Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mom's Computer Strike's Again -- Malware, Viruses, Ransomware?


  • This topic is locked This topic is locked
12 replies to this topic

#1 art_vandelay

art_vandelay

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 23 January 2018 - 11:50 PM

Hi all,

 

Mom's computer is hosed up again with malware, viruses, and possibly even ransomware.  Thank you very much in advance!

 

here is the FRST Log

==============================

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-12-2015
Ran by sheila (administrator) on SHEILA-PC (23-01-2018 20:35:22)
Running from C:\Users\sheila\Desktop\Spyware Tools
Loaded Profiles: sheila (Available Profiles: sheila)
Platform: Windows 10 Home Version 1703 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2svc.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Microsoft Corporation) C:\Windows\System32\SecurityHealthService.exe
(Microsoft) C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe
Failed to access process -> Memory Compression
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2comm.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2pre.exe
(Microsoft Corporation) C:\Windows\System32\wimserv.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2tray.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMUPDT.EXE
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2mainh.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2host.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2audioh.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2printh.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1285704 2014-08-08] (CANON INC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-0-0\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [517120 2017-03-18] (Microsoft Corporation)
HKU\S-1-5-21-2534099351-527031699-1384085060-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [570880 2017-07-10] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
Tcpip\..\Interfaces\{71c6a0b2-eadd-44b5-ace8-e6b9c8664eeb}: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
 
