USB Infection (Recycler folder and open to shortcut (1)..(4))


  • This topic is locked
9 replies to this topic

#1 alvaro0114

alvaro0114

  • Members
  • 43 posts

Posted 05 April 2018 - 08:50 AM

Hello BleepingComputer:

Before anything, I want to say thank you in advance.

I believe my USB got infected yesterday when I used it elsewhere to download a program, because once I got home, I opened up the USB and I not only had the new program but also the RECYCLER folder and the "open to shortcut (1) (2) (3) (4)" .lnk files. My antivirus was off on purpose to download.

I did not drag it to my desktop, but I did open the Recycler folder, which had a bunch of folders and files with rare names. I knew it was something else, so what I did was turn on my antivirus again (Windows Defender), which told me that "open to shortcut (1)..(4)" were infected, so I deleted them.

Then I used cmd and attrib. Once I did that, an autorun.inf file popped up inside my USB (H:), and then I did another one and a new folder was also in it, called System Volume Information. I could not delete that one, so I used cmd.

I want to be sure my computer is not vulnerable or infected.

Thank you

Here are both FRST logs:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
Ran by Alvaro (administrator) on DESKTOP-IFHSKRC (05-04-2018 09:30:58)
Running from C:\Users\Alvaro\Downloads
Loaded Profiles: Alvaro (Available Profiles: Alvaro & Administrator)
Platform: Windows 10 Home Version 1709 16299.192 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(HP) C:\Windows\System32\HP3DDGService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
() C:\Program Files\AVAST Software\SecureLine\vpnsvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18022-0\MsMpEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17007.18022-0\NisSrv.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
(Power Software Ltd) C:\Program Files\PowerISO\PWRISOVM.EXE
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam6\YouCamService6.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(AVAST Software) C:\Program Files\AVAST Software\SecureLine\secureline.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8520448 2015-08-17] (Realtek Semiconductor)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe [653576 2015-06-29] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [PowerDVD14Agent] => C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe [795336 2015-07-23] (CyberLink Corp.)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files\PowerISO\PWRISOVM.EXE [455816 2017-02-02] (Power Software Ltd)
HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9856176 2017-09-20] (Piriform Ltd)
HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\...\MountPoints2: E - "E:\instalar.exe"
Startup: C:\Users\Alvaro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enviar a OneNote.lnk [2017-08-21]
ShortcutTarget: Enviar a OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.10.1
Tcpip\..\Interfaces\{754fd046-b70d-4ceb-9bb3-7cf05b297ad9}: [DhcpNameServer] 192.168.10.1
Tcpip\..\Interfaces\{75a584d6-cb16-49f7-aa32-c07a646d425d}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{f00246df-988a-443d-92c2-e2778a910538}: [DhcpNameServer] 40.23.1.11

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ar.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_17&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BtDyD0A0D0A0D0B0CzyyDyEtCtDtCtAtN0D0Tzu0StCzyyEyCtN1L2XzutAtFtBzytFtAtFyCtCtN1L1Czu1ByCtN1L1G1B1V1N2Y1L1Qzu2SyD0A0EyC0B0DyDyEtGtByE0E0DtG0Dzy0FtBtGtC0ByD0EtGzzyBtB0FyB0CtDzytBtC0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDtD0FyBzyyEtCtGzz0EyDtBtGyE0AtA0AtG0A0D0DtAtGzz0FtDtDzy0AtCyD0EtAyE0B2QtN0A0LzuyE%26cr%3D1505578800%26a%3Dwbf_ir_17_17%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://ar.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_17&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BtDyD0A0D0A0D0B0CzyyDyEtCtDtCtAtN0D0Tzu0StCzyyEyCtN1L2XzutAtFtBzytFtAtFyCtCtN1L1Czu1ByCtN1L1G1B1V1N2Y1L1Qzu2SyD0A0EyC0B0DyDyEtGtByE0E0DtG0Dzy0FtBtGtC0ByD0EtGzzyBtB0FyB0CtDzytBtC0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDtD0FyBzyyEtCtGzz0EyDtBtGyE0AtA0AtG0A0D0DtAtGzz0FtDtDzy0AtCyD0EtAyE0B2QtN0A0LzuyE%26cr%3D1505578800%26a%3Dwbf_ir_17_17%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
SearchScopes: HKLM -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_17&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BtDyD0A0D0A0D0B0CzyyDyEtCtDtCtAtN0D0Tzu0StCzyyEyCtN1L2XzutAtFtBzytFtAtFyCtCtN1L1Czu1ByCtN1L1G1B1V1N2Y1L1Qzu2SyD0A0EyC0B0DyDyEtGtByE0E0DtG0Dzy0FtBtGtC0ByD0EtGzzyBtB0FyB0CtDzytBtC0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDtD0FyBzyyEtCtGzz0EyDtBtGyE0AtA0AtG0A0D0DtAtGzz0FtDtDzy0AtCyD0EtAyE0B2QtN0A0LzuyE%26cr%3D1505578800%26a%3Dwbf_ir_17_17%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_17&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BtDyD0A0D0A0D0B0CzyyDyEtCtDtCtAtN0D0Tzu0StCzyyEyCtN1L2XzutAtFtBzytFtAtFyCtCtN1L1Czu1ByCtN1L1G1B1V1N2Y1L1Qzu2SyD0A0EyC0B0DyDyEtGtByE0E0DtG0Dzy0FtBtGtC0ByD0EtGzzyBtB0FyB0CtDzytBtC0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDtD0FyBzyyEtCtGzz0EyDtBtGyE0AtA0AtG0A0D0DtAtGzz0FtDtDzy0AtCyD0EtAyE0B2QtN0A0LzuyE%26cr%3D1505578800%26a%3Dwbf_ir_17_17%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_17&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BtDyD0A0D0A0D0B0CzyyDyEtCtDtCtAtN0D0Tzu0StCzyyEyCtN1L2XzutAtFtBzytFtAtFyCtCtN1L1Czu1ByCtN1L1G1B1V1N2Y1L1Qzu2SyD0A0EyC0B0DyDyEtGtByE0E0DtG0Dzy0FtBtGtC0ByD0EtGzzyBtB0FyB0CtDzytBtC0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDtD0FyBzyyEtCtGzz0EyDtBtGyE0AtA0AtG0A0D0DtAtGzz0FtDtDzy0AtCyD0EtAyE0B2QtN0A0LzuyE%26cr%3D1505578800%26a%3Dwbf_ir_17_17%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {484F7148-2235-431A-8995-35D2FDEAE44F} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1371854649-3712086544-3624237114-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_17&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BtDyD0A0D0A0D0B0CzyyDyEtCtDtCtAtN0D0Tzu0StCzyyEyCtN1L2XzutAtFtBzytFtAtFyCtCtN1L1Czu1ByCtN1L1G1B1V1N2Y1L1Qzu2SyD0A0EyC0B0DyDyEtGtByE0E0DtG0Dzy0FtBtGtC0ByD0EtGzzyBtB0FyB0CtDzytBtC0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDtD0FyBzyyEtCtGzz0EyDtBtGyE0AtA0AtG0A0D0DtAtGzz0FtDtDzy0AtCyD0EtAyE0B2QtN0A0LzuyE%26cr%3D1505578800%26a%3Dwbf_ir_17_17%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1371854649-3712086544-3624237114-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ar.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_17&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dar%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BtDyD0A0D0A0D0B0CzyyDyEtCtDtCtAtN0D0Tzu0StCzyyEyCtN1L2XzutAtFtBzytFtAtFyCtCtN1L1Czu1ByCtN1L1G1B1V1N2Y1L1Qzu2SyD0A0EyC0B0DyDyEtGtByE0E0DtG0Dzy0FtBtGtC0ByD0EtGzzyBtB0FyB0CtDzytBtC0E0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyDtD0FyBzyyEtCtGzz0EyDtBtGyE0AtA0AtG0A0D0DtAtGzz0FtDtDzy0AtCyD0EtAyE0B2QtN0A0LzuyE%26cr%3D1505578800%26a%3Dwbf_ir_17_17%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1371854649-3712086544-3624237114-1001 -> {484F7148-2235-431A-8995-35D2FDEAE44F} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2018-01-24] (Microsoft Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2015-04-30] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2016-07-21] (HP Inc.)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-24] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-24] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-24] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2018-01-24] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: n2jy4c4q.default
FF ProfilePath: C:\Users\Alvaro\AppData\Roaming\Mozilla\Firefox\Profiles\n2jy4c4q.default [2018-04-05]
FF Homepage: Mozilla\Firefox\Profiles\n2jy4c4q.default -> google.com/
FF Extension: (All Aboard) - C:\Users\Alvaro\AppData\Roaming\Mozilla\Firefox\Profiles\n2jy4c4q.default\Extensions\@all-aboard-v1-5.xpi [2017-05-14] [Legacy]
FF Extension: (MEGA) - C:\Users\Alvaro\AppData\Roaming\Mozilla\Firefox\Profiles\n2jy4c4q.default\Extensions\firefox@mega.co.nz.xpi [2018-03-29]
FF SearchPlugin: C:\Users\Alvaro\AppData\Roaming\Mozilla\Firefox\Profiles\n2jy4c4q.default\searchplugins\yahoo! powered.xml [2017-04-30]
FF Extension: (All Aboard) - C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\@all-aboard-v1-5 [2016-12-05] [Legacy]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1217157.dll [2015-02-05] (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.68 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2015-04-21] (Intel Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-01-24] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-27] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BcmBtRSupport; C:\WINDOWS\system32\BtwRSupportService.exe [2286848 2016-12-03] (Broadcom Corporation.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7780528 2018-01-15] (Microsoft Corporation)
R2 hp3ddgsrv; C:\WINDOWS\system32\HP3DDGService.exe [130072 2018-01-13] (HP)
R2 HPSupportSolutionsFrameworkService; c:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [332144 2017-11-21] (HP Inc.)
R2 HPWMISVC; c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe [602888 2015-06-29] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [18856 2015-06-23] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [350312 2015-07-27] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [881152 2015-05-22] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [223520 2015-07-11] (Intel Corporation)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [306944 2015-08-17] (Realtek Semiconductor)
R2 SecureLine; C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe [592392 2017-08-16] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [278616 2018-01-13] (Synaptics Incorporated)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\NisSrv.exe [356152 2018-03-29] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MsMpEng.exe [106280 2018-03-29] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Accelerometer; C:\WINDOWS\system32\DRIVERS\Accelerometer.sys [53760 2017-12-18] (HP)
R3 bcbtums; C:\WINDOWS\system32\drivers\bcbtums.sys [208176 2016-12-03] (Broadcom Corporation.)
R3 BCMWL63A; C:\WINDOWS\system32\DRIVERS\bcmwl63a.sys [11794376 2018-01-13] (Broadcom Corp)
R3 clwvd6; C:\WINDOWS\system32\DRIVERS\clwvd6.sys [41704 2013-10-29] (CyberLink Corporation)
R0 hpdskflt; C:\WINDOWS\System32\DRIVERS\hpdskflt.sys [39936 2017-12-18] (HP)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [886528 2015-07-19] (Realtek )
R3 RTSPER; C:\WINDOWS\system32\DRIVERS\RtsPer.sys [752856 2015-07-19] (Realsil Semiconductor Corporation)
S3 SmbDrv; C:\WINDOWS\System32\drivers\Smb_driver_AMDASF.sys [33448 2015-07-27] (Synaptics Incorporated)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [55384 2018-01-13] (Synaptics Incorporated)
S3 usbrndis6; C:\WINDOWS\System32\drivers\usb80236.sys [23040 2017-09-29] (Microsoft Corporation)
R3 VBoxNetAdp; C:\WINDOWS\system32\DRIVERS\VBoxNetAdp6.sys [200832 2018-01-15] (Oracle Corporation)
R1 VBoxNetLwf; C:\WINDOWS\system32\DRIVERS\VBoxNetLwf.sys [211704 2018-01-15] (Oracle Corporation)
R3 VirtualButtons; C:\WINDOWS\System32\drivers\VirtualButtons.sys [41992 2018-01-13] (Intel Corporation)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46072 2018-03-29] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [288296 2018-03-29] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [129568 2018-03-29] (Microsoft Corporation)
R3 WirelessButtonDriver64; C:\WINDOWS\System32\drivers\WirelessButtonDriver64.sys [30368 2018-01-13] (HP)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-05 09:30 - 2018-04-05 09:32 - 000018175 _____ C:\Users\Alvaro\Downloads\FRST.txt
2018-04-05 09:29 - 2018-04-05 09:30 - 000000000 ____D C:\FRST
2018-04-05 09:26 - 2018-04-05 09:26 - 002403328 _____ (Farbar) C:\Users\Alvaro\Downloads\FRST64.exe
2018-04-04 22:40 - 2018-04-04 22:40 - 000242992 _____ C:\WINDOWS\ntbtlog.txt
2018-04-04 22:40 - 2018-04-04 22:40 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2018-04-04 10:47 - 2018-04-04 10:47 - 000000000 ____H C:\Users\Alvaro\BIT8FEA.tmp
2018-03-30 11:50 - 2018-03-30 11:50 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PyScripter-x64
2018-03-30 11:49 - 2018-03-30 12:07 - 000000000 ____D C:\Users\Alvaro\AppData\Roaming\PyScripter
2018-03-30 11:49 - 2018-03-30 11:49 - 000000000 ____D C:\Program Files\PyScripter
2018-03-30 11:46 - 2018-03-30 11:47 - 009159494 _____ (PyScripter ) C:\Users\Alvaro\Downloads\PyScripter-v3.3.1-x64-Setup.exe
2018-03-29 14:54 - 2018-03-29 14:54 - 000001487 _____ C:\Users\Alvaro\Desktop\Python 3.6 (64-bit) (2).lnk
2018-03-29 10:32 - 2018-03-29 14:54 - 000000000 ____D C:\Users\Alvaro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Python 3.6
2018-03-29 10:31 - 2018-03-29 10:31 - 000000000 ____D C:\Users\Alvaro\AppData\Local\Package Cache
2018-03-29 10:14 - 2018-03-29 10:17 - 031776112 _____ (Python Software Foundation) C:\Users\Alvaro\Downloads\python-3.6.5-amd64.exe
2018-03-28 16:08 - 2018-03-28 16:08 - 000897688 _____ (Python Software Foundation) C:\WINDOWS\pyw.exe
2018-03-28 16:08 - 2018-03-28 16:08 - 000897688 _____ (Python Software Foundation) C:\WINDOWS\py.exe
2018-03-23 11:13 - 2018-03-23 11:13 - 000000017 _____ C:\Users\Alvaro\AppData\Local\resmon.resmoncfg
2018-03-14 03:13 - 2018-03-14 03:13 - 000059040 _____ (Python Software Foundation) C:\WINDOWS\pyshellext.amd64.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-04-05 09:21 - 2018-01-13 18:34 - 000004170 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{6B761E5F-8B8F-424F-B5CA-6381A9B2A25F}
2018-04-05 09:21 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-04-05 09:20 - 2016-12-07 01:13 - 000000000 ____D C:\Users\Alvaro\AppData\LocalLow\Mozilla
2018-04-05 09:18 - 2016-12-03 17:13 - 000000000 ____D C:\Users\Alvaro\Documents\YouCam
2018-04-05 09:17 - 2018-01-13 19:37 - 000000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2018-04-05 09:17 - 2016-12-03 17:12 - 000000000 __SHD C:\Users\Alvaro\IntelGraphicsProfiles
2018-04-04 22:50 - 2015-07-16 02:09 - 001233348 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-04-04 22:45 - 2018-01-13 18:34 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-04-04 22:44 - 2017-09-29 04:45 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-04-04 22:37 - 2018-01-13 15:29 - 000000000 ___DC C:\WINDOWS\Panther
2018-04-04 21:58 - 2017-09-29 09:44 - 000000000 ____D C:\WINDOWS\INF
2018-04-04 13:27 - 2017-09-29 09:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-04-04 13:27 - 2016-12-03 17:12 - 000000000 ____D C:\Users\Alvaro\AppData\Local\Packages
2018-04-04 13:25 - 2018-01-24 13:04 - 000000368 _____ C:\WINDOWS\Tasks\HPCeeScheduleForAlvaro.job
2018-04-04 13:25 - 2017-09-29 09:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-04-04 13:25 - 2015-10-28 19:56 - 000000000 ____D C:\ProgramData\mcafee
2018-04-04 13:19 - 2017-09-29 04:45 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2018-04-04 12:46 - 2018-01-24 22:43 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-04-04 10:47 - 2018-01-24 13:04 - 000003264 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForAlvaro
2018-04-04 10:47 - 2018-01-13 18:19 - 000000000 ____D C:\Users\Alvaro
2018-03-30 14:34 - 2018-01-24 13:19 - 000000000 ____D C:\Users\Alvaro\.VirtualBox
2018-03-30 11:44 - 2017-09-29 09:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-03-30 11:37 - 2018-01-13 18:34 - 000003380 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1371854649-3712086544-3624237114-1001
2018-03-30 11:37 - 2016-12-03 17:17 - 000002377 _____ C:\Users\Alvaro\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-03-30 11:37 - 2016-12-03 17:17 - 000000000 ___RD C:\Users\Alvaro\OneDrive
2018-03-29 13:45 - 2018-01-13 18:11 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-03-29 10:31 - 2015-08-27 20:51 - 000000000 ____D C:\ProgramData\Package Cache
2018-03-29 10:27 - 2017-09-29 09:46 - 000000000 ____D C:\Program Files\Windows Defender
2018-03-21 10:50 - 2016-12-07 02:07 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-03-21 10:34 - 2018-01-15 21:32 - 130067560 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2018-03-21 10:34 - 2016-12-07 02:06 - 130067560 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2018-03-23 11:13 - 2018-03-23 11:13 - 000000017 _____ () C:\Users\Alvaro\AppData\Local\resmon.resmoncfg
2017-08-26 21:02 - 2017-08-26 21:02 - 000000000 _____ () C:\Users\Alvaro\AppData\Local\{E1BC75FA-F7F3-4CD7-8F6B-DED5DCC1866B}

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-01-24 16:03

==================== End of FRST.txt ============================

ADDITIONAL FILE


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Alvaro (05-04-2018 09:33:17)
Running from C:\Users\Alvaro\Downloads
Windows 10 Home Version 1709 16299.192 (X64) (2018-01-13 22:37:33)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1371854649-3712086544-3624237114-500 - Administrator - Disabled) => C:\Users\Administrator
Alvaro (S-1-5-21-1371854649-3712086544-3624237114-1001 - Administrator - Enabled) => C:\Users\Alvaro
DefaultAccount (S-1-5-21-1371854649-3712086544-3624237114-503 - Limited - Disabled)
Guest (S-1-5-21-1371854649-3712086544-3624237114-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-1371854649-3712086544-3624237114-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.7.157 - Adobe Systems, Inc.)
Avast SecureLine (HKLM\...\{2CD3C92F-EDC5-4B02-9B0A-9C1D37C58EF5}_is1) (Version: 1.0.239.2 - AVAST Software)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom 802.11 Network Adapter (HKLM\...\Broadcom 802.11 Network Adapter) (Version:  - Broadcom Corporation)
Broadcom Bluetooth Drivers (HKLM\...\{0A1B4690-E176-4533-8058-939480AEE1D0}) (Version: 12.0.1.695 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.35 - Piriform)
CyberLink PhotoDirector (HKLM\...\{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.5.6713 - CyberLink Corp.) Hidden
CyberLink PhotoDirector (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.5.6713 - CyberLink Corp.)
CyberLink Power Media Player 14 (HKLM-x32\...\{32C8E300-BDB4-4398-92C2-E9B7D8A233DB}) (Version: 14.0.1.5523 - CyberLink Corp.)
CyberLink PowerDirector 12 (HKLM\...\{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.4.4301 - CyberLink Corp.) Hidden
CyberLink PowerDirector 12 (HKLM-x32\...\InstallShield_{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.4.4301 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\{A9CEDD6E-4792-493e-BB35-D86D2E188A5A}) (Version: 6.0.1.4301 - CyberLink Corp.)
DisableMSDefender (HKLM\...\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}) (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Dropbox 25 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.8.2 - Dropbox, Inc.)
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
Evernote v. 5.8.6 (HKLM-x32\...\{FEDC7C10-EF67-11E4-9B07-00505695D7B0}) (Version: 5.8.6.7519 - Evernote Corp.)
HP 3D DriveGuard (HKLM-x32\...\{E8D0E2B8-B64B-44BC-8E01-00DDACBDF78A}) (Version: 6.0.28.1 - Hewlett-Packard Company)
HP CoolSense (HKLM-x32\...\{1504CF6F-8139-497F-86FC-46174B67CF7F}) (Version: 2.20.51 - Hewlett-Packard Company)
HP Documentation (HKLM\...\HP_Documentation) (Version: 1.0.0.1 - HP)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.8305.5282 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.5.37.19 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{D7D5F438-26EF-45AB-AB89-C476FBCF8584}) (Version: 12.8.47.1 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{8B4EE87E-6D40-4C91-B5E8-0DC77DC412F1}) (Version: 1.4.1 - Hewlett-Packard Company)
HP Welcome (HKLM\...\HPWelcome) (Version: 1.0 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{EFA01423-3857-468C-B7B6-F30AA08E50BC}) (Version: 1.1.5.1 - Hewlett-Packard)
Intel® Chipset Device Software (HKLM-x32\...\{c7f54569-0018-439c-809a-48046a4d4ebc}) (Version: 10.1.1.9 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1158 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.15.4256 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 14.5.0.1081 - Intel Corporation)
Intel® Virtual Buttons (HKLM-x32\...\1992736F-C90A-481C-B21B-EE34CAD07387) (Version: 1.1.0.21 - Intel Corporation)
KB4023057 (HKLM\...\{ED06689A-33B7-4D35-8F76-36A82CD03406}) (Version: 2.3.0.0 - Microsoft Corporation)
Microsoft Expression Web 4 (HKLM-x32\...\Web_4.0.1460.0) (Version: 4.0.1460.0 - Microsoft Corporation)
Microsoft Office Hogar y Estudiantes 2016 - es-es (HKLM\...\HomeStudentRetail - es-es) (Version: 16.0.8827.2148 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\...\OneDriveSetup.exe) (Version: 18.025.0204.0009 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Preview Redistributable (x64) - 12.0.20617 (HKLM-x32\...\{448652c1-f5f3-4230-98c6-68c10c88b1fb}) (Version: 12.0.20617.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 57.0.4 (x64 en-US) (HKLM\...\Mozilla Firefox 57.0.4 (x64 en-US)) (Version: 57.0.4 - Mozilla)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0C0A-0000-0000000FF1CE}) (Version: 16.0.8827.2148 - Microsoft Corporation) Hidden
Oracle VM VirtualBox 5.2.6 (HKLM\...\{EA9602E3-0184-45B9-9E15-028776CD7A6E}) (Version: 5.2.6 - Oracle Corporation)
PowerISO (HKLM-x32\...\PowerISO) (Version: 6.8 - Power Software Ltd)
PyScripter 3.3.1 (HKLM\...\PyScripter_is1) (Version: 3.3.1 - PyScripter)
Python 3.6.5 (64-bit) (HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\...\{9d1b786e-0fd4-4386-abc1-4b920ab32da9}) (Version: 3.6.5150.0 - Python Software Foundation)
Python 3.6.5 Core Interpreter (64-bit) (HKLM\...\{CCE23D38-AE4C-41EE-867C-7DF7DCB52E7F}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Development Libraries (64-bit) (HKLM\...\{6A7E897E-3F28-41DE-8EA7-FD3325FA881A}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Documentation (64-bit) (HKLM\...\{B85E198A-D267-47DB-8F8C-1E5A95F77305}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Executables (64-bit) (HKLM\...\{B145D381-BCBE-408A-BDFA-0871790EC59D}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 pip Bootstrap (64-bit) (HKLM\...\{E828E9CB-111D-4185-AA7E-DD61923A61ED}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Standard Library (64-bit) (HKLM\...\{1A3684F6-CDA3-461A-83BA-186C525DA86F}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Tcl/Tk Support (64-bit) (HKLM\...\{20DE5A77-9F46-44D8-BB87-A10325DC493A}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Test Suite (64-bit) (HKLM\...\{C1BE25E2-19E0-4148-AE98-7A576D1E1528}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python 3.6.5 Utility Scripts (64-bit) (HKLM\...\{97CD25CA-B289-442B-96F9-D0F17B2617E9}) (Version: 3.6.5150.0 - Python Software Foundation) Hidden
Python Launcher (HKLM-x32\...\{8A66FEC2-E443-4219-B9AC-F9B10607B57C}) (Version: 3.6.6295.0 - Python Software Foundation)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.370.87 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.1.505.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7581 - Realtek Semiconductor Corp.)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics ClickPad Driver (HKLM\...\SynTPDeinstKey) (Version: 19.3.31.31 - Synaptics Incorporated)
UpdateAssistant (HKLM-x32\...\{B7AFAF92-D1C8-49A0-B34A-B5DAF9C9D5C6}) (Version: 1.9.0.0 - Microsoft Corporation) Hidden
Windows 10 Update Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22334 - Microsoft Corporation)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2017-02-02] (Power Software Ltd)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2017-02-02] (Power Software Ltd)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2015-07-27] (Intel Corporation)
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => C:\Program Files\PowerISO\PWRISOSH.DLL [2017-02-02] (Power Software Ltd)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-64E4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers6-x32: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext32.dll [2016-08-15] (Alexander Roshal)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {01BDA278-799F-4C7A-AF34-C158BAE32A0A} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-24] (Microsoft Corporation)
Task: {0DCBD8F9-77EA-423F-9390-9CA176E8D949} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-11-07] (HP Inc.)
Task: {2EB6C583-D602-4D02-9DC6-D2E8CD500739} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner64.exe [2017-09-20] (Piriform Ltd)
Task: {2F94E7BB-0437-4546-8C0E-468C115F85FF} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-01-24] (Microsoft Corporation)
Task: {308BB62C-34AC-4F06-A730-1F3445C75328} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe [2018-03-29] (Microsoft Corporation)
Task: {3E37D7E5-2EF6-488D-912A-430575211589} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2017-06-22] (HP Inc.)
Task: {58162AB3-88BC-4763-9A7F-4287C76C607E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {6C2FE44E-A208-4D4A-BC9C-A9C0AAC6068B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2017-11-08] (HP Inc.)
Task: {6CD67337-3534-4F50-8C58-ECF1140DA1A4} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe [2018-03-29] (Microsoft Corporation)
Task: {6E661F58-AD82-401E-803A-44F820EF4583} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis Install => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2017-09-27] (HP Inc.)
Task: {74DF9640-ECB2-4D0C-B961-CBB34ADC17FC} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_ERROR_HB => C:\WINDOWS\system32\MRT-KB890830.exe [2018-03-21] (Microsoft Corporation)
Task: {751890AC-B9C0-44B7-BFBA-6296D3E369E4} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-01-15] (Microsoft Corporation)
Task: {8FB17BAE-6A9A-4629-B1DA-9743A818A41C} - System32\Tasks\avast! SL Update => C:\Program Files\AVAST Software\SecureLine\SLUpdate.exe [2017-08-16] (AVAST Software)
Task: {9B1A6CF4-BB5F-4F6E-9C3F-BA22A6062A12} - System32\Tasks\Avast SecureLine => C:\Program Files\AVAST Software\SecureLine\SecureLine.exe [2017-08-16] (AVAST Software)
Task: {A652D335-4FC1-4962-88B0-1EB4939463E1} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe [2018-03-29] (Microsoft Corporation)
Task: {B1F4CE67-3DDE-4690-8648-555F78E8C66E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2017-09-20] (HP Inc.)
Task: {B310F574-A020-4579-AEC8-9ED5025551FF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.12.17007.18022-0\MpCmdRun.exe [2018-03-29] (Microsoft Corporation)
Task: {B6B5AFAD-CC17-4A3D-85CD-5C32E192DA3E} - System32\Tasks\HPCeeScheduleForAlvaro => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {BCD3B476-30AA-460A-8D27-167F1F831ECD} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2017-09-27] (HP Inc.)
Task: {C063C82D-C679-44B0-A97B-512135D92229} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2017-09-27] (HP Inc.)
Task: {D62B93F3-A396-4762-96A6-D7011103D126} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2015-05-21] (Hewlett-Packard Development Company, L.P.)
Task: {E72539F5-BB26-4152-9DDA-C243C56D4AD5} - System32\Tasks\S-1-5-21-1371854649-3712086544-3624237114-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2017-09-29] (Microsoft Corporation)
Task: {EF75299C-F065-4E04-AEF8-903E966BD917} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-01-15] (Microsoft Corporation)
Task: {EFE6DEB6-114C-4EB1-8657-D1889C0C94EC} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam6\YouCamService6.exe [2015-07-01] (CyberLink Corp.)
Task: {F26A7733-D4E1-415D-A0B0-6525D7AFE916} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2015-06-19] ()
Task: {F43F0DFC-B783-4E5D-8BC7-F2FDD2F5B687} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Product Configurator => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\ProductConfig.exe [2018-01-10] (HP Inc.)
Task: {FFD3BEC7-0E21-4052-B124-F9D8FA653479} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2017-11-08] (HP Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForAlvaro.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Priceline.com.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://www.priceline.com/?refid=PLHBC6240OPQ&refclickid=square

==================== Loaded Modules (Whitelisted) ==============

2015-10-28 20:19 - 2014-04-14 21:59 - 000389896 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2017-08-16 12:57 - 2017-08-16 13:00 - 000592392 _____ () C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe
2017-09-29 09:41 - 2017-09-29 09:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-12-13 21:33 - 2017-12-13 21:33 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-12-13 21:33 - 2017-12-13 21:33 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-12-13 21:33 - 2017-12-13 21:33 - 000975872 _____ () c:\windows\system32\FaceProcessor.dll
2017-12-13 21:33 - 2017-12-13 21:33 - 000269696 _____ () c:\windows\system32\FaceProcessorCore.dll
2017-09-29 09:41 - 2017-09-29 09:41 - 001357464 _____ () c:\windows\system32\FaceTrackerInternal.dll
2015-10-28 20:03 - 2015-04-29 20:04 - 038561984 _____ () C:\Program Files\AVAST Software\SecureLine\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-07-10 07:04 - 2017-05-15 12:54 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\theme1\img2.jpg
DNS Servers: 192.168.10.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run32: => "HPMessageService"
HKU\S-1-5-21-1371854649-3712086544-3624237114-1001\...\StartupApproved\Run: => "OneDrive"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{B1FE2ED3-B947-4F05-9132-9C3199C27B23}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{B01622C6-BCEC-4A08-9E58-3345FBC33BFC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{93E780CD-632F-4A1C-B618-0B7234D78C5C}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE
FirewallRules: [{E0EE016C-90A8-4112-A032-5F22EE076900}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVD Cinema\PowerDVDCinema.exe
FirewallRules: [{ADFA21A6-F292-4A03-9B98-E3FF5A8D7B9E}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Movie\PowerDVDMovie.exe
FirewallRules: [{DF2E580E-9323-4D59-AB12-F0F30053ED49}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe
FirewallRules: [{3CBEE8C4-C15F-433F-89F0-A82195208143}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\Kernel\DMS\CLMSServerPDVD14.exe
FirewallRules: [{1D9F9FFE-FEBB-4A77-A1F0-D48D08E17CDA}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD.exe
FirewallRules: [{2B9D53FE-F153-4461-8368-65CD1E4E053C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{F17EB211-4242-42CA-8ED3-437BFC4D1540}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{DFE5E66E-4F45-4C22-B50B-BB6DE5C0B30E}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{E5B05AD0-4F1A-4757-8062-B56D484B2E98}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{9EA31939-7C49-4407-B226-5C07857DFA26}C:\users\alvaro\appdata\local\programs\python\python36\python.exe] => (Allow) C:\users\alvaro\appdata\local\programs\python\python36\python.exe
FirewallRules: [UDP Query User{C6CAEDC5-139E-4E64-B5D8-383527EE95C8}C:\users\alvaro\appdata\local\programs\python\python36\python.exe] => (Allow) C:\users\alvaro\appdata\local\programs\python\python36\python.exe

==================== Restore Points =========================

21-03-2018 10:30:33 Windows Update
21-03-2018 10:31:59 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/04/2018 01:19:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: UserEnvState.exe, version: 2.2.3025.0, time stamp: 0x58404cda
Faulting module name: UserEnvState.exe, version: 2.2.3025.0, time stamp: 0x58404cda
Exception code: 0xc0000005
Fault offset: 0x00000000000039e4
Faulting process id: 0x1e50
Faulting application start time: 0x01d3cc3907d0003b
Faulting application path: C:\Program Files\Common Files\McAfee\MSGSDK\UserEnvState.exe
Faulting module path: C:\Program Files\Common Files\McAfee\MSGSDK\UserEnvState.exe
Report Id: bb176cf0-88ac-40e9-9eb9-76302f3ef1ad
Faulting package full name:
Faulting package-relative application ID:

Error: (03/29/2018 10:32:35 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW.  hr = 0x80070006, The handle is invalid.
.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (03/03/2018 01:03:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.16299.15, time stamp: 0x59cda974
Faulting module name: msvcrt.dll, version: 7.0.16299.125, time stamp: 0x20688290
Exception code: 0x40000015
Fault offset: 0x000000000000ad32
Faulting process id: 0x30b0
Faulting application start time: 0x01d3b308d3e33765
Faulting application path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\WINDOWS\System32\msvcrt.dll
Report Id: dbeb7a25-3298-4f31-bc03-fc68fda55b3e
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.16299.15_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (01/31/2018 01:42:38 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW.  hr = 0x80070006, The handle is invalid.
.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (01/15/2018 11:05:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HPSupportSolutionsFrameworkService.exe, version: 8.5.32.203, time stamp: 0x58472257
Faulting module name: ntdll.dll, version: 10.0.16299.64, time stamp: 0x493793ea
Exception code: 0xc000070a
Fault offset: 0x000000000010b24d
Faulting process id: 0x19c0
Faulting application start time: 0x01d38cd75fc23ed5
Faulting application path: c:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: ab0d27d3-a527-416e-a827-d114b951a2c4
Faulting package full name:
Faulting package-relative application ID:

Error: (01/15/2018 11:05:52 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: HPSupportSolutionsFrameworkService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c000070a, exception address 00007FFAAFD1B24D

Error: (01/13/2018 07:33:46 PM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (9280,P,0) TILEREPOSITORYS-1-5-21-1371854649-3712086544-3624237114-500: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).

Error: (01/13/2018 07:33:46 PM) (Source: ESENT) (EventID: 522) (User: )
Description: ShellExperienceHost (9280,P,0) TILEREPOSITORYS-1-5-21-1371854649-3712086544-3624237114-500: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (04/05/2018 09:32:47 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/04/2018 11:00:42 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (04/04/2018 10:44:54 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server:
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}

Error: (04/04/2018 10:44:54 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service dps with arguments "Unavailable" in order to run the server:
{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}

Error: (04/04/2018 10:44:47 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-IFHSKRC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (04/04/2018 10:44:19 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-IFHSKRC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (04/04/2018 10:44:14 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-IFHSKRC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (04/04/2018 10:44:09 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-IFHSKRC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}


Windows Defender:
===================================
Date: 2018-04-04 21:32:00.835
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Win32/CplLnk.A&threatid=2147636234&enterprise=0
Name: Exploit:Win32/CplLnk.A
ID: 2147636234
Severity: Severe
Category: Exploit
Path: file:_H:\Copy of Shortcut to (1).lnk;file:_H:\Copy of Shortcut to (2).lnk;file:_H:\Copy of Shortcut to (3).lnk;file:_H:\Copy of Shortcut to (4).lnk
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.263.113.0, AS: 1.263.113.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-04-04 21:32:00.768
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Win32/CplLnk.A&threatid=2147636234&enterprise=0
Name: Exploit:Win32/CplLnk.A
ID: 2147636234
Severity: Severe
Category: Exploit
Path: file:_H:\Copy of Shortcut to (1).lnk;file:_H:\Copy of Shortcut to (2).lnk;file:_H:\Copy of Shortcut to (3).lnk
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.263.113.0, AS: 1.263.113.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-04-04 21:32:00.694
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Win32/CplLnk.A&threatid=2147636234&enterprise=0
Name: Exploit:Win32/CplLnk.A
ID: 2147636234
Severity: Severe
Category: Exploit
Path: file:_H:\Copy of Shortcut to (1).lnk;file:_H:\Copy of Shortcut to (2).lnk
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.263.113.0, AS: 1.263.113.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-04-04 21:32:00.615
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Win32/CplLnk.A&threatid=2147636234&enterprise=0
Name: Exploit:Win32/CplLnk.A
ID: 2147636234
Severity: Severe
Category: Exploit
Path: file:_H:\Copy of Shortcut to (1).lnk
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Windows\explorer.exe
Signature Version: AV: 1.263.113.0, AS: 1.263.113.0, NIS: 118.2.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14202.0

Date: 2018-01-26 13:15:09.396
Description:
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {6E068A9D-A9B5-4CCD-9284-3716C092A499}
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2018-04-04 23:52:27.239
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.263.113.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14600.4
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2018-04-04 23:52:27.238
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 118.2.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version:
Previous Engine Version: 2.1.14202.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2018-04-04 23:52:27.223
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.263.113.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14600.4
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2018-04-04 23:52:27.222
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.263.113.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14600.4
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2018-04-04 23:52:27.222
Description:
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.263.113.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.14600.4
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
===================================

Date: 2018-04-05 09:21:54.547
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-04-05 09:21:54.541
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-04-05 09:21:51.317
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-04-05 09:21:51.314
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-04-05 09:21:47.050
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-04-05 09:21:47.047
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-04-05 09:21:43.326
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

Date: 2018-04-05 09:21:43.250
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

==================== Memory info ===========================

Processor: Intel® Core™ i3-4030U CPU @ 1.90GHz
Percentage of memory in use: 32%
Total physical RAM: 8120.27 MB
Available physical RAM: 5519.87 MB
Total Virtual: 9400.27 MB
Available Virtual: 6869.07 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:911.45 GB) (Free:839.34 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:18.74 GB) (Free:2.19 GB) NTFS ==>[system with boot components (obtained from drive)]

\\?\Volume{e74c2a16-9fe6-4ef3-9fef-fbbb187f9c91}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.2 GB) FAT32
\\?\Volume{950fbe8d-7961-4454-9382-4b257f298b5c}\ () (Fixed) (Total:0.93 GB) (Free:0.33 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 1473EBFB)

Partition: GPT.

==================== End of Addition.txt ============================


#2 nasdaq
  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 April 2018 - 09:37 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.

===

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#3 alvaro0114
  • Topic Starter
  • Members
  • 43 posts

Posted 06 April 2018 - 12:38 PM

Thank you nasdaq.
Do I have to have the USB plugged in before running Flash Disinfector?

#4 alvaro0114
  • Topic Starter
  • Members
  • 43 posts

Posted 06 April 2018 - 01:16 PM

I downloaded Flash Disinfector and it's not doing anything.

First a SmartScreen window in blue opens up saying I have no internet, giving me the option to run or not run; I press run. Then on User Account Control I press run again and it just doesn't do anything after that.


Edited by alvaro0114, 06 April 2018 - 01:17 PM.


#5 nasdaq
  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 April 2018 - 06:49 AM

Hi,

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Do you have an autorun.inf on the Flash drive?

If you plug the USB to the computer does it run automatically?
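
The protective-folder trick in the note above (an autorun.inf directory occupying the name, so a dropper cannot write an autorun.inf file in its place), together with a read-only check for the indicators post #1 describes (root-level .lnk files and a RECYCLER folder), as an added Python example. It is not part of Flash_Disinfector, BleepingComputer or anyone's post in this thread. The file layout it builds is constructed to mimic the stick described in post #1; the script name, function names and the `[autorun]` placeholder text are assumptions of this example. It deletes nothing: an existing autorun.inf file is reported and left in place as evidence, and System Volume Information is treated as the normal Windows folder it is.

```python
"""usb_autorun_check.py: audit a removable drive root for the autorun/shortcut
pattern described in this thread and plant the protective autorun.inf folder.
Added example for this thread; not Flash_Disinfector's code."""
import ctypes
import sys
import tempfile
from pathlib import Path

# RECYCLER is the XP-era recycle-bin name and has no business at the root of a
# removable FAT32 stick; System Volume Information is a normal Windows folder
# and is deliberately NOT in this set.
SUSPICIOUS_DIRS = {"recycler"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # winnt.h value, used only on Windows below


def audit_drive(root):
    """Summarise the indicators at the root of `root` without modifying anything.

    Returns a dict: autorun_inf is 'absent', 'file' (suspicious) or 'dir'
    (the protective folder); shortcuts lists root-level .lnk names; clean is
    True only when no file-type autorun.inf, no shortcuts and no suspicious
    folders are present.
    """
    root = Path(root)
    autorun = root / "autorun.inf"
    if autorun.is_dir():
        kind = "dir"
    elif autorun.exists():
        kind = "file"
    else:
        kind = "absent"
    entries = list(root.iterdir())
    shortcuts = sorted(p.name for p in entries
                       if p.is_file() and p.suffix.lower() == ".lnk")
    suspicious = sorted(p.name for p in entries
                        if p.is_dir() and p.name.lower() in SUSPICIOUS_DIRS)
    return {
        "autorun_inf": kind,
        "shortcuts": shortcuts,
        "suspicious_dirs": suspicious,
        "clean": kind != "file" and not shortcuts and not suspicious,
    }


def plant_protective_autorun_dir(root):
    """Create the protective autorun.inf folder the thread's note describes.

    A directory already holding the name autorun.inf means a dropper cannot
    create an autorun.inf file there. Returns True when the directory is in
    place afterwards, False when an existing autorun.inf *file* blocks it;
    that file is evidence of the infection and is left for you to inspect.
    """
    target = Path(root) / "autorun.inf"
    if target.is_dir():
        return True
    if target.exists():
        return False
    target.mkdir()
    if sys.platform == "win32":
        # Hide the folder, as the note says the tool does (Windows only).
        ctypes.windll.kernel32.SetFileAttributesW(str(target), FILE_ATTRIBUTE_HIDDEN)
    return True


def build_sample_drive(base):
    """Constructed layout mimicking the stick described in post #1; not a real
    capture. The program the poster downloaded is stood in for by setup.exe."""
    base = Path(base)
    (base / "RECYCLER").mkdir()
    (base / "System Volume Information").mkdir()   # normal, must not be flagged
    (base / "autorun.inf").write_text("[autorun]\n; constructed placeholder\n")
    for n in range(1, 5):
        (base / f"open to shortcut ({n}).lnk").write_bytes(b"")
    (base / "setup.exe").write_bytes(b"")
    return base


def run_demo():
    """Audit the constructed infected stick, show that planting is refused
    there, then plant on a clean stick and audit it. Returns all four results."""
    with tempfile.TemporaryDirectory() as infected, \
            tempfile.TemporaryDirectory() as clean:
        build_sample_drive(infected)
        before = audit_drive(infected)
        blocked = plant_protective_autorun_dir(infected)   # False: file in the way
        planted = plant_protective_autorun_dir(clean)      # True: folder created
        after = audit_drive(clean)
    return before, blocked, planted, after


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python usb_autorun_check.py H:\   (root of the mounted stick)
        print(audit_drive(sys.argv[1]))
    else:
        before, blocked, planted, after = run_demo()
        print("constructed infected stick:", before)
        print("planting refused on infected stick:", not blocked)
        print("clean stick after planting:", after)
```

Run it with the mounted drive's root as the only argument (for example `python usb_autorun_check.py H:\`) to audit a real stick; with no argument it builds the constructed sample in temporary directories and prints both audits. On Windows the planted folder is marked hidden with SetFileAttributesW, matching the note's "hidden folder"; on other platforms it is an ordinary directory. Keeping AutoPlay off, as later posts in this thread advise, still matters: the folder only blocks the autorun.inf file, not a .lnk that a user double-clicks.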

#6 alvaro0114
  • Topic Starter
  • Members
  • 43 posts

Posted 07 April 2018 - 08:42 AM

I cannot install the app. Can't run it. My USB is not plugged in. But it works fine. No autorun.inf in it.

Edited by alvaro0114, 07 April 2018 - 08:48 AM.


#7 nasdaq
  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 April 2018 - 06:43 AM

Hi,

Looks like your AutoPlay is disabled on this computer.

Check it out.

http://www.thewindowsclub.com/set-autoplay-defaults-windows-10

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#8 alvaro0114
  • Topic Starter
  • Members
  • 43 posts

Posted 09 April 2018 - 08:06 AM

Hi nasdaq, it is ON. I can't find Flash Disinfector in the download section of the BleepingComputer web site.

Edited by alvaro0114, 09 April 2018 - 08:15 AM.


#9 nasdaq
  • Malware Response Team
  • 40,453 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 April 2018 - 12:47 PM

Hi,

As a protection, so that your USB is not auto-starting when you plug it in, set it to OFF.

You will then have to navigate to Computer > This PC and open a file you trust once the USB is mounted.


===

If you go to this page, the Flash_Disinfector.exe file will be downloaded to your default download folder:
http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe

#10 alvaro0114
  • Topic Starter
  • Members
  • 43 posts

Posted 09 April 2018 - 09:43 PM

So I should set AutoPlay off. I just wanted to make sure my PC was fine.
