
I need help with a possible infection please


This topic is locked
14 replies to this topic

#1 Da_Momma

Posted 10 January 2018 - 03:57 AM

Hi,

New hard drive installed.

I see a file running multiple copies of itself, and the folder it is in shows as locked and empty; however, when you open it with FileASSASSIN it shows files and such.

There are actually two folders like this and I cannot remove them, make them quit, or get permission to them, nada.

I have spent two weeks trying to get rid of this or solve this and am at a loss.

Windows 7 Ultimate

The exes that run multiple times are

sbkpazx.exe*32 (sometimes up to 20 are showing as running in Task Manager) and snrucmo.exe*32

They are in the locked folders, and I have tried the following:

ESET - came up clean
rkill - have a file
Avast Premium - comes up clean
Malwarebytes - comes up clean
Spybot Search and Destroy - comes up clean
FileASSASSIN - cannot remove the folders or files or change permissions

Also installed Emsisoft Anti-Malware and ran it, following the prep guide.
Ran FRST

It seems to be worse when I am online with the desktop, so right now I am posting from my laptop.

Thank you to anyone who is willing to help.

GBU :o)
Da_momma

My Logs:

 

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.01.2018
Ran by EllenH (administrator) on ELLEN-PC (10-01-2018 02:19:48)
Running from C:\Users\EllenH\Desktop
Loaded Profiles: EllenH (Available Profiles: EllenH & Administrator)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(TOSHIBA CORPORATION) C:\Windows\System32\pcntdgxsvc.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
() C:\Users\EllenH\AppData\Local\snrucmo\snrucmo.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
() C:\Users\EllenH\AppData\Local\snrucmo\sbkpazx.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2start.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
() C:\Users\EllenH\AppData\Local\snrucmo\sbkpazx.exe
() C:\Users\EllenH\AppData\Local\snrucmo\sbkpazx.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [246120 2018-01-05] (AVAST Software)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [8887688 2018-01-03] (Emsisoft Ltd)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2560976529-4060327175-241808890-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10024624 2017-11-08] (Piriform Ltd)
HKU\S-1-5-21-2560976529-4060327175-241808890-1003\...\Run: [RoboForm] => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [110376 2018-01-05] (Siber Systems)
HKU\S-1-5-21-2560976529-4060327175-241808890-1003\...\MountPoints2: K - "K:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-2560976529-4060327175-241808890-1003\...\MountPoints2: {f990d030-c6b9-11e7-8304-e0cb4e9f64c4} - "K:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-18\...\RunOnce: [SPReview] => "C:\Windows\System32\SPReview\SPReview.exe" /sp:1 /errorfwlink:"hxxp://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1F3677E7-7FA4-4BBE-AD63-B18445AD1811}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{1F3677E7-7FA4-4BBE-AD63-B18445AD1811}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-2560976529-4060327175-241808890-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2018-01-05] (Siber Systems Inc.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_151\bin\ssv.dll [2017-11-13] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2017-11-11] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-11-13] (Oracle Corporation)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2018-01-05] (Siber Systems Inc.)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-11-11] (AVAST Software)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2018-01-05] (Siber Systems Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2018-01-05] (Siber Systems Inc.)

FireFox:
========
FF DefaultProfile: l8mnz9bv.default
FF ProfilePath: C:\Users\EllenH\AppData\Roaming\Mozilla\Firefox\Profiles\l8mnz9bv.default [2018-01-09]
FF Homepage: Mozilla\Firefox\Profiles\l8mnz9bv.default -> hxxps://www.google.com/?gws_rd=ssl
FF Extension: (RoboForm Password Manager) - C:\Users\EllenH\AppData\Roaming\Mozilla\Firefox\Profiles\l8mnz9bv.default\Extensions\rf-firefox@siber.com.xpi [2018-01-05]
FF Extension: (SwagButton) - C:\Users\EllenH\AppData\Roaming\Mozilla\Firefox\Profiles\l8mnz9bv.default\Extensions\shopearn@prodege.com.xpi [2017-12-03]
FF Extension: (Unbranded Search Test) - C:\Users\EllenH\AppData\Roaming\Mozilla\Firefox\Profiles\l8mnz9bv.default\Extensions\unbrandedsearchtest131@mozilla.com.xpi [2017-11-16] [Legacy]
FF Extension: (Avast Online Security) - C:\Users\EllenH\AppData\Roaming\Mozilla\Firefox\Profiles\l8mnz9bv.default\Extensions\wrc@avast.com.xpi [2017-11-11]
FF Extension: (Adblock Plus) - C:\Users\EllenH\AppData\Roaming\Mozilla\Firefox\Profiles\l8mnz9bv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2018-01-05]
FF Extension: (Disable JavaScript Shared Memory) - C:\Users\EllenH\AppData\Roaming\Mozilla\Firefox\Profiles\l8mnz9bv.default\features\{a6b6259e-10ea-44f8-abe6-9ae75080d905}\disable-js-shared-memory@mozilla.org.xpi [2018-01-05] [Legacy]
FF Extension: (Unbranded Search Test) - C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\unbrandedsearchtest131@mozilla.com.xpi [2017-10-10] [Legacy]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_126.dll [2018-01-07] ()
FF Plugin: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-11-13] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-11-13] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_126.dll [2018-01-07] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKLM\SYSTEM\CurrentControlSet\Services\lvtnzasb <==== ATTENTION (Rootkit!)

R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [9236912 2018-01-03] (Emsisoft Ltd)
S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7538536 2018-01-05] (AVAST Software)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [301168 2018-01-05] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [351552 2018-01-05] (AVAST Software)
S4 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [185096 2018-01-05] (AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdrivera.sys [321512 2018-01-05] (AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsha.sys [199448 2018-01-05] (AVAST Software)
R0 aswblog; C:\Windows\System32\drivers\aswbloga.sys [343768 2018-01-05] (AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniva.sys [57696 2018-01-05] (AVAST Software)
S3 aswHwid; C:\Windows\System32\drivers\aswHwid.sys [46976 2018-01-05] (AVAST Software)
R2 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [146664 2018-01-05] (AVAST Software)
R1 aswNetSec; C:\Windows\System32\drivers\aswNetSec.sys [580480 2018-01-05] (AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [110336 2018-01-05] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [84384 2018-01-05] (AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [1025176 2018-01-05] (AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [457400 2018-01-05] (AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [204456 2018-01-05] (AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [358672 2018-01-05] (AVAST Software)
R1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
S3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [48064 2017-09-19] (NVIDIA Corporation)
S3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [57792 2017-09-19] (NVIDIA Corporation)
S4 rjaty; C:\Windows\System32\drivers\imofugc.sys [79064 2017-11-12] (Malwarebytes)
S4 SMR501; System32\drivers\SMR501.SYS [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-10 02:19 - 2018-01-10 02:20 - 000011994 _____ C:\Users\EllenH\Desktop\FRST.txt
2018-01-10 02:18 - 2018-01-10 00:12 - 002393088 _____ (Farbar) C:\Users\EllenH\Desktop\FRST64.exe
2018-01-10 02:17 - 2018-01-10 02:19 - 000000000 ____D C:\FRST
2018-01-10 00:29 - 2018-01-10 00:31 - 000000000 ____D C:\Users\EllenH\Desktop\dclone1
2018-01-10 00:17 - 2018-01-10 00:17 - 000001107 _____ C:\Users\Public\Desktop\DriveImage XML.lnk
2018-01-10 00:17 - 2018-01-10 00:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Runtime Software
2018-01-10 00:17 - 2018-01-10 00:17 - 000000000 ____D C:\Program Files (x86)\Runtime Software
2018-01-09 23:41 - 2018-01-10 00:00 - 000000000 ____D C:\ProgramData\Emsisoft
2018-01-09 23:36 - 2018-01-09 23:36 - 000000896 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2018-01-09 23:36 - 2018-01-09 23:36 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2018-01-09 23:35 - 2018-01-10 02:06 - 000000000 ____D C:\Program Files\Emsisoft Anti-Malware
2018-01-09 03:52 - 2018-01-10 02:08 - 000202264 _____ C:\Windows\ntbtlog.txt
2018-01-09 03:52 - 2018-01-09 03:52 - 000000000 ____D C:\ProgramData\SWCUTemp
2018-01-09 03:50 - 2018-01-09 03:50 - 000116560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\scatwzcg.sys
2018-01-09 00:00 - 2018-01-09 00:01 - 000005158 _____ C:\Users\EllenH\Desktop\Rkill.txt
2018-01-09 00:00 - 2018-01-09 00:00 - 000000000 ____D C:\Users\EllenH\Desktop\rkill
2018-01-08 00:51 - 2018-01-08 00:51 - 000000000 ____D C:\Users\EllenH\AppData\Local\Macromedia
2018-01-07 23:12 - 2018-01-07 23:12 - 000023373 _____ C:\Users\EllenH\Desktop\michaels-bca.txt
2018-01-07 21:46 - 2018-01-07 21:46 - 000432398 _____ C:\Users\EllenH\Downloads\document.pdf
2018-01-07 21:41 - 2018-01-07 21:41 - 000113179 _____ C:\Users\EllenH\Documents\duo-payment.xps
2018-01-07 21:41 - 2018-01-07 21:41 - 000000000 ____D C:\Users\EllenH\AppData\LocalLow\Temp
2018-01-07 18:53 - 2018-01-07 18:53 - 000001074 _____ C:\Users\EllenH\Desktop\oes-star.txt
2018-01-07 18:29 - 2018-01-07 18:29 - 000000000 ____D C:\Users\EllenH\Documents\My Web Galleries
2018-01-07 18:28 - 2018-01-07 22:16 - 000000000 ____D C:\Users\EllenH\AppData\Local\ApplicationHistory
2018-01-07 18:28 - 2018-01-07 18:28 - 000000094 _____ C:\Users\EllenH\AppData\Local\fusioncache.dat
2018-01-07 16:50 - 2018-01-07 16:50 - 000000000 ____D C:\Users\EllenH\AppData\Local\Adobe
2018-01-07 16:38 - 2018-01-07 16:39 - 081965578 _____ C:\Users\EllenH\Downloads\octwcc.zip
2018-01-07 16:38 - 2018-01-07 16:39 - 050882217 _____ C:\Users\EllenH\Downloads\septwcc.zip
2018-01-07 16:38 - 2018-01-07 16:38 - 035548607 _____ C:\Users\EllenH\Downloads\janwc.zip
2018-01-07 16:37 - 2018-01-07 16:40 - 187536693 _____ C:\Users\EllenH\Downloads\stock-photos.zip
2018-01-07 16:37 - 2018-01-07 16:40 - 107978458 _____ C:\Users\EllenH\Downloads\wcfeb08.zip
2018-01-07 16:37 - 2018-01-07 16:39 - 083333326 _____ C:\Users\EllenH\Downloads\wcnov.zip
2018-01-07 16:37 - 2018-01-07 16:39 - 080526097 _____ C:\Users\EllenH\Downloads\wcdec.zip
2018-01-07 16:37 - 2018-01-07 16:38 - 033430331 _____ C:\Users\EllenH\Downloads\wcclubmay.zip
2018-01-07 16:37 - 2018-01-07 16:38 - 033344888 _____ C:\Users\EllenH\Downloads\wrapcandyapril.zip
2018-01-07 16:36 - 2018-01-07 16:37 - 107656578 _____ C:\Users\EllenH\Downloads\Wrapcandy74BetaPatch4.zip
2018-01-07 16:36 - 2018-01-07 16:36 - 020786812 _____ C:\Users\EllenH\Downloads\stseasideresize.zip
2018-01-07 16:36 - 2018-01-07 16:36 - 010733185 _____ C:\Users\EllenH\Downloads\mydadresize.zip
2018-01-07 16:36 - 2018-01-07 16:36 - 003240508 _____ C:\Users\EllenH\Downloads\twi-ca-spookycats1.zip
2018-01-07 16:36 - 2018-01-07 16:36 - 003165649 _____ C:\Users\EllenH\Downloads\twi-ca-witchybears1.zip
2018-01-07 16:36 - 2018-01-07 16:36 - 002857981 _____ C:\Users\EllenH\Downloads\twi-ca-hellocrows1.zip
2018-01-07 16:36 - 2018-01-07 16:36 - 002759051 _____ C:\Users\EllenH\Downloads\twi-ca-notbearyscary1.zip
2018-01-07 16:35 - 2018-01-07 16:36 - 052159578 _____ C:\Users\EllenH\Downloads\wc74beta3.zip
2018-01-07 16:34 - 2018-01-07 16:34 - 000337939 _____ C:\Users\EllenH\Downloads\WCPM2.zip
2018-01-07 16:33 - 2018-01-07 16:42 - 710125333 _____ C:\Users\EllenH\Downloads\WC-Templates-Graphics.zip
2018-01-07 16:32 - 2018-01-07 16:33 - 049293891 _____ C:\Users\EllenH\Downloads\WrapCandy73minimal.zip
2018-01-06 02:33 - 2018-01-06 02:33 - 000000000 ____D C:\Users\EllenH\AppData\Roaming\Jasc Software Inc
2018-01-05 16:53 - 2018-01-06 02:30 - 000000000 ____D C:\Users\EllenH\Desktop\dollar-mart1
2018-01-05 16:51 - 2018-01-05 16:51 - 000366660 _____ C:\Users\EllenH\Desktop\dollar-mart1.zip
2018-01-05 15:57 - 2017-11-16 22:23 - 003222528 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2018-01-05 15:57 - 2017-11-14 19:27 - 000395968 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2018-01-05 15:57 - 2017-11-14 18:36 - 000347336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2018-01-05 15:57 - 2017-11-13 21:57 - 025731072 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2018-01-05 15:57 - 2017-11-13 21:43 - 002724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2018-01-05 15:57 - 2017-11-13 21:43 - 000004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2018-01-05 15:57 - 2017-11-13 21:32 - 002903552 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2018-01-05 15:57 - 2017-11-13 21:31 - 000066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2018-01-05 15:57 - 2017-11-13 21:31 - 000048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2018-01-05 15:57 - 2017-11-13 21:30 - 000577024 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2018-01-05 15:57 - 2017-11-13 21:30 - 000417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2018-01-05 15:57 - 2017-11-13 21:30 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2018-01-05 15:57 - 2017-11-13 21:25 - 005925888 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2018-01-05 15:57 - 2017-11-13 21:24 - 000054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2018-01-05 15:57 - 2017-11-13 21:24 - 000034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2018-01-05 15:57 - 2017-11-13 21:21 - 000615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2018-01-05 15:57 - 2017-11-13 21:20 - 000817152 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2018-01-05 15:57 - 2017-11-13 21:20 - 000814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2018-01-05 15:57 - 2017-11-13 21:20 - 000144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2018-01-05 15:57 - 2017-11-13 21:20 - 000116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2018-01-05 15:57 - 2017-11-13 21:15 - 000968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2018-01-05 15:57 - 2017-11-13 21:12 - 000489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2018-01-05 15:57 - 2017-11-13 21:06 - 000087552 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2018-01-05 15:57 - 2017-11-13 21:06 - 000077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2018-01-05 15:57 - 2017-11-13 21:05 - 000107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2018-01-05 15:57 - 2017-11-13 21:03 - 000199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2018-01-05 15:57 - 2017-11-13 21:02 - 000092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2018-01-05 15:57 - 2017-11-13 21:00 - 000315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2018-01-05 15:57 - 2017-11-13 20:59 - 000152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2018-01-05 15:57 - 2017-11-13 20:51 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2018-01-05 15:57 - 2017-11-13 20:48 - 015267328 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2018-01-05 15:57 - 2017-11-13 20:48 - 000807936 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2018-01-05 15:57 - 2017-11-13 20:48 - 000726528 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2018-01-05 15:57 - 2017-11-13 20:47 - 001359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2018-01-05 15:57 - 2017-11-13 20:46 - 002134528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2018-01-05 15:57 - 2017-11-13 20:39 - 003241472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2018-01-05 15:57 - 2017-11-13 20:27 - 001544192 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2018-01-05 15:57 - 2017-11-13 20:16 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2018-01-05 15:57 - 2017-11-13 19:37 - 013679616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2018-01-05 15:57 - 2017-11-13 19:15 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2018-01-05 15:57 - 2017-11-13 19:15 - 000279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2018-01-05 15:57 - 2017-11-13 19:15 - 000076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2018-01-05 15:57 - 2017-11-13 19:10 - 020269056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2018-01-05 15:57 - 2017-11-13 18:32 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2018-01-05 15:57 - 2017-11-13 18:31 - 000064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2018-01-05 15:57 - 2017-11-07 14:56 - 002724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2018-01-05 15:57 - 2017-11-07 14:46 - 000341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2018-01-05 15:57 - 2017-11-07 14:46 - 000062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2018-01-05 15:57 - 2017-11-07 14:46 - 000047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2018-01-05 15:57 - 2017-11-07 14:44 - 002293760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2018-01-05 15:57 - 2017-11-07 14:41 - 000047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2018-01-05 15:57 - 2017-11-07 14:41 - 000030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2018-01-05 15:57 - 2017-11-07 14:40 - 000476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2018-01-05 15:57 - 2017-11-07 14:39 - 000662016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2018-01-05 15:57 - 2017-11-07 14:38 - 000620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2018-01-05 15:57 - 2017-11-07 14:38 - 000115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2018-01-05 15:57 - 2017-11-07 14:29 - 000060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2018-01-05 15:57 - 2017-11-07 14:28 - 000091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2018-01-05 15:57 - 2017-11-07 14:28 - 000073216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2018-01-05 15:57 - 2017-11-07 14:27 - 004509696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2018-01-05 15:57 - 2017-11-07 14:26 - 000168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2018-01-05 15:57 - 2017-11-07 14:24 - 000130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2018-01-05 15:57 - 2017-11-07 14:19 - 000230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2018-01-05 15:57 - 2017-11-07 14:18 - 000694272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2018-01-05 15:57 - 2017-11-07 14:17 - 002058752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2018-01-05 15:57 - 2017-11-07 14:17 - 001155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2018-01-05 15:57 - 2017-11-07 14:04 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2018-01-05 15:57 - 2017-11-07 14:01 - 001313280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2018-01-05 15:57 - 2017-11-07 13:58 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2018-01-05 15:57 - 2017-11-07 10:31 - 000002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2018-01-05 15:57 - 2017-11-07 10:13 - 000002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2018-01-05 15:57 - 2017-11-04 09:31 - 000194048 _____ (Microsoft Corporation) C:\Windows\system32\itircl.dll
2018-01-05 15:57 - 2017-11-04 09:31 - 000170496 _____ (Microsoft Corporation) C:\Windows\system32\itss.dll
2018-01-05 15:57 - 2017-11-04 09:10 - 000158720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itircl.dll
2018-01-05 15:57 - 2017-11-04 09:10 - 000142336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itss.dll
2018-01-05 15:57 - 2017-11-02 10:55 - 000281600 _____ (Microsoft Corporation) C:\Windows\system32\iprtrmgr.dll
2018-01-05 15:57 - 2017-11-02 10:55 - 000138240 _____ (Microsoft Corporation) C:\Windows\system32\rtm.dll
2018-01-05 15:57 - 2017-11-02 10:55 - 000097792 _____ (Microsoft Corporation) C:\Windows\system32\mprdim.dll
2018-01-05 15:57 - 2017-11-02 10:55 - 000009728 _____ (Microsoft Corporation) C:\Windows\system32\iprtprio.dll
2018-01-05 15:57 - 2017-11-02 09:11 - 000271360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iprtrmgr.dll
2018-01-05 15:57 - 2017-11-02 09:11 - 000115200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rtm.dll
2018-01-05 15:57 - 2017-11-02 09:11 - 000075264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mprdim.dll
2018-01-05 15:57 - 2017-11-02 08:56 - 000008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iprtprio.dll
2018-01-05 15:57 - 2017-10-16 17:04 - 001001984 _____ (Microsoft Corporation) C:\Windows\system32\gpedit.dll
2018-01-05 15:57 - 2017-10-16 16:46 - 000953344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gpedit.dll
2018-01-05 15:57 - 2017-10-11 18:20 - 000317440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys
2018-01-05 15:51 - 2018-01-05 15:51 - 000003594 _____ C:\Windows\System32\Tasks\Run RoboForm TaskBar Icon
2018-01-05 15:51 - 2018-01-05 15:51 - 000000000 ____D C:\Windows\System32\Tasks\Avast Software
2018-01-05 15:51 - 2018-01-05 15:51 - 000000000 ____D C:\Program Files\Common Files\Avast Software
2018-01-05 15:50 - 2018-01-05 15:48 - 000365680 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-10 02:20 - 2009-07-13 20:34 - 017301504 _____ C:\Windows\system32\config\HARDWARE
2018-01-10 01:43 - 2017-10-16 17:25 - 000005744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-01-10 01:43 - 2017-10-16 17:25 - 000005744 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-01-10 00:39 - 2017-11-26 01:24 - 000000000 ____D C:\Users\EllenH\AppData\Local\snrucmo
2018-01-10 00:28 - 2017-11-26 13:11 - 000000000 ____D C:\Users\EllenH\AppData\Local\CrashDumps
2018-01-10 00:23 - 2009-07-13 23:13 - 000006182 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-10 00:21 - 2017-11-30 03:01 - 000000000 _____ C:\Windows\system32\Drivers\lvuvc.hs
2018-01-09 23:59 - 2017-11-16 15:20 - 000000000 ____D C:\Users\EllenH\AppData\LocalLow\Mozilla
2018-01-09 23:40 - 2017-10-16 11:28 - 002843648 _____ (TOSHIBA CORPORATION) C:\Windows\system32\pcntdgxsvc.exe
2018-01-09 23:40 - 2009-07-13 23:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-09 22:00 - 2017-11-25 07:33 - 000004130 _____ C:\Windows\System32\Tasks\CCleaner Update
2018-01-09 22:00 - 2017-11-11 02:43 - 000004172 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2018-01-09 21:34 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\inf
2018-01-08 03:15 - 2017-11-28 15:16 - 000007629 _____ C:\Users\EllenH\AppData\Local\resmon.resmoncfg
2018-01-08 02:07 - 2017-11-26 01:24 - 000000000 ____D C:\Users\EllenH\AppData\Local\zarkioh
2018-01-07 18:30 - 2017-11-16 15:10 - 000000000 ____D C:\Users\EllenH\AppData\Local\VirtualStore
2018-01-07 18:26 - 2017-11-16 15:14 - 000000000 ____D C:\Users\EllenH\Desktop\Designers
2018-01-07 16:50 - 2017-10-16 11:22 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2018-01-07 16:50 - 2017-10-16 11:22 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2018-01-07 16:50 - 2017-10-16 11:22 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-01-07 16:50 - 2017-10-16 11:22 - 000000000 ____D C:\Windows\system32\Macromed
2018-01-07 16:23 - 2017-11-27 19:04 - 000058416 _____ C:\Users\EllenH\AppData\Local\GDIPFONTCACHEV1.DAT
2018-01-06 03:08 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\rescache
2018-01-06 02:33 - 2017-11-16 15:15 - 000000000 ____D C:\Users\EllenH\Documents\My PSP Files
2018-01-05 20:46 - 2009-07-13 22:45 - 000268392 _____ C:\Windows\system32\FNTCACHE.DAT
2018-01-05 20:44 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\SysWOW64\Setup
2018-01-05 20:44 - 2009-07-13 21:20 - 000000000 ____D C:\Windows\system32\Setup
2018-01-05 17:36 - 2017-11-26 06:13 - 000000000 ____D C:\Users\EllenH\AppData\Local\ElevatedDiagnostics
2018-01-05 16:14 - 2017-11-11 03:55 - 000000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2018-01-05 16:00 - 2017-11-11 02:37 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-01-05 15:51 - 2017-11-12 13:58 - 000004104 _____ C:\Windows\System32\Tasks\Open URL by RoboForm
2018-01-05 15:50 - 2017-11-12 13:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RoboForm
2018-01-05 15:49 - 2017-11-11 02:43 - 000457400 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2018-01-05 15:49 - 2017-11-11 02:43 - 000358672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2018-01-05 15:49 - 2017-11-11 02:43 - 000204456 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2018-01-05 15:49 - 2017-11-11 02:43 - 000146664 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2018-01-05 15:49 - 2017-11-11 02:43 - 000084384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2018-01-05 15:49 - 2017-11-11 02:43 - 000046976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2018-01-05 15:48 - 2017-11-11 02:43 - 000185096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2018-01-05 15:48 - 2017-11-11 02:43 - 000110336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2018-01-05 15:47 - 2017-11-11 02:43 - 001025176 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2018-01-05 15:46 - 2017-11-13 01:06 - 000580480 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetSec.sys
2018-01-05 15:46 - 2017-11-11 02:43 - 000343768 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbloga.sys
2018-01-05 15:46 - 2017-11-11 02:43 - 000321512 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2018-01-05 15:46 - 2017-11-11 02:43 - 000199448 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsha.sys
2018-01-05 15:46 - 2017-11-11 02:43 - 000057696 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniva.sys
2018-01-05 14:17 - 2017-11-16 18:04 - 000000000 ____D C:\Users\EllenH\AppData\Local\RoboForm

==================== Files in the root of some directories =======

2017-11-11 02:44 - 2017-11-11 06:40 - 004096000 _____ () C:\Program Files (x86)\GUTD9FA.tmp
2017-12-06 11:32 - 2017-12-06 11:44 - 000013312 _____ () C:\Users\EllenH\AppData\Roaming\Settings.cfg
2018-01-07 18:28 - 2018-01-07 18:28 - 000000094 _____ () C:\Users\EllenH\AppData\Local\fusioncache.dat
2017-11-28 15:16 - 2018-01-08 03:15 - 000007629 _____ () C:\Users\EllenH\AppData\Local\resmon.resmoncfg

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2017-10-13 16:23] - [2017-10-16 11:35] - 001008640 _____ (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2017-10-13 16:23] - [2017-10-16 11:35] - 000833024 _____ (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-01-08 01:22

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.01.2018
Ran by EllenH (10-01-2018 02:20:35)
Running from C:\Users\EllenH\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2017-10-13 19:32:09)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2560976529-4060327175-241808890-500 - Administrator - Disabled) => C:\Users\Administrator
EllenH (S-1-5-21-2560976529-4060327175-241808890-1003 - Administrator - Enabled) => C:\Users\EllenH
Guest (S-1-5-21-2560976529-4060327175-241808890-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2560976529-4060327175-241808890-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
FW: Avast Antivirus (Enabled) {B693136B-F6EE-DD1C-A0EF-229B8B0B29C4}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 27 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 27.0.0.183 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.126 - Adobe Systems Incorporated)
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.18 - Atheros Communications Inc.)
ATI Catalyst Install Manager (HKLM\...\{3428D45E-785A-147C-9BB6-018C1D9EAF43}) (Version: 3.0.732.0 - ATI Technologies, Inc.)
Avast Premier (HKLM-x32\...\Avast Antivirus) (Version: 17.9.2322 - AVAST Software)
CCleaner (HKLM\...\CCleaner) (Version: 5.37 - Piriform)
DDTitle (HKLM-x32\...\DDTitle) (Version:  - )
DriveImage XML (Private Edition) (HKLM-x32\...\{F7E1CA14-B39D-452A-960B-39423DDDD933}) (Version: 2.60.000 - Runtime Software)
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 2017.4 - Emsisoft Ltd.)
FileASSASSIN (HKLM-x32\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
HydraVision (HKLM-x32\...\{B3491D28-DCF7-0D3E-1B3F-28E6FCDE659F}) (Version: 4.2.108.0 - ATI Technologies Inc.) Hidden
Java 8 Update 144 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180144F0}) (Version: 8.0.1440.1 - Oracle Corporation)
Java 8 Update 151 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
LockHunter 3.2, 32/64 bit (HKLM\...\LockHunter_is1) (Version:  - Crystal Rich Ltd)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
MozBackup 1.5.1 (HKLM-x32\...\MozBackup) (Version:  - Pavel Cvrcek)
Mozilla Firefox 57.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 57.0 (x86 en-US)) (Version: 57.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 57.0.0.6525 - Mozilla)
Mozilla Thunderbird 52.5.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 52.5.0 (x86 en-US)) (Version: 52.5.0 - Mozilla)
Platform (HKLM-x32\...\{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.34 - VIA Technologies, Inc.) Hidden
RoboForm 8-4-6-6 (All Users) (HKLM-x32\...\AI RoboForm) (Version: 8-4-6-6 - Siber Systems)
VIA Platform Device Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.34 - VIA Technologies, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-05] (AVAST Software)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-05] (AVAST Software)
ContextMenuHandlers1: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers2-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers2-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers2-x32: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-05] (AVAST Software)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers3-x32-x32: [FAExt] -> {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} => C:\Program Files (x86)\FileASSASSIN\FileASSASSINExt.dll [2007-03-30] (Malwarebytes)
ContextMenuHandlers3-x32-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [2016-03-10] (Malwarebytes)
ContextMenuHandlers4: [LockHunterShellExt] -> {0BB27CDA-7029-4C0E-9C56-D922B229F0EB} => C:\Program Files\LockHunter\LHShellExt64.dll [2017-07-20] (Crystal Rich Ltd)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2018-01-05] (AVAST Software)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2contmenu.dll [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd)
ContextMenuHandlers6-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamext.dll [2016-03-10] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {18EB81F1-56B5-45DB-B5EA-BF30E3A324E5} - System32\Tasks\Open URL by RoboForm => C:\Windows\system32\rundll32.exe url.dll,FileProtocolHandler "hxxps://www.roboform.com/test-pass.html?aaa=KICMNMPMPMNJKJMMKJHMCNOJNJJMLJCNLMOMKJNJCNNJKMJMKMCNHMJMPMOJOJJMLJMMIMOJPMMJJNJICMHMCNLMCNJMFMOMOMCNPMCNGMJMPMPMFMJMCNOMCNIMJMPMOMCNNMJNPICMOMFMEKMICNJJCKFMKMLMJNHICMEKMICNJJCKJNBJCMKLDJDJKJBJHLJNKJCMJNNICMJNDJCMKJBJJNMJCMPMFMP (the data entry has 40 more characters).
Task: {2BD24786-C8D3-457B-8F76-D3FDBF9422C8} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-11-08] (Piriform Ltd)
Task: {49AB7935-42A9-40E0-9216-BDBFA9BD90C8} - System32\Tasks\ASUS\i-Setup145942 => C:\Windows\AMD_Chipset_Win7_V307320\AsusSetup.exe [2017-10-13] (ASUSTek)
Task: {5C48E4D3-95DC-42AA-BFC7-ABD9B9325C6E} - System32\Tasks\ASUS\i-Setup120816 => C:\Windows\AMD_Chipset_Win7_V307320\AsusSetup.exe [2017-10-13] (ASUSTek)
Task: {71A3E551-5D2C-4E56-9232-7E9AA75E2578} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [2018-01-05] (AVAST Software)
Task: {94702BDF-0866-4F58-88E3-C2288E8D84F8} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2018-01-05] (AVAST Software)
Task: {A79FA951-F7B2-413F-8D40-F681C698F930} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-11-08] (Piriform Ltd)
Task: {AA5D2241-CC66-4F97-B6B2-AE37A8048DFC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {B5E1F361-2C29-4D70-B21F-0768E58C83B4} - System32\Tasks\Run RoboForm TaskBar Icon => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2018-01-05] (Siber Systems)
Task: {EFD17813-E0A5-4C1D-95BC-5C3F2669B0C1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-10-27 21:21 - 2017-10-27 21:21 - 000927744 _____ () C:\Users\EllenH\AppData\Local\snrucmo\snrucmo.exe
2017-10-19 12:18 - 2017-10-19 12:18 - 001089536 _____ () C:\Users\EllenH\AppData\Local\snrucmo\sbkpazx.exe
2018-01-05 15:47 - 2018-01-05 15:47 - 000058016 _____ () C:\Program Files\AVAST Software\Avast\module_lifetime.dll
2018-01-05 15:47 - 2018-01-05 15:47 - 000057504 _____ () C:\Program Files\AVAST Software\Avast\dll_loader.dll
2018-01-05 15:47 - 2018-01-05 15:47 - 000206152 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2018-01-05 15:47 - 2018-01-05 15:47 - 000289272 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2018-01-05 15:47 - 2018-01-05 15:47 - 000196248 _____ () C:\Program Files\AVAST Software\Avast\network_notifications.dll
2018-01-08 02:31 - 2018-01-08 02:31 - 005768336 _____ () C:\Program Files\AVAST Software\Avast\defs\18010800\algo.dll
2018-01-05 15:47 - 2018-01-05 15:47 - 000745408 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2018-01-05 15:47 - 2018-01-05 15:47 - 000148936 _____ () C:\Program Files\AVAST Software\Avast\hns_tools.dll
2018-01-05 15:47 - 2018-01-05 15:47 - 000293944 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2018-01-09 23:42 - 2018-01-09 23:42 - 005768336 _____ () C:\Program Files\AVAST Software\Avast\defs\18010902\algo.dll
2017-11-11 02:43 - 2017-11-11 02:43 - 067109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2018-01-05 15:46 - 2018-01-05 15:46 - 000282560 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-08-02 21:40 - 2017-08-02 21:40 - 053460480 _____ () C:\Users\EllenH\AppData\Local\snrucmo\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 001976832 _____ () C:\Users\EllenH\AppData\Local\snrucmo\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 000075264 _____ () C:\Users\EllenH\AppData\Local\snrucmo\libegl.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 017599640 _____ () C:\Users\EllenH\AppData\Local\snrucmo\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR501 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR501.SYS => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:34 - 2017-10-16 12:22 - 000000850 ____N C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2560976529-4060327175-241808890-1003\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
MpsSvc => Firewall Service is not running.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: MBAMService => 2
MSCONFIG\startupreg: SDTray => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{165D0EC8-6332-4E34-93B3-90E1A9A52715}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{1F7656AA-032C-408A-96CA-51A370F8CF6D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{41DD6A44-C9AC-4A1F-AA0E-30FFF255982F}N:\fs7\program\app2.exe] => (Allow) N:\fs7\program\app2.exe
FirewallRules: [UDP Query User{A97FFDB6-D5B8-4085-A9EC-22BA875ED10B}N:\fs7\program\app2.exe] => (Allow) N:\fs7\program\app2.exe
FirewallRules: [TCP Query User{EBCA2E81-4FC1-4A56-9482-6FBA68D380A5}N:\fs7\program\app.exe] => (Allow) N:\fs7\program\app.exe
FirewallRules: [UDP Query User{8926326A-D4C6-4CB1-8628-8BCC10464254}N:\fs7\program\app.exe] => (Allow) N:\fs7\program\app.exe

==================== Restore Points =========================

05-01-2018 20:35:55 Windows Update
07-01-2018 19:00:24 Windows Backup

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/10/2018 02:17:52 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (01/10/2018 01:28:55 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (01/10/2018 12:28:55 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (01/10/2018 12:28:21 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: dixml.exe, version: 2.6.0.0, time stamp: 0x2a425e19
Faulting module name: KERNELBASE.dll, version: 6.1.7601.23915, time stamp: 0x59b94abb
Exception code: 0xe06d7363
Fault offset: 0x0000c54f
Faulting process id: 0x1128
Faulting application start time: 0x01d389dad1d01066
Faulting application path: C:\Program Files (x86)\Runtime Software\DriveImage XML\dixml.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 73a2c060-f5cf-11e7-9fe5-e0cb4e9f64c4

Error: (01/10/2018 12:23:39 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (01/10/2018 12:23:39 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (01/09/2018 11:47:21 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (01/09/2018 11:47:21 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (01/09/2018 11:40:37 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

Error: (01/09/2018 11:38:47 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.


System errors:
=============
Error: (01/10/2018 12:58:19 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The aswbIDSAgent service terminated with service-specific error %%-536753631.

Error: (01/10/2018 12:28:55 AM) (Source: DCOM) (EventID: 10001) (User: )
Description: Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error:
"5"
Happened while starting this command:
C:\Windows\System32\slui.exe -Embedding

Error: (01/10/2018 12:26:38 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom3, has a bad block.

Error: (01/10/2018 12:15:54 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The aswbIDSAgent service terminated with service-specific error %%-536753631.

Error: (01/10/2018 12:15:52 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The aswbIDSAgent service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (01/10/2018 12:15:52 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the aswbIDSAgent service to connect.

Error: (01/09/2018 11:43:56 PM) (Source: DCOM) (EventID: 10001) (User: )
Description: Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error:
"5"
Happened while starting this command:
C:\Windows\System32\slui.exe -Embedding

Error: (01/09/2018 11:40:58 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143 = There are no more endpoints available from the endpoint mapper..

Error: (01/09/2018 11:40:39 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Firewall service terminated with service-specific error Access is denied.
.

Error: (01/09/2018 11:39:16 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {3EB3C877-1F16-487C-9050-104DBCD66683} did not register with DCOM within the required timeout.


CodeIntegrity:
===================================
  Date: 2017-11-26 23:45:54.391
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7601.17514_none_36e20fd4506111dd\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:54.250
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7601.17514_none_36e20fd4506111dd\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:54.126
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7601.17514_none_36e20fd4506111dd\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:54.001
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7601.17514_none_36e20fd4506111dd\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:53.767
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7600.16385_none_34b0fc0c53728e43\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:53.642
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7600.16385_none_34b0fc0c53728e43\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:53.502
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7600.16385_none_34b0fc0c53728e43\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:53.377
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.1.7600.16385_none_34b0fc0c53728e43\fveapibase.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:43.237
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-s..trics-sensoradapter_31bf3856ad364e35_6.1.7600.16385_none_13881e44d6ccca6b\winbiosensoradapter.dll because the set of per-page image hashes could not be found on the system.

  Date: 2017-11-26 23:45:43.112
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-s..trics-sensoradapter_31bf3856ad364e35_6.1.7600.16385_none_13881e44d6ccca6b\winbiosensoradapter.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: AMD Athlon™ II X4 640 Processor
Percentage of memory in use: 36%
Total physical RAM: 8190.18 MB
Available physical RAM: 5204.71 MB
Total Virtual: 16378.54 MB
Available Virtual: 13384.66 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:1862.92 GB) (Free:1748.68 GB) NTFS
Drive e: (Local Disk) (Fixed) (Total:93.15 GB) (Free:52.15 GB) NTFS
Drive f: (Old_C_Drive) (Fixed) (Total:112.09 GB) (Free:101.74 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive g: (Old_D_Drive) (Fixed) (Total:40.57 GB) (Free:34.78 GB) NTFS
Drive p: () (Removable) (Total:14.53 GB) (Free:14.27 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 93.2 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=93.2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 152.7 GB) (Disk ID: DC3BDC3B)
Partition 1: (Active) - (Size=112.1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=40.6 GB) - (Type=OF Extended)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: A77D8769)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1862.9 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (MBR Code: Windows XP) (Size: 14.5 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=14.5 GB) - (Type=0C)

==================== End of Addition.txt ============================

 

Emsisoft Anti-Malware - Version 2017.12.1.8340
Last update: 1/9/2018 11:55:59 PM
Initiated by: Ellen-PC\EllenH
Computer name: ELLEN-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
Scan mail archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    1/9/2018 11:58:34 PM
C:\Windows\System32\Drivers\scatwzcg.sys      Rootkit.SmartService (A) [290143]
C:\ProgramData\trymedia      Application.AppInstall (A) [226672]

Scanned    71251
Found    2

Scan end:    1/10/2018 12:00:22 AM
Scan time:    0:01:48

 

 

rkill

Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2018 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/09/2018 12:00:03 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Advanced Explorer Setting Removed:  HideIcons [HKCU]

Backup Registry file created at:
 C:\Users\EllenH\Desktop\rkill\rkill-01-09-2018-12-00-05.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 1,008,640 : 10/16/2017 11:35 AM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
 +-> C:\Windows\SysWOW64\user32.dll : 833,024 : 10/16/2017 11:35 AM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll : 1,008,640 : 07/13/2009 07:41 PM : 72d7b3ea16946e8f0cf7458150031cc6 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1,008,128 : 11/20/2010 07:27 AM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23594_none_2b915fa59d5abee0\user32.dll : 1,009,152 : 11/10/2016 10:32 AM : 34ba256fbf83457f9d5e51a56db54542 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll : 833,024 : 07/13/2009 07:11 PM : e8b0ffc209e504cb7e79fc24e6c085f0 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833,024 : 11/20/2010 06:08 AM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.23594_none_35e609f7d1bb80db\user32.dll : 833,024 : 11/10/2016 10:19 AM : 3cb074875ac88a7c1010a2a7f9881a8c [Pos Repl]

Checking HOSTS File:

 * No issues found.

Program finished at: 01/09/2018 12:01:05 AM
Execution time: 0 hours(s), 1 minute(s), and 2 seconds(s)



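The Rkill log above reports two findings a responder would want to pull out of the text before deciding what to do next: a Defender policy value set under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and a user32.dll flagged [NoSig] together with the [Pos Repl] candidate copies Rkill lists beneath it. As an added example (not Rkill's own code and not from anyone in this thread), the Python below parses a log in that format into a structured report and turns it into a short triage list. SAMPLE_LOG is constructed from the excerpt posted above; the dataclass names, the section-keyed findings dictionary and the HIGH/INFO labels are this example's own conventions.

```python
"""Parse an Rkill log into structured findings for triage. Added example, not
Rkill's own code: names and labels are assumptions; SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""Rkill 2.9.1 by Lawrence Abrams (Grinler)
Program started at: 01/09/2018 12:00:03 AM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking Registry for malware related settings:

 * Advanced Explorer Setting Removed:  HideIcons [HKCU]

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 1,008,640 : 10/16/2017 11:35 AM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
 +-> C:\Windows\SysWOW64\user32.dll : 833,024 : 10/16/2017 11:35 AM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll : 1,008,640 : 07/13/2009 07:41 PM : 72d7b3ea16946e8f0cf7458150031cc6 [Pos Repl]
"""

@dataclass
class FileEntry:
    path: str
    size: int
    md5: str
    replacements: list = field(default_factory=list)  # Rkill's "[Pos Repl]" candidates

@dataclass
class RkillReport:
    mode: str = ""
    windows_version: str = ""
    findings: dict = field(default_factory=dict)      # section header -> " * " findings
    defender_disabled: bool = False
    defender_policy: dict = field(default_factory=dict)  # policy key and values under it
    unsigned_files: list = field(default_factory=list)

SECTION_RE = re.compile(r"^\S.*:$")      # section header, e.g. "Checking HOSTS File:"
FINDING_RE = re.compile(r"^ \* (.*)$")   # " * <finding>"
REPL_RE = re.compile(r"^ \+-> (.*)$")    # " +-> <candidate replacement file>"
SIG_RE = re.compile(r"^(?P<path>.+?) : (?P<size>[\d,]+) : (?P<date>.+?) : "
                    r"(?P<md5>[0-9a-fA-F]{32}) \[(?P<tag>[^\]]+)\]$")
KEY_RE = re.compile(r"^\s+\[(?P<key>HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^\s+"(?P<name>[^"]+)" = (?P<value>\S+)$')
MODE_RE = re.compile(r"in (?P<mode>x\d+) mode\.")

def _entry(m):
    return FileEntry(m["path"], int(m["size"].replace(",", "")), m["md5"])

def parse_rkill_log(text):
    rep, section = RkillReport(), ""
    for line in text.splitlines():
        line = line.rstrip()
        if m := MODE_RE.search(line):
            rep.mode = m["mode"]
        elif line.startswith("Windows Version:"):
            rep.windows_version = line.split(":", 1)[1].strip()
        elif SECTION_RE.match(line):
            section = line.rstrip(":").lower()
        elif "signature" in section:
            fm, rm = FINDING_RE.match(line), REPL_RE.match(line)
            sm = SIG_RE.match((fm or rm).group(1)) if (fm or rm) else None
            if sm and fm and sm["tag"] == "NoSig":
                rep.unsigned_files.append(_entry(sm))
            elif sm and rm and rep.unsigned_files:   # candidate for the preceding NoSig file
                rep.unsigned_files[-1].replacements.append(_entry(sm))
        elif "miscellaneous" in section and (m := KEY_RE.match(line)):
            rep.defender_policy["key"] = m["key"]
        elif "miscellaneous" in section and (m := VALUE_RE.match(line)):
            rep.defender_policy[m["name"]] = m["value"]
        elif (fm := FINDING_RE.match(line)) and not fm.group(1).startswith("No "):
            finding = fm.group(1).strip()
            rep.findings.setdefault(section, []).append(finding)
            if "defender" in finding.lower() and "disabled" in finding.lower():
                rep.defender_disabled = True
    return rep

def triage(rep):
    """Prioritised notes for a responder; HIGH/INFO labels are this example's convention."""
    notes = []
    if rep.defender_disabled:
        key = rep.defender_policy.get("key", "policy key not captured")
        notes.append(f"HIGH: Windows Defender disabled by policy [{key}] "
                     f"DisableAntiSpyware={rep.defender_policy.get('DisableAntiSpyware', '?')}")
    for uf in rep.unsigned_files:
        # a same-size copy with a different hash is the kind of candidate Rkill tags [Pos Repl]
        same = [r for r in uf.replacements if r.size == uf.size and r.md5 != uf.md5]
        notes.append(f"HIGH: {uf.path} has no digital signature (md5 {uf.md5}); "
                     f"{len(same)} same-size candidate copies with a different hash")
    notes += [f"INFO: Rkill reverted: {c}"
              for c in rep.findings.get("checking registry for malware related settings", [])]
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_rkill_log(SAMPLE_LOG))))
```

Run it as-is to see the three notes for the constructed sample, or pass the full text of a saved Rkill log to parse_rkill_log. The policy value is worth checking on any host that shows it: a DisableAntiSpyware entry under the Policies hive is not present on a default install, so whoever set it (an administrator, a third-party AV installer, or malware) should be identifiable.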

#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 January 2018 - 09:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection.

Item(s) required:

USB Flash Drive
Another clean computer. (You cannot work from the infected computer directly.)

You'll need to download the FRST executable on a clean computer, and move it to your USB Flash Drive. That USB can only be inserted in the infected computer if it is either shutdown, or in the Windows Recovery Environment (RE). Otherwise, the infection will mess with the files on the USB and you'll have to restart.

<<<>>>

Let's proceed:

Preparing the USB Flash Drive

Using the clean computer, download the right version of the Farbar program for your system to the Desktop.
64-bit or 32-bit version. Select the one you need.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Move the executable (FRST.exe or FRST64.exe) to your USB Flash Drive.

How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system.
https://support.microsoft.com/en-us/help/827218/how-to-determine-whether-a-computer-is-running-a-32-bit-version-or-64

If your system is Windows 10, the instructions are the same as for Windows 7.

===

Boot into the Recovery Environment (WINDOWS 7 USERS).

To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
Restart the computer
Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
Use the arrow keys to select Repair your computer, and press on Enter
Select your keyboard layout (US, French, etc.) and click on Next

Once in the command prompt:
Plug your USB Flash Drive into the infected computer
---

Click on Command Prompt to open the command prompt

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad

In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter

Note: Replace the letter e with the drive letter of your USB Flash Drive

FRST will open

Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply.

Wait for further instructions.

p.s.
If at any time you need additional information please ask before proceeding.

Also,

Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media.
Let me know and I will give you additional information.


#3 Da_Momma

Da_Momma
  • Topic Starter
  • Members
  • 10 posts

Posted 10 January 2018 - 01:29 PM

Hi, sorry it took me so long; I had a hard time getting the laptop to print the instructions.

Thank you for your help. The file is attached as you said.

Attached Files

  • Attached File: FRST.txt (14.95KB, 4 downloads)

Edited by Da_Momma, 10 January 2018 - 01:31 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 January 2018 - 02:23 PM

Hi,

The results are not exactly as I suspected.

You have booted to the RECOVERY partition.

Boot Mode: Recovery
Default: ControlSet003
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
ATTENTION!:=====> THE OPERATING SYSTEM IS A X86 SYSTEM BUT THE BOOT DISK THAT IS USED TO BOOT TO RECOVERY ENVIRONMENT IS A X64 SYSTEM DISK.


I have modified my instructions.


To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
Restart the computer
Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
Use the arrow keys to select Repair your computer, and press on Enter
Select your keyboard layout (US, French, etc.) and click on Next
Click on Command Prompt to open the command prompt < I have added this line.


Follow the rest of the instructions as listed in my reply.

If you need additional help before proceeding let me know.

If you are not able to enter the BIOS tapping F8 let me know.

#5 Da_Momma

Da_Momma
  • Topic Starter
  • Members
  • 10 posts

Posted 10 January 2018 - 06:39 PM

Hi,

F8 only gives me boot devices.

F9 gives me the boot screen, which then tells me to push F8 to go to Advanced Boot Options, which has Repair Your Computer as the top choice, so I assume I do the F9 again?


Edited by Da_Momma, 10 January 2018 - 06:40 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 January 2018 - 08:39 AM



Hi,

Use F9 and use the arrow keys to select Repair your computer, and continue with the fix.

p.s.
What is the manufacturer's name of this computer?

#7 Da_Momma

Da_Momma
  • Topic Starter
  • Members
  • 10 posts

Posted 12 January 2018 - 12:48 AM

Hi nasdaq,

I am sorry, family has kept me away, but as of now, tomorrow, Saturday and Sunday I am able to commit time to get this finished.

I am on central time in case you need to know.

Asus custom build. Would you like me to use a benchmark to get you more info on my system?

Forgive my not understanding, but I want to be sure I do what you want.

Am I to go back to F9 - Repair - run the scan again, or click on fix?



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 January 2018 - 09:40 AM



Hi,

Take all the time you need; I will be here.

How to enter Startup Repair on an ASUS computer:
https://www.asus.com/us/support/FAQ/1013965

As you can see, if you get a message that you cannot repair your computer, you will have to reset to the factory level.
Make sure you select Keep my files.

That being said, make sure you have a backup of all your important files, just in case something goes wrong.

#9 Da_Momma

Da_Momma
  • Topic Starter
  • Members
  • 10 posts

Posted 12 January 2018 - 12:30 PM

My system is running Windows 7 Ultimate.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 January 2018 - 01:34 PM



The Windows 10 instructions might be very close to your Windows 7.

You can try them and see if you can get to Startup Repair.

===

This is all I could find to reset your desktop with Windows 7:

https://www.asus.com/support/FAQ/1030348/

===

If you have any other questions before proceeding please ask.

It might help if you can give me the model number of the Asus computer.
I can possibly find additional information on the net.

p.s.
Do you have the restore disk for this computer?

#11 Da_Momma

Da_Momma
  • Topic Starter
  • Members
  • 10 posts

Posted 12 January 2018 - 02:04 PM

Startup Repair could not find a problem; nothing repaired.

 

Would it be best if I just do a reformat of C?



#12 Da_Momma

Da_Momma
  • Topic Starter
  • Members
  • 10 posts

Posted 13 January 2018 - 03:53 AM

I want to add that, after trying this over and over all day, I just now noticed that instead of System Recovery Options going to the C drive it is going to G, and there is nothing for me to select C.



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 January 2018 - 09:17 AM



Hi,

Reported by the Addition.txt log.

Drive g: (Old_D_Drive) (Fixed) (Total:40.57 GB) (Free:34.78 GB) NTFS
This G: drive may be the recovery drive.

To me, this drive (partition) is the first one created with the original XP system.
Disk: 3 (MBR Code: Windows XP) (Size: 14.5 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=14.5 GB) - (Type=0C)


This is not what you want.

Startup Repair could not find a problem; nothing repaired.
Would it be best if I just do a reformat of C?


You will lose everything. All programs and security software will have to be reinstalled.
You also need a good backup of all your important files, pictures, etc.

How important is this computer to you?

Which operating system installation disk do you have?

#14 Da_Momma

Da_Momma
  • Topic Starter
  • Members
  • 10 posts

Posted 17 January 2018 - 11:58 PM

This computer is my livelihood, so very important.

No problem on having to reinstall programs etc., as I only need to fix my C drive, which is my new hard drive.

 

I have them all but 8, 10, 11

I prefer the Windows 7 Ultimate, which I have.

Sorry for the late reply; I did not get the notice and have been offline dealing with frozen water lines.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 January 2018 - 08:36 AM

Hi,

I would reinstall Windows 7.

You say you have the installation disk. This is fine.

You can also read and decide if you wish to create installation media, a USB flash drive or a DVD.

https://www.microsoft.com/en-ca/software-download/windows7