Internet Explorer:
==================
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-11-16] (Google Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-07-28] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-11-16] (Google Inc.)
BHO-x32: AviraBrowserSafety.BrowserSafety -> {c3c77255-42c0-499f-b664-6e981a0b1647} -> C:\WINDOWS\SysWOW64\mscoree.dll [2017-03-18] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-07-28] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-11-16] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-11-16] (Google Inc.)
Toolbar: HKU\S-1-5-21-2534099351-527031699-1384085060-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-11-16] (Google Inc.)
Handler-x32: abs - {E00957BD-D0E1-4eb9-A025-7743FDC8B27B} - C:\WINDOWS\SysWOW64\mscoree.dll [2017-03-18] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\AjXNNDfR.default
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2534099351-527031699-1384085060-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\sheila\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-10-25] (Unity Technologies ApS)
FF Extension: Avira Browser Safety - C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\AjXNNDfR.default\Extensions\abs@avira.com [2015-12-05] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-21]
CHR Extension: (Google Drive) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-02]
CHR Extension: (YouTube) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-04]
CHR Extension: (Google Search) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-02]
CHR Extension: (Google Docs Offline) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-04]
CHR Extension: (Gmail) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-26]
CHR Extension: (Chrome Media Router) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-27]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1128944 2017-12-13] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [492560 2018-01-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [492560 2018-01-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1526832 2017-12-13] (Avira Operations GmbH & Co. KG)
S2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [434248 2017-11-06] (Avira Operations GmbH & Co. KG)
S2 CDPUserSvc; C:\Windows\System32\CDPUserSvc.dll [524288 2017-03-18] (Microsoft Corporation)
R2 CDPUserSvc_2133b379; C:\WINDOWS\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
R2 CDPUserSvc_2133b379; C:\WINDOWS\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
S3 DevicesFlowUserSvc; C:\Windows\System32\DevicesFlowBroker.dll [689152 2017-03-18] (Microsoft Corporation)
S3 DevicesFlowUserSvc_2133b379; C:\WINDOWS\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
S3 DevicesFlowUserSvc_2133b379; C:\WINDOWS\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
R2 DusmSvc; C:\Windows\System32\dusmsvc.dll [304640 2017-11-29] (Microsoft Corporation)
S3 FrameServer; C:\Windows\system32\FrameServer.dll [600576 2017-08-27] (Microsoft Corporation)
R2 GoToMyPC; C:\Program Files (x86)\GoToMyPC\g2svc.exe [1892824 2017-11-27] (LogMeIn, Inc.)
S3 HvHost; C:\Windows\System32\hvhostsvc.dll [59800 2017-03-18] (Microsoft Corporation)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [84616 2014-05-15] ()
S3 IpxlatCfgSvc; C:\Windows\System32\IpxlatCfg.dll [64000 2017-03-18] (Microsoft Corporation)
S3 NaturalAuthentication; C:\Windows\System32\NaturalAuth.dll [723968 2017-03-18] (Microsoft Corporation)
R2 NovaPdfServer; C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [51112 2016-06-17] (Microsoft)
S3 RmSvc; C:\Windows\System32\RMapi.dll [153088 2017-11-01] (Microsoft Corporation)
R2 SecurityHealthService; C:\Windows\system32\SecurityHealthService.exe [336320 2017-09-29] (Microsoft Corporation)
S3 SEMgrSvc; C:\Windows\system32\SEMgrSvc.dll [1191424 2017-03-18] (Microsoft Corporation)
S4 shpamsvc; C:\Windows\system32\Windows.SharedPC.AccountManager.dll [192512 2017-07-10] (Microsoft Corporation)
S3 spectrum; C:\Windows\system32\spectrum.exe [891904 2017-03-18] (Microsoft Corporation)
R3 TimeBrokerSvc; C:\Windows\System32\TimeBrokerServer.dll [165888 2017-03-18] (Microsoft Corporation)
R3 TokenBroker; C:\Windows\System32\TokenBroker.dll [1052672 2017-09-28] (Microsoft Corporation)
R3 TokenBroker; C:\WINDOWS\SysWOW64\TokenBroker.dll [798720 2017-09-28] (Microsoft Corporation)
S3 vmicrdv; C:\Windows\System32\icsvcext.dll [307712 2017-03-18] (Microsoft Corporation)
S3 vmicvss; C:\Windows\System32\icsvcext.dll [307712 2017-03-18] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [342264 2017-03-18] (Microsoft Corporation)
S3 WFDSConMgrSvc; C:\Windows\System32\wfdsconmgrsvc.dll [555008 2017-07-10] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [102816 2017-07-10] (Microsoft Corporation)
S3 wisvc; C:\Windows\system32\flightsettings.dll [719872 2017-11-01] (Microsoft Corporation)
S3 wlpasvc; C:\Windows\System32\lpasvc.dll [1298432 2017-08-27] (Microsoft Corporation)
S2 WpnUserService; C:\Windows\System32\WpnUserService.dll [72704 2017-03-18] (Microsoft Corporation)
R2 WpnUserService_2133b379; C:\WINDOWS\system32\svchost.exe [47664 2017-03-18] (Microsoft Corporation)
R2 WpnUserService_2133b379; C:\WINDOWS\SysWOW64\svchost.exe [40904 2017-03-18] (Microsoft Corporation)
S3 xbgm; C:\Windows\System32\xbgmsvc.dll [301216 2017-03-18] (Microsoft Corporation)
S3 XboxGipSvc; C:\Windows\System32\XboxGipSvc.dll [18944 2017-03-18] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AcpiDev; C:\Windows\System32\drivers\AcpiDev.sys [20480 2017-03-18] (Microsoft Corporation)
S3 applockerfltr; C:\Windows\System32\drivers\applockerfltr.sys [17920 2017-03-18] (Microsoft Corporation)
R0 avdevprot; C:\Windows\System32\DRIVERS\avdevprot.sys [60920 2017-06-13] (Avira Operations GmbH & Co. KG)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [178840 2017-12-13] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [169376 2017-12-13] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\system32\DRIVERS\avkmgr.sys [44488 2017-03-02] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\system32\DRIVERS\avnetflt.sys [88488 2017-03-02] (Avira Operations GmbH & Co. KG)
S0 b06bdrv; C:\Windows\System32\drivers\bxvbda.sys [533920 2017-03-18] (QLogic Corporation)
S3 CAD; C:\Windows\System32\drivers\CAD.sys [53664 2017-03-18] (Microsoft Corporation)
S3 cht4iscsi; C:\Windows\System32\drivers\cht4sx64.sys [347032 2017-03-18] (Chelsio Communications)
S3 cht4vbd; C:\Windows\System32\drivers\cht4vx64.sys [2104224 2017-03-18] (Chelsio Communications)
S2 CldFlt; C:\Windows\System32\drivers\cldflt.sys [12288 2017-03-18] (Microsoft Corporation)
R2 clreg; C:\Windows\System32\drivers\registry.sys [14336 2017-03-18] (Microsoft Corporation)
S3 hvservice; C:\Windows\System32\drivers\hvservice.sys [74648 2017-03-18] (Microsoft Corporation)
S3 iagpio; C:\Windows\System32\drivers\iagpio.sys [33280 2017-03-18] (Intel® Corporation)
S3 iaLPSS2i_GPIO2; C:\Windows\System32\drivers\iaLPSS2i_GPIO2.sys [70656 2017-03-18] (Intel Corporation)
S3 iaLPSS2i_GPIO2_BXT_P; C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys [85504 2017-03-18] (Intel Corporation)
S3 iaLPSS2i_I2C_BXT_P; C:\Windows\System32\drivers\iaLPSS2i_I2C_BXT_P.sys [168448 2017-03-18] (Intel Corporation)
S3 IndirectKmd; C:\Windows\System32\drivers\IndirectKmd.sys [36864 2017-03-18] (Microsoft Corporation)
R0 iorate; C:\Windows\System32\drivers\iorate.sys [49568 2017-03-18] (Microsoft Corporation)
S3 mausbhost; C:\Windows\System32\drivers\mausbhost.sys [405408 2017-03-18] (Microsoft Corporation)
S3 mausbip; C:\Windows\System32\drivers\mausbip.sys [51104 2017-03-18] (Microsoft Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-05-24] (Malwarebytes)
S0 megasas2i; C:\Windows\System32\drivers\MegaSas2i.sys [64416 2017-03-18] (Avago Technologies)
R2 monblanking; C:\Windows\system32\DRIVERS\monblanking.sys [47696 2017-11-27] (LogMeIn, Inc)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [122368 2017-03-18] (Microsoft Corporation)
S3 nvdimmn; C:\Windows\System32\drivers\nvdimmn.sys [80896 2017-03-18] (Microsoft Corporation)
S0 percsas2i; C:\Windows\System32\drivers\percsas2i.sys [58784 2017-03-18] (Avago Technologies)
S3 pmem; C:\Windows\System32\drivers\pmem.sys [101376 2017-03-18] (Microsoft Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [604160 2017-03-18] (Realtek                                            )
S0 scmbus; C:\Windows\System32\drivers\scmbus.sys [91040 2017-03-18] (Microsoft Corporation)
S3 SDFRd; C:\Windows\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S3 SpatialGraphFilter; C:\Windows\System32\drivers\SpatialGraphFilter.sys [40352 2017-03-18] (Microsoft Corporation)
S3 UcmTcpciCx0101; C:\Windows\System32\Drivers\UcmTcpciCx.sys [179200 2017-03-18] (Microsoft Corporation)
S3 vmgid; C:\Windows\System32\drivers\vmgid.sys [10240 2017-03-18] (Microsoft Corporation)
R0 volume; C:\Windows\System32\drivers\volume.sys [16288 2017-03-18] (Microsoft Corporation)
R2 wcifs; C:\Windows\system32\drivers\wcifs.sys [142752 2017-07-10] (Microsoft Corporation)
S3 wcnfs; C:\Windows\system32\drivers\wcnfs.sys [72192 2017-03-18] (Microsoft Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44632 2017-03-18] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [294816 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [121248 2017-03-18] (Microsoft Corporation)
S3 WinNat; C:\Windows\System32\drivers\winnat.sys [217088 2017-03-18] (Microsoft Corporation)
U4 aspnet_state; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: shpamsvc -> C:\Windows\system32\Windows.SharedPC.AccountManager.dll (Microsoft Corporation)
NETSVC: NaturalAuthentication -> C:\Windows\System32\NaturalAuth.dll (Microsoft Corporation)
NETSVC: xbgm -> C:\Windows\System32\xbgmsvc.dll (Microsoft Corporation)
NETSVC: TokenBroker -> C:\Windows\System32\TokenBroker.dll (Microsoft Corporation)
NETSVC: wisvc -> C:\Windows\system32\flightsettings.dll (Microsoft Corporation)
NETSVC: WpnService -> C:\Windows\system32\WpnService.dll (Microsoft Corporation)
NETSVC: XboxGipSvc -> C:\Windows\System32\XboxGipSvc.dll (Microsoft Corporation)
NETSVCx32: TokenBroker -> C:\Windows\SysWOW64\TokenBroker.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-11 20:24 - 2018-01-19 12:25 - 00000000 ____D C:\Program Files\rempl
2018-01-09 13:31 - 2018-01-09 13:31 - 00000000 ___HD C:\ProgramData\CanonIJEGV
2017-12-30 00:25 - 2017-12-30 00:25 - 00000000 ____D C:\Windows.old
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-23 20:35 - 2015-06-30 20:13 - 00000000 ____D C:\FRST
2018-01-23 20:29 - 2017-08-27 14:08 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2018-01-23 15:31 - 2017-08-27 14:24 - 00004156 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{C2F9ADDE-17FA-4D6D-8533-F4AE1D3156F4}
2018-01-23 12:20 - 2017-03-18 13:01 - 00000000 ____D C:\WINDOWS\INF
2018-01-23 06:27 - 2017-03-18 13:03 - 00000000 ____D C:\WINDOWS\AppReadiness
2018-01-22 21:23 - 2016-02-01 17:02 - 00000000 ____D C:\ProgramData\CanonIJPLM
2018-01-21 09:11 - 2017-03-18 13:03 - 00000000 ___HD C:\Program Files\WindowsApps
2018-01-09 23:06 - 2014-10-04 20:31 - 00000000 ____D C:\WINDOWS\system32\MRT
2018-01-09 23:04 - 2017-10-11 02:59 - 129365736 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-01-09 23:04 - 2014-10-04 20:31 - 129365736 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-01-09 23:03 - 2017-03-18 12:51 - 00000000 ____D C:\WINDOWS\CbsTemp
2018-01-08 18:55 - 2014-10-05 15:19 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-08 18:55 - 2014-10-05 15:19 - 00002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-31 18:15 - 2017-03-18 13:03 - 00000000 ____D C:\WINDOWS\rescache
2017-12-30 02:52 - 2017-08-09 13:50 - 00000000 ___DC C:\WINDOWS\Panther
2017-12-30 02:43 - 2017-08-27 14:29 - 00041913 _____ C:\WINDOWS\diagwrn.xml
2017-12-30 02:43 - 2017-08-27 14:29 - 00041913 _____ C:\WINDOWS\diagerr.xml
2017-12-30 02:08 - 2017-03-18 13:03 - 00000000 ____D C:\WINDOWS\Registration
2017-12-30 02:07 - 2017-09-29 07:04 - 00000000 ___HD C:\$WINDOWS.~BT
2017-12-29 23:44 - 2017-08-27 14:25 - 01018504 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-12-29 23:40 - 2016-02-13 05:20 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-12-29 23:39 - 2017-08-27 14:11 - 00000000 ____D C:\Users\sheila
2017-12-29 23:38 - 2017-08-27 14:08 - 00217000 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-12-29 23:37 - 2017-08-27 14:24 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-12-29 23:37 - 2017-03-18 03:40 - 03407872 _____ C:\WINDOWS\system32\config\BBI
2017-12-29 23:36 - 2017-07-12 07:45 - 00000000 ___SD C:\WINDOWS\UpdateAssistantV2
2017-12-29 23:36 - 2017-03-18 13:03 - 00000000 ____D C:\WINDOWS\system32\oobe
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
ATTENTION: ==> Could not access BCD. 
 
