
Infected with PUP


  • This topic is locked
17 replies to this topic

#1 Dimera

Dimera

  • Members
  • 28 posts

Posted 29 December 2017 - 05:13 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 26-12-2017
Ran by Admin (administrator) on PC (29-12-2017 12:35:02)
Running from C:\Users\Admin\Downloads
Loaded Profiles: Admin (Available Profiles: Admin & DefaultAppPool)
Platform: Windows 10 Pro Version 1703 15063.786 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files\Waterfox\waterfox.exe" -osint -url "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(VL) C:\Program Files (x86)\ShopTracker\Scheduler\AmazonMeter.Scheduler.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Reason Software Company Inc.) C:\Program Files\Reason\Security\rsEngineSvc.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe
(Copyright 2017.) F:\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe
(Malwarebytes) F:\Malwarebytes Anti-Malware\Anti-Malware\MBAMService.exe
(Malwarebytes) F:\Malwarebytes Anti-Malware\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Copyright 2017.) F:\Zemana AntiMalware\ZAM.exe
(Ruiware) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(Piriform Ltd) F:\CC\CCleaner64.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [ZAM] => F:\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\Run: [CCleaner Monitoring] => F:\CC\CCleaner64.exe [9288408 2016-12-06] (Piriform Ltd)
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1223560 2017-05-07] (Ruiware)
Startup: C:\Users\Owners\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2014-03-09]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{0d8ce48a-75f5-47e6-98eb-050a46b686c2}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{e608f57e-cd42-479e-9c6c-ed19dfa577cc}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{e9f4f0a1-f81d-4612-976e-b8a5df110409}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617911&ResetID=130896097070380092&GUID=7A267B58-D50F-4A26-A599-FFAFF9D28876
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO-x32: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

FireFox:
========
FF DefaultProfile: o4xql8yh.default
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Waterfox\Profiles\o4xql8yh.default [2017-12-28]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_28_0_0_126.dll [2017-12-16] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_126.dll [2017-12-16] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [No File]
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @talk.google.com/GoogleTalkPlugin -> C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @talk.google.com/O1DPlugin -> C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @tools.google.com/Google Update;version=3 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @tools.google.com/Google Update;version=9 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Admin\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Admin\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
StartMenuInternet: Firefox-6F940AC27A98DD61 - C:\Program Files\Waterfox\waterfox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AmazonMeterService; C:\Program Files (x86)\ShopTracker\Scheduler\AmazonMeter.Scheduler.exe [32664 2017-12-12] (VL)
R2 MBAMService; F:\Malwarebytes Anti-Malware\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
R2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [343544 2017-05-24] (McAfee, Inc.)
R2 rsEngineSvc; C:\Program Files\Reason\Security\rsEngineSvc.exe [80144 2015-08-12] (Reason Software Company Inc.)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3913064 2017-03-18] (Microsoft Corporation)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe [356176 2017-12-08] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe [105792 2017-12-08] (Microsoft Corporation)
R2 ZAMSvc; F:\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [55232 2017-12-27] ()
S3 massfilter_hs; C:\WINDOWS\system32\drivers\massfilter_hs.sys [20232 2012-06-20] (HandSet Incorporated)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253880 2017-12-28] (Malwarebytes)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [917008 2017-05-24] (McAfee, Inc.)
S3 mferkdet; C:\WINDOWS\System32\drivers\mferkdet.sys [124432 2017-05-24] (McAfee, Inc.)
R1 MpKsl8ed25cde; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7647FDA8-364E-46B0-8DA2-9C5A128B0C08}\MpKsl8ed25cde.sys [58120 2017-12-27] (Microsoft Corporation)
R1 MpKsld376687f; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{7AF1A7EC-DF6F-48CB-94E0-29E1440F4E0F}\MpKsld376687f.sys [58120 2017-12-28] (Microsoft Corporation)
S3 SDFRd; C:\WINDOWS\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2017-12-08] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [288848 2017-12-08] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [129616 2017-12-08] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2017-12-21] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-06-03] (Zemana Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-29 12:10 - 2017-12-29 12:36 - 000009776 ____C C:\Users\Admin\Downloads\FRST.txt
2017-12-29 12:10 - 2017-12-29 12:10 - 000000000 ___DC C:\Users\Admin\Downloads\FRST-OlderVersion
2017-12-28 14:09 - 2017-12-28 14:09 - 000253880 ____C (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-12-28 14:09 - 2017-12-28 14:09 - 000000900 ____C C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-28 14:09 - 2017-12-28 14:09 - 000000000 ___DC C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-28 14:09 - 2017-11-29 09:11 - 000077432 ____C C:\WINDOWS\system32\Drivers\mbae64.sys
2017-12-28 14:07 - 2017-12-28 14:07 - 000000000 ___DC C:\ProgramData\MB3CoreBackup
2017-12-28 13:27 - 2017-12-28 19:03 - 000000000 ___DC C:\WINDOWS\system32\Drivers\wd
2017-12-27 11:34 - 2017-12-27 11:34 - 000055232 ____C C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2017-12-21 16:14 - 2017-12-21 16:14 - 000203680 ____C (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2017-12-21 16:14 - 2017-12-21 16:14 - 000000689 ____C C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2017-12-21 16:14 - 2017-12-21 16:14 - 000000000 ___DC C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-12-21 16:12 - 2017-12-21 16:13 - 006625600 ____C (Zemana Ltd. ) C:\Users\Admin\Downloads\Zemana.AntiMalware.Setup.exe
2017-12-20 10:11 - 2017-12-28 16:09 - 000000000 ___DC C:\WINDOWS\Panther
2017-12-12 13:56 - 2017-11-29 19:33 - 000038808 ____C (Microsoft Corporation) C:\WINDOWS\system32\OOBEUpdater.exe
2017-12-12 13:56 - 2017-11-29 19:00 - 002166808 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-12-12 13:56 - 2017-11-29 18:58 - 006763128 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
2017-12-12 13:56 - 2017-11-29 18:58 - 000702032 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttp.dll
2017-12-12 13:56 - 2017-11-29 18:57 - 001123968 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
2017-12-12 13:56 - 2017-11-29 18:45 - 000119808 ____C (Microsoft Corporation) C:\WINDOWS\system32\UserDataTimeUtil.dll
2017-12-12 13:56 - 2017-11-29 18:43 - 000095232 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataTimeUtil.dll
2017-12-12 13:56 - 2017-11-29 18:43 - 000002560 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\tzres.dll
2017-12-12 13:56 - 2017-11-29 18:42 - 000148992 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\itss.dll
2017-12-12 13:56 - 2017-11-29 18:42 - 000100864 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\msscript.ocx
2017-12-12 13:56 - 2017-11-29 18:41 - 000146944 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\wscript.exe
2017-12-12 13:56 - 2017-11-29 18:40 - 000585216 ____C (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-12-12 13:56 - 2017-11-29 18:40 - 000528384 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\iprtrmgr.dll
2017-12-12 13:56 - 2017-11-29 18:40 - 000206336 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\scrobj.dll
2017-12-12 13:56 - 2017-11-29 18:40 - 000143360 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\cscript.exe
2017-12-12 13:56 - 2017-11-29 18:38 - 001248768 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\AzureSettingSyncProvider.dll
2017-12-12 13:56 - 2017-11-29 18:38 - 000636416 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\WpcWebFilter.dll
2017-12-12 13:56 - 2017-11-29 18:38 - 000497152 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-12-12 13:56 - 2017-11-29 18:37 - 002859520 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-12-12 13:56 - 2017-11-29 18:36 - 001019904 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\aadtb.dll
2017-12-12 13:56 - 2017-11-29 18:36 - 000755200 ____C (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-12-12 13:56 - 2017-11-29 18:35 - 001627136 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-12-12 13:56 - 2017-11-29 18:34 - 004559360 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2017-12-12 13:56 - 2017-11-17 01:31 - 000223640 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\aepic.dll
2017-12-12 13:56 - 2017-11-17 01:00 - 002953216 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
2017-12-12 13:55 - 2017-11-29 19:29 - 008319384 ____C (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-12-12 13:55 - 2017-11-29 19:23 - 001194248 ____C (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
2017-12-12 13:55 - 2017-11-29 18:59 - 023678464 ____C (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2017-12-12 13:55 - 2017-11-29 18:44 - 023679488 ____C (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-12-12 13:55 - 2017-11-29 18:44 - 019334144 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-12-12 13:55 - 2017-11-29 18:44 - 000110592 ____C (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2017-12-12 13:55 - 2017-11-29 18:43 - 020511232 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2017-12-12 13:55 - 2017-11-29 18:42 - 000560640 ____C (Microsoft Corporation) C:\WINDOWS\system32\iprtrmgr.dll
2017-12-12 13:55 - 2017-11-29 18:42 - 000080896 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakradiag.dll
2017-12-12 13:55 - 2017-11-29 18:41 - 000225792 ____C (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2017-12-12 13:55 - 2017-11-29 18:40 - 012803072 ____C (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-12-12 13:55 - 2017-11-29 18:39 - 011888640 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-12-12 13:55 - 2017-11-29 18:38 - 008195584 ____C (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2017-12-12 13:55 - 2017-11-29 18:37 - 006252544 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 005557760 ____C (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 004726784 ____C (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 003652096 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 000658432 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-12-12 13:54 - 2017-11-29 19:33 - 001144728 ____C (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
2017-12-12 13:54 - 2017-11-29 19:33 - 001015704 ____C (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
2017-12-12 13:54 - 2017-11-29 19:26 - 002647216 ____C (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2017-12-12 13:54 - 2017-11-29 19:24 - 000870896 ____C (Microsoft Corporation) C:\WINDOWS\system32\winhttp.dll
2017-12-12 13:54 - 2017-11-29 19:23 - 007910960 ____C (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
2017-12-12 13:54 - 2017-11-29 18:45 - 000002560 ____C (Microsoft Corporation) C:\WINDOWS\system32\tzres.dll
2017-12-12 13:54 - 2017-11-29 18:44 - 000171008 ____C (Microsoft Corporation) C:\WINDOWS\system32\itss.dll
2017-12-12 13:54 - 2017-11-29 18:44 - 000042496 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\vwifimp.sys
2017-12-12 13:54 - 2017-11-29 18:43 - 000164352 ____C (Microsoft Corporation) C:\WINDOWS\system32\wscript.exe
2017-12-12 13:54 - 2017-11-29 18:42 - 001878016 ____C (Microsoft Corporation) C:\WINDOWS\system32\AzureSettingSyncProvider.dll
2017-12-12 13:54 - 2017-11-29 18:42 - 000304640 ____C (Microsoft Corporation) C:\WINDOWS\system32\dusmsvc.dll
2017-12-12 13:54 - 2017-11-29 18:42 - 000164352 ____C (Microsoft Corporation) C:\WINDOWS\system32\cscript.exe
2017-12-12 13:54 - 2017-11-29 18:41 - 000527360 ____C (Microsoft Corporation) C:\WINDOWS\system32\aadcloudap.dll
2017-12-12 13:54 - 2017-11-29 18:41 - 000414720 ____C (Microsoft Corporation) C:\WINDOWS\system32\provhandlers.dll
2017-12-12 13:54 - 2017-11-29 18:41 - 000222208 ____C (Microsoft Corporation) C:\WINDOWS\system32\scrobj.dll
2017-12-12 13:54 - 2017-11-29 18:39 - 003206656 ____C (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Bluetooth.Profiles.Gatt.dll
2017-12-12 13:54 - 2017-11-29 18:39 - 002809344 ____C (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2017-12-12 13:54 - 2017-11-29 18:39 - 000925696 ____C (Microsoft Corporation) C:\WINDOWS\system32\WpcWebFilter.dll
2017-12-12 13:54 - 2017-11-29 18:38 - 000684544 ____C (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2017-12-12 13:54 - 2017-11-29 18:37 - 003306496 ____C (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-12-12 13:54 - 2017-11-29 18:37 - 001293824 ____C (Microsoft Corporation) C:\WINDOWS\system32\aadtb.dll
2017-12-12 13:54 - 2017-11-29 18:36 - 001802240 ____C (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-12-12 13:54 - 2017-11-29 18:36 - 001398784 ____C (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 002032536 ____C (Microsoft Corporation) C:\WINDOWS\system32\aitstatic.exe
2017-12-12 13:54 - 2017-11-17 01:46 - 001578904 ____C (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000821656 ____C (Microsoft Corporation) C:\WINDOWS\system32\hvloader.exe
2017-12-12 13:54 - 2017-11-17 01:46 - 000678808 ____C (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000613784 ____C (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000612248 ____C (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000484248 ____C (Microsoft Corporation) C:\WINDOWS\system32\dcntel.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000379288 ____C (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000259992 ____C (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000190360 ____C (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000136088 ____C (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2017-12-12 13:54 - 2017-11-17 01:46 - 000067992 ____C (Microsoft Corporation) C:\WINDOWS\system32\win32appinventorycsp.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000034712 ____C (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
2017-12-12 13:54 - 2017-11-17 01:41 - 000503704 ____C (Microsoft Corporation) C:\WINDOWS\system32\pcasvc.dll
2017-12-12 13:54 - 2017-11-17 01:39 - 005477088 ____C (Microsoft Corporation) C:\WINDOWS\system32\OneCoreUAPCommonProxyStub.dll
2017-12-12 13:54 - 2017-11-17 01:39 - 000643200 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2017-12-12 13:54 - 2017-11-17 01:37 - 021353200 ____C (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2017-12-12 13:54 - 2017-11-17 01:03 - 003668992 ____C (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2017-12-12 13:54 - 2017-11-17 00:59 - 000064512 ____C (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2017-12-12 13:54 - 2017-11-17 00:56 - 000757248 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdiWiFi.sys
2017-12-03 09:59 - 2017-12-13 14:39 - 000000000 ___DC C:\Program Files\Waterfox
2017-12-03 09:59 - 2017-12-03 09:59 - 000000963 ____C C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Waterfox.lnk
2017-12-03 09:59 - 2017-12-03 09:59 - 000000951 ____C C:\Users\Public\Desktop\Waterfox.lnk
2017-12-03 09:59 - 2017-12-03 09:59 - 000000000 ___DC C:\Users\Admin\AppData\Roaming\Waterfox
2017-12-03 09:59 - 2017-12-03 09:59 - 000000000 ___DC C:\Users\Admin\AppData\Local\Waterfox
2017-12-03 09:56 - 2017-12-03 09:57 - 073861816 ____C (Mozilla) C:\Users\Admin\Downloads\Waterfox 56.0 Setup.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-12-29 12:36 - 2017-06-03 21:02 - 000159466 ____C C:\WINDOWS\ZAM_Guard.krnl.trace
2017-12-29 12:35 - 2017-06-03 21:02 - 001476967 ____C C:\WINDOWS\ZAM.krnl.trace
2017-12-29 12:10 - 2017-11-09 19:38 - 000000000 ___DC C:\FRST
2017-12-29 12:10 - 2017-11-09 19:37 - 002391552 ____C (Farbar) C:\Users\Admin\Downloads\FRST64.exe
2017-12-29 12:09 - 2017-08-03 13:23 - 000000000 ___DC C:\WINDOWS\system32\SleepStudy
2017-12-29 11:43 - 2017-03-18 13:03 - 000000000 ___HD C:\Program Files\WindowsApps
2017-12-29 11:43 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\AppReadiness
2017-12-29 11:39 - 2017-08-03 13:47 - 000004140 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{FDD11F41-16E8-4C41-BDFF-A55C76C3574A}
2017-12-28 20:35 - 2016-11-26 15:44 - 000000000 ___DC C:\Users\Admin\AppData\LocalLow\Mozilla
2017-12-28 16:09 - 2017-09-29 07:05 - 000000000 ___HD C:\$WINDOWS.~BT
2017-12-28 13:27 - 2017-08-03 13:47 - 000000006 ___HC C:\WINDOWS\Tasks\SA.DAT
2017-12-27 15:39 - 2016-10-29 23:22 - 000000000 ___DC C:\Users\Admin\AppData\Local\CrashDumps
2017-12-27 12:40 - 2017-03-18 03:40 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2017-12-27 12:20 - 2017-03-18 13:01 - 000000000 ___DC C:\WINDOWS\INF
2017-12-27 12:18 - 2016-10-20 12:16 - 000001137 ____C C:\Users\Public\Desktop\Reason Core Security.lnk
2017-12-27 11:08 - 2016-10-21 11:18 - 000000214 ____C C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-12-25 12:08 - 2017-08-03 13:27 - 001256184 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2017-12-22 18:24 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\system32\NDF
2017-12-22 17:36 - 2017-08-03 13:28 - 000000000 ___DC C:\Users\Admin
2017-12-21 16:14 - 2017-06-03 21:02 - 000000000 ___DC C:\Users\Admin\AppData\Local\Zemana
2017-12-21 14:22 - 2017-08-06 09:39 - 000003350 ____C C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-473581126-2895704609-3995012257-1002
2017-12-21 14:22 - 2017-08-03 14:06 - 000002363 ____C C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-12-21 14:22 - 2016-07-27 06:23 - 000000000 __RDC C:\Users\Admin\OneDrive
2017-12-20 15:52 - 2016-08-10 10:42 - 000000000 ___DC C:\Users\Admin\AmazonMeter
2017-12-20 15:51 - 2016-08-10 10:41 - 000001244 ____C C:\Users\Public\Desktop\ShopTracker.lnk
2017-12-17 13:21 - 2017-03-18 13:03 - 000000000 ____D C:\WINDOWS\rescache
2017-12-16 19:45 - 2016-07-21 14:52 - 000000000 ___DC C:\Users\Admin\AppData\Local\Adobe
2017-12-16 19:44 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\SysWOW64\Macromed
2017-12-16 19:44 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\system32\Macromed
2017-12-14 13:20 - 2016-04-26 22:42 - 000000000 _RHDC C:\Users\Public\AccountPictures
2017-12-14 13:18 - 2017-08-03 13:22 - 000391384 ____C C:\WINDOWS\system32\FNTCACHE.DAT
2017-12-14 11:21 - 2017-06-22 20:13 - 000000000 __SDC C:\WINDOWS\UpdateAssistantV2
2017-12-14 11:21 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\system32\oobe
2017-12-13 14:52 - 2017-03-18 12:51 - 000000000 ___DC C:\WINDOWS\CbsTemp
2017-12-13 14:41 - 2013-07-19 16:42 - 000000000 ___DC C:\WINDOWS\system32\MRT
2017-12-13 14:37 - 2017-10-21 16:27 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-12-13 14:37 - 2013-03-17 15:46 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-12-12 16:15 - 2016-07-27 06:17 - 000000000 ___DC C:\Users\Admin\AppData\Local\Packages
2017-12-03 10:06 - 2016-07-13 14:13 - 000000000 ___DC C:\Users\Admin\AppData\Roaming\Mozilla
2017-12-03 10:06 - 2016-07-13 14:13 - 000000000 ___DC C:\Users\Admin\AppData\Local\Mozilla
2017-12-02 19:48 - 2017-08-03 13:47 - 000004386 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2017-12-01 18:25 - 2017-03-18 13:06 - 000835576 ____C (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-12-01 18:25 - 2017-03-18 13:06 - 000177656 ____C (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2017-05-17 14:31 - 2017-05-17 14:31 - 000003326 ____C () C:\Users\Admin\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
2014-07-14 00:20 - 2014-07-14 00:21 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\7DFF_HiDefMedia-1.1.12-win32C.exe
2014-01-09 15:55 - 2014-01-09 15:56 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\8C6_HiDefMedia-1.1.12-win32.exe
2014-01-09 15:55 - 2014-01-09 15:55 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\air4E4F.exe
2014-07-14 00:21 - 2014-07-14 00:20 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\airC2AD.exe
2013-04-24 00:14 - 2013-04-24 00:14 - 000006144 _____ (Microsoft) C:\Users\Owners\AppData\Local\Temp\PreferencesJson.exe
2013-09-19 19:15 - 2013-09-19 19:15 - 000000006 _____ () C:\Users\Owners\AppData\Local\Temp\propsys.dll
2013-11-27 15:40 - 2013-11-27 15:40 - 000008704 _____ (Microsoft Corporation) C:\Users\Owners\AppData\Local\Temp\SpOrder.dll
2011-11-01 04:32 - 2011-11-01 04:32 - 000465408 _____ () C:\Users\Owners\AppData\Local\Temp\sqlite3.exe
2014-02-18 00:03 - 2014-02-18 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite.dll
2014-02-19 17:59 - 2014-02-19 17:59 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite51014.dll
2014-02-24 00:03 - 2014-02-24 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite58102.dll
2014-02-23 00:03 - 2014-02-23 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite65752.dll
2014-02-26 20:25 - 2014-02-26 20:25 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite78710.dll
2014-02-21 00:03 - 2014-02-21 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite84533.dll
2014-02-26 16:35 - 2014-02-26 16:35 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite87875.dll
2014-02-22 00:03 - 2014-02-22 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite89133.dll
2014-02-25 14:22 - 2014-02-25 14:22 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite93774.dll
2014-02-20 16:50 - 2014-02-20 16:50 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite95812.dll
2013-10-24 12:44 - 2013-10-23 18:34 - 000104174 _____ () C:\Users\Owners\AppData\Local\Temp\Uninstall.exe
2014-01-09 15:56 - 2014-01-09 15:57 - 004961800 _____ (Microsoft Corporation) C:\Users\Owners\AppData\Local\Temp\vcredist_x64.exe
2015-08-02 15:58 - 2015-08-02 15:58 - 000118784 _____ () C:\Users\Owners\AppData\Local\Temp\xmlUpdater.exe
2015-10-30 19:02 - 2015-10-30 19:02 - 000833864 _____ (Yahoo! Inc.) C:\Users\Owners\AppData\Local\Temp\ytb.exe
2013-10-09 17:46 - 1999-12-31 16:00 - 000455600 _____ (Macrovision Corporation) C:\Users\Owners\AppData\Local\Temp\_is6602.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-12-28 16:12

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-12-2017
Ran by Admin (29-12-2017 12:37:58)
Running from C:\Users\Admin\Downloads
Windows 10 Pro Version 1703 15063.786 (X64) (2017-08-03 21:58:10)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Admin (S-1-5-21-473581126-2895704609-3995012257-1002 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-473581126-2895704609-3995012257-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-473581126-2895704609-3995012257-503 - Limited - Disabled)
Guest (S-1-5-21-473581126-2895704609-3995012257-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 23.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.126 - Adobe Systems Incorporated)
Belkin Wireless Micro USB Adapter (HKLM-x32\...\{B20F9D1C-A0A5-4cd8-8306-DA03872311B1}) (Version: 1.00.0155 - Belkin International, Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{400C31E4-796F-4E86-8FDC-C3C4FACC6847}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual Studio Community 2015 (HKLM-x32\...\{50b32652-69d2-4b93-9316-edcd12067b8b}) (Version: 14.0.23107.10 - Microsoft Corporation)
Reason Core Security (HKLM-x32\...\Reason Core Security) (Version: 1.1.0.0 - Reason Software Company Inc.)
Revo Uninstaller 2.0.3 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.3 - VS Revo Group, Ltd.)
ShopTracker 1.1.31 (HKLM-x32\...\AmazonMeter) (Version: 1.1.31 - Nielsen)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.6 - Sophos Limited)
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Waterfox 56.0.1 (x64 en-US) (HKLM\...\Waterfox 56.0.1 (x64 en-US)) (Version: 56.0.1 - Waterfox Ltd)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinPatrol (HKLM-x32\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 35.5.2017.8 - Ruiware)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.74.0.150 - Zemana Ltd.)
ZTE Handset USB Driver (HKLM\...\{01D42BF0-ED08-463f-8A28-99EB6FEE962B}) (Version:  - ZTE Corporation)
ZTE Handset USB Driver (HKLM\...\{D2D77DC2-8299-11D1-8949-444553540000}_is1) (Version: 5.2088.1.A02B06 - ZTE Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-473581126-2895704609-3995012257-1002_Classes\CLSID\{91A41FCC-BC02-42D8-A36E-0D27FF9BFFC8}\InprocServer32 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-473581126-2895704609-3995012257-1002_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
ContextMenuHandlers1: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => F:\Zemana AntiMalware\ZAMShellExt64.dll [2017-12-21] ()
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-18] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-18] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Malwarebytes Anti-Malware\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-18] (Microsoft Corporation)
ContextMenuHandlers6: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => F:\Zemana AntiMalware\ZAMShellExt64.dll [2017-12-21] ()
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Malwarebytes Anti-Malware\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {04DC094E-7627-4E70-B466-2603B833F592} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {0711AE3A-AEB7-41FF-B850-C22E96CC2089} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {07125905-5268-48E5-971A-289EE0160249} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {19F02864-1037-4FB6-AA13-D8B2F4CD32BD} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {1E267608-AE5C-4D06-9692-BB7BB3C93CD8} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {25628EFD-0279-449D-9DE3-778A67F5FC7B} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-473581126-2895704609-3995012257-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {29B538DE-ECA4-48A4-97E9-4AD903E5ADD3} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {2C12E84D-60DC-4250-8670-8A0BA3636850} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {2F674873-FC1C-4AD6-9DB3-B04A99A39534} - System32\Tasks\Norton Product InstallerIdle => C:\Windows\SysWOW64\Adobe\Shockwave 12\SymInstallStub.exe
Task: {3DD7FF79-95A6-46B7-953C-F1EA8E8289CB} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {4BCF904D-FD3A-40A4-8089-49C46EE5D0A0} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {4E358B6B-FF61-4BEA-8578-8702AA93779E} - System32\Tasks\ReasonSecurityScheduledScan => C:\Program Files\Reason\Security\rsUI.exe [2015-08-12] (Reason Software Company Inc.)
Task: {526CCA3B-3BBB-445A-8CE4-0DF701C808B3} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {5BEF0256-0A74-4BEA-88B7-8FA658EF2EB2} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {65DEFF6E-CAF8-4E5F-B3E5-419F7D44EDB9} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {68201ED3-9C26-4F73-A4ED-3DD5A9EA47E3} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {68B67517-AD2C-4859-AFE8-8F4089074050} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {71DC3F2F-2597-484D-946A-F675232C9C16} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWoW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-12-16] (Adobe Systems Incorporated)
Task: {737F2717-E574-486C-9BA8-1D850456C821} - System32\Tasks\GlaryOneClickOptimizer => C:\Program Files (x86)\Glary Utilities\oneclickoptimizer.exe
Task: {7776785A-D981-426F-A127-20BD7756B03F} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {79FE633D-F518-422C-BC34-D49A97EB00D9} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {8A8E14C4-7C54-4853-BAC3-CF1AADD0E27C} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {8FE89DCE-BEFD-416D-8301-A5C1DE9DC3C9} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {957760D5-50E2-4235-8DB9-FD8ABDAE4BC7} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {A4908103-331B-4761-B789-F9B8BCA14F56} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-473581126-2895704609-3995012257-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {A553A59F-F7AC-4FE6-85E8-13AA616B4EBF} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-473581126-2895704609-3995012257-1002Core => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2017-07-17] (Google Inc.)
Task: {A5B07A38-0A65-4D95-87C7-038AA3FE6183} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {AC3C7B7F-DC3C-475F-9652-95FC03131DA8} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {B6E5A2EA-7D81-46EE-8C6F-FCFCBD36C5FB} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B99FBF30-49BB-40C2-A8A5-6D194B32AB96} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {C4184362-C735-446C-AA8E-B10AF3290968} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe
Task: {CA62A1FE-10C2-45EC-B2F6-C11AD1DC0403} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {CCCF0843-5CD1-4CDC-856D-D3D25E3672B9} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {CDDB0D27-83AA-414B-99BE-433A0ED1FE4F} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {DB06231B-0F44-4BA3-8C80-30768BAA1192} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-473581126-2895704609-3995012257-1002UA => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2017-07-17] (Google Inc.)
Task: {E0E19367-B86F-4EFF-B391-CB5DE517BFD0} - System32\Tasks\CCleanerSkipUAC => F:\CC\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {F978FC1C-D748-437B-9BD8-B58FA154A38C} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\GlaryOneClickOptimizer.job => C:\Program Files (x86)\Glary Utilities\oneclickoptimizer.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-12-28 14:09 - 2017-11-29 09:11 - 002301384 _____ () F:\MALWAREBYTES ANTI-MALWARE\ANTI-MALWARE\SelfProtectionSdk.dll
2017-03-18 12:58 - 2017-03-18 12:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 12:59 - 2017-03-18 18:30 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-01-06 08:41 - 2016-01-06 08:41 - 000062168 _____ () F:\CC\branding.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 000477184 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
2017-12-12 12:22 - 2017-12-12 12:26 - 058590720 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
2017-10-05 17:05 - 2017-10-05 17:06 - 002523136 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\UnityEngineDelegates.dll
2017-11-13 13:13 - 2017-11-13 13:19 - 000164864 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\VideoPlugin.dll
2017-10-05 17:05 - 2017-10-05 17:06 - 000675328 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\IPPNativePlugin.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 003727360 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\MediaEngineCSWrapper.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 002270720 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\TrackingDLLUWP.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 016395264 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\PhotosApp.Windows.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 003579904 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\MediaEngine.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 003204096 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\AppCore.Windows.dll
2017-08-30 08:08 - 2017-08-30 08:09 - 003553704 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 000043520 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.Edit.Services.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 004038144 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.People.PeoplePicker.dll
2017-12-12 12:22 - 2017-12-12 12:26 - 001367040 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.RichMedia.Ink.Controls.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1001movie.com -> 1001movie.com

There are 6091 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2017-10-22 13:46 - 000004507 ____C C:\WINDOWS\system32\Drivers\etc\hosts

0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 api.recommendedsw.com
0.0.0.0 rp.yefeneri2.com
0.0.0.0 os.yefeneri2.com
0.0.0.0 os2.yefeneri2.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
0.0.0.0 cdn.msdwnld.com
0.0.0.0 cdn.mypcbackup.com
0.0.0.0 cdn.ppdownload.com
0.0.0.0 cdn.riceateastcach.us
0.0.0.0 cdn.shyapotato.us
0.0.0.0 cdn.solimba.com
0.0.0.0 cdn.tuto4pc.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-473581126-2895704609-3995012257-1002\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\windows\img0.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Warn)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: ZAMSvc => 2
HKLM\...\StartupApproved\Run32: => "GrooveMonitor"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\StartupApproved\Run: => "OneDrive"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [UDP Query User{2A56A360-63F9-4AB6-B4E9-3773F8A78EFE}C:\program files (x86)\microsoft office\office12\groove.exe] => (Block) C:\program files (x86)\microsoft office\office12\groove.exe
FirewallRules: [TCP Query User{4220342B-783C-474E-9F89-74CC1D2DD04C}C:\program files (x86)\microsoft office\office12\groove.exe] => (Block) C:\program files (x86)\microsoft office\office12\groove.exe
FirewallRules: [TCP Query User{7D7BEC9E-84AB-450A-885E-8B20C3B96D20}C:9\cricut-craft room\ccrbridge.exe] => (Allow) C:9\cricut-craft room\ccrbridge.exe
FirewallRules: [UDP Query User{1FB4883E-E90F-4BAF-B8C0-A369B84A76BD}C:9\cricut-craft room\ccrbridge.exe] => (Allow) C:9\cricut-craft room\ccrbridge.exe
FirewallRules: [{97C000C8-6426-4501-A34E-AF1519493F2B}] => (Allow) C:\Program Files\Waterfox\waterfox.exe
FirewallRules: [{AD0BCD88-059F-4761-8A0F-0C7F9C745F84}] => (Allow) C:\Program Files\Waterfox\waterfox.exe

==================== Restore Points =========================

20-12-2017 16:39:33 Scheduled Checkpoint
23-12-2017 18:46:25 Windows Update
27-12-2017 09:59:14 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/29/2017 12:34:38 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 26.12.2017.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 1a04

Start Time: 01d380e112d7efe3

Termination Time: 20

Application Path: C:\Users\Admin\Downloads\FRST64.exe

Report Id: 3666aa15-35ce-4586-8d3e-bf8ac74a4778

Faulting package full name:

Faulting package-relative application ID:

Error: (12/28/2017 08:35:37 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-473581126-2895704609-3995012257-1002}/">.

Error: (12/28/2017 07:12:13 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-473581126-2895704609-3995012257-1002}/">.

Error: (12/27/2017 03:39:05 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-473581126-2895704609-3995012257-1002}/">.

Error: (12/27/2017 02:24:41 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: PC)
Description: Package Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe+App was terminated because it took too long to suspend.

Error: (12/27/2017 02:16:39 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (12/27/2017 12:40:06 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.

Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.
.

Error: (12/27/2017 12:02:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HitmanPro_x64.exe, version: 3.7.20.286, time stamp: 0x58e5ec3b
Faulting module name: HitmanPro_x64.exe, version: 3.7.20.286, time stamp: 0x58e5ec3b
Exception code: 0xc0000005
Fault offset: 0x00000000002bfb49
Faulting process id: 0xde8
Faulting application start time: 0x01d37f49a2abbffd
Faulting application path: F:\HitmanPro_x64.exe
Faulting module path: F:\HitmanPro_x64.exe
Report Id: eb1bad0f-a41c-4bc3-b7ad-544b9d428eae
Faulting package full name:
Faulting package-relative application ID:

Error: (12/27/2017 11:25:22 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: PC)
Description: Package Microsoft.Windows.ShellExperienceHost_10.0.15063.675_neutral_neutral_cw5n1h2txyewy+App was terminated because it took too long to suspend.

Error: (12/27/2017 11:24:48 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Admin\AppData\Local\Temp\jrt\CreateRestorePoint.exe  "JRT Pre-Junkware Removal"; Description = JRT Pre-Junkware Removal; Error = 0x8007043c).


System errors:
=============
Error: (12/29/2017 11:43:08 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected User Experiences and Telemetry service terminated with the following error:
General access denied error

Error: (12/29/2017 11:42:57 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected User Experiences and Telemetry service terminated with the following error:
General access denied error

Error: (12/29/2017 11:39:29 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected User Experiences and Telemetry service terminated with the following error:
General access denied error

Error: (12/29/2017 11:39:13 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected User Experiences and Telemetry service terminated with the following error:
General access denied error

Error: (12/28/2017 05:39:35 PM) (Source: Schannel) (EventID: 4114) (User: NT AUTHORITY)
Description: The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.

Error: (12/28/2017 05:39:24 PM) (Source: Schannel) (EventID: 4114) (User: NT AUTHORITY)
Description: The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.

Error: (12/28/2017 04:17:26 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected User Experiences and Telemetry service terminated with the following error:
General access denied error

Error: (12/28/2017 04:16:47 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected User Experiences and Telemetry service terminated with the following error:
General access denied error

Error: (12/28/2017 04:12:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Connected User Experiences and Telemetry service terminated with the following error:
General access denied error

Error: (12/28/2017 04:10:11 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070020: Feature update to Windows 10, version 1709.


CodeIntegrity:
===================================
  Date: 2017-12-28 16:14:48.480
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-23 17:46:40.231
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-21 17:14:56.949
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-15 15:24:30.931
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.StdFormat.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.859
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\ADODB.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.797
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\MSDATASRC.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.677
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.StdFormat.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.625
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\ADODB.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.587
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\MSDATASRC.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:27.737
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll that did not meet the Microsoft signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of memory in use: 64%
Total physical RAM: 2037.61 MB
Available physical RAM: 730.1 MB
Total Virtual: 3637.61 MB
Available Virtual: 1811.71 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:73.96 GB) (Free:14.72 GB) NTFS
Drive f: (TOSHIBA EXT) (Fixed) (Total:931.51 GB) (Free:869.61 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: 92EF78FE)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=74 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 733E660D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/29/17
Scan Time: 12:58 PM
Log File: ffd96e16-ecda-11e7-a5da-0019b9432dcd.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3585
License: Free

-System Information-
OS: Windows 10 (Build 15063.786)
CPU: x64
File System: NTFS
User: PC\Admin

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 401527
Threats Detected: 1
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 hr, 0 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.Linkury, C:\USERS\OWNERS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [292], [455237],1.0.3585

Physical Sector: 0
(No malicious items detected)


(end)





#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:41 PM

Posted 31 December 2017 - 08:52 PM

Greetings Dimera and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

Rerun Malwarebytes and choose to delete the identified PUP.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
CreateRestorePoint:
CloseProcesses:
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO-x32: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Task: C:\WINDOWS\Tasks\GlaryOneClickOptimizer.job => C:\Program Files (x86)\Glary Utilities\oneclickoptimizer.exe
C:\Program Files (x86)\Glary Utilities
emptytemp:
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Malwarebytes AdwCleaner

-------------------
  • Please download AdwCleaner and save it on your desktop.
  • Close all open programs and browsers
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed, if there are threats found you will see "Found 3 threats" or something similar above the progress bar
  • Click each tab under Results and uncheck any items you want to keep
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Click OK twice to finish the removal process by automatically rebooting your computer
  • Once completed an AdwCleaner document will open on your desktop
  • Copy and paste the contents in your reply
=================

Malwarebytes Junkware Removal Tool

-------------------
  • Please download Junkware Removal Tool and save it to your Desktop
  • Right click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Press any key to start the scan
  • Once completed a JRT.txt document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Malwarebytes deletion?
  • Fixlog
  • AdwCleaner log
  • Junkware log
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Dimera
  • Topic Starter

Posted 01 January 2018 - 08:09 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 01.01.2018
Ran by Admin (01-01-2018 14:46:57) Run:1
Running from F:\
Loaded Profiles: Admin (Available Profiles: Admin & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO-x32: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Task: C:\WINDOWS\Tasks\GlaryOneClickOptimizer.job => C:\Program Files (x86)\Glary Utilities\oneclickoptimizer.exe
C:\Program Files (x86)\Glary Utilities
emptytemp:

*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found
C:\WINDOWS\Tasks\GlaryOneClickOptimizer.job => moved successfully
"C:\Program Files (x86)\Glary Utilities" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 24614997 B
Java, Flash, Steam htmlcache => 1184 B
Windows/system/drivers => 496344 B
Edge => 197 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 54317 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 21617936 B
Admin => 2490003 B
DefaultAppPool => 0 B

RecycleBin => 0 B
EmptyTemp: => 54.5 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:48:52 ====

 

 

# AdwCleaner 7.0.6.0 - Logfile created on Mon Jan 01 23:01:39 2018
# Updated on 2017/21/12 by Malwarebytes
# Database: 01-01-2018.1
# Running on Windows 10 Pro (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************



########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Pro x64
Ran by Admin (Administrator) on Mon 01/01/2018 at 15:15:29.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 01/01/2018 at 15:19:31.99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/1/18
Scan Time: 3:33 PM
Log File: 3cca9692-ef4c-11e7-a477-0019b9432dcd.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3604
License: Free

-System Information-
OS: Windows 10 (Build 15063.786)
CPU: x64
File System: NTFS
User: PC\Admin

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 401738
Threats Detected: 1
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 55 min, 9 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.Linkury, C:\USERS\OWNERS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [293], [455237],1.0.3604

Physical Sector: 0
(No malicious items detected)


(end)



#4 Oh My!
  • Malware Response Instructor

Posted 01 January 2018 - 09:35 PM

Greetings.

It looks like you chose not to delete the Malwarebytes detection. Did you want to keep this entry?
 

PUP.Optional.Linkury, C:\USERS\OWNERS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [293], [455237],1.0.3604

Gary
 

#5 Dimera
  • Topic Starter

Posted 02 January 2018 - 03:38 PM

I want to delete.  All I can do in Malwarebytes is quarantine it.
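The point Gary raised in the previous post, that the report counted a detection but recorded "No Action By User" against it, is something that can be checked mechanically rather than by eye. As an added example (not from this thread or from Malwarebytes), here is a small Python parser for the Malwarebytes 3.x text report format posted in this thread; the sample report is constructed to mirror that format, and the set of actions treated as neutralising an item is my assumption.

```python
"""Parse the Malwarebytes 3.x text report format posted in this thread and
flag detections that were reported but not actually neutralised.
Added example, not code from the thread or from Malwarebytes; the sample
report is constructed and the set of "neutralised" actions is my assumption."""
import re
from dataclasses import dataclass

# Actions treated as having dealt with the item (assumption). Anything
# else, notably "No Action By User", means the item is still in place.
NEUTRALISED_ACTIONS = {"Quarantined", "Replaced", "Delete-on-Reboot"}

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")   # e.g. "File: 1"


@dataclass
class Detection:
    category: str   # section the item was listed under, e.g. "File"
    name: str       # e.g. "PUP.Optional.Linkury"
    location: str   # path or registry key
    action: str     # what Malwarebytes did, e.g. "No Action By User"


def parse_report(text):
    """Return (summary, detections): summary holds the 'Key: value' lines
    outside -Scan Details-; detections lists every item line found."""
    summary, detections = {}, []
    in_details, section = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-") and line.endswith("-"):   # "-Scan Summary-"
            in_details = line == "-Scan Details-"
            section = None
            continue
        if not in_details:
            if ":" in line:                     # "Threats Detected: 1"
                key, value = line.split(":", 1)
                summary[key.strip()] = value.strip()
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "Registry Key: 0"
            section = m.group(1)
            continue
        if section is None or line.startswith("("):   # "(No malicious ...)"
            continue
        # Item line: name, location, action, [id], [id], database version.
        # A location containing a comma would need a smarter split.
        parts = [p.strip() for p in line.split(",")]
        if len(parts) >= 3:
            detections.append(Detection(section, parts[0], parts[1], parts[2]))
    return summary, detections


def unresolved(detections):
    """Detections whose recorded action did not neutralise the item."""
    return [d for d in detections if d.action not in NEUTRALISED_ACTIONS]


def check_report(text):
    """Cross-check the summary counters against the per-item actions."""
    summary, detections = parse_report(text)
    return {
        "detected": int(summary.get("Threats Detected", "0")),
        "quarantined": int(summary.get("Threats Quarantined", "0")),
        "unresolved": unresolved(detections),
    }


# Constructed, abridged sample in the format Dimera posted; the File line
# is the detection from the 29 December scan.
SAMPLE_REPORT = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/29/17
Administrator: Yes

-Scan Summary-
Scan Type: Threat Scan
Threats Detected: 1
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 1 hr, 0 min, 53 sec

-Scan Details-
Process: 0
(No malicious items detected)

File: 1
PUP.Optional.Linkury, C:\USERS\OWNERS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, [292], [455237],1.0.3585

(end)
"""

if __name__ == "__main__":
    result = check_report(SAMPLE_REPORT)
    print(f"detected={result['detected']} quarantined={result['quarantined']}")
    for d in result["unresolved"]:
        print(f"still in place: {d.category} {d.name} ({d.action})")
```

Running it on the later reports in this thread, where the File line ends in "Replaced", yields an empty "unresolved" list, which is what the "Threats Quarantined: 1" counter in those reports is saying.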



#6 Oh My!
  • Malware Response Instructor

Posted 02 January 2018 - 06:35 PM

According to your latest Malwarebytes report the PUP was not moved to Quarantine. If it is now in Quarantine there is no need to worry about it. It has been neutralized and no longer active.

How is your computer running?
Gary
 

#7 Dimera
  • Topic Starter

Posted 03 January 2018 - 06:46 PM

My computer is still slow.  Every single time I run Malwarebytes it finds the file.  This was today's scan.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/3/18
Scan Time: 12:26 PM
Log File: 733afc84-f0c4-11e7-aa52-0019b9432dcd.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3617
License: Free

-System Information-
OS: Windows 10 (Build 15063.786)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 401368
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 hr, 3 min, 45 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.Linkury, C:\USERS\OWNERS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [293], [455237],1.0.3617

Physical Sector: 0
(No malicious items detected)


(end)



#8 Oh My!
  • Malware Response Instructor

Posted 03 January 2018 - 07:57 PM

If you run Malwarebytes again it should be gone.

Please describe slow. Boot process, Internet, etc.


Edited by Oh My!, 04 January 2018 - 09:31 AM.

Gary
 

#9 Dimera
  • Topic Starter

Posted 04 January 2018 - 04:38 PM

Today's Malwarebytes report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/4/18
Scan Time: 12:12 PM
Log File: a7a5e1ec-f18b-11e7-b06b-0019b9432dcd.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3623
License: Free

-System Information-
OS: Windows 10 (Build 15063.786)
CPU: x64
File System: NTFS
User: PC\Admin

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 402040
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 55 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.Linkury, C:\USERS\OWNERS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [293], [455237],1.0.3623

Physical Sector: 0
(No malicious items detected)


(end)

 

 

Any program I click on to open takes anywhere between 45 seconds to a minute to open.  Browser, sites like Facebook take about a minute for the whole thing to download.



#10 Oh My!
  • Malware Response Instructor

Posted 04 January 2018 - 05:16 PM

Thank you.

The amount of memory you have is the bare minimum system requirement to run your current operating system. Using the bare minimum gives you very little flexibility in running things in addition to Windows itself. Although there is physical and virtual memory that can be used, when the physical memory is exhausted the computer will utilize the virtual memory, which is slower. That, in turn, will negatively affect computer performance. I suspect that is what we are dealing with.
 

Percentage of memory in use: 64%
Total physical RAM: 2037.61 MB
Available physical RAM: 730.1 MB
Total Virtual: 3637.61 MB
Available Virtual: 1811.71 MB


Please do this.

===================================================

Checking Chrome Sync Status

--------------------
  • Launch Chrome web browser
  • Type chrome://settings/syncSetup in the address bar and hit Enter
  • Is Sync everything selected on top? If not, list the categories that are being synced
===================================================

Boot into Safe Mode and check your computer performance. In addition, while in Safe Mode run a FRST scan and copy/paste both reports in your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Chrome Sync status?
  • Safe Mode performance?
  • FRST reports (2)

Gary
 

#11 Dimera
  • Topic Starter

Posted 05 January 2018 - 02:02 PM

In sync.

 

Boot Mode everything was fine.  No pauses or freezing.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by Admin (administrator) on PC (05-01-2018 10:51:14)
Running from C:\Users\Admin\Downloads
Loaded Profiles: Admin (Available Profiles: Admin)
Platform: Windows 10 Pro Version 1703 15063.786 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files\Waterfox\waterfox.exe" -osint -url "%1")
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe
(Malwarebytes) F:\Malwarebytes Anti-Malware\Anti-Malware\MBAMService.exe
(Malwarebytes) F:\Malwarebytes Anti-Malware\Anti-Malware\mbamtray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Mozilla Corporation) C:\Program Files\Waterfox\waterfox.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Mozilla Corporation) C:\Program Files\Waterfox\waterfox.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [ZAM] => F:\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\Run: [CCleaner Monitoring] => F:\CC\CCleaner64.exe [9288408 2016-12-06] (Piriform Ltd)
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1223560 2017-05-07] (Ruiware)
Startup: C:\Users\Owners\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2014-03-09]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{0d8ce48a-75f5-47e6-98eb-050a46b686c2}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{e608f57e-cd42-479e-9c6c-ed19dfa577cc}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{e9f4f0a1-f81d-4612-976e-b8a5df110409}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617911&ResetID=130896097070380092&GUID=7A267B58-D50F-4A26-A599-FFAFF9D28876
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

FireFox:
========
FF DefaultProfile: o4xql8yh.default
FF ProfilePath: C:\Users\Admin\AppData\Roaming\Waterfox\Profiles\o4xql8yh.default [2018-01-05]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_28_0_0_126.dll [2017-12-16] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_126.dll [2017-12-16] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [No File]
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @talk.google.com/GoogleTalkPlugin -> C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @talk.google.com/O1DPlugin -> C:\Users\Admin\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @tools.google.com/Google Update;version=3 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin HKU\S-1-5-21-473581126-2895704609-3995012257-1002: @tools.google.com/Google Update;version=9 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Admin\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Admin\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
StartMenuInternet: Firefox-6F940AC27A98DD61 - C:\Program Files\Waterfox\waterfox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AmazonMeterService; C:\Program Files (x86)\ShopTracker\Scheduler\AmazonMeter.Scheduler.exe [32664 2017-12-12] (VL)
R2 MBAMService; F:\Malwarebytes Anti-Malware\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S2 mfevtp; C:\WINDOWS\system32\mfevtps.exe [343544 2017-05-24] (McAfee, Inc.)
S2 rsEngineSvc; C:\Program Files\Reason\Security\rsEngineSvc.exe [80144 2015-08-12] (Reason Software Company Inc.)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3913064 2017-03-18] (Microsoft Corporation)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\NisSrv.exe [356176 2017-12-08] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe [105792 2017-12-08] (Microsoft Corporation)
S2 ZAMSvc; F:\Zemana AntiMalware\ZAM.exe [15775888 2017-08-09] (Copyright 2017.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [55232 2017-12-27] ()
S3 massfilter_hs; C:\WINDOWS\system32\drivers\massfilter_hs.sys [20232 2012-06-20] (HandSet Incorporated)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253880 2018-01-05] (Malwarebytes)
R0 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [917008 2017-05-24] (McAfee, Inc.)
S3 mferkdet; C:\WINDOWS\System32\drivers\mferkdet.sys [124432 2017-05-24] (McAfee, Inc.)
S3 SDFRd; C:\WINDOWS\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2017-12-08] (Microsoft Corporation)
S0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [288848 2017-12-08] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [129616 2017-12-08] (Microsoft Corporation)
S1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2017-12-21] (Zemana Ltd.)
S1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-06-03] (Zemana Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-05 10:50 - 2018-01-05 10:50 - 000000994 ____C C:\Users\Admin\Desktop\FRST64.lnk
2018-01-05 10:48 - 2018-01-05 10:48 - 000141160 ____C C:\WINDOWS\ntbtlog.txt
2018-01-05 10:48 - 2018-01-05 10:48 - 000000000 ___DC C:\WINDOWS\system32\Drivers\wd
2018-01-01 15:14 - 2018-01-01 15:14 - 001790024 ____C (Malwarebytes) C:\Users\Admin\Desktop\JRT.exe
2018-01-01 14:56 - 2018-01-01 15:01 - 000000000 ___DC C:\AdwCleaner
2018-01-01 14:55 - 2018-01-01 14:55 - 008198432 ____C (Malwarebytes) C:\Users\Admin\Downloads\AdwCleaner.exe
2017-12-31 18:13 - 2018-01-05 10:40 - 000000000 ___DC C:\WINDOWS\Panther
2017-12-29 12:37 - 2017-12-29 12:39 - 000037387 ____C C:\Users\Admin\Downloads\Addition.txt
2017-12-29 12:10 - 2018-01-05 10:52 - 000008577 ____C C:\Users\Admin\Downloads\FRST.txt
2017-12-29 12:10 - 2018-01-05 10:51 - 000000000 ___DC C:\Users\Admin\Downloads\FRST-OlderVersion
2017-12-28 14:09 - 2018-01-05 10:48 - 000253880 ____C (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-12-28 14:09 - 2017-12-28 14:09 - 000000900 ____C C:\Users\Public\Desktop\Malwarebytes.lnk
2017-12-28 14:09 - 2017-12-28 14:09 - 000000000 ___DC C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-12-28 14:09 - 2017-11-29 09:11 - 000077432 ____C C:\WINDOWS\system32\Drivers\mbae64.sys
2017-12-28 14:07 - 2017-12-28 14:07 - 000000000 ___DC C:\ProgramData\MB3CoreBackup
2017-12-27 11:34 - 2017-12-27 11:34 - 000055232 ____C C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2017-12-21 16:14 - 2017-12-21 16:14 - 000203680 ____C (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2017-12-21 16:14 - 2017-12-21 16:14 - 000000689 ____C C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2017-12-21 16:14 - 2017-12-21 16:14 - 000000000 ___DC C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-12-21 16:12 - 2017-12-21 16:13 - 006625600 ____C (Zemana Ltd. ) C:\Users\Admin\Downloads\Zemana.AntiMalware.Setup.exe
2017-12-12 13:56 - 2017-11-29 19:33 - 000038808 ____C (Microsoft Corporation) C:\WINDOWS\system32\OOBEUpdater.exe
2017-12-12 13:56 - 2017-11-29 19:00 - 002166808 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2017-12-12 13:56 - 2017-11-29 18:58 - 006763128 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
2017-12-12 13:56 - 2017-11-29 18:58 - 000702032 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttp.dll
2017-12-12 13:56 - 2017-11-29 18:57 - 001123968 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
2017-12-12 13:56 - 2017-11-29 18:45 - 000119808 ____C (Microsoft Corporation) C:\WINDOWS\system32\UserDataTimeUtil.dll
2017-12-12 13:56 - 2017-11-29 18:43 - 000095232 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserDataTimeUtil.dll
2017-12-12 13:56 - 2017-11-29 18:43 - 000002560 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\tzres.dll
2017-12-12 13:56 - 2017-11-29 18:42 - 000148992 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\itss.dll
2017-12-12 13:56 - 2017-11-29 18:42 - 000100864 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\msscript.ocx
2017-12-12 13:56 - 2017-11-29 18:41 - 000146944 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\wscript.exe
2017-12-12 13:56 - 2017-11-29 18:40 - 000585216 ____C (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2017-12-12 13:56 - 2017-11-29 18:40 - 000528384 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\iprtrmgr.dll
2017-12-12 13:56 - 2017-11-29 18:40 - 000206336 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\scrobj.dll
2017-12-12 13:56 - 2017-11-29 18:40 - 000143360 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\cscript.exe
2017-12-12 13:56 - 2017-11-29 18:38 - 001248768 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\AzureSettingSyncProvider.dll
2017-12-12 13:56 - 2017-11-29 18:38 - 000636416 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\WpcWebFilter.dll
2017-12-12 13:56 - 2017-11-29 18:38 - 000497152 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2017-12-12 13:56 - 2017-11-29 18:37 - 002859520 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-12-12 13:56 - 2017-11-29 18:36 - 001019904 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\aadtb.dll
2017-12-12 13:56 - 2017-11-29 18:36 - 000755200 ____C (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-12-12 13:56 - 2017-11-29 18:35 - 001627136 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-12-12 13:56 - 2017-11-29 18:34 - 004559360 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2017-12-12 13:56 - 2017-11-17 01:31 - 000223640 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\aepic.dll
2017-12-12 13:56 - 2017-11-17 01:00 - 002953216 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
2017-12-12 13:55 - 2017-11-29 19:29 - 008319384 ____C (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-12-12 13:55 - 2017-11-29 19:23 - 001194248 ____C (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
2017-12-12 13:55 - 2017-11-29 18:59 - 023678464 ____C (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2017-12-12 13:55 - 2017-11-29 18:44 - 023679488 ____C (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-12-12 13:55 - 2017-11-29 18:44 - 019334144 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-12-12 13:55 - 2017-11-29 18:44 - 000110592 ____C (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2017-12-12 13:55 - 2017-11-29 18:43 - 020511232 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2017-12-12 13:55 - 2017-11-29 18:42 - 000560640 ____C (Microsoft Corporation) C:\WINDOWS\system32\iprtrmgr.dll
2017-12-12 13:55 - 2017-11-29 18:42 - 000080896 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakradiag.dll
2017-12-12 13:55 - 2017-11-29 18:41 - 000225792 ____C (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2017-12-12 13:55 - 2017-11-29 18:40 - 012803072 ____C (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-12-12 13:55 - 2017-11-29 18:39 - 011888640 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-12-12 13:55 - 2017-11-29 18:38 - 008195584 ____C (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2017-12-12 13:55 - 2017-11-29 18:37 - 006252544 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 005557760 ____C (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 004726784 ____C (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 003652096 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-12-12 13:55 - 2017-11-29 18:36 - 000658432 ____C (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-12-12 13:54 - 2017-11-29 19:33 - 001144728 ____C (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
2017-12-12 13:54 - 2017-11-29 19:33 - 001015704 ____C (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
2017-12-12 13:54 - 2017-11-29 19:26 - 002647216 ____C (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2017-12-12 13:54 - 2017-11-29 19:24 - 000870896 ____C (Microsoft Corporation) C:\WINDOWS\system32\winhttp.dll
2017-12-12 13:54 - 2017-11-29 19:23 - 007910960 ____C (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
2017-12-12 13:54 - 2017-11-29 18:45 - 000002560 ____C (Microsoft Corporation) C:\WINDOWS\system32\tzres.dll
2017-12-12 13:54 - 2017-11-29 18:44 - 000171008 ____C (Microsoft Corporation) C:\WINDOWS\system32\itss.dll
2017-12-12 13:54 - 2017-11-29 18:44 - 000042496 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\vwifimp.sys
2017-12-12 13:54 - 2017-11-29 18:43 - 000164352 ____C (Microsoft Corporation) C:\WINDOWS\system32\wscript.exe
2017-12-12 13:54 - 2017-11-29 18:42 - 001878016 ____C (Microsoft Corporation) C:\WINDOWS\system32\AzureSettingSyncProvider.dll
2017-12-12 13:54 - 2017-11-29 18:42 - 000304640 ____C (Microsoft Corporation) C:\WINDOWS\system32\dusmsvc.dll
2017-12-12 13:54 - 2017-11-29 18:42 - 000164352 ____C (Microsoft Corporation) C:\WINDOWS\system32\cscript.exe
2017-12-12 13:54 - 2017-11-29 18:41 - 000527360 ____C (Microsoft Corporation) C:\WINDOWS\system32\aadcloudap.dll
2017-12-12 13:54 - 2017-11-29 18:41 - 000414720 ____C (Microsoft Corporation) C:\WINDOWS\system32\provhandlers.dll
2017-12-12 13:54 - 2017-11-29 18:41 - 000222208 ____C (Microsoft Corporation) C:\WINDOWS\system32\scrobj.dll
2017-12-12 13:54 - 2017-11-29 18:39 - 003206656 ____C (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Bluetooth.Profiles.Gatt.dll
2017-12-12 13:54 - 2017-11-29 18:39 - 002809344 ____C (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2017-12-12 13:54 - 2017-11-29 18:39 - 000925696 ____C (Microsoft Corporation) C:\WINDOWS\system32\WpcWebFilter.dll
2017-12-12 13:54 - 2017-11-29 18:38 - 000684544 ____C (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2017-12-12 13:54 - 2017-11-29 18:37 - 003306496 ____C (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-12-12 13:54 - 2017-11-29 18:37 - 001293824 ____C (Microsoft Corporation) C:\WINDOWS\system32\aadtb.dll
2017-12-12 13:54 - 2017-11-29 18:36 - 001802240 ____C (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-12-12 13:54 - 2017-11-29 18:36 - 001398784 ____C (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 002032536 ____C (Microsoft Corporation) C:\WINDOWS\system32\aitstatic.exe
2017-12-12 13:54 - 2017-11-17 01:46 - 001578904 ____C (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000821656 ____C (Microsoft Corporation) C:\WINDOWS\system32\hvloader.exe
2017-12-12 13:54 - 2017-11-17 01:46 - 000678808 ____C (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000613784 ____C (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000612248 ____C (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000484248 ____C (Microsoft Corporation) C:\WINDOWS\system32\dcntel.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000379288 ____C (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000259992 ____C (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000190360 ____C (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000136088 ____C (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2017-12-12 13:54 - 2017-11-17 01:46 - 000067992 ____C (Microsoft Corporation) C:\WINDOWS\system32\win32appinventorycsp.dll
2017-12-12 13:54 - 2017-11-17 01:46 - 000034712 ____C (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
2017-12-12 13:54 - 2017-11-17 01:41 - 000503704 ____C (Microsoft Corporation) C:\WINDOWS\system32\pcasvc.dll
2017-12-12 13:54 - 2017-11-17 01:39 - 005477088 ____C (Microsoft Corporation) C:\WINDOWS\system32\OneCoreUAPCommonProxyStub.dll
2017-12-12 13:54 - 2017-11-17 01:39 - 000643200 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2017-12-12 13:54 - 2017-11-17 01:37 - 021353200 ____C (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2017-12-12 13:54 - 2017-11-17 01:03 - 003668992 ____C (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2017-12-12 13:54 - 2017-11-17 00:59 - 000064512 ____C (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2017-12-12 13:54 - 2017-11-17 00:56 - 000757248 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WdiWiFi.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-05 10:52 - 2016-10-29 23:22 - 000000000 ___DC C:\Users\Admin\AppData\Local\CrashDumps
2018-01-05 10:51 - 2017-11-09 19:38 - 000000000 ___DC C:\FRST
2018-01-05 10:51 - 2017-11-09 19:37 - 002393088 ____C (Farbar) C:\Users\Admin\Downloads\FRST64.exe
2018-01-05 10:50 - 2016-11-26 15:44 - 000000000 ___DC C:\Users\Admin\AppData\LocalLow\Mozilla
2018-01-05 10:49 - 2016-10-21 11:18 - 000000214 ____C C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2018-01-05 10:45 - 2017-03-18 03:40 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-01-05 10:42 - 2017-08-03 13:47 - 000000006 ___HC C:\WINDOWS\Tasks\SA.DAT
2018-01-05 10:42 - 2017-06-03 21:02 - 002238285 ____C C:\WINDOWS\ZAM.krnl.trace
2018-01-05 10:42 - 2017-06-03 21:02 - 000289163 ____C C:\WINDOWS\ZAM_Guard.krnl.trace
2018-01-05 10:41 - 2017-09-29 07:05 - 000000000 ___HD C:\$WINDOWS.~BT
2018-01-05 10:38 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\AppReadiness
2018-01-05 10:37 - 2017-03-18 13:03 - 000000000 ___HD C:\Program Files\WindowsApps
2018-01-05 10:35 - 2017-08-03 13:47 - 000004140 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{FDD11F41-16E8-4C41-BDFF-A55C76C3574A}
2018-01-04 19:30 - 2017-08-03 13:23 - 000000000 ___DC C:\WINDOWS\system32\SleepStudy
2017-12-31 18:15 - 2017-08-03 13:28 - 000000000 ___DC C:\Users\Admin
2017-12-27 12:20 - 2017-03-18 13:01 - 000000000 ___DC C:\WINDOWS\INF
2017-12-27 12:18 - 2016-10-20 12:16 - 000001137 ____C C:\Users\Public\Desktop\Reason Core Security.lnk
2017-12-25 12:08 - 2017-08-03 13:27 - 001256184 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2017-12-22 18:24 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\system32\NDF
2017-12-21 16:14 - 2017-06-03 21:02 - 000000000 ___DC C:\Users\Admin\AppData\Local\Zemana
2017-12-21 14:22 - 2017-08-06 09:39 - 000003350 ____C C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-473581126-2895704609-3995012257-1002
2017-12-21 14:22 - 2017-08-03 14:06 - 000002363 ____C C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-12-21 14:22 - 2016-07-27 06:23 - 000000000 __RDC C:\Users\Admin\OneDrive
2017-12-20 15:52 - 2016-08-10 10:42 - 000000000 ___DC C:\Users\Admin\AmazonMeter
2017-12-20 15:51 - 2016-08-10 10:41 - 000001244 ____C C:\Users\Public\Desktop\ShopTracker.lnk
2017-12-17 13:21 - 2017-03-18 13:03 - 000000000 ____D C:\WINDOWS\rescache
2017-12-16 19:45 - 2016-07-21 14:52 - 000000000 ___DC C:\Users\Admin\AppData\Local\Adobe
2017-12-16 19:44 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\SysWOW64\Macromed
2017-12-16 19:44 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\system32\Macromed
2017-12-14 13:20 - 2016-04-26 22:42 - 000000000 _RHDC C:\Users\Public\AccountPictures
2017-12-14 13:18 - 2017-08-03 13:22 - 000391384 ____C C:\WINDOWS\system32\FNTCACHE.DAT
2017-12-14 11:21 - 2017-06-22 20:13 - 000000000 __SDC C:\WINDOWS\UpdateAssistantV2
2017-12-14 11:21 - 2017-03-18 13:03 - 000000000 ___DC C:\WINDOWS\system32\oobe
2017-12-13 14:52 - 2017-03-18 12:51 - 000000000 ___DC C:\WINDOWS\CbsTemp
2017-12-13 14:41 - 2013-07-19 16:42 - 000000000 ___DC C:\WINDOWS\system32\MRT
2017-12-13 14:39 - 2017-12-03 09:59 - 000000000 ___DC C:\Program Files\Waterfox
2017-12-13 14:37 - 2017-10-21 16:27 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-12-13 14:37 - 2013-03-17 15:46 - 133326408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-12-12 16:15 - 2016-07-27 06:17 - 000000000 ___DC C:\Users\Admin\AppData\Local\Packages

==================== Files in the root of some directories =======

2017-05-17 14:31 - 2017-05-17 14:31 - 000003326 ____C () C:\Users\Admin\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
2014-07-14 00:20 - 2014-07-14 00:21 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\7DFF_HiDefMedia-1.1.12-win32C.exe
2014-01-09 15:55 - 2014-01-09 15:56 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\8C6_HiDefMedia-1.1.12-win32.exe
2014-01-09 15:55 - 2014-01-09 15:55 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\air4E4F.exe
2014-07-14 00:21 - 2014-07-14 00:20 - 021074920 _____ () C:\Users\Owners\AppData\Local\Temp\airC2AD.exe
2013-04-24 00:14 - 2013-04-24 00:14 - 000006144 _____ (Microsoft) C:\Users\Owners\AppData\Local\Temp\PreferencesJson.exe
2013-09-19 19:15 - 2013-09-19 19:15 - 000000006 _____ () C:\Users\Owners\AppData\Local\Temp\propsys.dll
2013-11-27 15:40 - 2013-11-27 15:40 - 000008704 _____ (Microsoft Corporation) C:\Users\Owners\AppData\Local\Temp\SpOrder.dll
2011-11-01 04:32 - 2011-11-01 04:32 - 000465408 _____ () C:\Users\Owners\AppData\Local\Temp\sqlite3.exe
2014-02-18 00:03 - 2014-02-18 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite.dll
2014-02-19 17:59 - 2014-02-19 17:59 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite51014.dll
2014-02-24 00:03 - 2014-02-24 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite58102.dll
2014-02-23 00:03 - 2014-02-23 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite65752.dll
2014-02-26 20:25 - 2014-02-26 20:25 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite78710.dll
2014-02-21 00:03 - 2014-02-21 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite84533.dll
2014-02-26 16:35 - 2014-02-26 16:35 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite87875.dll
2014-02-22 00:03 - 2014-02-22 00:03 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite89133.dll
2014-02-25 14:22 - 2014-02-25 14:22 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite93774.dll
2014-02-20 16:50 - 2014-02-20 16:50 - 001053184 _____ (Robert Simpson, et al.) C:\Users\Owners\AppData\Local\Temp\System.Data.SQLite95812.dll
2013-10-24 12:44 - 2013-10-23 18:34 - 000104174 _____ () C:\Users\Owners\AppData\Local\Temp\Uninstall.exe
2014-01-09 15:56 - 2014-01-09 15:57 - 004961800 _____ (Microsoft Corporation) C:\Users\Owners\AppData\Local\Temp\vcredist_x64.exe
2015-08-02 15:58 - 2015-08-02 15:58 - 000118784 _____ () C:\Users\Owners\AppData\Local\Temp\xmlUpdater.exe
2015-10-30 19:02 - 2015-10-30 19:02 - 000833864 _____ (Yahoo! Inc.) C:\Users\Owners\AppData\Local\Temp\ytb.exe
2013-10-09 17:46 - 1999-12-31 16:00 - 000455600 _____ (Macrovision Corporation) C:\Users\Owners\AppData\Local\Temp\_is6602.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-12-28 16:12

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Admin (05-01-2018 10:53:38)
Running from C:\Users\Admin\Downloads
Windows 10 Pro Version 1703 15063.786 (X64) (2017-08-03 21:58:10)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Admin (S-1-5-21-473581126-2895704609-3995012257-1002 - Administrator - Enabled) => C:\Users\Admin
Administrator (S-1-5-21-473581126-2895704609-3995012257-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-473581126-2895704609-3995012257-503 - Limited - Disabled)
Guest (S-1-5-21-473581126-2895704609-3995012257-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 23.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.126 - Adobe Systems Incorporated)
Belkin Wireless Micro USB Adapter (HKLM-x32\...\{B20F9D1C-A0A5-4cd8-8306-DA03872311B1}) (Version: 1.00.0155 - Belkin International, Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{400C31E4-796F-4E86-8FDC-C3C4FACC6847}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual Studio Community 2015 (HKLM-x32\...\{50b32652-69d2-4b93-9316-edcd12067b8b}) (Version: 14.0.23107.10 - Microsoft Corporation)
Reason Core Security (HKLM-x32\...\Reason Core Security) (Version: 1.1.0.0 - Reason Software Company Inc.)
Revo Uninstaller 2.0.3 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.3 - VS Revo Group, Ltd.)
ShopTracker 1.1.31 (HKLM-x32\...\AmazonMeter) (Version: 1.1.31 - Nielsen)
Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.6 - Sophos Limited)
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Waterfox 56.0.1 (x64 en-US) (HKLM\...\Waterfox 56.0.1 (x64 en-US)) (Version: 56.0.1 - Waterfox Ltd)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinPatrol (HKLM-x32\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 35.5.2017.8 - Ruiware)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.74.0.150 - Zemana Ltd.)
ZTE Handset USB Driver (HKLM\...\{01D42BF0-ED08-463f-8A28-99EB6FEE962B}) (Version:  - ZTE Corporation)
ZTE Handset USB Driver (HKLM\...\{D2D77DC2-8299-11D1-8949-444553540000}_is1) (Version: 5.2088.1.A02B06 - ZTE Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-473581126-2895704609-3995012257-1002_Classes\CLSID\{91A41FCC-BC02-42D8-A36E-0D27FF9BFFC8}\InprocServer32 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-473581126-2895704609-3995012257-1002_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Admin\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
ContextMenuHandlers1: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => F:\Zemana AntiMalware\ZAMShellExt64.dll [2017-12-21] ()
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-18] (Microsoft Corporation)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-18] (Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Malwarebytes Anti-Malware\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\ShellExt.dll [2017-03-18] (Microsoft Corporation)
ContextMenuHandlers6: [2.0 Zemana AntiMalware] -> {6ABB1C11-E261-4CEA-BBB5-3836225689DD} => F:\Zemana AntiMalware\ZAMShellExt64.dll [2017-12-21] ()
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Malwarebytes Anti-Malware\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {04DC094E-7627-4E70-B466-2603B833F592} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {0711AE3A-AEB7-41FF-B850-C22E96CC2089} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {07125905-5268-48E5-971A-289EE0160249} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {19F02864-1037-4FB6-AA13-D8B2F4CD32BD} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {1E267608-AE5C-4D06-9692-BB7BB3C93CD8} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {25628EFD-0279-449D-9DE3-778A67F5FC7B} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-473581126-2895704609-3995012257-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {29B538DE-ECA4-48A4-97E9-4AD903E5ADD3} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {2C12E84D-60DC-4250-8670-8A0BA3636850} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {2F674873-FC1C-4AD6-9DB3-B04A99A39534} - System32\Tasks\Norton Product InstallerIdle => C:\Windows\SysWOW64\Adobe\Shockwave 12\SymInstallStub.exe
Task: {3DD7FF79-95A6-46B7-953C-F1EA8E8289CB} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {4BCF904D-FD3A-40A4-8089-49C46EE5D0A0} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {4E358B6B-FF61-4BEA-8578-8702AA93779E} - System32\Tasks\ReasonSecurityScheduledScan => C:\Program Files\Reason\Security\rsUI.exe [2015-08-12] (Reason Software Company Inc.)
Task: {526CCA3B-3BBB-445A-8CE4-0DF701C808B3} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {5BEF0256-0A74-4BEA-88B7-8FA658EF2EB2} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {65DEFF6E-CAF8-4E5F-B3E5-419F7D44EDB9} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {68201ED3-9C26-4F73-A4ED-3DD5A9EA47E3} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {68B67517-AD2C-4859-AFE8-8F4089074050} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {71DC3F2F-2597-484D-946A-F675232C9C16} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWoW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-12-16] (Adobe Systems Incorporated)
Task: {737F2717-E574-486C-9BA8-1D850456C821} - System32\Tasks\GlaryOneClickOptimizer => C:\Program Files (x86)\Glary Utilities\oneclickoptimizer.exe
Task: {7776785A-D981-426F-A127-20BD7756B03F} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {79FE633D-F518-422C-BC34-D49A97EB00D9} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {8A8E14C4-7C54-4853-BAC3-CF1AADD0E27C} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {8FE89DCE-BEFD-416D-8301-A5C1DE9DC3C9} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {957760D5-50E2-4235-8DB9-FD8ABDAE4BC7} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {A4908103-331B-4761-B789-F9B8BCA14F56} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-473581126-2895704609-3995012257-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {A553A59F-F7AC-4FE6-85E8-13AA616B4EBF} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-473581126-2895704609-3995012257-1002Core => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2017-07-17] (Google Inc.)
Task: {A5B07A38-0A65-4D95-87C7-038AA3FE6183} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {AC3C7B7F-DC3C-475F-9652-95FC03131DA8} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {B6E5A2EA-7D81-46EE-8C6F-FCFCBD36C5FB} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B99FBF30-49BB-40C2-A8A5-6D194B32AB96} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {C4184362-C735-446C-AA8E-B10AF3290968} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe
Task: {CA62A1FE-10C2-45EC-B2F6-C11AD1DC0403} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {CCCF0843-5CD1-4CDC-856D-D3D25E3672B9} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {CDDB0D27-83AA-414B-99BE-433A0ED1FE4F} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MpCmdRun.exe [2017-12-08] (Microsoft Corporation)
Task: {DB06231B-0F44-4BA3-8C80-30768BAA1192} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-473581126-2895704609-3995012257-1002UA => C:\Users\Admin\AppData\Local\Google\Update\GoogleUpdate.exe [2017-07-17] (Google Inc.)
Task: {E0E19367-B86F-4EFF-B391-CB5DE517BFD0} - System32\Tasks\CCleanerSkipUAC => F:\CC\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {F978FC1C-D748-437B-9BD8-B58FA154A38C} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-12-28 14:09 - 2017-11-29 09:11 - 002301384 _____ () F:\MALWAREBYTES ANTI-MALWARE\ANTI-MALWARE\SelfProtectionSdk.dll
2017-12-21 16:15 - 2017-12-21 16:15 - 000155504 _____ () F:\Zemana AntiMalware\ZAMShellExt64.dll
2017-03-18 12:59 - 2017-03-18 18:30 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-03-18 12:58 - 2017-03-18 12:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\1001movie.com -> 1001movie.com

There are 6091 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2017-10-22 13:46 - 000004507 ____C C:\WINDOWS\system32\Drivers\etc\hosts

0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 api.recommendedsw.com
0.0.0.0 rp.yefeneri2.com
0.0.0.0 os.yefeneri2.com
0.0.0.0 os2.yefeneri2.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
0.0.0.0 cdn.msdwnld.com
0.0.0.0 cdn.mypcbackup.com
0.0.0.0 cdn.ppdownload.com
0.0.0.0 cdn.riceateastcach.us
0.0.0.0 cdn.shyapotato.us
0.0.0.0 cdn.solimba.com
0.0.0.0 cdn.tuto4pc.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-473581126-2895704609-3995012257-1002\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\windows\img0.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Warn)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: ZAMSvc => 2
HKLM\...\StartupApproved\Run32: => "GrooveMonitor"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKU\S-1-5-21-473581126-2895704609-3995012257-1002\...\StartupApproved\Run: => "OneDrive"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [UDP Query User{2A56A360-63F9-4AB6-B4E9-3773F8A78EFE}C:\program files (x86)\microsoft office\office12\groove.exe] => (Block) C:\program files (x86)\microsoft office\office12\groove.exe
FirewallRules: [TCP Query User{4220342B-783C-474E-9F89-74CC1D2DD04C}C:\program files (x86)\microsoft office\office12\groove.exe] => (Block) C:\program files (x86)\microsoft office\office12\groove.exe
FirewallRules: [TCP Query User{7D7BEC9E-84AB-450A-885E-8B20C3B96D20}C:9\cricut-craft room\ccrbridge.exe] => (Allow) C:9\cricut-craft room\ccrbridge.exe
FirewallRules: [UDP Query User{1FB4883E-E90F-4BAF-B8C0-A369B84A76BD}C:9\cricut-craft room\ccrbridge.exe] => (Allow) C:9\cricut-craft room\ccrbridge.exe
FirewallRules: [{97C000C8-6426-4501-A34E-AF1519493F2B}] => (Allow) C:\Program Files\Waterfox\waterfox.exe
FirewallRules: [{AD0BCD88-059F-4761-8A0F-0C7F9C745F84}] => (Allow) C:\Program Files\Waterfox\waterfox.exe

==================== Restore Points =========================

01-01-2018 15:15:36 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/05/2018 10:51:53 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: waterfox.exe, version: 56.0.0.6543, time stamp: 0x5a313f9c
Faulting module name: xul.dll, version: 56.0.0.6543, time stamp: 0x5a308348
Exception code: 0x80000003
Fault offset: 0x000000000291625d
Faulting process id: 0x588
Faulting application start time: 0x01d38655f5e869d3
Faulting application path: C:\Program Files\Waterfox\waterfox.exe
Faulting module path: C:\Program Files\Waterfox\xul.dll
Report Id: ad953947-9c47-472c-8a3c-845e338c75bd
Faulting package full name:
Faulting package-relative application ID:

Error: (01/05/2018 10:19:47 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-473581126-2895704609-3995012257-1002}/">.

Error: (01/05/2018 10:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PC)
Description: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/05/2018 10:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PC)
Description: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/05/2018 10:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PC)
Description: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/05/2018 10:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PC)
Description: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/05/2018 10:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PC)
Description: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/05/2018 10:16:54 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: PC)
Description: Activation of app Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/04/2018 07:17:15 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-473581126-2895704609-3995012257-1002}/">.

Error: (01/04/2018 07:11:33 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: OneDriveStandaloneUpdater.exe, version: 17.3.7131.1115, time stamp: 0x5a0d0bb0
Faulting module name: OneDriveStandaloneUpdater.exe, version: 17.3.7131.1115, time stamp: 0x5a0d0bb0
Exception code: 0xc0000005
Fault offset: 0x0013f214
Faulting process id: 0xa08
Faulting application start time: 0x01d385cd9d36c978
Faulting application path: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Faulting module path: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Report Id: 1d4699ee-a84f-49a6-9e40-99c2096294a2
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (01/05/2018 10:55:16 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/05/2018 10:52:00 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service wisvc with arguments "Unavailable" in order to run the server:
{3185A766-B338-11E4-A71E-12E3F512A338}

Error: (01/05/2018 10:50:57 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (01/05/2018 10:50:57 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (01/05/2018 10:50:57 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (01/05/2018 10:50:44 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (01/05/2018 10:50:44 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (01/05/2018 10:50:44 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (01/05/2018 10:50:44 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (01/05/2018 10:50:44 AM) (Source: DCOM) (EventID: 10005) (User: PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}


CodeIntegrity:
===================================
  Date: 2018-01-03 15:34:55.283
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-28 16:14:48.480
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-23 17:46:40.231
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-21 17:14:56.949
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.17123-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-12-15 15:24:30.931
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.StdFormat.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.859
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\ADODB.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.797
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\MSDATASRC.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.677
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.StdFormat.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.625
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\ADODB.dll that did not meet the Microsoft signing level requirements.

  Date: 2017-12-15 15:24:30.587
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe) attempted to load \Device\HarddiskVolume2\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\MSDATASRC.dll that did not meet the Microsoft signing level requirements.


==================== Memory info ===========================

Processor: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of memory in use: 41%
Total physical RAM: 2037.61 MB
Available physical RAM: 1201.23 MB
Total Virtual: 3637.61 MB
Available Virtual: 2871.2 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:73.96 GB) (Free:14.9 GB) NTFS
Drive f: (TOSHIBA EXT) (Fixed) (Total:931.51 GB) (Free:869.63 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: 92EF78FE)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=74 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 733E660D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:06:41 PM

Posted 05 January 2018 - 02:45 PM

Greetings,

Does In sync mean Chrome Sync is enabled for all categories?

There is a significant difference in available memory when booting into Safe Mode, which loads only the basic operating system components and maybe a few other items. It does appear your issue is simply the lack of sufficient resources.

Processor: Intel® Core2 CPU 6300 @ 1.86GHz
Percentage of memory in use: 41%
Total physical RAM: 2037.61 MB
Available physical RAM: 1201.23 MB
Total Virtual: 3637.61 MB
Available Virtual: 2871.2 MB


-----

I am not sure these programs are essential and you might want to consider uninstalling some or all of them.

Reason Core Security
Sophos Virus Removal Tool
WinPatrol
Zemana AntiMalware

-----

In addition, please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed, the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Clean Boot

--------------------
  • Press the Windows Key + R on your keyboard at the same time.
  • Type msconfig and press Enter
  • If you are prompted for an administrator password or for a confirmation, type the password, or provide confirmation
  • Click the General tab then click Selective Startup
  • Check Load system services
  • Uncheck Load Startup Items
  • Click the Services tab
  • Click to select the Hide All Microsoft Services check box
  • Click Disable All, and then click OK
  • When you are prompted, click Restart and boot into Normal Mode
  • Check your computer performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Chrome Sync?
  • Uninstall programs?
  • Fixlog
  • Computer performance?

Edited by Oh My!, 05 January 2018 - 02:46 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 Dimera

Dimera
  • Topic Starter

  • Members
  • 28 posts

Posted 05 January 2018 - 11:37 PM

Yeah, I'm going to go buy more memory this weekend.
Running a lot better than before.  Not freezing.
I uninstalled all the programs you told me to.  Is there any other program I can uninstall?  Like one of the Microsoft Visual C programs.  There are two of them.
Fix result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by Admin (05-01-2018 19:50:15) Run:2
Running from F:\FRST-OlderVersion
Loaded Profiles: Admin (Available Profiles: Admin & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
*****************

Restore point was successfully created.

==== End of Fixlog 19:57:12 ====
OS Name    Microsoft Windows 10 Pro
Version    10.0.15063 Build 15063
Other OS Description     Not Available
OS Manufacturer    Microsoft Corporation
System Name    PC
System Manufacturer    Dell Inc.
System Model    OptiPlex 745
System Type    x64-based PC
System SKU   
Processor    Intel® Core™2 CPU          6300  @ 1.86GHz, 1862 Mhz, 2 Core(s), 2 Logical Processor(s)
BIOS Version/Date    Dell Inc. 2.6.6, 6/26/2011
SMBIOS Version    2.3
Embedded Controller Version    255.255
BIOS Mode    Legacy
BaseBoard Manufacturer    Dell Inc.
BaseBoard Model    Not Available
BaseBoard Name    Base Board
Platform Role    SOHO Server
Secure Boot State    Unsupported
PCR7 Configuration    Binding Not Possible
Windows Directory    C:\WINDOWS
System Directory    C:\WINDOWS\system32
Boot Device    \Device\HarddiskVolume1
Locale    United States
Hardware Abstraction Layer    Version = "10.0.15063.502"
User Name    PC\Admin
Time Zone    Pacific Standard Time
Installed Physical Memory (RAM)    2.00 GB
Total Physical Memory    1.99 GB
Available Physical Memory    885 MB
Total Virtual Memory    3.55 GB
Available Virtual Memory    2.02 GB
Page File Space    1.56 GB
Page File    C:\pagefile.sys
Device Encryption Support    Reasons for failed automatic device encryption: TPM is not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not InstantGo, Un-allowed DMA capable bus/device(s) detected, Disabled by policy, TPM is not usable
Hyper-V - VM Monitor Mode Extensions    Yes
Hyper-V - Second Level Address Translation Extensions    No
Hyper-V - Virtualization Enabled in Firmware    No
Hyper-V - Data Execution Protection    Yes
#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,947 posts
  • Gender:Male
  • Location:California

Posted 06 January 2018 - 12:53 PM

Greetings.

There is a difference between uninstalling and disabling at startup. I suggested removal of those programs because they are somewhat redundant.

What we did is ask your computer to start up without 3rd party applications (non-Microsoft) running. In doing so the resource demands were substantially minimized. The better performance in this state has further confirmed your issues are resource related.

I would suggest we hold off on anything else until we see how your computer performs with additional memory. There is no need to manipulate things now if there is a possibility nothing needs to be changed with more memory.

You previously said "In sync" regarding Chrome. Does that mean Chrome Sync was enabled and all categories were included?

Gary

#15 Dimera

Dimera
  • Topic Starter

  • Members
  • 28 posts

Posted 06 January 2018 - 02:15 PM

Yes, it was in sync in all categories.