26 - 2017-09-29 08:34 - 000841728 _____ (Microsoft Corporation) C:\WINDOWS\system32\AgentService.exe
2017-10-13 15:26 - 2017-09-29 08:32 - 002373632 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2017-10-13 15:26 - 2017-09-29 08:32 - 001490944 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.ModernAppAgent.dll
2017-10-13 15:25 - 2017-09-30 03:10 - 000370072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbhub.sys
2017-10-13 15:25 - 2017-09-30 03:04 - 000127384 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbccgp.sys
2017-10-13 15:25 - 2017-09-29 08:42 - 000027648 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BasicRender.sys
2017-10-13 15:05 - 2017-10-13 15:05 - 002494637 _____ C:\Users\Anne\Downloads\KA52NE.pdf
2017-10-13 10:56 - 2017-10-13 10:56 - 124059592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-10-10 14:48 - 2017-10-10 14:48 - 000304816 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2017-10-05 14:44 - 2017-10-05 14:44 - 000016096 _____ C:\Users\Anne\Desktop\blank.html
2017-10-04 17:26 - 2017-10-04 17:26 - 000000272 _____ C:\Users\Anne\Desktop\4 Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware.URL
2017-10-04 17:25 - 2017-10-04 17:25 - 000000000 ____D C:\Users\Anne\AppData\Roaming\SUPERAntiSpyware.com
2017-10-04 17:24 - 2017-10-04 17:25 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2017-10-04 17:24 - 2017-10-04 17:24 - 000000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2017-10-04 17:24 - 2017-10-04 17:24 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2017-10-04 16:53 - 2017-10-22 13:15 - 000702262 _____ C:\Users\Anne\AppData\Local\census.cache
2017-10-04 16:52 - 2017-10-22 13:15 - 000174491 _____ C:\Users\Anne\AppData\Local\ars.cache
2017-10-04 16:37 - 2017-10-04 16:37 - 000000036 _____ C:\Users\Anne\AppData\Local\housecall.guid.cache
2017-10-04 16:13 - 2017-10-04 16:13 - 000001104 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
2017-10-04 16:13 - 2017-10-04 16:13 - 000000000 ____D C:\Program Files\Secunia
2017-10-04 16:12 - 2017-10-04 16:12 - 004002104 _____ (Secunia) C:\Users\Anne\Downloads\PSISetup.exe
2017-10-04 15:54 - 2017-10-17 18:07 - 000000553 _____ C:\Users\Anne\Desktop\JRT.txt
2017-10-04 12:41 - 2017-10-04 12:41 - 000000040 _____ C:\Users\Anne\Documents\Win version.txt
2017-10-04 12:15 - 2017-10-04 12:15 - 000000282 _____ C:\Users\Anne\Desktop\How to Block Third-Party Cookies in Every Web Browser.URL
2017-10-04 11:38 - 2017-10-04 11:38 - 000001297 _____ C:\Users\Anne\Desktop\Malwarebytes scan 100417.txt
2017-10-03 16:37 - 2017-10-03 16:41 - 000002204 _____ C:\Users\Anne\Desktop\Edge BTinternet.lnk
2017-10-03 16:00 - 2017-10-03 16:00 - 000000236 _____ C:\Users\Anne\Desktop\Welcome to BT Wi-fi.URL
2017-10-03 15:56 - 2017-10-03 15:56 - 000000263 _____ C:\Users\Anne\Desktop\Create a desktop shortcut to a website Firefox Help.URL
2017-10-02 16:43 - 2017-10-02 16:43 - 000000000 ____D C:\Program Files\HitmanPro
2017-10-01 11:35 - 2017-09-18 23:40 - 000877984 _____ (Microsoft Corporation) C:\WINDOWS\system32\SecConfig.efi
2017-10-01 11:34 - 2017-09-18 23:15 - 000648704 _____ (Microsoft Corporation) C:\WINDOWS\system32\MbaeApiPublic.dll
2017-10-01 11:33 - 2017-09-18 23:50 - 000902896 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2017-10-01 11:33 - 2017-09-18 23:50 - 000790816 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
2017-10-01 11:33 - 2017-09-18 23:47 - 001089344 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2017-10-01 11:33 - 2017-09-18 23:47 - 000954592 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2017-10-01 11:33 - 2017-09-18 23:37 - 000434592 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBHUB3.SYS
2017-10-01 11:33 - 2017-09-18 23:20 - 000049664 _____ (Microsoft Corporation) C:\WINDOWS\system32\tetheringclient.dll
2017-10-01 11:33 - 2017-09-18 23:19 - 000096768 _____ (Microsoft Corporation) C:\WINDOWS\system32\eShims.dll
2017-10-01 11:33 - 2017-09-18 23:18 - 000175616 _____ (Microsoft Corporation) C:\WINDOWS\system32\tetheringservice.dll
2017-09-25 20:00 - 2017-09-25 20:00 - 000221632 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\344463BB.sys
2017-09-25 18:40 - 2017-10-22 12:07 - 000000000 ____D C:\Users\Anne\Downloads\Malware scanners
2017-09-25 18:14 - 2017-09-25 18:14 - 000000000 ____D C:\Users\Anne\Desktop\Old Firefox Data
2017-09-25 18:08 - 2017-09-25 18:08 - 000000090 _____ C:\Users\Anne\Desktop\Floxif removal guide.txt
2017-09-25 18:00 - 2017-09-25 18:37 - 000000000 ____D C:\ProgramData\HitmanPro
2017-09-25 17:48 - 2017-10-22 11:20 - 000000000 ____D C:\AdwCleaner
2017-09-25 14:26 - 2017-10-02 17:33 - 000000000 ____D C:\WINDOWS\Minidump
2017-09-25 14:26 - 2017-09-25 14:26 - 345217240 _____ C:\WINDOWS\MEMORY.DMP
2017-09-25 14:26 - 2017-09-25 14:26 - 000254244 _____ C:\WINDOWS\Minidump\092517-33375-01.dmp
2017-09-25 13:10 - 2017-10-25 11:34 - 000051517 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2017-09-25 13:10 - 2017-10-25 11:33 - 000082879 _____ C:\WINDOWS\ZAM.krnl.trace
2017-09-25 13:10 - 2017-09-25 13:10 - 000181496 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard32.sys
2017-09-25 13:10 - 2017-09-25 13:10 - 000181496 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam32.sys
2017-09-25 13:10 - 2017-09-25 13:10 - 000000000 ____D C:\Users\Anne\AppData\Local\Zemana
2017-09-25 13:10 - 2017-09-25 13:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-09-25 13:10 - 2017-09-25 13:10 - 000000000 ____D C:\Program Files\Zemana AntiMalware
2017-09-25 12:47 - 2017-09-25 14:33 - 000002288 _____ C:\Users\Anne\Desktop\Rkill.txt
2017-09-25 11:39 - 2017-09-25 11:39 - 000002516 _____ C:\Users\Anne\Desktop\malwarebytes scan 250917.txt
2017-09-25 10:43 - 2017-09-25 10:43 - 000000685 _____ C:\Users\Anne\Desktop\chipex malwarebytes.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-10-25 11:29 - 2017-08-16 14:01 - 000000000 ____D C:\Users\Anne\AppData\Local\ClassicShell
2017-10-25 11:01 - 2017-03-18 19:23 - 000000000 ___HD C:\Program Files\WindowsApps
2017-10-25 11:01 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-10-25 10:54 - 2017-08-12 20:30 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-10-24 14:12 - 2017-08-12 20:44 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-10-24 12:45 - 2017-09-05 11:09 - 000000000 ____D C:\Users\Anne\AppData\LocalLow\Mozilla
2017-10-24 12:27 - 2017-08-12 20:36 - 000000000 ____D C:\Users\Anne
2017-10-23 12:14 - 2017-08-12 19:25 - 000000000 ___DC C:\WINDOWS\Panther
2017-10-21 10:57 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\system32\NDF
2017-10-21 09:32 - 2017-08-12 20:46 - 001021050 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-10-21 01:00 - 2017-07-23 19:07 - 000000000 ____D C:\Windows10Upgrade
2017-10-21 00:12 - 2017-03-18 19:21 - 000000000 ____D C:\WINDOWS\INF
2017-10-20 23:46 - 2017-03-18 07:02 - 001048576 _____ C:\WINDOWS\system32\config\BBI
2017-10-20 21:14 - 2017-08-12 21:29 - 000002401 _____ C:\Users\Anne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-10-20 21:14 - 2017-08-12 21:29 - 000000000 ___RD C:\Users\Anne\OneDrive
2017-10-20 15:57 - 2017-08-12 21:22 - 000000000 ____D C:\Users\Anne\AppData\Local\Packages
2017-10-20 14:43 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\ModemLogs
2017-10-20 14:04 - 2017-03-18 19:14 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-10-17 14:14 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\rescache
2017-10-16 12:34 - 2017-08-12 21:22 - 000000000 __RHD C:\Users\Public\AccountPictures
2017-10-14 17:43 - 2017-08-12 20:30 - 000382696 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-10-14 17:40 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\ShellExperiences
2017-10-14 17:40 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\Provisioning
2017-10-14 17:40 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2017-10-14 17:39 - 2017-03-18 19:23 - 000207872 _____ (Microsoft Corporation) C:\WINDOWS\system32\msclmd.dll
2017-10-14 10:43 - 2017-03-18 19:23 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2017-10-13 11:01 - 2017-08-13 00:45 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-10-13 10:56 - 2017-08-13 00:45 - 124059592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-10-13 01:21 - 2017-03-18 19:25 - 000835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2017-10-13 01:21 - 2017-03-18 19:25 - 000177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2017-10-10 16:55 - 2017-09-05 11:08 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-10-10 16:55 - 2017-09-05 11:08 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-10-10 14:49 - 2017-08-12 21:36 - 000055160 _____ () C:\WINDOWS\system32\Drivers\lpsport.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000777952 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000499560 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000297840 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000276736 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswblogx.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000255624 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsdriverx.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000157416 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidshx.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000149824 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000124952 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000099560 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000070864 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000050384 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbunivx.sys
2017-10-10 14:48 - 2017-08-12 21:36 - 000042856 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2017-10-10 14:48 - 2017-08-12 21:31 - 000000000 ____D C:\ProgramData\AVAST Software
2017-10-03 16:52 - 2017-09-05 12:36 - 000059904 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2017-10-03 16:15 - 2017-09-05 11:49 - 000001252 _____ C:\Users\Anne\Desktop\Firefox BTinternet.lnk
2017-10-02 17:33 - 2012-08-21 00:44 - 000290515 ____N C:\WINDOWS\Minidump\100217-32187-01.dmp
2017-09-30 17:29 - 2017-09-06 15:13 - 000000000 ____D C:\Users\Anne\AppData\Local\Microsoft Games
2017-09-30 03:10 - 2011-06-11 18:11 - 000395312 __RSH C:\bootmgr
2017-09-25 17:53 - 2012-08-21 00:44 - 000293139 ____N C:\WINDOWS\Minidump\092517-30750-01.dmp
2017-09-25 15:08 - 2012-08-21 00:44 - 000292883 ____N C:\WINDOWS\Minidump\092517-33906-01.dmp
2017-09-25 14:57 - 2012-08-21 00:44 - 000287763 ____N C:\WINDOWS\Minidump\092517-29906-01.dmp
2017-09-25 14:47 - 2012-08-21 00:44 - 000286739 ____N C:\WINDOWS\Minidump\092517-38671-01.dmp
2017-09-25 14:36 - 2012-08-21 00:44 - 000289491 ____N C:\WINDOWS\Minidump\092517-32062-01.dmp
2017-09-25 11:22 - 2017-09-05 12:37 - 000075712 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-09-25 11:22 - 2017-09-05 12:36 - 000040352 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
 
==================== Files in the root of some directories =======
 
2017-10-04 16:52 - 2017-10-22 13:15 - 000174491 _____ () C:\Users\Anne\AppData\Local\ars.cache
2017-10-04 16:53 - 2017-10-22 13:15 - 000702262 _____ () C:\Users\Anne\AppData\Local\census.cache
2017-10-04 16:37 - 2017-10-04 16:37 - 000000036 _____ () C:\Users\Anne\AppData\Local\housecall.guid.cache
2017-08-12 21:49 - 2017-08-12 22:36 - 000024992 _____ () C:\Users\Anne\AppData\Local\HWVendorDetection.log
2017-10-17 17:49 - 2017-10-17 17:49 - 000000010 _____ () C:\Users\Anne\AppData\Local\sponge.last.runtime.cache
2017-09-01 09:14 - 2017-09-01 09:14 - 000148736 _____ (Avanquest Software) C:\ProgramData\hpeBF34.dll
 
Files to move or delete:
====================
C:\ProgramData\hpeBF34.dll
 
 
Some files in TEMP:
====================
2017-10-04 19:21 - 2017-10-04 19:21 - 000204800 _____ (Realtek Semiconductor Corp.) C:\Users\Anne\AppData\Local\Temp\RtkBtMnt.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-10-24 10:57
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 23-10-2017 01
Ran by Anne (25-10-2017 11:36:03)
Running from C:\Users\Anne\Desktop
Microsoft Windows 10 Pro Version 1703 15063.674 (X86) (2017-08-12 20:21:28)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2535615256-755552922-3930986355-500 - Administrator - Disabled)
Anne (S-1-5-21-2535615256-755552922-3930986355-1001 - Administrator - Enabled) => C:\Users\Anne
DefaultAccount (S-1-5-21-2535615256-755552922-3930986355-503 - Limited - Disabled)
Guest (S-1-5-21-2535615256-755552922-3930986355-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2535615256-755552922-3930986355-1002 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Acer Crystal Eye Webcam (HKLM\...\{7760D94E-B1B5-40A0-9AA0-ABF942108755}) (Version: 5.2.7.1 - Suyin Optronics Corp)
Avanquest update (HKLM\...\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}) (Version: 1.34 - Avanquest Software)
Avast Free Antivirus (HKLM\...\Avast Antivirus) (Version: 17.7.2314 - AVAST Software)
Classic Shell (HKLM\...\{8A99142D-5D6E-40B6-AF88-8BD46F0C5CB4}) (Version: 4.3.1 - IvoSoft)
Google Chrome (HKLM\...\Google Chrome) (Version: 61.0.3163.100 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Intel® TV Wizard (HKLM\...\TVWiz) (Version:  - Intel Corporation)
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\OneDriveSetup.exe) (Version: 17.3.7073.1013 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Mozilla Firefox 56.0 (x86 en-GB) (HKLM\...\Mozilla Firefox 56.0 (x86 en-GB)) (Version: 56.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.0.6478 - Mozilla)
Nuvoton CIR Device Driver (HKLM\...\{2D3858B1-226A-420D-9C9D-B51864E85429}) (Version: 8.60.1000 - Nuvoton Technology Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.7 - )
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5901 - Realtek Semiconductor Corp.)
SafeZone Stable 4.58.2552.909 (HKLM\...\SafeZone 4.58.2552.909) (Version: 4.58.2552.909 - Avast Software) Hidden
Secunia PSI (3.0.0.11005) (HKLM\...\Secunia PSI) (Version: 3.0.0.11005 - Secunia)
Sony Ericsson PC Suite 6.012.00 (HKLM\...\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}) (Version: 6.012.00 - Sony Ericsson)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1248 - SUPERAntiSpyware.com)
Vodafone Mobile Broadband (HKLM\...\{6BD14859-6B50-4283-99DA-E172B2F2D1B7}) (Version: 11.2.0.52566 - Vodafone)
Vodafone Mobile Broadband Additional Drivers Package (HKLM\...\{6A202677-20C8-42A7-B50F-4CEB657CB152}) (Version: 11.1.1.52318 - Vodafone)
Windows 10 Update Assistant (HKLM\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22243 - Microsoft Corporation)
Windows 7 Games for Windows 8 and 10 (HKLM\...\MicrosoftGamesForWin8) (Version: 2.0.0.0 - )
WinMerge 2.14.0 (HKLM\...\WinMerge_is1) (Version: 2.14.0 - Thingamahoochie Software)
WinRAR 5.50 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.50.0 - win.rar GmbH)
Zemana AntiMalware (HKLM\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.74.0.150 - Zemana Ltd.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2535615256-755552922-3930986355-1001_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocServer32 -> C:\Users\Anne\AppData\Local\Microsoft\OneDrive\17.3.7073.1013\FileCoAuthLib.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2017-10-10] (AVAST Software)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2017-08-13] (IvoSoft)
ContextMenuHandlers1: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => C:\Program Files\Zemana AntiMalware\ZAMShellExt32.dll [2017-09-25] ()
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2017-10-10] (AVAST Software)
ContextMenuHandlers1: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionU.dll [2013-02-02] (hxxp://winmerge.org)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
ContextMenuHandlers2: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionU.dll [2013-02-02] (hxxp://winmerge.org)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2017-10-10] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers4: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionU.dll [2013-02-02] (hxxp://winmerge.org)
ContextMenuHandlers5: [WinMerge] -> {4E716236-AA30-4C65-B225-D68BBA81E9C2} => C:\Program Files\WinMerge\ShellExtensionU.dll [2013-02-02] (hxxp://winmerge.org)
ContextMenuHandlers6: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => C:\Program Files\Zemana AntiMalware\ZAMShellExt32.dll [2017-09-25] ()
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2017-10-10] (AVAST Software)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\WINDOWS\system32\StartMenuHelper32.dll [2017-08-13] (IvoSoft)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2017-08-11] (Alexander Roshal)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {13062A75-2F58-4D47-A33F-D77818A519CE} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {1A2F5470-7D65-4E9D-B7BB-8D774B4D178B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-08-12] (Google Inc.)
Task: {2440375D-D374-4439-A3C2-2E704BB6947A} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {2A742508-18DC-4298-B65C-B97E428BCF53} - System32\Tasks\SafeZone scheduled Autoupdate 1502570431 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2017-08-04] (Avast Software)
Task: {2ABEA7D8-3F18-4967-BC24-97056165B219} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {3D155188-D5E2-4141-89E6-F9FA03EB1370} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {46F55565-F113-45DE-BC6D-2D3DD2F620B2} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {6BBED2A2-CA3C-479A-87FF-AE68D7CF1CC3} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-08-12] (Google Inc.)
Task: {78A4795A-0A55-4C98-8D81-2504167E0BBB} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {7A30BBB1-33E7-4B4E-97B4-A603C0ED0D4F} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {829521B4-04A8-4B32-8975-4195F4C68985} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {8C99C83F-B977-4512-88EF-5DBE5BC29C46} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {9EC25354-6B88-4AF3-9173-4BC8A7A663A1} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {A8D1933E-87CB-4D13-94F1-992A68A6109B} - System32\Tasks\Games\UpdateCheck_S-1-5-21-2535615256-755552922-3930986355-1001
Task: {AE5F75A6-A82C-47C7-B363-226875469E65} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {AF629BC6-F38B-46ED-847E-94B99AACE1E5} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B866EBFD-4624-40C8-86A8-C8F06B95C424} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {BC5B4535-3C1C-4897-85B5-518246470988} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {BC8D548E-A6FC-488B-9444-64DC1A95554B} - System32\Tasks\Chess Titans => C:\Users\Anne\AppData\Local\Temp\is-GDBI7.tmp\prsetup.exe <==== ATTENTION
Task: {BD3796A2-7635-41E4-8328-DC6795C6AE6B} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {BE38F963-086B-4272-BA59-92EFCBCCFF2F} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {D2AB0A47-373B-4296-B410-2EB4A1A9A12E} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {D553DD07-DFAF-4A52-8E65-30577F6EF839} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DA0D340D-292D-4ADC-87EC-AD2EEBBBC25D} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-10-10] (AVAST Software)
Task: {EF37FEBB-6E8B-486F-821C-B497A378B0F7} - System32\Tasks\S-1-5-21-2535615256-755552922-3930986355-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-03-18] (Microsoft Corporation)
Task: {EFF81F00-ADB7-4F3F-859B-79F3758DCC86} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {F7FF844C-BF88-4B1F-B8EB-4DF87E6D7C70} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {F83ECC7B-218A-4616-9147-7B869CA3F41F} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
ShortcutWithArgument: C:\Users\Anne\Desktop\Edge BTinternet.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> microsoft-edge: hxxps://www.btopenzone.com:8443/home
ShortcutWithArgument: C:\Users\Anne\Desktop\Firefox BTinternet.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxps://www.btopenzone.com:8443/home
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-02-15 21:02 - 2016-02-15 21:02 - 000027160 _____ () C:\WINDOWS\System32\us008lm.dll
2017-10-20 21:01 - 2014-04-16 09:22 - 000025600 _____ () C:\WINDOWS\System32\usp02l.dll
2017-10-10 14:48 - 2017-10-10 14:48 - 000059040 _____ () C:\Program Files\AVAST Software\Avast\module_lifetime.dll
2017-09-25 13:10 - 2017-09-25 13:10 - 000131952 _____ () C:\Program Files\Zemana AntiMalware\ZAMShellExt32.dll
2017-03-18 19:19 - 2017-03-18 19:19 - 000116824 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 19:19 - 2017-03-18 21:23 - 001456128 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-10-20 14:05 - 2017-10-20 14:07 - 000075264 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.7.597.0_x86__kzf8qxf38zg5c\SkypeHost.exe
2017-10-20 14:05 - 2017-10-20 14:07 - 000173568 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.7.597.0_x86__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-10-20 14:05 - 2017-10-20 14:06 - 018153984 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.7.597.0_x86__kzf8qxf38zg5c\SkyWrap.dll
2017-10-20 14:05 - 2017-10-20 14:07 - 001788416 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.7.597.0_x86__kzf8qxf38zg5c\skypert.dll
2017-10-10 14:48 - 2017-10-10 14:48 - 000167096 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-08-12 21:34 - 2017-08-12 21:34 - 067109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-10-10 14:48 - 2017-10-10 14:48 - 000217088 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-10-10 14:48 - 2017-10-10 14:48 - 000244584 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2017-10-10 14:48 - 2017-10-10 14:48 - 000234280 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-10-10 14:48 - 2017-10-10 14:48 - 000700656 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-08-12 22:01 - 2008-07-29 19:29 - 000200704 _____ () C:\Windows\PLFSetI.exe
2017-09-22 10:45 - 2017-09-21 05:57 - 003011928 _____ () C:\Program Files\Google\Chrome\Application\61.0.3163.100\libglesv2.dll
2017-09-22 10:45 - 2017-09-21 05:57 - 000086872 _____ () C:\Program Files\Google\Chrome\Application\61.0.3163.100\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 03:04 - 2009-06-10 22:39 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.22.22 - 192.168.22.23
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\StartupFolder: => "Secunia PSI Tray.lnk"
HKLM\...\StartupApproved\Run: => "MobileBroadband"
HKLM\...\StartupApproved\Run: => "VmbNotifierRouter"
HKLM\...\StartupApproved\Run: => "ZAM"
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-2535615256-755552922-3930986355-1001\...\StartupApproved\Run: => "Sony Ericsson PC Suite"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{D680AABB-C333-488B-AEF7-338861E28CE4}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\4.58.2552.909\SZBrowser.exe
FirewallRules: [{26DDDD2D-CB80-4239-AF22-07AFF7FB01EA}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{632E6C17-C9A2-4CB9-B67D-641AA4907631}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{97D91448-0FF6-4471-8317-6B9DAA8DAEF1}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\4.58.2552.909_0\SZBrowser.exe
FirewallRules: [{29D3F2E8-A40B-4B48-96A6-D41D93F05A15}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{3B509D44-714B-42DA-8C0D-93E26BE80A0E}] => (Allow) C:\Users\Anne\AppData\Local\Temp\HouseCall\tmase\nmap\bonjour.exe
FirewallRules: [{38947A5D-3183-4690-A83C-0E917C516526}] => (Allow) C:\Users\Anne\AppData\Local\Temp\HouseCall\tmase\drs\DrScaner.exe
FirewallRules: [{40D38AEE-0CFF-4B6C-ACA2-DEFAE31AE3DC}] => (Allow) C:\Users\Anne\AppData\Local\Temp\HouseCall\tmase\drs\DrScaner.exe
FirewallRules: [{91C4A90B-AC06-43B1-828A-2F6197DA256A}] => (Allow) C:\Users\Anne\AppData\Local\Temp\7zS593B\HPDiagnosticCoreUI.exe
FirewallRules: [{35CD2EFC-F9B7-47AD-A6E7-C16E66365805}] => (Allow) C:\Users\Anne\AppData\Local\Temp\7zS593B\HPDiagnosticCoreUI.exe
FirewallRules: [{4B106019-93D8-486F-B2EF-730DCEE1208D}] => (Allow) C:\Users\Anne\AppData\Local\Temp\7zS669E\HPDiagnosticCoreUI.exe
FirewallRules: [{9555B850-FC38-453C-BCA9-59C4CA712833}] => (Allow) C:\Users\Anne\AppData\Local\Temp\7zS669E\HPDiagnosticCoreUI.exe
FirewallRules: [{FD8F427D-2924-4DF7-9123-AD54C4144540}] => (Allow) C:\Users\Anne\AppData\Local\Temp\7zS37EC\HPDiagnosticCoreUI.exe
FirewallRules: [{9414305C-5F9F-4DFB-85AA-F1F2150DFBF5}] => (Allow) C:\Users\Anne\AppData\Local\Temp\7zS37EC\HPDiagnosticCoreUI.exe
 
==================== Restore Points =========================
 
04-10-2017 15:49:41 JRT Pre-Junkware Removal
13-10-2017 10:54:59 Windows Update
17-10-2017 18:02:16 JRT Pre-Junkware Removal
20-10-2017 23:44:02 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: Winbond CIR Transceiver
Description: Winbond CIR Transceiver
Class Guid: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Manufacturer: Winbond Electronics Corporation
Service: winbondcir
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/25/2017 11:01:05 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Drivers\DPInst64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/24/2017 10:58:24 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: Anne-PC)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (10/24/2017 10:33:00 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Drivers\DPInst64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/24/2017 10:28:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SystemSettingsBroker.exe, version: 10.0.15063.0, time stamp: 0x708cec2a
Faulting module name: ntdll.dll, version: 10.0.15063.608, time stamp: 0x4c143763
Exception code: 0xc0000005
Fault offset: 0x00054d58
Faulting process id: 0x56c
Faulting application start time: 0x01d34c2399ba71e1
Faulting application path: C:\Windows\System32\SystemSettingsBroker.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 4c875908-0b2d-4d2f-84bb-1b6cad4c25be
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (10/23/2017 09:23:55 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: Anne-PC)
Description: Package Microsoft.Windows.Photos_2017.39081.15820.0_x86__8wekyb3d8bbwe+App was terminated because it took too long to suspend.
 
Error: (10/23/2017 03:02:45 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Avast Antivirus status to SECURITY_PRODUCT_STATE_ON.
 
Error: (10/23/2017 03:02:44 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Avast Antivirus status to SECURITY_PRODUCT_STATE_ON.
 
Error: (10/23/2017 12:39:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 10.0.15063.0, time stamp: 0x4c9dbd90
Faulting module name: ntdll.dll, version: 10.0.15063.608, time stamp: 0x4c143763
Exception code: 0xc0000409
Fault offset: 0x000a60f0
Faulting process id: 0x1a98
Faulting application start time: 0x01d34a4654178063
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 33872ee4-d349-42b0-8ebc-db6dd4d9a841
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (10/23/2017 11:04:45 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\Drivers\DPInst64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (10/23/2017 11:01:20 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Microsoft.Photos.exe version 2017.39081.15820.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 22a0
 
Start Time: 01d34b1a589fc5bf
 
Termination Time: 4294967295
 
Application Path: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39081.15820.0_x86__8wekyb3d8bbwe\Microsoft.Photos.exe
 
Report Id: d539a43e-87d9-45c9-b805-1290b2c53047
 
Faulting package full name: Microsoft.Windows.Photos_2017.39081.15820.0_x86__8wekyb3d8bbwe
 
Faulting package-relative application ID: App
 
 
System errors:
=============
Error: (10/24/2017 02:12:55 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error: 
The request is not supported.
 
Error: (10/24/2017 02:12:56 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 1:46:40 PM on 10/24/2017 was unexpected.
 
Error: (10/24/2017 12:26:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error: 
The request is not supported.
 
Error: (10/24/2017 12:26:39 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 12:08:12 PM on 10/24/2017 was unexpected.
 
Error: (10/24/2017 12:08:12 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The CldFlt service failed to start due to the following error: 
The request is not supported.
 
Error: (10/24/2017 12:08:12 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 11:40:14 AM on 10/24/2017 was unexpected.
 
Error: (10/23/2017 12:40:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Update service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/23/2017 12:40:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Push Notifications System Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/23/2017 12:40:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Insider Service service terminated unexpectedly.  It has done this 3 time(s).
 
Error: (10/23/2017 12:40:06 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Management Instrumentation service terminated unexpectedly.  It has done this 1 time(s).
 
 
CodeIntegrity:
===================================
  Date: 2017-09-15 22:24:25.719
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Store signing level requirements.
 
  Date: 2017-09-15 22:24:24.086
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Program Files\Malwarebytes\Anti-Malware\mbae.dll that did not meet the Store signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU T5550 @ 1.83GHz
Percentage of memory in use: 83%
Total physical RAM: 2038.43 MB
Available physical RAM: 343.39 MB
Total Virtual: 3382.43 MB
Available Virtual: 831.01 MB
 
==================== Drives ================================
 
Drive c: (ACER) (Fixed) (Total:111.19 GB) (Free:73.26 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:107.69 GB) (Free:78.38 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 977078E4)
Partition 1: (Not Active) - (Size=10.7 GB) - (Type=12)
Partition 2: (Active) - (Size=111.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=107.7 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=3.3 GB) - (Type=12)
 
==================== End of Addition.txt ============================

Edited by duffsparky, 25 October 2017 - 08:36 AM.
#2 nasdaq (Malware Response Team, Montreal, QC. Canada)
Posted 25 October 2017 - 09:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
CHR Extension: (Avast SafePrice) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-10-18]
CHR Extension: (IBA Opt-out (by Google)) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbiekjoijknlhijdjbaadobpkdhmoebb [2017-10-18]
CHR Extension: (Avast Online Security) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-18]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
U3 idsvc; no ImagePath
S3 NPF; system32\drivers\NPF.sys [X]
U3 wpcsvc; no ImagePath

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.
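Put together from the Addition.txt log in post #1 and the fixlist in post #2, the following is an added example; it is not part of this thread, not FRST's own code and not anything nasdaq posted. It applies a few of the checks a malware responder makes when reading an FRST log (the tool's own "<==== ATTENTION" marker, service entries with no ImagePath or with an image file missing on disk, and scheduled tasks or firewall rules that point at an executable under a Temp directory) to a constructed sample of log lines copied from the log above, then lays the hits out in the start/End form that FRST reads from fixlist.txt, which is exactly how the fixlist in post #2 is built: log lines pasted verbatim between the two keywords. The heuristics and the triage/build_fixlist names are assumptions of this example; FRST defines only the fixlist layout.

```python
"""Added example: triage FRST log lines and lay out a draft fixlist.txt.

Not part of the BleepingComputer thread and not FRST's own code. The sample
lines are constructed by copying entries from the Addition.txt shown above;
the heuristics, and the triage/build_fixlist names, are this example's own.
"""
import re
from dataclasses import dataclass

# FRST appends this marker to entries its own rules consider unusual.
ATTENTION_MARK = "<==== ATTENTION"

# Paths under a user or system Temp directory; legitimate software does not
# normally keep a scheduled task or firewall rule pointing there.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)

# FRST service/driver line: start type, name, then the image path or a note.
SERVICE_RE = re.compile(r"^[RSU]\d+ (?P<name>[^;]+); (?P<image>.*)$")

# Entry kinds that launch or allow an executable.
LAUNCH_PREFIXES = ("Task:", "FirewallRules:", "HKLM\\", "HKU\\", "Startup:")

# Constructed sample, copied from the thread's Addition.txt and fixlist.
SAMPLE_LOG = "\n".join([
    r"Task: {BC8D548E-A6FC-488B-9444-64DC1A95554B} - System32\Tasks\Chess Titans => C:\Users\Anne\AppData\Local\Temp\is-GDBI7.tmp\prsetup.exe <==== ATTENTION",
    r"Task: {DA0D340D-292D-4ADC-87EC-AD2EEBBBC25D} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-10-10] (AVAST Software)",
    r"FirewallRules: [{3B509D44-714B-42DA-8C0D-93E26BE80A0E}] => (Allow) C:\Users\Anne\AppData\Local\Temp\HouseCall\tmase\nmap\bonjour.exe",
    r"FirewallRules: [{26DDDD2D-CB80-4239-AF22-07AFF7FB01EA}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe",
    r"FirewallRules: [{91C4A90B-AC06-43B1-828A-2F6197DA256A}] => (Allow) C:\Users\Anne\AppData\Local\Temp\7zS593B\HPDiagnosticCoreUI.exe",
    r"HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION",
    r"U3 idsvc; no ImagePath",
    r"S3 NPF; system32\drivers\NPF.sys [X]",
])


@dataclass(frozen=True)
class Finding:
    line: str    # the FRST log line, verbatim, so it can be pasted into fixlist.txt
    reason: str  # why it was flagged


def triage(log_text):
    """Return the log lines worth a responder's attention, each with a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ATTENTION_MARK in line:
            findings.append(Finding(line, "FRST attention marker"))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            image = svc.group("image")
            if image == "no ImagePath":
                findings.append(Finding(line, "service entry with no ImagePath (orphan)"))
            elif image.endswith("[X]"):
                findings.append(Finding(line, "service image file missing on disk"))
            continue
        if line.startswith(LAUNCH_PREFIXES) and TEMP_DIR_RE.search(line):
            findings.append(Finding(line, "executable launched or allowed from a Temp directory"))
    return findings


def build_fixlist(findings, directives=("CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:")):
    """Lay out flagged lines in the start/End form FRST reads from fixlist.txt.

    FRST removes or restores whatever log lines are pasted between start and
    End, so only pass findings a human has already decided are unwanted.
    """
    body = ["start", ""]
    body.extend(directives)
    body.append("")
    body.extend(f.line for f in findings)
    body.extend(["", "End"])
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(f"[{hit.reason}] {hit.line}")
    print()
    print(build_fixlist(hits))
```

Two of the hits in the sample are harmless leftovers of tools the poster ran himself (the Trend Micro HouseCall scanner and an HP diagnostic unpacked under Temp), which is why the output is a list to review rather than a fixlist to run: a line belongs in fixlist.txt only once a human has decided it is unwanted, because FRST acts on whatever is pasted between start and End.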

#3 duffsparky (Topic Starter)
Posted 25 October 2017 - 09:45 AM

I've run the first script and downloaded Zoek. I am restricted to using an unsecured WiFi network (WISP) for my internet connection; therefore, should I disconnect from the internet before disabling any anti-virus/anti-malware apps and then running Zoek?

As far as I'm aware the only anti-virus or anti-malware running is Avast and anything that comes with Win 10 Pro version 1703 build 15063.674.

I've looked through the "How To Temporarily Disable Your Anti-virus" post by Quietman 7 but can't find anything regarding disabling Win 10 security, Windows SmartScreen, SmartScreen for Microsoft Edge etc. I had problems running the FRST scan because Windows SmartScreen blocked it until I found the allow button.


Edited by duffsparky, 25 October 2017 - 11:32 AM.


#4 nasdaq (Malware Response Team)
Posted 25 October 2017 - 12:25 PM

Hi,

Boot to Safe Mode and run the Zoek program from there.

#5 duffsparky (Topic Starter)
Posted 25 October 2017 - 05:11 PM

Zoek does not appear to run. I've tried in Safe Mode with and without Networking, Run as Administrator, and normally (double clicking its exe file). I've tried repeatedly, waiting several minutes each time.

Once Safe Mode has started I get an error message, which I've taken a screen shot of and attached below.

I could not print your previous instructions because the ability to print has stopped. Note: just prior to the start of the possible infection I had a lot of trouble installing the printer, an old HP PSC750, because Windows Update would not work properly. It was only after using different versions of the WindowsUpdateDiagnostic tool and installing an old Samsung ML-1610 printer, which also caused a lot of issues, that I eventually got the HP printer to install.

Update: Printing now appears to be OK.


Edited by duffsparky, 26 October 2017 - 06:06 AM.


#6 duffsparky (Topic Starter)
Posted 25 October 2017 - 05:22 PM

Here is the FRST Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 23-10-2017 01
Ran by Anne (25-10-2017 15:23:35) Run:1
Running from C:\Users\Anne\Desktop
Loaded Profiles: Anne (Available Profiles: Anne)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
CHR Extension: (Avast SafePrice) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-10-18]
CHR Extension: (IBA Opt-out (by Google)) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbiekjoijknlhijdjbaadobpkdhmoebb [2017-10-18]
CHR Extension: (Avast Online Security) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-18]
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
U3 idsvc; no ImagePath
S3 NPF; system32\drivers\NPF.sys [X]
U3 wpcsvc; no ImagePath
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
CHR Extension: (Avast SafePrice) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-10-18] => Error: No automatic fix found for this entry.
CHR Extension: (IBA Opt-out (by Google)) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbiekjoijknlhijdjbaadobpkdhmoebb [2017-10-18] => Error: No automatic fix found for this entry.
CHR Extension: (Avast Online Security) - C:\Users\Anne\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-10-18] => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => key removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key removed successfully.
HKLM\System\CurrentControlSet\Services\idsvc => key removed successfully.
idsvc => service removed successfully.
HKLM\System\CurrentControlSet\Services\NPF => key removed successfully.
NPF => service removed successfully.
HKLM\System\CurrentControlSet\Services\wpcsvc => key removed successfully.
wpcsvc => service removed successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7364608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 34763603 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 50311641 B
Edge => 519971 B
Chrome => 110760113 B
Firefox => 371796090 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
LocalService => 31330 B
NetworkService => 5496 B
Anne => 742895383 B
 
RecycleBin => 1207947041 B
EmptyTemp: => 2.4 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:27:55 ====

 

Attached File  Safe Mode error message.jpg   121.15KB   0 downloads



#7 nasdaq (Malware Response Team)
Posted 26 October 2017 - 06:38 AM

Hi.

Run this Malwarebytes Anti-Rootkit.

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Before you run the program make sure you follow the instructions under Section 5.
5. Unselect sectors and system below. Hit the scan button.

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder here after.
<<<>>>

Can you now run the Zoek program?

Any other remaining issues?


Edited.
I have just been made aware that these folders are created by the program CybereasonRansomFree.
Did you install this application?

Edited by nasdaq, 26 October 2017 - 06:57 AM.


#8 duffsparky (Topic Starter)
Posted 26 October 2017 - 07:41 AM

I haven't installed CybereasonRansomFree and a search for it from the Start button comes up with nothing.
 
After clicking the link provided I got the error page included below.
 
I downloaded the software anyway and ran it without problems. The scan finished with no malware found and no cleanup required. Log file as follows:
 
 
Malwarebytes Anti-Rootkit BETA 1.10.2.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.10.26.03
  rootkit: v2017.10.14.01
 
Windows 10 x86 NTFS
Internet Explorer 11.674.15063.0
Anne :: ANNE-PC [administrator]
 
10/26/2017 12:57:01 PM
mbar-log-2017-10-26 (12-57-01).txt
 
Scan type: 
Scan options enabled: Anti-Rootkit | Drivers | MBR
Scan options disabled: Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Objects scanned: 443
Time elapsed: 43 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
 




#9 duffsparky


Posted 26 October 2017 - 07:53 AM

Other issues:

 

Yesterday I had a lot of trouble starting this thread. I kept getting an error message, when submitting the post, detailing a Timeout error telling me to try again later. Each time I tried I got the same message. I then tried a "Test" posting but got the same error.

 

Little did I know that I was actually multi-posting, which resulted in Platypus messaging me to stop. When I explained the issue he suggested that an infection could be the cause of the error.

 

Please see: https://www.bleepingcomputer.com/forums/index.php?app=members&module=messaging&section=view&do=showConversation&topicID=177369

 

however, he has deleted most of the message exchange.


Edited by duffsparky, 26 October 2017 - 07:55 AM.


#10 nasdaq


Posted 26 October 2017 - 12:31 PM

Hi,

C:\Users\Anne\Documents\Ransomeware warning.txt

Please attach this .txt file to your next reply.
===

What problem remains?

#11 duffsparky


Posted 26 October 2017 - 01:04 PM

Ransomeware warning.txt is a file I created in Notepad using the copied entries from the browser history. Perhaps my file naming was misleading. I used this file to create the following in my original post above:

I checked the browser history following a suggestion by Demonslay335 to check for any redirecting. The following is an extract from the browser history immediately after the incident:

 

Name:       Microsoft - Official Security Alert Page

 
 
Name:       Redirecting...
 
 
Name:       ww2.digpile.com/
 
 

I have attached the file anyway.

 

Other than not being able to run Zoek I am not aware of any other issues at the moment.




#12 nasdaq


Posted 26 October 2017 - 01:43 PM

Delete the file in bold.
C:\Users\Anne\Documents\Ransomeware warning.txt

This is the contents.

http://gethelptodayx0p.cf/gb/demo/?BV_SRCID&BV_ADNAME&BV_CLICKID&BV_KEYWORD
http://webcounsultant.com/?BV_SRCID&BV_ADNAME&BV_CLICKID&BV_KEYWORD
http://secure.calch.gdn/performance/bdv_rd.dbm?enparms2=8668,1909220,2501813,8619,8648,38618,8827,0,0,8623,0,1907336,490642,93444,114551381609,171885968,nlx.13622061vx26z012z7y75615&ioa=0&ncm=1&bd_ref_v=www.bidvertiser.com&TREF=1&WIN_NAME=&Category=1000&ownid=51657b7a210a62ce16022631&u_agnt=&skter=vorktrw&skwdb=ooz_wvvu
https://asia.runtnc.net/tr?id=01f9680eb9d06b5e40753a23bb5a3683d40bfd7cbe.r&tk=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWIiOiI1MTFhMzA4YmJlNDdhMzVlZjFhM2Y2OWQiLCJ0cyI6IjEwMTcwODQ4IiwiZCI6ImRpZ3BpbGUuY29tIn0.64KS4cl3DJ6A95LB3UkYf6A4L8Rmc0DFlEXtF5Dbocg
http://ww2.digpile.com/


DO NOT GO TO THESE SITES.

===

Run this fix to reset your DNS.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.

You can also clean the History of the browsers you use.

You should be OK.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===
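An added example, not from the thread or from any of the tools named in it: it parses the browser-history extract quoted above as a redirect chain, decodes (without verifying) the tracking token carried by the runtnc.net hop to show what the ad tracker recorded about the visit, and checks the first hop against the domain the OP meant to type. It assumes the history is listed newest entry first.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# The redirect chain exactly as quoted from "Ransomeware warning.txt" above.
# Assumption: browser history lists the newest entry first, so the last line
# is the page that was actually typed (the mistyped dogpile.com).
HISTORY_EXTRACT = """\
http://gethelptodayx0p.cf/gb/demo/?BV_SRCID&BV_ADNAME&BV_CLICKID&BV_KEYWORD
http://webcounsultant.com/?BV_SRCID&BV_ADNAME&BV_CLICKID&BV_KEYWORD
http://secure.calch.gdn/performance/bdv_rd.dbm?enparms2=8668,1909220,2501813,8619,8648,38618,8827,0,0,8623,0,1907336,490642,93444,114551381609,171885968,nlx.13622061vx26z012z7y75615&ioa=0&ncm=1&bd_ref_v=www.bidvertiser.com&TREF=1&WIN_NAME=&Category=1000&ownid=51657b7a210a62ce16022631&u_agnt=&skter=vorktrw&skwdb=ooz_wvvu
https://asia.runtnc.net/tr?id=01f9680eb9d06b5e40753a23bb5a3683d40bfd7cbe.r&tk=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWIiOiI1MTFhMzA4YmJlNDdhMzVlZjFhM2Y2OWQiLCJ0cyI6IjEwMTcwODQ4IiwiZCI6ImRpZ3BpbGUuY29tIn0.64KS4cl3DJ6A95LB3UkYf6A4L8Rmc0DFlEXtF5Dbocg
http://ww2.digpile.com/
"""


def hop_hosts(extract: str) -> list:
    """Hostnames of the chain in visit order (oldest first)."""
    urls = [ln.strip() for ln in extract.splitlines() if ln.strip()]
    return [urlsplit(u).hostname for u in reversed(urls)]


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_tracking_token(url: str) -> dict:
    """Read the header and payload of a tk= JWT on a tracker URL.
    The signature is deliberately NOT verified: we hold no key and only want
    to see what the tracker recorded, so the contents are untrusted data."""
    tk = parse_qs(urlsplit(url).query).get("tk")
    if not tk:
        return {}
    parts = tk[0].split(".")
    if len(parts) != 3:
        return {}
    header, payload, _signature = parts
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}


def find_tracking_tokens(extract: str) -> dict:
    """Map each host carrying a decodable token to the token's contents."""
    found = {}
    for url in (ln.strip() for ln in extract.splitlines() if ln.strip()):
        token = decode_tracking_token(url)
        if token:
            found[urlsplit(url).hostname] = token
    return found


def one_char_substitution(candidate: str, intended: str) -> bool:
    """True when two names differ in exactly one character: the typo pattern
    of the first hop here (digpile.com against the intended dogpile.com)."""
    return (len(candidate) == len(intended)
            and sum(a != b for a, b in zip(candidate, intended)) == 1)


if __name__ == "__main__":
    print("chain:", " -> ".join(hop_hosts(HISTORY_EXTRACT)))
    for host, tok in find_tracking_tokens(HISTORY_EXTRACT).items():
        print(host, "recorded:", tok["payload"])
```

The decoded payload shows the tracker tagging the visit with the mistyped domain itself, which is the evidence that the scare page was reached through a typosquat redirect rather than anything running on the PC.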

#13 duffsparky


Posted 26 October 2017 - 03:16 PM

When I clicked on the "More Reply Options" to attach some files to this post a warning came up telling me I didn't have permission ???????. The reply to topic box was gone and I was then locked out of replying. I restarted Chrome and was able to redo the reply.

 

I've deleted the file C:\Users\Anne\Documents\Ransomeware warning.txt.

 

After running FRST/Fixlist the PC rebooted, upon restarting Chrome I got the following error message, see attachment: Windows indows Updatewarning.jpg. However, Chrome appears to be working OK.

 

I've cleared the browser history from Chrome, Firefox and Edge. Before clearing the Chrome history I looked at what was to be cleared and there was an entry under "Hosted app data": 5 apps (Cloud print, Gmail, and 3 more). As far as I am aware I haven't used Cloud Print or Gmail and I couldn't find out what the 3 more were, see attachment: Windows warning.jpg.

 

Added 10/27/2017 at 5:14PM.  When I started Chrome after FRST rebooted the PC the messages contained in the attached file: Windows Warning.jpg popped up and after a few minutes the white background changed to the normal Chrome page; Is this normal? Chrome seemed to work ok, I then clicked the "allow access" button and cancelled the Restore pages popup; Chrome continued to work OK.

 

I've remembered that I found Windows Update was switched off when trying to install the printers. Once switched back on it kept sticking, firstly at installing updates 32% and subsequently downloading updates at 16% then repeatedly at 14%. As far as I am aware Windows Update is still not working properly although it did work enough for me to eventually install the printers.

 

Below is the FRST Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 26-10-2017
Ran by Anne (26-10-2017 20:11:56) Run:2
Running from C:\Users\Anne\Desktop
Loaded Profiles: Anne (Available Profiles: Anne)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
start
 
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= IPCONFIG /release =========
 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection while it has its media disconnected.
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection* 11 while it has its media disconnected.
No operation can be performed on Local Area Connection* 14 while it has its media disconnected.
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 11:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 14:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::413f:6bbd:2cab:2a6%15
   Default Gateway . . . . . . . . . : 
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
========= IPCONFIG /renew =========
 
 
Windows IP Configuration
 
No operation can be performed on Local Area Connection while it has its media disconnected.
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection* 11 while it has its media disconnected.
No operation can be performed on Local Area Connection* 14 while it has its media disconnected.
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 11:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 14:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::413f:6bbd:2cab:2a6%15
   IPv4 Address. . . . . . . . . . . : 10.146.37.188
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 10.146.37.185
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:58:95fa:a944:5d54
   Link-local IPv6 Address . . . . . : fe80::58:95fa:a944:5d54%5
   Default Gateway . . . . . . . . . : ::
 
========= End of CMD: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset c:\resetlog.txt =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv4 reset =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh int ipv6 reset =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7364608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8476592 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 321124 B
Edge => 0 B
Chrome => 55573815 B
Firefox => 16785006 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
LocalService => 5742 B
NetworkService => 0 B
Anne => 9774039 B
 
RecycleBin => 0 B
EmptyTemp: => 93.7 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 20:13:31 ====



Edited by duffsparky, 27 October 2017 - 11:24 AM.


#14 nasdaq


Posted 28 October 2017 - 06:34 AM

Hi,
 
Sorry for this long delay in replying. I lost my internet connection all day yesterday.
 
Repair these services.
 
Boot with Safe Mode with Networking. Execute the following.
 
Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below
01 - Repair Registry Permissions
03 - Reset Service permissions
04 - Register System Files
05 - Repair WMI
10 - Remove Policies Set By Infections
16 - Repair Windows Updates
20 - Repair MSI (Windows Installer)
25 - Restore Important Windows Services
26 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.
===
 
Restart the computer normally.
 
How is the computer running now?


#15 duffsparky


Posted 28 October 2017 - 12:37 PM

No apology necessary, my internet connection regularly drops.
 
Safe Mode still starts with "This app can't open" warning, see attached screenshot: Safe Mode error message.jpg
 
I am unable to access Network Connection List from System Tray when in Safe Mode, therefore, I am unable to establish an internet connection. I had to download Windows Repair in Normal Mode then reboot into Safe Mode. Note: Network Connection List did briefly appear on screen when I first tried to access it in Safe Mode but then promptly disappeared.
 
In Safe Mode Windows Repair does not seem to run, the blue wait circle appears for a while then nothing else happens. The same occurs when Run as Administrator or Normal Run is used.
 
Windows Repair will try to start in Normal Mode, ie not Safe Mode, but is stopped by Windows Defender SmartScreen, see attached screenshot: WindowsRepair message.jpg



Edited by duffsparky, 28 October 2017 - 12:39 PM.