 
LastRegBack: 2018-01-18 11:07
 
==================== End of FRST.txt ============================
 
 
And here is addition.txt
==================================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-12-2015
Ran by sheila (2018-01-23 20:36:18)
Running from C:\Users\sheila\Desktop\Spyware Tools
Windows 10 Home (X64) (2017-08-27 22:33:23)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2534099351-527031699-1384085060-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2534099351-527031699-1384085060-503 - Limited - Disabled)
Guest (S-1-5-21-2534099351-527031699-1384085060-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2534099351-527031699-1384085060-1002 - Limited - Enabled)
sheila (S-1-5-21-2534099351-527031699-1384085060-1000 - Administrator - Enabled) => C:\Users\sheila
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avira Antivirus (Enabled - Up to date) {B3F630BD-538D-1B4A-14FA-14B63235278F}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avira Antivirus (Enabled - Up to date) {0897D159-75B7-14C4-2E4A-2FC449B26D32}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
ATI Catalyst Install Manager (HKLM\...\{6E3D4FFE-9614-4E58-9DE2-F9A036EAD491}) (Version: 3.0.808.0 - ATI Technologies, Inc.)
Avira (HKLM-x32\...\{638c58eb-e71e-4b96-8f16-c5a7dbc4293f}) (Version: 1.2.100.18354 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.2.100.18354 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.34.17 - Avira Operations GmbH & Co. KG)
Avira Browser Safety (HKLM-x32\...\{9E10EA90-5E97-43B7-A246-FC7B4F5E9493}) (Version: 1.4.5.509 - Avira Operations GmbH & Co KG)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.15.23 - Canon Inc.)
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: 4.3.0 - Canon Inc.)
Canon MX490 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX490_series) (Version: 1.00 - Canon Inc.)
Canon MX490 series On-screen Manual (HKLM-x32\...\Canon MX490 series On-screen Manual) (Version: 7.7.1 - Canon Inc.)
Canon MX490 series User Registration (HKLM-x32\...\Canon MX490 series User Registration) (Version:  - ‭Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.2.1 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.5.0 - Canon Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.33.7 - Google Inc.) Hidden
GoToMyPC (HKLM\...\{A8C0EB0A-D66F-487B-8BA7-2A859268DC35}) (Version: 9.6.2220 - LogMeIn, Inc.)
GoToMyPC Print Assistant (HKLM\...\{57414DD3-55A7-4D2E-916F-2F1407AABE91}) (Version: 8.6.942 - Softland)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2534099351-527031699-1384085060-1000\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
novaPDF 8 Printer Driver (HKLM\...\{1A9E9E77-B29B-47C6-ADEB-9E7D6F7A08CE}) (Version: 8.6.942 - Softland)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.46.610.2011 - Realtek)
Unity Web Player (HKU\S-1-5-21-2534099351-527031699-1384085060-1000\...\UnityWebPlayer) (Version: 5.3.7f1 - Unity Technologies ApS)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{EC5A6438-850E-4AD1-9169-DD071C8EFFEF}) (Version: 2.10.0.0 - Microsoft Corporation)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2534099351-527031699-1384085060-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\localserver32 -> C:\Users\sheila\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2534099351-527031699-1384085060-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\localserver32 -> C:\Users\sheila\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2534099351-527031699-1384085060-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\sheila\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2534099351-527031699-1384085060-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\localserver32 -> C:\Users\sheila\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\FileCoAuth.exe (Microsoft Corporation)
 
