
infected by adware / redirect virus


  • This topic is locked
9 replies to this topic

#1 natich1

natich1

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:28 AM

Posted 17 December 2017 - 05:57 AM

Hello,

My computer has been infected by a virus that opens new tabs and injects iframe ads.

I have managed to block the browser (Chrome) from entering those sites by using blocking software (Malwarebytes), but I can't seem to remove it! All antivirus and malware-protection software can't find it; I have no suspicious installed programs, nothing...

The sites that are being blocked are, for example: popcash.com, adubqazar.ru, syndication.exdynsrc.com, etc.

Attaching here the log from HijackThis:


Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 12:25:30, on 17/12/2017
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.15063.0608)
 
 
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe
C:\Users\User\Downloads\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ZaAntiRansomware] "C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe"
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: ה&ערות מקושרות של OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: ה&ערות מקושרות של OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Check Point Endpoint EFR (CPEFR) - Check Point Software Technologies Ltd. - C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRService.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\System32\DriverStore\FileRepository\ki124538.inf_amd64_38801626506e1429\IntelCpHeciSvc.exe
O23 - Service: Intel® Content Protection HDCP Service (cplspcon) - Intel Corporation - C:\Windows\System32\DriverStore\FileRepository\ki124538.inf_amd64_38801626506e1429\IntelCpHDCPSvc.exe
O23 - Service: Check Point Sandblast Agent Cipolla (CpSbaCipolla) - Unknown owner - C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\SBACipollaSrvHost.exe
O23 - Service: Check Point Sandblast Agent Updater (CpSbaUpdater) - Unknown owner - C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\SBACipollaSrvHost.exe
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @oem6.inf,%ServiceDisplayName%;ESIF Upper Framework Service (esifsvc) - Unknown owner - C:\Windows\system32\Intel\DPTF\esif_uf.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FortiClient Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @oem25.inf,%SERVICE_NAME%;Intel Bluetooth Service (ibtsiva) - Unknown owner - C:\Windows\system32\ibtsiva (file missing)
O23 - Service: Intel® HD Graphics Control Panel Service (igfxCUIService2.0.0.0) - Intel Corporation - C:\Windows\System32\DriverStore\FileRepository\ki124538.inf_amd64_38801626506e1429\igfxCUIService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Malwarebytes Service (MBAMService) - Malwarebytes - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Check Point Endpoint Remediation (RemediationService) - Check Point Software Technologies Ltd. - C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\RemediationService.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\SecurityHealthAgent.dll,-1002 (SecurityHealthService) - Unknown owner - C:\Windows\system32\SecurityHealthService.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe,-1001 (Sense) - Unknown owner - C:\Program Files (x86)\Windows Defender Advanced Threat Protection\MsSense.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\Windows\System32\SensorDataService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spectrum.exe,-101 (spectrum) - Unknown owner - C:\Windows\system32\spectrum.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: SynTPEnh Caller Service (SynTPEnhService) - Synaptics Incorporated - C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\Windows\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Synaptics WBF Policy Service (valWBFPolicyService) - Unknown owner - C:\Windows\system32\valWBFPolicyService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: Waves Audio Services (WavesSysSvc) - Waves Audio Ltd. - C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: ZAAR Update Service (ZAARUpdateService) - Unknown owner - C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAARUpdateService.exe
 
--
End of file - 11890 bytes
 



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,548 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:28 AM

Posted 17 December 2017 - 08:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

HijackThis is no longer supported and is not ready for your operating system.
I suggest you remove it via the Control Panel > Programs > Programs and Features.
Use the Farbar Recovery Scan Tool from now on to report problems.
<<<>>>

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click "Attach this file".
Click the "Add reply" button.
===


Please post the logs for my review.

Wait for further instructions.
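The FRST.txt that nasdaq asks for is a plain-text report: one banner per section ("==== Services (Whitelisted) ===="), one entry per line, and the signer of each binary in parentheses at the end of the line, with "()" when FRST found no signer, "[File not signed]" when the file carries no signature, and "[X]" when a registry entry points at a file that is no longer there. The script below is an added example of how a responder can triage such a report before reading it line by line; it is not part of this thread and not FRST's own code. It assumes only the FRST line format visible in the logs in this thread. SAMPLE_LOG, its vendor names, paths and the extension ID abcdefghijklmnopabcdefghijklmnop are constructed for the demo; the Google Docs extension ID serves as the one entry in a stand-in allowlist.

```python
"""Triage of a Farbar Recovery Scan Tool (FRST.txt) report.

Added example: this is not code from the thread above and not part of FRST.
It reads the plain-text report FRST produces, tracks which section each
line belongs to, and flags the entries a responder reads first. The
SAMPLE_LOG below is constructed in FRST's line format; vendor names,
paths and the 'abcdefgh...' extension ID are made up for the demo.
"""
import re
from dataclasses import dataclass

# Section banners look like "==================== Services (Whitelisted) ===="
SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")
# Chrome extension lines carry the 32-character extension ID (letters a-p)
CHR_EXT_RE = re.compile(
    r"^CHR Extension: \((?P<name>.*?)\) - .*\\Extensions\\(?P<id>[a-p]{32})"
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_sections(text):
    """Yield (section, line) for every non-empty line, skipping FRST's
    '(If an entry is included in the fixlist ...)' explanatory notes."""
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(If "):
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        yield section, line


def triage(text, allowed_extensions=frozenset()):
    """Return the entries worth a closer look, in report order.

    FRST already whitelists known-good Microsoft entries, so what is left is
    third-party code; the checks below pick out the subset with the weakest
    provenance rather than decide that anything is malicious.
    """
    findings = []
    for section, line in parse_sections(text):
        if "[File not signed]" in line or "[not signed]" in line:
            findings.append(Finding(section, "unsigned file", line))
        elif line.startswith("()") or line.endswith("()"):
            # FRST prints the signer in parentheses; "()" means it found none
            findings.append(Finding(section, "no publisher name", line))
        elif line.endswith("[X]"):
            # the registry entry points at a file that no longer exists
            findings.append(Finding(section, "target missing", line))
        ext = CHR_EXT_RE.match(line)
        if ext and ext.group("id") not in allowed_extensions:
            findings.append(Finding(section, "extension not in allowlist", line))
    return findings


def summary(findings):
    """Count findings per reason, e.g. {'target missing': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample in FRST's format (not a real machine's report).
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-12-2017
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Example Vendor Ltd.) C:\Program Files\ExampleVendor\ExampleService.exe
() C:\Program Files (x86)\ExampleEndpoint\Helper\HelperSrvHost.exe

==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [ExampleTray] => C:\Program Files\ExampleVendor\Tray.exe [12345 2017-11-01] (Example Vendor Ltd.)
HKLM-x32\...\Run: [] => [X]

==================== Internet (Whitelisted) ====================

Chrome:
=======
CHR Extension: (Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-18]
CHR Extension: (Free Coupons) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop [2017-12-13]

==================== Services (Whitelisted) ====================

R2 ExampleSvc; C:\Program Files\ExampleVendor\ExampleService.exe [2368248 2017-11-21] (Example Vendor Ltd.)
S3 OldBoard; C:\Program Files (x86)\Common Files\OldVendor\OldBoard.exe [517096 2010-02-19] (Old Vendor Inc.) [File not signed]
R2 ghostsvc; %SystemRoot%\system32\ghostsvc [X]

===================== Drivers (Whitelisted) ======================

R1 ExampleFlt; C:\Windows\System32\DRIVERS\ExampleFlt.sys [56080 2017-11-02] (Example Vendor Ltd.)
R1 mystery64; C:\Windows\system32\drivers\mystery64.sys [77432 2017-11-29] ()
"""

# IDs of the extensions the machine's owner recognises (here: Google Docs).
KNOWN_EXTENSIONS = frozenset({"aohghmighlieiainnegkcijnfilokake"})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_EXTENSIONS):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

To run it against a real report, pass the file contents instead of SAMPLE_LOG, e.g. triage(open("FRST.txt", encoding="utf-8", errors="replace").read(), KNOWN_EXTENSIONS), with the allowlist filled from the extension IDs the owner actually installed. An empty signer is a prompt to verify the file's Authenticode signature yourself, not a verdict: the log in this thread shows "()" for several Check Point components that are part of a legitimate endpoint product.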

#3 natich1

natich1
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 17 December 2017 - 04:14 PM

Hi Nasdaq and thank you for your help!

I have downloaded FRST; attached here are the logs and the Addition.txt file.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-12-2017
Ran by User (administrator) on DESKTOP-2PMI1UD (17-12-2017 23:10:37)
Running from C:\Users\User\Downloads
Loaded Profiles: User (Available Profiles: User)
Platform: Windows 10 Pro Version 1703 15063.786 (X64) Language: Hebrew (Israel)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki124538.inf_amd64_38801626506e1429\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FCDBLog.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\fcappdb.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(FortiClient System Helper) C:\Program Files (x86)\Fortinet\FortiClient\FCHelper64.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki124538.inf_amd64_38801626506e1429\IntelCpHDCPSvc.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki124538.inf_amd64_38801626506e1429\igfxEM.exe
(Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Synaptics Incorporated) C:\Windows\System32\valWBFPolicyService.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FortiTray.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FortiESNAC.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FortiSSLVPNdaemon.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\fortiae.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\ki124538.inf_amd64_38801626506e1429\IntelCpHeciSvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\fmon.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\av_task.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\av_task.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\SBACipollaSrvHost.exe
(Check Point Software Technologies Ltd.) C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRService.exe
(Check Point Software Technologies Ltd.) C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\RemediationService.exe
() C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAARUpdateService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Check Point Software Technologies Ltd.) C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Fortinet Inc.) C:\Program Files (x86)\Fortinet\FortiClient\FortiProxy.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.15063.724_none_9e8a868b2d8a538d\TiWorker.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Farbar) C:\Users\User\Downloads\FRST64 (1).exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [9072128 2016-11-17] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [940976 2016-11-19] (Waves Audio Ltd.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2011-09-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [2904984 2011-09-05] (Adobe Systems Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM-x32\...\Run: [ZaAntiRansomware] => C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe [4447544 2017-12-05] (Check Point Software Technologies Ltd.)
HKU\S-1-5-21-3551900373-3674177650-280572333-1001\...\MountPoints2: {1c0cfce8-7dda-11e7-83dd-7c67a2c93631} - "D:\HiSuiteDownLoader.exe" 
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2017-11-08]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{0166bbb7-ea97-40e0-80f8-ffd3cbb3f7c2}: [DhcpNameServer] 10.0.0.138
Tcpip\..\Interfaces\{6fb30e58-0b63-4eea-b29e-d253f6951d95}: [DhcpNameServer] 10.0.0.138
 
Internet Explorer:
==================
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2011-09-05] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-25] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-12-14] (Oracle Corporation)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2011-09-05] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-12-14] (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2011-09-05] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2011-09-05] (Adobe Systems Incorporated)
 
FireFox:
========
FF DefaultProfile: v2wsaxxn.default
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\v2wsaxxn.default [2017-12-17]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2017-08-05] [Legacy] [not signed]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-12-14] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-12-14] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-17] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2011-09-05] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default [2017-12-17]
CHR Extension: (Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-18]
CHR Extension: (Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-18]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-31]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-31]
CHR Extension: (Session Buddy) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\edacconmaakjimmfgnblocblbcdcpbko [2017-08-05]
CHR Extension: (Adobe Acrobat) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-09-18]
CHR Extension: (Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-18]
CHR Extension: (Kompyte - Time Machine) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffdnamoeimmbmcnfnmglihdlakddfigi [2017-09-11]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-31]
CHR Extension: (AdBlock) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-12-17]
CHR Extension: (Google Keep - notes and lists) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmjkmjkepdijhoojdojkdfohbdgmmhki [2017-12-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-28]
CHR Extension: (DIY Cement Candle) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooialhjmccmllnifoiblbjgcnbgdejpm [2017-12-13]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-31]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-12]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 CPEFR; C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRService.exe [2368248 2017-11-21] (Check Point Software Technologies Ltd.)
R2 CpSbaCipolla; C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\SBACipollaSrvHost.exe [35064 2017-10-17] ()
R2 CpSbaUpdater; C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\SBACipollaSrvHost.exe [35064 2017-10-17] ()
R2 esifsvc; C:\Windows\system32\Intel\DPTF\esif_uf.exe [2210424 2016-12-27] (Intel Corporation)
R2 FA_Scheduler; C:\Program Files (x86)\Fortinet\FortiClient\scheduler.exe [128320 2017-11-10] (Fortinet Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 RemediationService; C:\Program Files (x86)\CheckPoint\Endpoint Security\Remediation\RemediationService.exe [17656 2017-06-13] (Check Point Software Technologies Ltd.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [321024 2016-11-17] (Realtek Semiconductor)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3913064 2017-03-20] (Microsoft Corporation)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [252504 2016-09-19] (Synaptics Incorporated)
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [67584 2015-07-16] (Synaptics Incorporated) [File not signed]
R2 WavesSysSvc; C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe [410032 2016-11-19] (Waves Audio Ltd.)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe [356176 2017-12-10] (Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe [105792 2017-12-10] (Microsoft Corporation)
R2 ZAARUpdateService; C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAARUpdateService.exe [55096 2017-12-05] ()
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 cpbak; C:\Windows\System32\DRIVERS\cpbak.sys [59632 2017-06-12] (Check Point Software Technologies Ltd.)
R1 CPEPMon; C:\Windows\System32\DRIVERS\CPEPMon.sys [56080 2017-11-02] (Check Point Software Technologies Ltd.)
R1 cposfw; C:\Windows\System32\DRIVERS\cposfw.sys [115256 2017-12-04] (Check Point Software Technologies Ltd.)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [22864 2016-10-27] (OSR Open Systems Resources, Inc.)
R3 dptf_acpi; C:\Windows\System32\drivers\dptf_acpi.sys [72576 2016-12-27] (Intel Corporation)
R3 dptf_cpu; C:\Windows\System32\drivers\dptf_cpu.sys [67968 2016-12-27] (Intel Corporation)
R1 epnetflt; C:\Windows\system32\drivers\epnetflt.sys [115440 2017-06-05] (Check Point Software Technologies)
R1 epregflt; C:\Windows\system32\drivers\epregflt.sys [101656 2017-02-01] (Check Point Software Technologies)
R3 esif_lf; C:\Windows\system32\DRIVERS\esif_lf.sys [355200 2016-12-27] (Intel Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
R3 fortiapd; C:\Windows\System32\drivers\fortiapd.sys [18000 2017-11-10] (Fortinet Inc)
R1 FortiAptFilter; C:\Windows\System32\drivers\FortiAptFilter.sys [56912 2017-11-10] (Fortinet Inc)
R1 FortiFilter; C:\Windows\system32\DRIVERS\FortiFilter.sys [45792 2017-11-10] (Fortinet Inc)
S1 FortiFW; C:\Windows\System32\drivers\FortiFW2.sys [37456 2017-11-10] (Fortinet Inc)
R0 fortiloader; C:\Windows\System32\drivers\fortiloader.sys [12368 2017-11-10] (Fortinet Inc)
R1 fortimon3; C:\Windows\System32\drivers\fortimon3.sys [56912 2017-11-10] (Fortinet Inc)
S3 Fortips; C:\Windows\System32\drivers\fortips.sys [147536 2017-11-10] (Fortinet Inc)
R1 FortiShield; C:\Windows\System32\drivers\FortiShield.sys [72272 2017-11-10] (Fortinet Inc)
S3 fortisniff; C:\Windows\System32\drivers\fortisniff2.sys [111184 2017-11-10] (Fortinet Inc)
R3 ftsvnic; C:\Windows\System32\drivers\ftsvnic.sys [66600 2017-11-10] (Fortinet Inc.)
R3 ft_vnic; C:\Windows\System32\drivers\ftvnic.sys [71928 2017-11-10] (Fortinet Inc)
R3 iaLPSS2_GPIO2; C:\Windows\System32\drivers\iaLPSS2_GPIO2.sys [89912 2016-08-29] (Intel Corporation)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [347912 2016-08-03] (Intel Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2017-12-14] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\DRIVERS\farflt.sys [110016 2017-12-14] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [46008 2017-12-14] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2017-12-14] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [94144 2017-12-17] (Malwarebytes)
S3 mdareDriver_62; C:\Users\User\AppData\Local\Temp\FCPreScan\mdare64_62.sys [105344 2017-12-13] (Fortinet Inc.) <==== ATTENTION
R3 mdareDriver_63; C:\Program Files (x86)\Fortinet\FortiClient\mdare64_63.sys [106064 2017-12-14] (Fortinet Inc.)
R3 Netwtw04; C:\Windows\System32\drivers\Netwtw04.sys [7254792 2016-12-03] (Intel Corporation)
R3 pppop; C:\Windows\System32\drivers\pppop64.sys [54344 2017-11-10] (Fortinet Inc.)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [604160 2017-03-18] (Realtek )
R3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [436224 2016-12-15] (Realsil Semiconductor Corporation)
S3 SDFRd; C:\Windows\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
R3 ST_ACCEL; C:\Windows\system32\DRIVERS\ST_Accel.sys [154280 2016-10-13] (STMicroelectronics)
S3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [57432 2016-09-19] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\wd\WdBoot.sys [46072 2017-12-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\wd\WdFilter.sys [288848 2017-12-10] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [129616 2017-12-10] (Microsoft Corporation)
S3 BtFilter; \SystemRoot\system32\DRIVERS\btfilter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-17 23:10 - 2017-12-17 23:11 - 000021949 _____ C:\Users\User\Downloads\FRST.txt
2017-12-17 23:10 - 2017-12-17 23:10 - 000000000 ____D C:\FRST
2017-12-17 23:09 - 2017-12-17 23:10 - 002392064 _____ (Farbar) C:\Users\User\Downloads\FRST64 (1).exe
2017-12-17 13:03 - 2017-12-17 13:03 - 002392576 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2017-12-17 12:18 - 2017-12-17 12:18 - 000388608 _____ (Trend Micro Inc.) C:\Users\User\Downloads\HijackThis.exe
2017-12-17 12:13 - 2017-12-17 12:13 - 001006564 _____ C:\Users\User\Documents\kohzuwueb.txt
2017-12-17 12:13 - 2017-12-17 12:13 - 000121221 _____ C:\Users\Public\Documents\ucyshauw.txt
2017-12-17 12:13 - 2017-12-17 12:13 - 000000000 ____D C:\Users\User\Documents\00Fin
2017-12-17 12:13 - 2017-12-17 12:13 - 000000000 ____D C:\Users\Public\Documents\00Fin
2017-12-17 12:12 - 2017-12-17 12:12 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ZoneAlarm Anti-Ransomware
2017-12-17 12:11 - 2017-12-17 12:13 - 000000378 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-12-17 12:11 - 2017-12-17 12:11 - 000000000 ___HD C:\SandBlastBackup
2017-12-17 12:11 - 2017-11-02 13:18 - 000056080 _____ (Check Point Software Technologies Ltd.) C:\Windows\system32\Drivers\CPEPMon.sys
2017-12-17 12:11 - 2017-06-12 18:13 - 000059632 _____ (Check Point Software Technologies Ltd.) C:\Windows\system32\Drivers\cpbak.sys
2017-12-17 12:09 - 2017-12-17 12:11 - 000000000 ____D C:\ProgramData\CheckPoint
2017-12-17 12:09 - 2017-12-17 12:09 - 008083816 _____ (Check Point Software Technologies, Ltd.) C:\Users\User\Downloads\ZaarSetupWeb_1_001_0159_000.exe
2017-12-17 12:09 - 2017-12-17 12:09 - 000000000 ____D C:\Program Files (x86)\CheckPoint
2017-12-17 11:35 - 2017-12-17 11:35 - 000000000 _____ C:\Users\User\Downloads\5eeec089-b92e-4d40-a0b2-dc4cfd43fb11.gz
2017-12-14 12:09 - 2017-12-14 12:12 - 083316440 _____ (Malwarebytes ) C:\Users\User\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374 (2).exe
2017-12-14 11:58 - 2017-12-17 12:02 - 000000000 ____D C:\AdwCleaner
2017-12-14 11:58 - 2017-12-14 11:58 - 008187336 _____ (Malwarebytes) C:\Users\User\Downloads\adwcleaner_7.0.5.0.exe
2017-12-14 11:24 - 2017-12-14 11:29 - 083316440 _____ (Malwarebytes ) C:\Users\User\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374 (1).exe
2017-12-14 11:21 - 2017-12-17 23:07 - 000094144 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-12-14 11:21 - 2017-12-14 12:08 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2017-12-14 11:21 - 2017-12-14 12:08 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-12-14 11:21 - 2017-12-14 12:08 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-12-14 11:21 - 2017-12-14 11:21 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2017-12-14 11:21 - 2017-12-14 11:21 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-14 11:21 - 2017-12-14 11:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-14 11:20 - 2017-12-14 11:20 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-12-14 11:20 - 2017-12-14 11:20 - 000000000 ____D C:\Program Files\Malwarebytes
2017-12-14 11:20 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-12-14 11:18 - 2017-12-14 11:19 - 083316440 _____ (Malwarebytes ) C:\Users\User\Downloads\mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374.exe
2017-12-14 10:57 - 2017-12-17 23:08 - 000004018 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{28D7B265-9215-4001-B375-CF858C856617}
2017-12-14 10:51 - 2017-12-14 10:56 - 512783022 _____ C:\Users\User\Downloads\AIRSDK_Compiler (1).zip
2017-12-14 10:50 - 2017-12-14 10:55 - 512783022 _____ C:\Users\User\Downloads\AIRSDK_Compiler.zip
2017-12-14 10:46 - 2017-12-14 10:46 - 000000000 ____D C:\Users\Default\AppData\Roaming\Sun
2017-12-14 10:46 - 2017-12-14 10:46 - 000000000 ____D C:\Users\Default User\AppData\Roaming\Sun
2017-12-13 17:37 - 2017-12-13 17:37 - 000002111 _____ C:\Users\Public\Desktop\FortiClient.lnk
2017-12-13 17:37 - 2017-12-13 17:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FortiClient
2017-12-13 17:37 - 2017-12-13 17:37 - 000000000 ____D C:\Program Files\Common Files\Fortinet
2017-12-13 17:37 - 2017-12-13 17:37 - 000000000 ____D C:\Program Files (x86)\Fortinet
2017-12-13 17:26 - 2017-12-13 17:26 - 000492840 _____ (Fortinet Inc.) C:\Users\User\Downloads\FortiClientOnlineInstaller.exe
2017-12-13 01:13 - 2017-12-13 01:13 - 000000000 ____D C:\Windows\system32\Drivers\wd
2017-12-13 01:12 - 2017-12-13 01:12 - 000000000 ___SD C:\Windows\UpdateAssistantV2
2017-12-12 22:36 - 2017-11-30 05:33 - 000038808 _____ (Microsoft Corporation) C:\Windows\system32\OOBEUpdater.exe
2017-12-12 22:36 - 2017-11-30 05:00 - 002166808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-12-12 22:36 - 2017-11-30 04:58 - 006763128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Media.Protection.PlayReady.dll
2017-12-12 22:36 - 2017-11-30 04:58 - 000702032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2017-12-12 22:36 - 2017-11-30 04:57 - 001123968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfnetcore.dll
2017-12-12 22:36 - 2017-11-30 04:45 - 000119808 _____ (Microsoft Corporation) C:\Windows\system32\UserDataTimeUtil.dll
2017-12-12 22:36 - 2017-11-30 04:44 - 023679488 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-12-12 22:36 - 2017-11-30 04:44 - 019334144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-12-12 22:36 - 2017-11-30 04:44 - 000110592 _____ (Microsoft Corporation) C:\Windows\system32\Chakradiag.dll
2017-12-12 22:36 - 2017-11-30 04:43 - 020511232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2017-12-12 22:36 - 2017-11-30 04:43 - 000095232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UserDataTimeUtil.dll
2017-12-12 22:36 - 2017-11-30 04:43 - 000002560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2017-12-12 22:36 - 2017-11-30 04:42 - 000148992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itss.dll
2017-12-12 22:36 - 2017-11-30 04:42 - 000100864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscript.ocx
2017-12-12 22:36 - 2017-11-30 04:42 - 000080896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakradiag.dll
2017-12-12 22:36 - 2017-11-30 04:41 - 000146944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2017-12-12 22:36 - 2017-11-30 04:40 - 000585216 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-12-12 22:36 - 2017-11-30 04:40 - 000528384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iprtrmgr.dll
2017-12-12 22:36 - 2017-11-30 04:40 - 000206336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrobj.dll
2017-12-12 22:36 - 2017-11-30 04:40 - 000143360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2017-12-12 22:36 - 2017-11-30 04:38 - 008195584 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2017-12-12 22:36 - 2017-11-30 04:38 - 001248768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AzureSettingSyncProvider.dll
2017-12-12 22:36 - 2017-11-30 04:38 - 000636416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WpcWebFilter.dll
2017-12-12 22:36 - 2017-11-30 04:38 - 000497152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-12-12 22:36 - 2017-11-30 04:37 - 006252544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2017-12-12 22:36 - 2017-11-30 04:37 - 002859520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-12-12 22:36 - 2017-11-30 04:36 - 004726784 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-12-12 22:36 - 2017-11-30 04:36 - 003652096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-12-12 22:36 - 2017-11-30 04:36 - 001019904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aadtb.dll
2017-12-12 22:36 - 2017-11-30 04:36 - 000755200 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-12-12 22:36 - 2017-11-30 04:36 - 000658432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-12-12 22:36 - 2017-11-30 04:35 - 001627136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-12-12 22:36 - 2017-11-30 04:34 - 004559360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dbgeng.dll
2017-12-12 22:36 - 2017-11-17 11:31 - 000223640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aepic.dll
2017-12-12 22:36 - 2017-11-17 11:00 - 002953216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\win32kfull.sys
2017-12-12 22:35 - 2017-11-30 05:33 - 001144728 _____ (Microsoft Corporation) C:\Windows\system32\hvix64.exe
2017-12-12 22:35 - 2017-11-30 05:33 - 001015704 _____ (Microsoft Corporation) C:\Windows\system32\hvax64.exe
2017-12-12 22:35 - 2017-11-30 05:29 - 008319384 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-12-12 22:35 - 2017-11-30 05:26 - 002647216 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-12-12 22:35 - 2017-11-30 05:24 - 000870896 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2017-12-12 22:35 - 2017-11-30 05:23 - 007910960 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Media.Protection.PlayReady.dll
2017-12-12 22:35 - 2017-11-30 05:23 - 001194248 _____ (Microsoft Corporation) C:\Windows\system32\mfnetcore.dll
2017-12-12 22:35 - 2017-11-30 04:59 - 023678464 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2017-12-12 22:35 - 2017-11-30 04:45 - 000002560 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2017-12-12 22:35 - 2017-11-30 04:44 - 000171008 _____ (Microsoft Corporation) C:\Windows\system32\itss.dll
2017-12-12 22:35 - 2017-11-30 04:44 - 000042496 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vwifimp.sys
2017-12-12 22:35 - 2017-11-30 04:43 - 000164352 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2017-12-12 22:35 - 2017-11-30 04:42 - 001878016 _____ (Microsoft Corporation) C:\Windows\system32\AzureSettingSyncProvider.dll
2017-12-12 22:35 - 2017-11-30 04:42 - 000560640 _____ (Microsoft Corporation) C:\Windows\system32\iprtrmgr.dll
2017-12-12 22:35 - 2017-11-30 04:42 - 000304640 _____ (Microsoft Corporation) C:\Windows\system32\dusmsvc.dll
2017-12-12 22:35 - 2017-11-30 04:42 - 000164352 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2017-12-12 22:35 - 2017-11-30 04:41 - 000527360 _____ (Microsoft Corporation) C:\Windows\system32\aadcloudap.dll
2017-12-12 22:35 - 2017-11-30 04:41 - 000414720 _____ (Microsoft Corporation) C:\Windows\system32\provhandlers.dll
2017-12-12 22:35 - 2017-11-30 04:41 - 000225792 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-12-12 22:35 - 2017-11-30 04:41 - 000222208 _____ (Microsoft Corporation) C:\Windows\system32\scrobj.dll
2017-12-12 22:35 - 2017-11-30 04:40 - 012803072 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-12-12 22:35 - 2017-11-30 04:39 - 011888640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-12-12 22:35 - 2017-11-30 04:39 - 003206656 _____ (Microsoft Corporation) C:\Windows\system32\Microsoft.Bluetooth.Profiles.Gatt.dll
2017-12-12 22:35 - 2017-11-30 04:39 - 002809344 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2017-12-12 22:35 - 2017-11-30 04:39 - 000925696 _____ (Microsoft Corporation) C:\Windows\system32\WpcWebFilter.dll
2017-12-12 22:35 - 2017-11-30 04:38 - 000684544 _____ (Microsoft Corporation) C:\Windows\system32\usocore.dll
2017-12-12 22:35 - 2017-11-30 04:37 - 003306496 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-12-12 22:35 - 2017-11-30 04:37 - 001293824 _____ (Microsoft Corporation) C:\Windows\system32\aadtb.dll
2017-12-12 22:35 - 2017-11-30 04:36 - 005557760 _____ (Microsoft Corporation) C:\Windows\system32\dbgeng.dll
2017-12-12 22:35 - 2017-11-30 04:36 - 001802240 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-12-12 22:35 - 2017-11-30 04:36 - 001398784 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 002032536 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2017-12-12 22:35 - 2017-11-17 11:46 - 001578904 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000821656 _____ (Microsoft Corporation) C:\Windows\system32\hvloader.exe
2017-12-12 22:35 - 2017-11-17 11:46 - 000678808 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000613784 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000612248 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000484248 _____ (Microsoft Corporation) C:\Windows\system32\dcntel.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000379288 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000259992 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000190360 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000136088 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2017-12-12 22:35 - 2017-11-17 11:46 - 000067992 _____ (Microsoft Corporation) C:\Windows\system32\win32appinventorycsp.dll
2017-12-12 22:35 - 2017-11-17 11:46 - 000034712 _____ (Microsoft Corporation) C:\Windows\system32\DeviceCensus.exe
2017-12-12 22:35 - 2017-11-17 11:41 - 000503704 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2017-12-12 22:35 - 2017-11-17 11:39 - 005477088 _____ (Microsoft Corporation) C:\Windows\system32\OneCoreUAPCommonProxyStub.dll
2017-12-12 22:35 - 2017-11-17 11:39 - 000643200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2017-12-12 22:35 - 2017-11-17 11:37 - 021353200 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2017-12-12 22:35 - 2017-11-17 11:03 - 003668992 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2017-12-12 22:35 - 2017-11-17 10:59 - 000064512 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2017-12-12 22:35 - 2017-11-17 10:56 - 000757248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdiWiFi.sys
2017-12-11 23:38 - 2017-12-11 23:38 - 000008659 _____ C:\Users\User\Downloads\מחירי דירות- מחיר למשתכן.xlsx
2017-12-10 11:57 - 2017-12-10 11:57 - 000934949 _____ C:\Users\User\Downloads\CertificateOfCompletion_DiscoveringYourStrengths.pdf
2017-12-05 13:21 - 2017-12-05 13:21 - 000029751 _____ C:\Users\User\Downloads\פירוט פיקדון - חיסכ 05-12-2017.xls
2017-12-05 11:07 - 2017-12-05 11:07 - 000003075 _____ C:\Users\User\Downloads\image010.emz
2017-12-05 10:42 - 2017-12-05 10:42 - 000178580 _____ C:\Users\User\Downloads\Pheonix letter to Check Point employees.pdf
2017-12-05 10:39 - 2017-12-05 10:39 - 000003115 _____ C:\Users\User\Downloads\image008.emz
2017-12-05 10:20 - 2017-12-05 10:20 - 000000000 ___HD C:\Users\User\Downloads\PicaCache
2017-12-05 03:32 - 2017-12-05 03:32 - 000259319 _____ C:\Windows\system32\Drivers\cposfw.xml
2017-12-04 20:22 - 2017-12-04 20:22 - 000115256 _____ (Check Point Software Technologies Ltd.) C:\Windows\system32\Drivers\cposfw.sys
2017-11-29 16:07 - 2017-11-29 16:08 - 000738999 _____ C:\Users\User\Downloads\DMR_Q3_2017 (1).pdf
2017-11-29 16:07 - 2017-11-29 16:07 - 000738999 _____ C:\Users\User\Downloads\DMR_Q3_2017.pdf
2017-11-28 23:21 - 2017-11-28 23:21 - 000245398 _____ C:\Users\User\Downloads\midtown.pdf
2017-11-26 20:12 - 2017-12-07 10:32 - 000051506 _____ C:\Users\User\Downloads\English_Double_Cal_NH5.bml
2017-11-26 20:08 - 2017-11-26 20:10 - 000000000 ____D C:\Users\User\AppData\Roaming\PicABook
2017-11-26 20:08 - 2017-11-26 20:08 - 000001968 _____ C:\Users\User\Desktop\Picabook Designer.lnk
2017-11-26 20:08 - 2017-11-26 20:08 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picabook
2017-11-26 20:08 - 2017-11-26 20:08 - 000000000 ____D C:\Program Files (x86)\PicABook
2017-11-26 20:08 - 2008-11-13 11:26 - 001070408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscomctl.OCX
2017-11-26 20:08 - 2008-11-13 11:26 - 000616024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.Ocx
2017-11-26 20:08 - 2008-11-13 11:25 - 000222536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TabCtl32.Ocx
2017-11-26 20:08 - 2008-11-13 11:25 - 000219464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\richtx32.Ocx
2017-11-26 20:08 - 2008-04-28 08:50 - 000061440 _____ C:\Windows\SysWOW64\PicaText.dll
2017-11-26 20:00 - 2017-11-26 20:00 - 000001020 _____ C:\Users\Public\Desktop\lupa.lnk
2017-11-26 20:00 - 2017-11-26 20:00 - 000000000 ____D C:\Users\User\Documents\lupa
2017-11-26 20:00 - 2017-11-26 20:00 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\lupa
2017-11-26 19:59 - 2017-11-26 20:06 - 107581089 _____ (Picabook Ltd. ) C:\Users\User\Downloads\PicaSetup_40900_675837B0CC10481BF4FE57B013D50EFEEAF6BAAB42BBAA5A345A22DDC6E2799B.exe
2017-11-26 19:59 - 2017-11-26 19:59 - 000000000 ____D C:\ProgramData\lupa
2017-11-26 19:59 - 2017-11-26 19:59 - 000000000 ____D C:\Program Files (x86)\lupa
2017-11-26 19:57 - 2017-11-26 19:58 - 084058488 _____ (lupa ) C:\Users\User\Downloads\lupa.exe
2017-11-23 10:30 - 2017-11-23 10:31 - 000000000 ____D C:\Users\User\Downloads\Sublime Text Build 3126 x64
2017-11-22 12:01 - 2017-11-22 12:01 - 001695651 _____ C:\Users\User\Downloads\Google Interview prep doc.pdf
2017-11-20 16:10 - 2017-11-20 16:10 - 1212682840 _____ C:\Users\User\Downloads\Landsmark Live in Concert- Foo Fighters.mp4
2017-11-20 11:39 - 2017-11-20 11:40 - 007854736 _____ C:\Users\User\Downloads\Ex_Files_Disc_Stength.zip
2017-11-19 21:40 - 2017-11-19 21:40 - 000661216 _____ C:\Users\User\Downloads\קורות חיים- ליאת וקס נובמבר 2017 (1).pdf
2017-11-19 21:29 - 2017-11-19 21:29 - 000794065 _____ C:\Users\User\Downloads\CV- Liat Vax .pdf
2017-11-19 21:29 - 2017-11-19 21:29 - 000661216 _____ C:\Users\User\Downloads\קורות חיים- ליאת וקס נובמבר 2017.pdf
2017-11-17 18:49 - 2017-11-17 18:49 - 000059873 _____ C:\Users\User\Downloads\tnuot_2017-11-17.pdf
2017-11-17 14:57 - 2017-11-17 14:57 - 000279916 _____ C:\Users\User\Downloads\תעודת זהות יניב - ספח מעודכן.pdf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-12-17 23:06 - 2017-06-05 04:44 - 000000000 ____D C:\Windows\system32\SleepStudy
2017-12-17 13:15 - 2017-09-07 12:52 - 000000000 ____D C:\Users\User\AppData\LocalLow\Mozilla
2017-12-17 12:22 - 2017-06-05 04:55 - 000000000 ____D C:\Users\User\AppData\Local\VirtualStore
2017-12-17 12:10 - 2017-06-05 05:01 - 000000000 ____D C:\ProgramData\Package Cache
2017-12-17 11:35 - 2017-09-07 12:50 - 000000000 ____D C:\Users\User\AppData\Roaming\Mozilla
2017-12-17 00:19 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\rescache
2017-12-16 17:19 - 2017-03-18 23:03 - 000000000 ___HD C:\Program Files\WindowsApps
2017-12-16 17:19 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\AppReadiness
2017-12-14 20:00 - 2017-06-05 04:55 - 000000000 ____D C:\Users\User\AppData\Local\Packages
2017-12-14 12:14 - 2017-07-31 15:04 - 000274708 _____ C:\Windows\system32\perfh00D.dat
2017-12-14 12:14 - 2017-07-31 15:04 - 000080920 _____ C:\Windows\system32\perfc00D.dat
2017-12-14 12:14 - 2017-06-05 04:55 - 001514234 _____ C:\Windows\system32\PerfStringBackup.INI
2017-12-14 12:08 - 2017-09-07 12:50 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-12-14 12:08 - 2017-06-06 03:11 - 000000000 __SHD C:\Users\User\IntelGraphicsProfiles
2017-12-14 12:08 - 2017-06-06 03:10 - 000000000 ____D C:\ProgramData\Synaptics
2017-12-14 12:08 - 2017-06-05 04:44 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-12-14 12:07 - 2017-03-18 13:40 - 001835008 _____ C:\Windows\system32\config\BBI
2017-12-14 10:47 - 2017-09-07 12:50 - 000001005 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-12-14 10:47 - 2017-09-07 12:50 - 000000993 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2017-12-14 10:47 - 2017-09-07 12:50 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-12-14 10:46 - 2017-09-29 13:01 - 000097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-12-14 10:46 - 2017-09-29 13:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-12-14 10:46 - 2017-09-29 13:01 - 000000000 ____D C:\Program Files (x86)\Java
2017-12-13 21:57 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\LiveKernelReports
2017-12-13 17:37 - 2017-03-18 23:01 - 000000000 ____D C:\Windows\INF
2017-12-13 01:13 - 2017-06-05 04:55 - 000000000 __RHD C:\Users\Public\AccountPictures
2017-12-13 01:13 - 2017-06-05 04:44 - 005114352 _____ C:\Windows\system32\FNTCACHE.DAT
2017-12-13 01:12 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\system32\oobe
2017-12-12 22:47 - 2017-03-18 22:51 - 000000000 ____D C:\Windows\CbsTemp
2017-12-12 22:45 - 2017-07-31 09:22 - 000000000 ____D C:\Windows\system32\MRT
2017-12-12 22:36 - 2017-10-11 16:06 - 133326408 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2017-12-12 22:36 - 2017-07-31 09:22 - 133326408 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-12-10 11:59 - 2017-08-04 12:04 - 000000000 ____D C:\Users\User\Documents\מיקצועי
2017-12-08 21:48 - 2017-06-05 04:58 - 000002360 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-12-08 21:48 - 2017-06-05 04:58 - 000000000 ___RD C:\Users\User\OneDrive
2017-12-07 10:52 - 2017-07-31 13:23 - 000002266 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-12-07 10:52 - 2017-07-31 13:23 - 000002254 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-07 10:39 - 2017-08-04 13:18 - 000000000 ____D C:\Users\User\Documents\בירוקרטיות
2017-12-02 04:25 - 2017-03-18 23:06 - 000835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-12-02 04:25 - 2017-03-18 23:06 - 000177656 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-12-01 00:19 - 2017-09-13 14:43 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-11-26 23:29 - 2017-09-16 14:41 - 000000000 ____D C:\Users\User\Documents\סיום העסקה K Logic
2017-11-26 23:06 - 2017-08-03 10:18 - 000000000 ____D C:\Users\User\Documents\תמונות
2017-11-26 22:50 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\system32\appraiser
2017-11-26 22:50 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\ShellExperiences
2017-11-26 22:50 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\Provisioning
2017-11-26 22:50 - 2017-03-18 23:03 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2017-11-26 22:50 - 2017-03-18 23:03 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2017-11-26 20:03 - 2017-03-18 23:03 - 000000000 ____D C:\Windows\system32\FxsTmp
2017-11-22 17:09 - 2017-08-03 11:08 - 000000000 ____D C:\Users\User\Documents\קורות חיים
2017-11-22 10:47 - 2017-07-31 09:24 - 000545440 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2017-11-17 19:52 - 2017-07-31 13:23 - 000003446 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-11-17 19:52 - 2017-07-31 13:23 - 000003322 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-11-17 15:29 - 2017-08-04 13:21 - 000000000 ____D C:\Users\User\Documents\משרד הפנים
2017-11-17 15:28 - 2017-08-28 12:01 - 000000000 ____D C:\Users\User\AppData\Local\ElevatedDiagnostics
 
Some files in TEMP:
====================
2017-12-13 17:29 - 2017-12-13 17:29 - 010303808 _____ (Fortinet Inc.) C:\Users\User\AppData\Local\Temp\FortiClientOfflineVirusCleaner.exe
2017-11-06 19:23 - 2017-11-06 19:23 - 000065536 ____N () C:\Users\User\AppData\Local\Temp\ICE_JNIRegistry3653880049007782375.dll
2017-11-06 19:24 - 2017-11-06 19:24 - 000065536 ____N () C:\Users\User\AppData\Local\Temp\ICE_JNIRegistry7917663353414717479.dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-12-17 09:06
 
==================== End of FRST.txt ============================
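The Services and Drivers sections above are where a responder looks first, and reading two hundred lines of them by eye is slow. As an added example, not code from this thread or from FRST, here is a small Python triage script that parses lines of that shape and flags the entries worth a second look: registrations whose file is missing (FRST prints `[X]` instead of size and date), entries FRST itself marked `<==== ATTENTION`, binaries loading from Temp or another user-writable location, files FRST reports as `[File not signed]`, and files with an empty company field `()`. The sample input is a handful of lines copied from the log above; the `USER_WRITABLE` list and the wording of the findings are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the Services and Drivers sections of the
# FRST log in this thread (a subset, so the script runs offline without FRST.txt).
SAMPLE_LOG = r"""
R2 CPEFR; C:\Program Files (x86)\CheckPoint\Endpoint Security\EFR\EFRService.exe [2368248 2017-11-21] (Check Point Software Technologies Ltd.)
R2 CpSbaCipolla; C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\SBACipollaSrvHost.exe [35064 2017-10-17] ()
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 mdareDriver_62; C:\Users\User\AppData\Local\Temp\FCPreScan\mdare64_62.sys [105344 2017-12-13] (Fortinet Inc.) <==== ATTENTION
S3 BtFilter; \SystemRoot\system32\DRIVERS\btfilter.sys [X]
"""

# FRST line shape: <R|S><start type> <name>; <path> [<size> <date>] (<company>) <flags>
# "[X]" in place of size/date means FRST did not find the file on disk.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);\s+"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\](?P<rest>.*)$"
)

# Locations a service or driver binary should not normally load from
# (this list is the example's own choice; paths are compared with "/" separators).
USER_WRITABLE = ("/appdata/local/temp/", "/windows/temp/", "/users/public/")


@dataclass
class Entry:
    name: str
    running: bool           # R = running, S = stopped
    start_type: int         # Windows service Start value (0 boot ... 4 disabled)
    path: str
    size: Optional[int]     # None when FRST printed [X]
    date: Optional[str]
    company: Optional[str]  # None: no "(...)" field at all; "": FRST printed "()"
    signed: bool            # False when FRST appended [File not signed]
    attention: bool         # True when FRST appended <==== ATTENTION
    findings: List[str] = field(default_factory=list)


def triage(e: Entry) -> List[str]:
    """Return the reasons a responder would look at this entry first (may be empty)."""
    findings = []
    if e.size is None:
        findings.append("registered service/driver whose file is missing (orphaned entry)")
    if e.attention:
        findings.append("flagged by FRST with <==== ATTENTION")
    norm = e.path.lower().replace("\\", "/")
    if any(p in norm for p in USER_WRITABLE):
        findings.append("binary loads from a temp or user-writable location")
    if e.size is not None and not e.signed:
        findings.append("file is not digitally signed")
    if e.company == "":
        findings.append("no company name in the file's version resource")
    return findings


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one FRST services/drivers line; returns None for lines of other sections."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    meta, rest = m["meta"].strip(), m["rest"]
    size: Optional[int] = None
    date: Optional[str] = None
    if meta != "X":
        size_text, date = meta.split()
        size = int(size_text)
    company_match = re.search(r"\(([^)]*)\)", rest)
    entry = Entry(
        name=m["name"].strip(),
        running=m["state"] == "R",
        start_type=int(m["start"]),
        path=m["path"].strip(),
        size=size,
        date=date,
        company=company_match.group(1).strip() if company_match else None,
        signed="[File not signed]" not in rest,
        attention="<==== ATTENTION" in rest,
    )
    entry.findings = triage(entry)
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse every services/drivers line in an FRST log (other sections are skipped)."""
    entries = (parse_entry(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def flagged(text: str) -> Dict[str, List[str]]:
    """Map service/driver name -> findings, for entries with at least one finding."""
    return {e.name: e.findings for e in parse_log(text) if e.findings}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run on the sample it reports CpSbaCipolla, SwitchBoard, ibtsiva, mdareDriver_62 and BtFilter and leaves CPEFR alone. The findings are prompts, not verdicts: CpSbaCipolla is a Check Point binary that simply carries no company string, and mdareDriver_62 carries Fortinet's company name and sits in a FortiClient prescan folder, so the next step for those is to check the file's signature rather than to delete it. The two `[X]` entries, by contrast, are registrations with nothing on disk behind them. Feeding the whole FRST.txt to `parse_log` is fine; lines from the other sections do not match the regex and are ignored.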


#4 nasdaq (Malware Response Team, 38,548 posts, Montreal, QC. Canada)

Posted 18 December 2017 - 08:29 AM

Hi,

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
CHR Extension: (DIY Cement Candle) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooialhjmccmllnifoiblbjgcnbgdejpm [2017-12-13]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 BtFilter; \SystemRoot\system32\DRIVERS\btfilter.sys [X]

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you submitted.

Run FRST, click Fix once only, and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the log and include the Addition.txt file created by the Farbar tool.

Let me know what problem persists with this computer.

#5 natich1 (Topic Starter, Members, 5 posts)

Posted 18 December 2017 - 10:18 AM

Hi nasdaq,

Here are the logs from the Fixlog file + Addition.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-12-2017
Ran by User (18-12-2017 17:01:16) Run:1
Running from C:\Users\User\Downloads
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
CHR Extension: (DIY Cement Candle) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooialhjmccmllnifoiblbjgcnbgdejpm [2017-12-13]
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 BtFilter; \SystemRoot\system32\DRIVERS\btfilter.sys [X]
 
End
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
CHR Extension: (DIY Cement Candle) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooialhjmccmllnifoiblbjgcnbgdejpm [2017-12-13] => Error: No automatic fix found for this entry.
"HKLM\System\CurrentControlSet\Services\ibtsiva" => removed successfully
ibtsiva => service removed successfully
"HKLM\System\CurrentControlSet\Services\BtFilter" => removed successfully
BtFilter => service removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 9199616 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 51142607 B
Java, Flash, Steam htmlcache => 343 B
Windows/system/drivers => 21497731 B
Edge => 1046080 B
Chrome => 360451603 B
Firefox => 46697738 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 2462 B
NetworkService => 299984 B
User => 4411454701 B
 
RecycleBin => 6540799367 B
EmptyTemp: => 10.7 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 17:03:47 ====


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,548 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:28 AM

Posted 18 December 2017 - 01:39 PM

Hi,

Again the file was not attached.

Look at my instructions on how to attach a file.
It's a two step process.

===

If it is better for you, you can copy and paste the contents in your next reply.

---

Let me know if the problem persists on all the browsers you used.

#7 natich1

natich1
  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:28 AM

Posted 18 December 2017 - 02:15 PM

oh sorry!

now it is attached

 

thank you

 




#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,548 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:28 AM

Posted 19 December 2017 - 07:28 AM

Hi.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Extension: (DIY Cement Candle) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooialhjmccmllnifoiblbjgcnbgdejpm
ContextMenuHandlers1: [Picabookit] -> {A092AB33-6CC1-4A9A-965E-C73025068E4C} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon (the 3 vertical dots located at the top right side of Google Chrome).
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended. (You need to check with Internet Explorer) <- Important.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 151 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
===

If the problem persists then it may be a Syncing issue with Chrome.
To remove it you will have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
<<<>>>

Please let me know what problem persists with this computer.
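As an added triage example (not code from this thread, from nasdaq, or from the FRST tool): the PowerShell script below inventories every Chrome extension under the current user's profiles, reads each manifest.json, resolves localized names, and flags the extension ID that FRST reported it could not remove automatically. It also lists the permissions and content-script match patterns each extension declares, which is what tells a defender whether an extension is able to inject content into every page the user visits. The Chrome user-data path is Chrome's default per-user location; the `$UnwantedIds` list is constructed for this example from the ID in the log above, and `Get-ChromeExtensionInventory` is a name chosen here.

```powershell
# Added example: inventory Chrome extensions for the current user and flag a
# known-unwanted ID. Not part of the BleepingComputer thread or of FRST.

# Constructed for this example from the extension ID reported in the FRST log.
$UnwantedIds = @('ooialhjmccmllnifoiblbjgcnbgdejpm')

# Chrome's default per-user data directory (assumed; adjust for portable installs).
$ChromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

function Get-ChromeExtensionInventory {
    param([string]$UserDataPath = $ChromeUserData)

    # Profile folders are named "Default", "Profile 1", "Profile 2", ...
    $profiles = Get-ChildItem -Path $UserDataPath -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }

        # <Extensions>\<32-char id>\<version>\manifest.json
        foreach ($extDir in Get-ChildItem -Path $extRoot -Directory) {
            foreach ($verDir in Get-ChildItem -Path $extDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path $manifestPath)) { continue }
                try {
                    $manifest = Get-Content -Path $manifestPath -Raw -Encoding UTF8 | ConvertFrom-Json
                } catch { continue }   # skip unreadable or malformed manifests

                # Localized names are stored as "__MSG_key__" and resolved from _locales.
                $name = [string]$manifest.name
                if ($name -like '__MSG_*__') {
                    $key    = $name -replace '^__MSG_(.+)__$', '$1'
                    $locale = if ($manifest.default_locale) { $manifest.default_locale } else { 'en' }
                    $msgPath = Join-Path $verDir.FullName "_locales\$locale\messages.json"
                    if (Test-Path $msgPath) {
                        $msgs = Get-Content -Path $msgPath -Raw -Encoding UTF8 | ConvertFrom-Json
                        if ($msgs.$key.message) { $name = $msgs.$key.message }
                    }
                }

                # content_scripts.matches shows which sites the extension can modify;
                # "<all_urls>" or "*://*/*" means every page, the capability needed to
                # inject iframes or open tabs as described in this thread.
                $matches = @($manifest.content_scripts | ForEach-Object { $_.matches }) -join ', '

                [pscustomobject]@{
                    Profile        = $profile.Name
                    Id             = $extDir.Name
                    Name           = $name
                    Version        = $manifest.version
                    Permissions    = (@($manifest.permissions) -join ', ')
                    ContentScripts = $matches
                    Installed      = $verDir.CreationTime
                    Flagged        = ($UnwantedIds -contains $extDir.Name)
                    Path           = $verDir.FullName
                }
            }
        }
    }
}

# Flagged entries sort to the top; review Permissions and ContentScripts for the rest.
Get-ChromeExtensionInventory |
    Sort-Object Flagged -Descending |
    Format-Table Profile, Id, Name, Version, Flagged, ContentScripts -AutoSize
```

Run it from a normal (non-elevated) PowerShell prompt as the affected user, since Chrome's user data lives under that user's profile. The script only reads; a flagged extension is removed through Chrome's own extension settings or, if it keeps returning after removal, by the Chrome reset and Sync reset steps nasdaq describes above. Extensions with a recent Installed date that the user does not remember adding, and that declare broad content-script matches, are the first ones to look at.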

#9 natich1

natich1
  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:28 AM

Posted 20 December 2017 - 06:21 AM

thank you nasdaq

I did this as well and it seems to work, so far no pop ups or new tabs

thanks a lot for your help!!!!!



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,548 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:28 AM

Posted 20 December 2017 - 09:36 AM

Hi,

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
