
Infected? Bitdefender threat in Windows Temp folder every day


This topic is locked
14 replies to this topic

#1 SaintVitus


Posted 03 December 2017 - 05:32 PM

"threat Blocked"

item was deleted. threat name: Trojan.Generic.14547548 (or other number)

Path: C:\Windows\Temp\tmp00006 (or similar)

Hello! I've been having this issue for a week now and have tried everything I know (Malwarebytes, AdwCleaner, Emsisoft Anti-Malware, Zemana AntiMalware, Sophos Virus Removal Tool, HitmanPro, RogueKiller), but the threat keeps appearing.

Is it a false alarm from Bitdefender or something else?

Thank you in advance! :)

I'm posting the FRST64 and Addition logs:

Attached Files

  • FRST.txt (135.7 KB)
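Added note for anyone tracing a recurring detection like this one (this script is not part of the original post or of any tool named in the thread): before deciding between a false positive and a real infection, it helps to learn what keeps writing tmp* files into C:\Windows\Temp. The PowerShell script below watches that folder from an elevated session and records each new file's size, owner and SHA256 to a CSV (the output path on the Desktop is an assumption), so the hash can be checked against the vendor's verdict and the owner account narrows down whether a user program or a SYSTEM service is the writer.

```powershell
# Added example, not from the thread: log new tmp* files appearing in C:\Windows\Temp.
# Run from an elevated PowerShell session; stop with Ctrl+C.
$watchPath = 'C:\Windows\Temp'
$logFile   = Join-Path $env:USERPROFILE 'Desktop\temp-watch.csv'   # assumed output location

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $watchPath
$watcher.Filter                = 'tmp*'          # matches the tmp00006-style names in the alert
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true

# Runs for every Created event. $Event.MessageData carries the log path into this scope.
$action = {
    $path = $Event.SourceEventArgs.FullPath
    Start-Sleep -Milliseconds 200            # give the writer a moment to finish

    try {
        # The AV may delete the file before we get here; treat that as a recorded outcome,
        # not an error, since a vanished file still tells us the detection fired.
        $item  = Get-Item -LiteralPath $path -ErrorAction Stop
        $owner = (Get-Acl -LiteralPath $path).Owner
        $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
        $bytes = $item.Length
    } catch {
        $owner = 'n/a'
        $hash  = 'unreadable (already deleted or locked)'
        $bytes = -1
    }

    [pscustomobject]@{
        Time   = (Get-Date).ToString('s')
        Path   = $path
        Bytes  = $bytes
        Owner  = $owner                      # e.g. NT AUTHORITY\SYSTEM points at a service or task
        SHA256 = $hash
    } | Export-Csv -LiteralPath $Event.MessageData -Append -NoTypeInformation
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier TempWatch -Action $action -MessageData $logFile | Out-Null

Write-Host "Watching $watchPath for tmp* files; log: $logFile (Ctrl+C to stop)"
try {
    while ($true) { Wait-Event -Timeout 5 | Out-Null }   # keep the session alive for the events
} finally {
    Unregister-Event -SourceIdentifier TempWatch
    $watcher.Dispose()
}
```

If the owner column shows a SYSTEM or Administrators account, the writer is a service or scheduled task rather than an interactive program; Sysmon's FileCreate event (Event ID 11) or Windows file-system auditing then names the exact process.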




#2 nasdaq

Malware Response Team

Posted 04 December 2017 - 08:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction <==== ATTENTION
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [No File]
R2 Winstep Xtreme Service; C:\Program Files (x86)\Winstep\WsxService [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and include for my review the Addition.txt file that was created by the Farbar tool.
====

Your computer is populated with temporary folders named Tempzxpsigndxxxxxx..., such as this one:
C:\Users\ghost\AppData\Local\Tempzxpsignde4a5fc9646d7ca9

Refer to this article. You can decide how and when you want to delete them.
https://forums.adobe.com/thread/2180330

===

Please let me know what problem persists with this computer.

#3 SaintVitus

Topic Starter

Posted 04 December 2017 - 06:56 PM

Thank you, nasdaq, for your help!

I will come back tomorrow with the results; I was busy all day long today. :smash:

Edited: I already made time for the fixes. :)


Edited by SaintVitus, 04 December 2017 - 07:21 PM.


#4 SaintVitus

Topic Starter

Posted 04 December 2017 - 07:14 PM

Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-11-2017
Ran by ghost (04-12-2017 19:06:58) Run:1
Running from C:\Users\ghost\OneDrive\Desktop
Loaded Profiles: ghost (Available Profiles: ghost)
Boot Mode: Normal
==============================================

fixlist content:
*****************

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction <==== ATTENTION
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [No File]
R2 Winstep Xtreme Service; C:\Program Files (x86)\Winstep\WsxService [X]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-2911849683-2750717567-257648535-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\MozillaPlugins\wacom.com/WacomTabletPlugin => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\wacom.com/WacomTabletPlugin => key removed successfully
HKLM\System\CurrentControlSet\Services\Winstep Xtreme Service => key removed successfully
Winstep Xtreme Service => service removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 81839312 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 247848 B
Edge => 39002 B
Chrome => 0 B
Firefox => 39085755 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 3666 B
ghost => 375220583 B

RecycleBin => 0 B
EmptyTemp: => 481 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:08:10 ====



#5 SaintVitus

Topic Starter

Posted 04 December 2017 - 07:19 PM

This is the Addition.txt from the same day when I made the first FRST report:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-11-2017
Ran by ghost (03-12-2017 17:20:28)
Running from C:\Users\ghost\OneDrive\Desktop
Windows 10 Home Version 1709 16299.98 (X64) (2017-11-08 18:38:43)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2911849683-2750717567-257648535-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2911849683-2750717567-257648535-503 - Limited - Disabled)
ghost (S-1-5-21-2911849683-2750717567-257648535-1001 - Administrator - Enabled) => C:\Users\ghost
Guest (S-1-5-21-2911849683-2750717567-257648535-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-2911849683-2750717567-257648535-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AV: Bitdefender Antivirus Free Antimalware (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antivirus Free Antimalware (Enabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\.DEFAULT\...\localhost -> localhost
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\localhost -> localhost
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\1001movie.com -> 1001movie.com

There are 6091 more sites.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2017-09-29 08:46 - 2017-09-29 08:44 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2911849683-2750717567-257648535-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"
HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\StartupApproved\Run: => "AdobeBridge"
HKU\S-1-5-21-2911849683-2750717567-257648535-1001\...\StartupApproved\Run: => "SUPERAntiSpyware"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{73F8155E-9613-4915-8683-F467FF15E457}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{BBFC873D-4B6F-49CF-AE6E-633BE0C5ADAA}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{E7EF9D2D-E67F-442D-9D99-D57AD006D646}D:\downloads\emule\emule.exe] => (Allow) D:\downloads\emule\emule.exe
FirewallRules: [UDP Query User{0DE64B84-D2B1-48A8-8B74-2CD25BECB0A0}D:\downloads\emule\emule.exe] => (Allow) D:\downloads\emule\emule.exe
FirewallRules: [{CD935A85-6406-441A-8422-B79FF3FB0FE7}] => (Allow) D:\Downloads\qBit\qBittorrent\qbittorrent.exe
FirewallRules: [{C18B263F-6AF2-4C77-9BAD-63A4A93F42F9}] => (Allow) D:\Downloads\qBit\qBittorrent\qbittorrent.exe

==================== Restore Points =========================

03-12-2017 11:17:31 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/02/2017 09:49:47 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected

Error: (12/02/2017 09:49:46 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected

Error: (12/02/2017 04:13:39 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW.  hr = 0x80070006, The handle is invalid.
.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (12/02/2017 04:12:49 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {c5f00618-1839-4741-93ab-4126ad8d326f}

Error: (12/02/2017 12:45:50 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected

Error: (12/02/2017 12:45:50 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected

Error: (12/02/2017 12:17:26 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected

Error: (12/02/2017 12:17:26 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected

Error: (12/02/2017 12:17:26 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {95CABCC9-BC57-4C12-B8DF-BA193232AA01} was rejected

Error: (12/02/2017 12:16:55 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: HELLMACHINE)
Description: Package Microsoft.Windows.Photos_2017.39091.16340.0_x64__8wekyb3d8bbwe+App was terminated because it took too long to suspend.


System errors:
=============
Error: (12/03/2017 03:48:58 PM) (Source: DCOM) (EventID: 10016) (User: HELLMACHINE)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
 and APPID
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
 to the user HELLMACHINE\ghost SID (S-1-5-21-2911849683-2750717567-257648535-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.9.6.16299_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (12/03/2017 12:46:57 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (12/03/2017 12:46:57 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (12/03/2017 12:45:45 PM) (Source: Application Popup) (EventID: 56) (User: )
Description: SCSI000000

Error: (12/03/2017 12:44:46 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\Rtlihvs.dll

Error: (12/03/2017 12:44:46 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\Rtlihvs.dll

Error: (12/03/2017 12:44:39 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Emsisoft Protection Service service did not shut down properly after receiving a pre-shutdown control.

Error: (12/03/2017 12:44:22 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10003) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has stopped unexpectedly.

Module Path: C:\WINDOWS\system32\Rtlihvs.dll

Error: (12/03/2017 12:44:19 PM) (Source: DCOM) (EventID: 10010) (User: HELLMACHINE)
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.

Error: (12/03/2017 12:44:19 PM) (Source: DCOM) (EventID: 10010) (User: HELLMACHINE)
Description: The server {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} did not register with DCOM within the required timeout.


CodeIntegrity:
===================================
  Date: 2017-12-03 16:34:31.120
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-12-03 16:18:14.670
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-12-03 13:06:24.461
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-12-03 13:06:18.160
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-12-03 12:48:46.244
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-12-03 12:47:16.130
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Bitdefender Antivirus Free\agentctrl.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks32.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-03 12:46:51.427
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-03 12:44:13.679
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-12-03 12:44:09.410
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-12-03 11:38:02.564
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™ i7-4790 CPU @ 3.60GHz
Percentage of memory in use: 35%
Total physical RAM: 16323.25 MB
Available physical RAM: 10487.43 MB
Total Virtual: 17347.25 MB
Available Virtual: 10369.51 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:150 GB) (Free:93.82 GB) NTFS
Drive d: (Data) (Fixed) (Total:1693.95 GB) (Free:654.83 GB) NTFS
Drive g: (WD My Book) (Fixed) (Total:2794.49 GB) (Free:576.32 GB) NTFS
Drive k: (Seagate Expansion Drive) (Fixed) (Total:4657.4 GB) (Free:603.06 GB) NTFS
Drive n: (Seagate Expansion Drive) (Fixed) (Total:7451.91 GB) (Free:6420.49 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 1863 GB) (Disk ID: 9F2EFF5E)

Partition: GPT.

========================================================
Disk: 2 (Size: 4657.5 GB) (Disk ID: B6B0C054)

Partition: GPT.
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 3.

========================================================
Disk: 4 (Size: 7452 GB) (Disk ID: F4E752A8)

Partition: GPT.

==================== End of Addition.txt ============================



#6 nasdaq

Posted 05 December 2017 - 07:25 AM

Hi,

Your log is clean.

Any other issues with this computer?

#7 SaintVitus

Posted 05 December 2017 - 02:04 PM

Zemana, Emsisoft and Bitdefender are reporting again: :(


Emsisoft:


2017-12-05 1:48:19 PM
File Guard detected Malware "Trojan.Generic.14547548 ( B)" in "C:\WINDOWS\TEMP\tmp0000013b\tmp000053ea"

2017-12-05 1:51:57 PM
Alert message "The malicious file tmp000053ea has been saved to your computer. Trojan.Generic.14547548 ( B) found!" has been shown


Zemana:


tmp00001415
Status             : Scanned
Object             : %systemroot%\temp\tmp00007f17\tmp00001415
MD5                : D9032546F7154D629186F955AFA5C7B0
Publisher          : -
Size               : 441856
Version            : -
Detection          : Malware:Win32/Nevoros.B!Ertt
Cleaning Action    : Quarantine
Related Objects    :
                File - %systemroot%\temp\tmp00007f17\tmp00001415


and attaching a screenshot of Bitdefender:

Attached Files


Edited by SaintVitus, 05 December 2017 - 02:05 PM.


#8 nasdaq

Posted 06 December 2017 - 08:07 AM



Hi,

If your computer is running well and the only current issue is the BD notifications, you should read and proceed with this.

Temp files are normally created by programs that you run.
Some of them do not clean up these files when you close the program.

I suspect that Bitdefender is informing you of any removal it does.

You can stop these notifications.

Refer to this article.

How to Get Rid of Bitdefender’s Notifications
https://www.howtogeek.com/291574/how-to-get-rid-of-bitdefenders-notifications-and-bundled-software/

Follow the directives under this section.
Disable Most of Bitdefender’s Notifications and Advertisements

Keep me posted.

#9 SaintVitus

Posted 06 December 2017 - 08:25 AM

Thank you again nasdaq for your time and help!


"Bitdefender’s free antivirus is very minimal compared to other free antivirus tools and doesn’t show any notifications, although you may see occasional ads for Bitdefender’s paid antivirus software. But you can’t disable them"

That's the version I'm using! :) So I don't have any way to disable the settings! :smash:

I was an Avast user for the last 3 years, but I wanted to give Bitdefender a try since I reinstalled my OS.


Edited by SaintVitus, 06 December 2017 - 08:29 AM.


#10 nasdaq

Posted 06 December 2017 - 08:51 AM

Hi,

From what I read about the Free version, it cannot be disabled.

Your call whether you want to keep it or change it.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#11 SaintVitus

Posted 07 December 2017 - 09:50 AM

Hello nasdaq :)

What can I do? Is there any way to find which app is creating those folders? It's driving me crazy :smash: .

Emsisoft Anti-Malware (File Guard engine is ON) is detecting the same issue (as Bitdefender), but File Guard is making my PC slow when it detects this!

I scanned the temp folders with Zemana and got the same detection.

Attached Files
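
SaintVitus's question above, which app is creating those folders, has a direct answer on Windows: audit the folder and read the Security log. The PowerShell below is an added example, not code from the thread, and the three function names are mine. It puts a success-audit ACE for file and folder creation on C:\Windows\Temp, enables the "File System" audit subcategory with auditpol, and then groups Security event 4663 (whose ProcessName field records the process that performed the write) by process. It has to run elevated, and it changes audit policy and the folder's SACL, so the last function undoes both.

```powershell
# Added example, not part of the thread: find out which process creates the
# tmp* folders under C:\Windows\Temp. It puts a success-audit ACE on the folder,
# turns on "File System" object-access auditing, and then reads Security event
# 4663, whose ProcessName field names the process that performed the write.
# Requires an elevated PowerShell prompt. The function names are mine.

$Target = 'C:\Windows\Temp'

# Audit successful "create files" and "create folders" by anyone, inherited to
# subfolders so the nested tmp0000xxxx\tmp0000yyyy paths from the alerts show up.
$AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    ([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
     [System.Security.AccessControl.FileSystemRights]::CreateDirectories),
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

function Enable-TempAudit {
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    $acl = Get-Acl -Path $Target -Audit      # -Audit is needed to read and write the SACL
    $acl.AddAuditRule($AuditRule)
    Set-Acl -Path $Target -AclObject $acl
}

function Disable-TempAudit {
    $acl = Get-Acl -Path $Target -Audit
    $null = $acl.RemoveAuditRule($AuditRule)
    Set-Acl -Path $Target -AclObject $acl
    auditpol /set /subcategory:"File System" /success:disable | Out-Null
}

# Group the 4663 events under the folder by writing process, most active first.
function Get-TempFolderWriters {
    param([datetime]$Since = (Get-Date).AddHours(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields are only reachable by name through the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $data['ProcessName']
                Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectName']
            }
        } |
        Where-Object { $_.Object -like "$Target\*" } |
        Group-Object Process |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Process'; e = { $_.Name } },
                      @{ n = 'RunsAs';  e = { $_.Group[0].Subject } },
                      @{ n = 'Example'; e = { $_.Group[0].Object } }
}

# Usage: enable, wait for the next "threat blocked" alert, then read and clean up.
Enable-TempAudit
Read-Host 'Auditing is on. Press Enter after the next Bitdefender/Emsisoft alert'
Get-TempFolderWriters | Format-Table -AutoSize
Disable-TempAudit
```

C:\Windows\Temp is busy, so expect plenty of events from legitimate processes; the one to look at is whichever process owns the tmp0000xxxx paths the alerts name. Sysinternals Process Monitor, filtered on Path begins with C:\Windows\Temp and Operation is CreateFile, gives the same answer interactively without touching audit settings.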



#12 nasdaq

Posted 07 December 2017 - 01:48 PM


You should not be running two antivirus programs in real-time mode.

AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AV: Bitdefender Antivirus Free Antimalware (Enabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antivirus Free Antimalware (Enabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}


Disable one of them and check if the problem persists.
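
The AV:/AS: lines nasdaq quotes come from the Windows Security Center registration (WMI namespace root\SecurityCenter2), which is what FRST reports in that section of its log. The PowerShell below is an added example, not part of the thread or of FRST: it reads that registration and warns when more than one antivirus product reports real-time protection on, which is the condition this thread ends up diagnosing. The productState bit layout is undocumented, so the decoding used here (bit 0x1000 = real-time protection on, bit 0x10 = signatures out of date) is an assumption; the function names are mine, and the namespace exists only on client editions of Windows.

```powershell
# Added example, not part of the thread or of FRST: list the products registered
# with Windows Security Center (WMI namespace root\SecurityCenter2, client Windows
# only) and warn when more than one antivirus reports real-time protection on.
# The productState bit layout is undocumented; the decoding below is the commonly
# used interpretation and is an assumption: bit 0x1000 = real-time protection on,
# bit 0x10 = signatures out of date. Function names are mine.

function Get-RegisteredSecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = [int]$_.productState
                $defs  = if (($state -band 0x10) -ne 0) { 'Out of date' } else { 'Up to date' }
                [pscustomobject]@{
                    Kind        = $class -replace 'Product$', ''     # AntiVirus / AntiSpyware
                    Name        = $_.displayName
                    Guid        = $_.instanceGuid                   # the {GUID} FRST prints
                    Exe         = $_.pathToSignedProductExe
                    State       = '0x{0:X6}' -f $state
                    RealTimeOn  = ($state -band 0x1000) -ne 0       # assumption, see header
                    Definitions = $defs
                }
            }
    }
}

# True when more than one antivirus engine claims real-time protection.
function Test-MultipleRealTimeAv {
    param([object[]]$Products = (Get-RegisteredSecurityProducts))
    $active = @($Products | Where-Object { $_.Kind -eq 'AntiVirus' -and $_.RealTimeOn })
    if ($active.Count -gt 1) {
        Write-Warning ('{0} antivirus products have real-time protection on: {1}' -f
            $active.Count, ($active.Name -join ', '))
    }
    return $active.Count -gt 1
}

$products = Get-RegisteredSecurityProducts
$products | Format-Table Kind, Name, State, RealTimeOn, Definitions -AutoSize
Test-MultipleRealTimeAv -Products $products
```

The Code Integrity entry at 12:47:16 in the Addition.txt log, where Bitdefender's agentctrl.exe is stopped from loading Emsisoft's a2hooks32.dll, is what two hooking engines competing for the same processes looks like, and it fits the outcome reported in #14: once one of them was disabled, the alerts stopped.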

#13 nasdaq

Posted 13 December 2017 - 08:08 AM

Are you still with me?

#14 SaintVitus

Posted 13 December 2017 - 08:31 PM

Hello nasdaq :)

Sorry for the delay!!

I was really busy, but you were right! The conflict was created by the two apps working at the same time. I checked it for the last few days and never had any more issues! :)


a BIG Thank you!!! for your time and help. :bananas: :thumbsup:


Edited by SaintVitus, 13 December 2017 - 08:32 PM.


#15 nasdaq

Posted 14 December 2017 - 07:30 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