==================== Restore Points =========================
 
05-01-2018 04:01:11 Windows Update
09-01-2018 23:02:25 Windows Update
09-01-2018 23:03:15 Windows Update
13-01-2018 19:57:01 Windows Update
16-01-2018 21:06:23 Windows Update
21-01-2018 11:28:33 Windows Update
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 18:34 - 2015-12-03 08:56 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0554F263-AE1F-4A38-9456-993516B21680} - System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\HandleCommand
Task: {05632703-FCFB-42CB-8059-FD6BF29B7F8D} - System32\Tasks\Avira SystrayStartTrigger => Avira.SystrayStartTrigger.exe
Task: {05E2082C-D22E-4C31-BFAB-672A358AD81A} - System32\Tasks\Microsoft\Windows\Shell\FamilySafetyRefreshTask
Task: {07DA66D6-EA60-4F49-98E4-60154777B94D} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {0BECEC76-D850-4690-AC6D-CC28C5EA2A26} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {0C518199-F01B-42CF-9CB7-16710B002812} - System32\Tasks\Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask => C:\Windows\system32\MDMAgent.exe [2017-03-18] (Microsoft Corporation)
Task: {0DC9C025-C19C-46E5-B16C-327F1D03D3C1} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\Windows\ehome\MCUpdate.exe
Task: {133AABA0-51E1-40FB-B384-00CEF8C502E0} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\Windows\ehome\ehPrivJob.exe
Task: {1CD4D5B6-9E36-400B-806F-3EE5625427AF} - System32\Tasks\Microsoft\Windows\rempl\shell-compact => C:\Program Files\rempl\remsh.exe [2018-01-13] (Microsoft Corporation)
Task: {210E27B5-0A31-4547-87BC-29BD68D546CB} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\Windows\ehome\ehPrivJob.exe
Task: {2D44101B-F886-4625-878D-03CE78A02185} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\Windows\ehome\ehPrivJob.exe
Task: {335924CF-DD36-41BA-BC31-F3708E1E6EA0} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\Windows\ehome\ehrec.exe
Task: {33D1E219-5083-4240-94E3-7046EC2096D8} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {3778E6DB-ABB5-4588-B69B-D9F7F9B49354} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\Windows\ehome\ehPrivJob.exe
Task: {3797DAAC-2FA9-437A-A069-A0981BF9DD68} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {3EDAF9A0-CC33-4FD4-B705-9B2F01B8F349} - System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\LocateCommandUserSession
Task: {434DFEB0-9EB6-4FBE-87C5-D9AEAC7B47D7} - System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceLocationRightsChange
Task: {440120DA-B254-43D2-82AC-70CF01182F26} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\Windows\ehome\ehPrivJob.exe
Task: {52CCD7F1-7681-4887-862A-A8ADA8A6CF05} - System32\Tasks\Avira_Antivirus_Systray => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [2017-12-13] (Avira Operations GmbH & Co. KG)
Task: {5B48937C-2786-49D8-98DD-F6C2226D1BF8} - System32\Tasks\Microsoft\Windows\rempl\shell-unlock => C:\Program Files\rempl\remsh.exe [2018-01-13] (Microsoft Corporation)
Task: {5C326114-085E-444C-9B7A-D3E2E59C549E} - System32\Tasks\Microsoft\Windows\Device Information\Device => C:\Windows\system32\devicecensus.exe [2017-11-17] (Microsoft Corporation)
Task: {5C43827A-D8C9-495B-AC43-3E0C135AA98D} - System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\RegisterDevicePolicyChange
Task: {60ECA01D-DA53-442F-B332-6A3FC93FF4C4} - System32\Tasks\Microsoft\Windows\EDP\EDP Auth Task
Task: {63ABBE93-A1B0-4DE1-BCDE-66EE049F6343} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-12] (Adobe Systems Incorporated)
Task: {64D227A1-CAF2-4F62-893C-CB71B7F5593F} - System32\Tasks\Microsoft\Windows\EDP\EDP Inaccessible Credentials Task
Task: {6772AC65-7600-4DF2-9BD5-F17292FAAE4B} - System32\Tasks\Microsoft\Windows\Speech\SpeechModelDownloadTask => C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe [2017-03-18] (Microsoft Corporation)
Task: {68311F76-4593-4460-8549-175B1EB9E20A} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\Windows\ehome\mcupdate.exe
Task: {68861600-8DE1-4D43-8F44-847C6947AA70} - System32\Tasks\Microsoft\Windows\EDP\EDP App Launch Task
Task: {693F02EA-12F7-4661-8730-A5DF1AFD642F} - System32\Tasks\Microsoft\Windows\BitLocker\BitLocker MDM policy Refresh
Task: {6BD9FDA3-C8EE-4C02-95CB-1B221BF24F79} - System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceProtectionStateChanged
Task: {6EB571F4-CD0B-447D-87B6-F71A502FB818} - System32\Tasks\Microsoft\Windows\rempl\shell-restore => C:\Program Files\rempl\remsh.exe [2018-01-13] (Microsoft Corporation)
Task: {7072963F-3763-4E9F-A1F5-DE9703BAE827} - System32\Tasks\Microsoft\Windows\Shell\FamilySafetyMonitorToastTask
Task: {786E9D92-5BB1-4399-958E-2550B6CEEFA8} - System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\HandleWnsCommand
Task: {78F76D6D-0B70-46A9-8DEB-4FCB650A6627} - System32\Tasks\Microsoft\Windows\SharedPC\Account Cleanup => Rundll32.exe %windir%\System32\Windows.SharedPC.AccountManager.dll,StartMaintenance
Task: {7E48EB16-2459-437A-B3B5-DD91866302CC} - System32\Tasks\Microsoft\Windows\EDP\StorageCardEncryption Task
Task: {8478C771-AE7D-47EA-9D79-22DC82C4E3F6} - System32\Tasks\Microsoft\Windows\DiskFootprint\StorageSense
Task: {88E18EB0-E633-47C9-8FE5-84CEAB8F5EF7} - System32\Tasks\microsoft\windows\applicationdata\appuriverifierdaily => C:\Windows\system32\AppHostRegistrationVerifier.exe [2017-03-18] (Microsoft Corporation)
Task: {895E5EEE-2D15-417F-B381-BD1289C26B05} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\Windows\ehome\mcupdate.exe
Task: {8A0AC17B-DDF7-4E74-BE79-6FD6B767A22E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {8C5D1608-0748-4414-AF40-A403264AAF6B} - System32\Tasks\Microsoft\Windows\Subscription\EnableLicenseAcquisition => C:\Windows\system32\ClipRenew.exe [2017-03-18] (Microsoft Corporation)
Task: {905FAF0A-B8FE-4D7E-A406-879060FE6F28} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\Windows\ehome\mcupdate.exe
Task: {943E96FA-4B63-4F35-A5BB-87CDBC450959} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\Windows\ehome\ehPrivJob.exe
Task: {9BFBFF63-27D1-4C7C-ADFA-AE5B98B90F78} - System32\Tasks\Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask
Task: {A9F28423-9083-4ACE-8B94-09246BAF6236} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {AAF93311-FCB4-4532-9F73-698CA0ACCBBA} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\Windows\ehome\ehPrivJob.exe
Task: {AE7B1C8E-BC34-4D9C-A6D5-E51A660FE8E3} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\Windows\ehome\ehPrivJob.exe
Task: {BAAB00E1-CF1A-47D4-85EA-48793FE16FF4} - System32\Tasks\Microsoft\Windows\rempl\shell-unlock-sih => C:\Program Files\rempl\remsh.exe [2018-01-13] (Microsoft Corporation)
Task: {BD69C6ED-AD55-467C-B787-533200C3B376} - System32\Tasks\Microsoft\XblGameSave\XblGameSaveTask => C:\Windows\System32\XblGameSaveTask.exe [2017-03-18] (Microsoft Corporation)
Task: {BD95C1FD-87C8-4697-BFB3-BBA9524A89EE} - System32\Tasks\Avira Browser Safety Updater Task => C:\Program Files (x86)\Avira\Browser Safety\AviraBrowserSafetyUpdater.exe [2015-03-11] (Avira Operations GmbH & Co. KG)
Task: {BF229E97-C8E8-4622-97C3-0905CCED380A} - System32\Tasks\Microsoft\Windows\UNP\RunCampaignManager => C:\Windows\System32\UNP\UNPCampaignManager.exe [2017-05-19] (Microsoft Corporation)
Task: {C05E2FFD-7D0D-4F6B-952B-A3318F829D19} - System32\Tasks\Microsoft\Windows\Management\Provisioning\Cellular => C:\Windows\system32\ProvTool.exe [2017-03-18] (Microsoft Corporation)
Task: {C0B2A3C7-43E2-4C76-9ADB-E74B08AC7E7F} - System32\Tasks\Microsoft\Windows\Subscription\LicenseAcquisition => C:\Windows\system32\ClipRenew.exe [2017-03-18] (Microsoft Corporation)
Task: {CEAB9AC9-96BF-45ED-ADB6-A63292F7EE6C} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\Windows\ehome\mcupdate.exe
Task: {CFE9501D-B60F-45DB-B48F-19C572F7F30E} - System32\Tasks\microsoft\windows\applicationdata\appuriverifierinstall => C:\Windows\system32\AppHostRegistrationVerifier.exe [2017-03-18] (Microsoft Corporation)
Task: {D5F76246-8A00-47F6-8479-48DF5D7B6D2C} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\Windows\ehome\ehPrivJob.exe
Task: {DD54A3A0-9F24-4E92-9EB2-C3A5952E0F08} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\Windows\ehome\ehPrivJob.exe
Task: {E1830EF2-3A71-4953-A81F-5D5AFE10C4A4} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\Windows\ehome\ehPrivJob.exe
Task: {E59E24E6-740E-459D-BFE1-D73596757634} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\Windows\ehome\ehPrivJob.exe
Task: {E974FF82-6E36-4B3E-BD13-BCB73DA01BFC} - System32\Tasks\Microsoft\XblGameSave\XblGameSaveTaskLogon => C:\Windows\System32\XblGameSaveTask.exe [2017-03-18] (Microsoft Corporation)
Task: {ECEE7BE4-B451-443E-9800-2D2386BEE5C8} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2534099351-527031699-1384085060-1000 => C:\Users\sheila\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe [2017-12-08] (Microsoft Corporation)
Task: {F573B34C-4AEF-4328-ACB6-19F601E5028F} - System32\Tasks\Microsoft\Windows\rempl\shell => C:\Program Files\rempl\remsh.exe [2018-01-13] (Microsoft Corporation)
Task: {FA967E7E-058A-4FAA-BBB9-2880A2F1DFCA} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\Windows\ehome\ehPrivJob.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-02-01 17:02 - 2014-05-15 11:25 - 00084616 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2016-06-17 12:43 - 2016-06-17 12:43 - 00145696 _____ () C:\Program Files\Softland\novaPDF 8\Server\AgileDotNetRT64.dll
2017-03-18 12:58 - 2017-03-18 12:58 - 00138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 12:59 - 2017-03-18 18:31 - 01731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-01-18 10:54 - 2018-01-18 10:54 - 00086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-01-18 10:54 - 2018-01-18 10:54 - 00195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-01-18 10:54 - 2018-01-18 10:54 - 24677376 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-01-03 03:00 - 2018-01-03 03:01 - 02550272 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\skypert.dll
2017-03-09 01:16 - 2017-03-09 01:16 - 00112264 _____ () C:\Windows\System32\IccLibDll_x64.dll
2017-12-08 08:54 - 2017-12-08 08:54 - 00102088 _____ () C:\Users\sheila\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\UpdateRingSettings.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Program Files\Microsoft Silverlight:Win32App_1
AlternateDataStreams: C:\Program Files\rempl:Win32App_1
AlternateDataStreams: C:\Program Files\UNP:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\GoToMyPC:Win32App_1
AlternateDataStreams: C:\Program Files (x86)\Microsoft Silverlight:Win32App_1
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NetSetupSvc => ""="Service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-0-0\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-0-0 (1)\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-2534099351-527031699-1384085060-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [WirelessDisplay-Infra-In-TCP] => (Allow) %systemroot%\system32\CastSrv.exe
FirewallRules: [{0B5A4C9F-0F44-49CF-8BC9-E8EAF3AD9D61}] => (Allow) LPort=8501
FirewallRules: [{AFDCC45A-9E5F-43DB-A217-A6F61934F3AE}] => (Allow) LPort=8501
FirewallRules: [{47911788-771A-4E65-88AF-E6D50B694081}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/19/2018 11:35:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: CoreMessaging.dll, version: 10.0.15063.675, time stamp: 0x61093a3b
Exception code: 0xc00001ad
Fault offset: 0x00013e36
Faulting process id: 0x1598
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (01/17/2018 09:06:41 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.15063.608 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 2284
 
Start Time: 01d38fb56945ddac
 
Termination Time: 58
 
Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
 
Report Id: 3667bc78-7b16-4fc7-a6fd-b1e41bcc41a1
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (01/16/2018 08:22:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: CoreMessaging.dll, version: 10.0.15063.675, time stamp: 0x61093a3b
Exception code: 0xc00001ad
Fault offset: 0x00013e36
Faulting process id: 0x1174
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (01/13/2018 10:43:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: CoreMessaging.dll, version: 10.0.15063.675, time stamp: 0x61093a3b
Exception code: 0xc00001ad
Fault offset: 0x00013e36
Faulting process id: 0x1710
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (01/13/2018 03:45:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: MSHTML.dll, version: 11.0.15063.786, time stamp: 0x1f4483fb
Exception code: 0xc0000005
Fault offset: 0x0057f2d8
Faulting process id: 0x2048
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (01/11/2018 10:48:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: jscript9.dll, version: 11.0.15063.786, time stamp: 0x421e432c
Exception code: 0xc0000005
Fault offset: 0x0015df51
Faulting process id: 0x17e4
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (01/09/2018 11:06:39 PM) (Source: Perflib) (EventID: 1023) (User: )
Description: W3SVC8
 
Error: (01/09/2018 11:06:38 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: aspnet_stateC:\Windows\System32\aspnet_counters.dll8
 
Error: (01/09/2018 11:06:38 PM) (Source: Perflib) (EventID: 1023) (User: )
Description: ASP.NET_64_2.0.507278
 
Error: (01/09/2018 11:06:38 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: ASP.NET_4.0.30319C:\Windows\System32\aspnet_counters.dll8
 
 
System errors:
=============
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® CPU G630 @ 2.70GHz
Percentage of memory in use: 52%
Total physical RAM: 4008.64 MB
Available physical RAM: 1901.07 MB
Total Virtual: 8104.64 MB
Available Virtual: 5436.14 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:464.84 GB) (Free:406.06 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 2F15F158)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=464.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=846 MB) - (Type=27)
 
==================== End of Addition.txt ============================

 



BC AdBot (Login to Remove)

 


#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 26 January 2018 - 06:55 AM

art_vendelay:

 
:welcome: to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum.  My name is Phil.  May I address you by your first name?
 
I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time.   Forum policy requires that I post within 48 hours after your last post, but I do endeavor to post within 24 hours of your last post.
 
I would ask that you please continue to copy and paste the contents of all requested log files directly into your replies.   Please do not use "code" or "quote" boxes.  Thank you for your anticipated cooperation.
 
I will need some time to review your FRST logs.  That could take a day or two.
 
PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#3 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 26 January 2018 - 07:57 AM

art_vandelay:
 
I just started to analyze your FRST log.  We have a problem. :(
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-12-2015

 
You ran a version of FRST64.exe that is over two years old!

FRST should have updated itself to the current version before you ran it.  Please go here and download the newest version of FRST and run a scan again.
 
Please copy and paste the contents of both the "FRST.txt" and "Addition.txt" scan files into your next reply.
 
Standing by.  Thank you and have a great day.
 
Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#4 art_vandelay

art_vandelay
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 26 January 2018 - 09:35 AM

OK thanks.  Here is FRST Log

===============================

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.01.2018
Ran by sheila (administrator) on SHEILA-PC (26-01-2018 06:29:11)
Running from C:\Users\sheila\Desktop\Spyware Tools
Loaded Profiles: sheila (Available Profiles: sheila)
Platform: Windows 10 Home Version 1703 15063.786 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2svc.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Microsoft) C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2comm.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2pre.exe
(Microsoft Corporation) C:\Windows\System32\wimserv.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2tray.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(CANON INC.) C:\Program Files (x86)\Canon\Quick Menu\CNQMUPDT.EXE
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2mainh.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2host.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2audioh.exe
(LogMeIn, Inc.) C:\Program Files (x86)\GoToMyPC\g2printh.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1285704 2014-08-08] (CANON INC.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-0-0\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [517120 2017-03-18] (Microsoft Corporation)
HKU\S-1-5-21-2534099351-527031699-1384085060-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [570880 2017-07-10] (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
Tcpip\..\Interfaces\{71c6a0b2-eadd-44b5-ace8-e6b9c8664eeb}: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.1.1
 
Internet Explorer:
==================
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-11-16] (Google Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-07-28] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-11-16] (Google Inc.)
BHO-x32: AviraBrowserSafety.BrowserSafety -> {c3c77255-42c0-499f-b664-6e981a0b1647} -> C:\WINDOWS\system32\mscoree.dll [2017-03-18] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-07-28] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-11-16] (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-11-16] (Google Inc.)
Toolbar: HKU\S-1-5-21-2534099351-527031699-1384085060-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-11-16] (Google Inc.)
Handler-x32: abs - {E00957BD-D0E1-4eb9-A025-7743FDC8B27B} - C:\WINDOWS\system32\mscoree.dll [2017-03-18] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\AjXNNDfR.default [2014-12-07]
FF Extension: (Avira Browser Safety) - C:\Users\sheila\AppData\Roaming\Mozilla\Firefox\Profiles\AjXNNDfR.default\Extensions\abs@avira.com [2015-12-05] [Legacy] [not signed]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-07-28] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2534099351-527031699-1384085060-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\sheila\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-10-25] (Unity Technologies ApS)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default [2017-12-16]
CHR Extension: (Google Docs) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-21]
CHR Extension: (Google Drive) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-12-02]
CHR Extension: (YouTube) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-04]
CHR Extension: (Google Search) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-12-02]
CHR Extension: (Google Docs Offline) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-04]
CHR Extension: (Gmail) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-26]
CHR Extension: (Chrome Media Router) - C:\Users\sheila\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-27]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [1128944 2017-12-13] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [492560 2018-01-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [492560 2018-01-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1526832 2017-12-13] (Avira Operations GmbH & Co. KG)
S2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [434248 2017-11-06] (Avira Operations GmbH & Co. KG)
R2 GoToMyPC; C:\Program Files (x86)\GoToMyPC\g2svc.exe [1892824 2017-11-27] (LogMeIn, Inc.)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [84616 2014-05-15] ()
R2 NovaPdfServer; C:\Program Files\Softland\novaPDF 8\Server\novapdfs.exe [51112 2016-06-17] (Microsoft)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [342264 2017-03-18] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [102816 2017-07-10] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avdevprot; C:\WINDOWS\System32\DRIVERS\avdevprot.sys [60920 2017-06-13] (Avira Operations GmbH & Co. KG)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [178840 2017-12-13] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [169376 2017-12-13] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [44488 2017-03-02] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\WINDOWS\system32\DRIVERS\avnetflt.sys [88488 2017-03-02] (Avira Operations GmbH & Co. KG)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-05-24] (Malwarebytes)
R2 monblanking; C:\WINDOWS\system32\DRIVERS\monblanking.sys [47696 2017-11-27] (LogMeIn, Inc)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [604160 2017-03-18] (Realtek )
S3 SDFRd; C:\WINDOWS\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44632 2017-03-18] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [294816 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [121248 2017-03-18] (Microsoft Corporation)
U4 aspnet_state; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-11 20:24 - 2018-01-19 12:25 - 000000000 ____D C:\Program Files\rempl
2018-01-09 13:31 - 2018-01-09 13:31 - 000000000 ___HD C:\ProgramData\CanonIJEGV
2017-12-30 00:25 - 2017-12-30 00:25 - 000000000 ____D C:\Windows.old
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-01-26 06:29 - 2015-06-30 20:13 - 000000000 ____D C:\FRST
2018-01-26 06:28 - 2015-06-30 20:13 - 000000000 ____D C:\Users\sheila\Desktop\Spyware Tools
2018-01-26 06:26 - 2017-08-27 14:08 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-01-26 04:57 - 2017-08-27 14:24 - 000004156 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{C2F9ADDE-17FA-4D6D-8533-F4AE1D3156F4}
2018-01-26 03:09 - 2017-03-18 13:03 - 000000000 ___HD C:\Program Files\WindowsApps
2018-01-26 03:09 - 2017-03-18 13:03 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-01-25 12:47 - 2017-03-18 13:01 - 000000000 ____D C:\WINDOWS\INF
2018-01-22 21:23 - 2016-02-01 17:02 - 000000000 ____D C:\ProgramData\CanonIJPLM
2018-01-09 23:06 - 2014-10-04 20:31 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-01-09 23:04 - 2017-10-11 02:59 - 129365736 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-01-09 23:04 - 2014-10-04 20:31 - 129365736 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-01-09 23:03 - 2017-03-18 12:51 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-01-08 18:55 - 2014-10-05 15:19 - 000002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-01-08 18:55 - 2014-10-05 15:19 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-12-31 18:15 - 2017-03-18 13:03 - 000000000 ____D C:\WINDOWS\rescache
2017-12-30 02:52 - 2017-08-09 13:50 - 000000000 ___DC C:\WINDOWS\Panther
2017-12-30 02:43 - 2017-08-27 14:29 - 000041913 _____ C:\WINDOWS\diagwrn.xml
2017-12-30 02:43 - 2017-08-27 14:29 - 000041913 _____ C:\WINDOWS\diagerr.xml
2017-12-30 02:08 - 2017-03-18 13:03 - 000000000 ____D C:\WINDOWS\Registration
2017-12-30 02:07 - 2017-09-29 07:04 - 000000000 ___HD C:\$WINDOWS.~BT
2017-12-29 23:44 - 2017-08-27 14:25 - 001018504 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-12-29 23:40 - 2016-02-13 05:20 - 000000000 __RHD C:\Users\Public\AccountPictures
2017-12-29 23:39 - 2017-08-27 14:11 - 000000000 ____D C:\Users\sheila
2017-12-29 23:38 - 2017-08-27 14:08 - 000217000 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-12-29 23:37 - 2017-08-27 14:24 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-12-29 23:37 - 2017-03-18 03:40 - 003407872 _____ C:\WINDOWS\system32\config\BBI
2017-12-29 23:36 - 2017-07-12 07:45 - 000000000 ___SD C:\WINDOWS\UpdateAssistantV2
2017-12-29 23:36 - 2017-03-18 13:03 - 000000000 ____D C:\WINDOWS\system32\oobe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
ATTENTION: ==> Could not access BCD. 
 
LastRegBack: 2018-01-18 11:07
 
==================== End of FRST.txt ============================
 
 
Addition.txt Log
==================================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21.01.2018
Ran by sheila (26-01-2018 06:30:30)
Running from C:\Users\sheila\Desktop\Spyware Tools
Windows 10 Home Version 1703 15063.786 (X64) (2017-08-27 22:33:23)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2534099351-527031699-1384085060-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2534099351-527031699-1384085060-503 - Limited - Disabled)
Guest (S-1-5-21-2534099351-527031699-1384085060-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2534099351-527031699-1384085060-1002 - Limited - Enabled)
sheila (S-1-5-21-2534099351-527031699-1384085060-1000 - Administrator - Enabled) => C:\Users\sheila
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Avira Antivirus (Enabled - Up to date) {B3F630BD-538D-1B4A-14FA-14B63235278F}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avira Antivirus (Enabled - Up to date) {0897D159-75B7-14C4-2E4A-2FC449B26D32}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
ATI Catalyst Install Manager (HKLM\...\{6E3D4FFE-9614-4E58-9DE2-F9A036EAD491}) (Version: 3.0.808.0 - ATI Technologies, Inc.)
Avira (HKLM-x32\...\{4BC30143-FC17-4BA0-96C3-11F21F026099}) (Version: 1.2.100.18354 - Avira Operations GmbH & Co. KG) Hidden
Avira (HKLM-x32\...\{638c58eb-e71e-4b96-8f16-c5a7dbc4293f}) (Version: 1.2.100.18354 - Avira Operations GmbH & Co. KG)
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.34.17 - Avira Operations GmbH & Co. KG)
Avira Browser Safety (HKLM-x32\...\{9E10EA90-5E97-43B7-A246-FC7B4F5E9493}) (Version: 1.4.5.509 - Avira Operations GmbH & Co KG)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.15.23 - Canon Inc.)
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: 4.3.0 - Canon Inc.)
Canon MX490 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX490_series) (Version: 1.00 - Canon Inc.)
Canon MX490 series On-screen Manual (HKLM-x32\...\Canon MX490 series On-screen Manual) (Version: 7.7.1 - Canon Inc.)
Canon MX490 series User Registration (HKLM-x32\...\Canon MX490 series User Registration) (Version:  - ‭Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.2.1 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.5.0 - Canon Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 63.0.3239.132 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{18455581-E099-4BA8-BC6B-F34B2F06600C}) (Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
GoToMyPC (HKLM\...\{A8C0EB0A-D66F-487B-8BA7-2A859268DC35}) (Version: 9.6.2220 - LogMeIn, Inc.)
GoToMyPC Print Assistant (HKLM\...\{57414DD3-55A7-4D2E-916F-2F1407AABE91}) (Version: 8.6.942 - Softland)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3347 - Intel Corporation)
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2534099351-527031699-1384085060-1000\...\OneDriveSetup.exe) (Version: 17.3.7131.1115 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
novaPDF 8 Printer Driver (HKLM\...\{1A9E9E77-B29B-47C6-ADEB-9E7D6F7A08CE}) (Version: 8.6.942 - Softland)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.46.610.2011 - Realtek)
Unity Web Player (HKU\S-1-5-21-2534099351-527031699-1384085060-1000\...\UnityWebPlayer) (Version: 5.3.7f1 - Unity Technologies ApS)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{EC5A6438-850E-4AD1-9169-DD071C8EFFEF}) (Version: 2.10.0.0 - Microsoft Corporation)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers1: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll [2017-12-13] (Avira Operations GmbH & Co. KG)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2017-03-09] (Intel Corporation)
ContextMenuHandlers6: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll [2017-12-13] (Avira Operations GmbH & Co. KG)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {05632703-FCFB-42CB-8059-FD6BF29B7F8D} - System32\Tasks\Avira SystrayStartTrigger => Avira.SystrayStartTrigger.exe
Task: {07DA66D6-EA60-4F49-98E4-60154777B94D} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {0BECEC76-D850-4690-AC6D-CC28C5EA2A26} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {0DC9C025-C19C-46E5-B16C-327F1D03D3C1} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {133AABA0-51E1-40FB-B384-00CEF8C502E0} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {210E27B5-0A31-4547-87BC-29BD68D546CB} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {2D44101B-F886-4625-878D-03CE78A02185} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {335924CF-DD36-41BA-BC31-F3708E1E6EA0} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {33D1E219-5083-4240-94E3-7046EC2096D8} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {3778E6DB-ABB5-4588-B69B-D9F7F9B49354} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {3797DAAC-2FA9-437A-A069-A0981BF9DD68} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {440120DA-B254-43D2-82AC-70CF01182F26} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {52CCD7F1-7681-4887-862A-A8ADA8A6CF05} - System32\Tasks\Avira_Antivirus_Systray => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [2017-12-13] (Avira Operations GmbH & Co. KG)
Task: {63ABBE93-A1B0-4DE1-BCDE-66EE049F6343} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-12] (Adobe Systems Incorporated)
Task: {68311F76-4593-4460-8549-175B1EB9E20A} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {895E5EEE-2D15-417F-B381-BD1289C26B05} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {8A0AC17B-DDF7-4E74-BE79-6FD6B767A22E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {905FAF0A-B8FE-4D7E-A406-879060FE6F28} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {943E96FA-4B63-4F35-A5BB-87CDBC450959} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {A9F28423-9083-4ACE-8B94-09246BAF6236} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {AAF93311-FCB4-4532-9F73-698CA0ACCBBA} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {AE7B1C8E-BC34-4D9C-A6D5-E51A660FE8E3} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {BD95C1FD-87C8-4697-BFB3-BBA9524A89EE} - System32\Tasks\Avira Browser Safety Updater Task => C:\Program Files (x86)\Avira\Browser Safety\AviraBrowserSafetyUpdater.exe [2015-03-11] (Avira Operations GmbH & Co. KG)
Task: {CEAB9AC9-96BF-45ED-ADB6-A63292F7EE6C} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {D5F76246-8A00-47F6-8479-48DF5D7B6D2C} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DD54A3A0-9F24-4E92-9EB2-C3A5952E0F08} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {E1830EF2-3A71-4953-A81F-5D5AFE10C4A4} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {E59E24E6-740E-459D-BFE1-D73596757634} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {FA967E7E-058A-4FAA-BBB9-2880A2F1DFCA} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-02-01 17:02 - 2014-05-15 11:25 - 000084616 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2016-06-17 12:43 - 2016-06-17 12:43 - 000145696 _____ () C:\Program Files\Softland\novaPDF 8\Server\AgileDotNetRT64.dll
2017-03-18 12:58 - 2017-03-18 12:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 12:59 - 2017-03-18 18:31 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-01-18 10:54 - 2018-01-18 10:54 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-01-18 10:54 - 2018-01-18 10:54 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-01-18 10:54 - 2018-01-18 10:54 - 024677376 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-01-03 03:00 - 2018-01-03 03:01 - 002550272 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.13.274.0_x64__kzf8qxf38zg5c\skypert.dll
2017-03-09 01:16 - 2017-03-09 01:16 - 000112264 _____ () C:\Windows\System32\IccLibDll_x64.dll
2017-12-08 08:54 - 2017-12-08 08:54 - 000102088 _____ () C:\Users\sheila\AppData\Local\Microsoft\OneDrive\17.3.7131.1115\UpdateRingSettings.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 18:34 - 2015-12-03 08:56 - 000000027 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-0-0\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-0-0 (1)\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-2534099351-527031699-1384085060-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{0B5A4C9F-0F44-49CF-8BC9-E8EAF3AD9D61}] => (Allow) LPort=8501
FirewallRules: [{AFDCC45A-9E5F-43DB-A217-A6F61934F3AE}] => (Allow) LPort=8501
FirewallRules: [{47911788-771A-4E65-88AF-E6D50B694081}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
09-01-2018 23:03:15 Windows Update
13-01-2018 19:57:01 Windows Update
16-01-2018 21:06:23 Windows Update
21-01-2018 11:28:33 Windows Update
24-01-2018 14:34:29 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/25/2018 11:31:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: ntdll.dll, version: 10.0.15063.608, time stamp: 0x802f667e
Exception code: 0xc0000374
Fault offset: 0x000d9aba
Faulting process id: 0x1db4
Faulting application start time: 0x01d39664db390c65
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 9c9b4d3d-4e80-43b0-bd87-6540d5fb0cbb
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/24/2018 05:23:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: MSHTML.dll, version: 11.0.15063.786, time stamp: 0x1f4483fb
Exception code: 0xc0000005
Fault offset: 0x0069ad86
Faulting process id: 0xc3c
Faulting application start time: 0x01d39579242dbfa4
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\MSHTML.dll
Report Id: 0963aa05-0631-40f2-92a1-e572b65d35fd
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/24/2018 05:09:18 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: MSHTML.dll, version: 11.0.15063.786, time stamp: 0x1f4483fb
Exception code: 0xc0000005
Fault offset: 0x0069ad86
Faulting process id: 0x1a94
Faulting application start time: 0x01d395735b6d7995
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\MSHTML.dll
Report Id: f357cd66-f0ea-4600-b9d4-1a4ce4e5d632
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/24/2018 01:48:49 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.15063.608 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 280
 
Start Time: 01d3955c5c7c638c
 
Termination Time: 45
 
Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
 
Report Id: eb1aa923-14b3-4b9b-9e0c-9e007101c344
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (01/19/2018 11:35:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: CoreMessaging.dll, version: 10.0.15063.675, time stamp: 0x61093a3b
Exception code: 0xc00001ad
Fault offset: 0x00013e36
Faulting process id: 0x1598
Faulting application start time: 0x01d391c04ca2d81c
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\System32\CoreMessaging.dll
Report Id: 308c8156-415f-4066-a587-65340270ec5c
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/17/2018 09:06:41 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.15063.608 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 2284
 
Start Time: 01d38fb56945ddac
 
Termination Time: 58
 
Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
 
Report Id: 3667bc78-7b16-4fc7-a6fd-b1e41bcc41a1
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (01/16/2018 08:22:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: CoreMessaging.dll, version: 10.0.15063.675, time stamp: 0x61093a3b
Exception code: 0xc00001ad
Fault offset: 0x00013e36
Faulting process id: 0x1174
Faulting application start time: 0x01d38f498f23addb
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\System32\CoreMessaging.dll
Report Id: fc23532f-8b79-4cb2-a9db-c68ded506d98
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/13/2018 10:43:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: CoreMessaging.dll, version: 10.0.15063.675, time stamp: 0x61093a3b
Exception code: 0xc00001ad
Fault offset: 0x00013e36
Faulting process id: 0x1710
Faulting application start time: 0x01d38d019eabdfbf
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\System32\CoreMessaging.dll
Report Id: b38ea97a-d938-43f5-90d7-a7dfc4931670
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/13/2018 03:45:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: MSHTML.dll, version: 11.0.15063.786, time stamp: 0x1f4483fb
Exception code: 0xc0000005
Fault offset: 0x0057f2d8
Faulting process id: 0x2048
Faulting application start time: 0x01d38cc6fd018684
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\MSHTML.dll
Report Id: 6a461700-6b18-43c5-bd48-ae2d34e0f82d
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (01/11/2018 10:48:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.15063.608, time stamp: 0x324c3bf4
Faulting module name: jscript9.dll, version: 11.0.15063.786, time stamp: 0x421e432c
Exception code: 0xc0000005
Fault offset: 0x0015df51
Faulting process id: 0x17e4
Faulting application start time: 0x01d38b0bcb2b4f29
Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Faulting module path: C:\Windows\System32\jscript9.dll
Report Id: 0538acb9-63dd-4041-af5e-d9eb0c4adf94
Faulting package full name: 
Faulting package-relative application ID:
 
 
System errors:
=============
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:16 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
Error: (01/19/2018 12:25:15 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
Incorrect function.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® CPU G630 @ 2.70GHz
Percentage of memory in use: 54%
Total physical RAM: 4008.64 MB
Available physical RAM: 1840.95 MB
Total Virtual: 8104.64 MB
Available Virtual: 5418.37 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:464.84 GB) (Free:406.71 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 2F15F158)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=464.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=846 MB) - (Type=27)
 
==================== End of Addition.txt ============================


#5 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 26 January 2018 - 10:18 AM

art_vandelay:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools. Malware removal can cause unpredictable and unintended issues.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get if functioning properly again. That is my only aim.

.

OK, let's get started ...

.

I am not seeing active malware in the FRST log. There is one file that I would like to check and an "orphaned" driver. The FRST "fixlist" script will cure those problems and also remove temporary files that may have accumulated. Given the specs of this computer, you can expect that it would be slow running Windows 10. It just doesn't have the horsepower to run Windows 10 with any degree of speed.

:step1: Please run a FRST fix for me.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
U4 aspnet_state; no ImagePath
File: C:\Program Files\Softland\novaPDF 8\Server\AgileDotNetRT64.dll
EmptyTemp:
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST64.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

:step2: My big concern is the event log errors which indicate that the Windows OS might be corrupted. I also note that the Windows 10 Build is 1703 and it should be Build 1709 (Fall Creators Update). Before we tackle that issue, I would like to run some standard anti-malware scans. There is no point in trying to fix the Windows 10 install, if there is possibly malware on the computer. The possible OS corruption could explain the issues that are being experienced. FRST does not detect all malware, which is why I am asking you to please run the following scans for me.

ESET Online Scanner using Internet Explorer:

Note: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step3: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended).
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

:step4: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
  • After the scan has finished ...
  • Uncheck any PUP and adware applications that you want to keep.


If you are unsure about one or more of the detected programs, then please copy and paste the scan log, with your questions, and I will provide you with advice about those files.
The Scan logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Do not follow the remaining "Clean" instructions until directed to do so by me, if you have any questions about one or more of the detections.
If you have no questions about any of the detections, then please proceed to the "Clean" steps below.

  • Then click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#6 art_vandelay

art_vandelay
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 28 January 2018 - 10:00 PM

Thanks for the help:

 

**ESET Scanner didn't find anything

 

** Logs below for FRST fixlog, MalwareBytes, AdwCleaner.

 

 

Fixlog.txt

==================

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by sheila (27-01-2018 17:16:51) Run:5
Running from C:\Users\sheila\Desktop\Spyware Tools
Loaded Profiles: sheila (Available Profiles: sheila)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
U4 aspnet_state; no ImagePath
File: C:\Program Files\Softland\novaPDF 8\Server\AgileDotNetRT64.dll
EmptyTemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\System\CurrentControlSet\Services\aspnet_state" => removed successfully
aspnet_state => service removed successfully
 
========================= File: C:\Program Files\Softland\novaPDF 8\Server\AgileDotNetRT64.dll ========================
 
C:\Program Files\Softland\novaPDF 8\Server\AgileDotNetRT64.dll
File is digitally signed
MD5: 27B0885907ABC5A414A92DCACCCD5FE6
Creation and modification date: 2016-06-17 12:43 - 2016-06-17 12:43
Size: 000145696
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 6, 3, 0, 17
Product Version: 6, 3, 0, 17
Copyright: 
 
====== End of File: ======
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 92226377 B
Java, Flash, Steam htmlcache => 113633 B
Windows/system/drivers => 162385658 B
Edge => 30769456 B
Chrome => 310485704 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 7382 B
NetworkService => 2744 B
sheila => 650264357 B
 
RecycleBin => 0 B
EmptyTemp: => 1.2 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 17:22:16 ====
 
MalWareBytes Log
==============================
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 1/28/18
Scan Time: 5:49 PM
Log File: b3bc588a-0496-11e8-8e98-d4bed9bea717.json
Administrator: Yes
 
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3809
License: Trial
 
-System Information-
OS: Windows 10 (Build 15063.786)
CPU: x64
File System: NTFS
User: SHEILA-PC\sheila
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 285624
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 9 min, 5 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
=================================
 
AdwCleaner[S6] Log
==================================
 
 
# AdwCleaner 7.0.7.0 - Logfile created on Mon Jan 29 02:16:37 2018
# Updated on 2018/18/01 by Malwarebytes 
# Database: 01-26-2018.4
# Running on Windows 10 Home (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ak.staticimgfarm.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cmptch.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d10lpsik1i8c69.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d2clb17djs2kjo.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d2m2wsoho8qq12.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d2tga22ew68ie7.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d3l3lkinz3f56t.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dotomi.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\getvideoconvert.dl.tb.ask.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nicerdays.org
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\plarium.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.cmptch.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.azlyrics.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.metrolyrics.com
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d1eyd0ubk0bkpv.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d1eyd0ubk0bkpv.cloudfront.net
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
PUP.Optional.DriverAgent, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driversupport.com
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[C1].txt - [4358 B] - [2016/7/28 16:29:5]
C:/AdwCleaner/AdwCleaner[C5].txt - [1210 B] - [2015/12/7 5:27:29]
C:/AdwCleaner/AdwCleaner[C6].txt - [775 B] - [2015/12/7 5:51:7]
C:/AdwCleaner/AdwCleaner[S0].txt - [1452 B] - [2015/7/4 4:15:36]
C:/AdwCleaner/AdwCleaner[S1].txt - [5106 B] - [2015/7/4 4:22:22]
C:/AdwCleaner/AdwCleaner[S2].txt - [1466 B] - [2015/7/7 13:49:29]
C:/AdwCleaner/AdwCleaner[S3].txt - [1268 B] - [2015/7/11 15:18:53]
C:/AdwCleaner/AdwCleaner[S5].txt - [1094 B] - [2015/12/7 5:25:59]
C:/AdwCleaner/AdwCleaner[S6].txt - [683 B] - [2015/12/7 5:50:25]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S6].txt ##########
 
# AdwCleaner 7.0.7.0 - Logfile created on Mon Jan 29 02:20:59 2018
# Updated on 2018/18/01 by Malwarebytes 
# Running on Windows 10 Home (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
No malicious folders deleted.
 
***** [ Files ] *****
 
No malicious files deleted.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks deleted.
 
***** [ Registry ] *****
 
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ak.staticimgfarm.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cmptch.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d10lpsik1i8c69.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d2clb17djs2kjo.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d2m2wsoho8qq12.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d2tga22ew68ie7.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d3l3lkinz3f56t.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dotomi.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\getvideoconvert.dl.tb.ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nicerdays.org
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\plarium.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.cmptch.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\staticimgfarm.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ttdetect.staticimgfarm.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.azlyrics.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.metrolyrics.com
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\d1eyd0ubk0bkpv.cloudfront.net
Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\d1eyd0ubk0bkpv.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driversupport.com
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[C1].txt - [4358 B] - [2016/7/28 16:29:5]
C:/AdwCleaner/AdwCleaner[C5].txt - [1210 B] - [2015/12/7 5:27:29]
C:/AdwCleaner/AdwCleaner[C6].txt - [775 B] - [2015/12/7 5:51:7]
C:/AdwCleaner/AdwCleaner[S0].txt - [1452 B] - [2015/7/4 4:15:36]
C:/AdwCleaner/AdwCleaner[S1].txt - [5106 B] - [2015/7/4 4:22:22]
C:/AdwCleaner/AdwCleaner[S2].txt - [1466 B] - [2015/7/7 13:49:29]
C:/AdwCleaner/AdwCleaner[S3].txt - [1268 B] - [2015/7/11 15:18:53]
C:/AdwCleaner/AdwCleaner[S5].txt - [1094 B] - [2015/12/7 5:25:59]
C:/AdwCleaner/AdwCleaner[S6].txt - [4317 B] - [2015/12/7 5:50:25]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt ##########
 


#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 29 January 2018 - 01:12 PM

art_vandelay:
 
Thank you for your post and for running those scans.  Some nuisance malware was detected and eliminated, but nothing serious.
 
.
 
:step1: Please run a System File Checker (SFC) scan to assess the integrity of the Windows file system.

  • Click on the "Start" button.
  • In the "search" box at the bottom, type cmd.
  • Look for Cmd.exe to appear at the top of the menu.
  • Right-click on cmd.exe and choose Run As Administrator.
  • Type sfc /scannow. Ensure that there is a space between "sfc" and "/scannow"
  • The scan will start and may take from 20 minutes to an hour to run.
  • Please report the results from the System File Checker in your next post. Does it report "No Resource Integrity Violations Found", "Errors Repaired", or "Unable to Repair", or words to that effect?
  • If System File Checker reports that some errors were corrected, and some errors were not corrected, please re-run the System File Checker again, as it does happen that it can not fix all of the errors detected in a single run.
  • If it again reports that some errors were corrected, and some errors were not corrected, please run it a third time.

If SFC continues to report uncorrectable errors, please immediately navigate to the folder: C:\Windows\Logs\CBS, locate the file "CBS.log", and copy, not move it, to your Desktop. That file is "volatile", so we need to ensure that it is not overwritten with new results.

.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#8 art_vandelay

art_vandelay
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 29 January 2018 - 03:19 PM

OK, just ran it.   It did not find any integrity violations.  Created a copy of CBS.log and moved it to the desktop.  Let me know what is next.



#9 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 30 January 2018 - 11:01 AM

art_vandelay:

 

Thank you for your post.  That is GREAT news that the SFC scan did not find any resource integrity violations! :thumbup2:  I was not expecting that result, but I am happy about it.

 

We won't need the CBS log because no problems were detected.  You can just move that log back to the CBS folder.

 

How is your mother's computer working now?  If there are still issues, please describe them in as much detail as possible and provide any possible error codes or error messages.  Are certain programs not working correctly?  Are there browser issues?

 

Any information that you can provide will help me to try to identify a cause, and a solution.

 

Thank you and have a great day.

 

Regards,

-Phil

 

 


Member of the Unified Network of Instructors and Trusted Eliminators


#10 art_vandelay

art_vandelay
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:04:43 PM

Posted 31 January 2018 - 11:44 AM

You can probably close this for now.  I checked in with her and she said that it seems to be working better.  Thanks for your help.



#11 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 01 February 2018 - 05:37 AM

art_vandelay:
 
Thank you for your post.  That is great news that your mother's computer is working fine.  :thumbup2:

.

:step1: We will now remove the tools we used during this fix using Delfix.

bwebb7v.jpgDownload Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
    delfix.jpg
  • Click the Run button.

When the tool is finished, a log will open in notepad. Please copy and paste the log in your next reply.

.

:step2: . . . Some Final Advice . . .

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to project yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems' such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows Vista or later is fine) and leaving it on, and using and keeping up-to-date an antivirus solution such as Bitdefender. Antiviral solutions don't even have to cost money; later versions of Windows Defender provide perfectly acceptable protection for free. If for some reason you don't like Windows Defender, there are other free products available as well:

  • Avira (shows nag screen to purchase full product when updating, home use only)
  • Bitdefender Free (home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

If you want more information on methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

.

It has been a pleasure assisting you and I hope that your mother will avoid any further infections in the future. Your most important protection step is to ALWAYS HAVE MORE THAN ONE RECENT BACKUP OF YOUR ENTIRE SYSTEM on an external drive that is only connected to your computer long enough to backup or restore. I do system images weekly. With the free backup software out there (Easeus ToDo Backup Home, Macrium Reflect, etc.), and the very reasonable prices for external USB hard drives, there is no reason to not have a backup.

Please copy and paste the contents of the Delfix log into your next reply. If that looks good, then we can conclude your topic.

On behalf of the Bleeping Computer Community, thank you for choosing BC to assist you with your mother's computer issues, I hope that she will stay safe out there in cyberspace, and have a great day.

Regards,
-Phil
 


Member of the Unified Network of Instructors and Trusted Eliminators


#12 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 04 February 2018 - 05:18 AM

art_vandelay:

 
Are you still there?  Do you still require assistance?  It has been three days since I last posted to you.
 
According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#13 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,734 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:08:43 PM

Posted 06 February 2018 - 12:56 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Member of the Unified Network of Instructors and Trusted Eliminators





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users