Hijack this


8 replies to this topic

#1 barterb


Posted 08 April 2018 - 10:18 AM

Hi there!

 

I appreciate any help I can get with this. Can't seem to get rid of whatever malware/virus this is, and I'm not schooled enough with HijackThis to be comfortable deleting things, so here goes my very first post in this forum lol. Here is my HijackThis log, and thanks if you can help.

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 11:16:01 AM, on 4/8/2018
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.18858)
 
 
Boot mode: Normal
 
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\mmrtkrnl.exe
C:\Windows\RTHDCPL.EXE
C:\Program Files\Ralink\Common\RaUI.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\Explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Bernadette\Desktop\HijackThis.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Lync Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_161\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_161\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Wondershare Helper Compact.exe] C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
O4 - HKLM\..\Run: [Dropbox] "C:\Program Files\Dropbox\Client\Dropbox.exe" /systemstartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AdobeGCInvoker-1.0] "C:\Program Files\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe"
O4 - HKLM\..\Run: [Realtime Audio Engine] "mmrtkrnl.exe" /i
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [chrome] "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu --remote-debugging-port=9222 http://de-mi-nis-ner.info/cdn-38.html?t=0.4
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll
O9 - Extra button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.dell.com
O15 - ESC Trusted Zone: http://*.connectify.me
O15 - ESC Trusted Zone: http://*.fastspring.com
O15 - ESC Trusted Zone: http://*.connectify.me (HKLM)
O15 - ESC Trusted Zone: http://*.fastspring.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{166026FE-A82C-41AE-8EE4-5D8E2F155DB2}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DE8D293-68B0-4E3E-B0D8-F910D0D57500}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{28E2F2C1-1DC1-4154-966C-8DE9868C4200}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{40758318-75B6-430F-9D6E-CB00771C13CD}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D46AEDE-5F8A-4143-A39D-73269E560772}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{59337049-5361-4C57-BDD4-D193C2818AD7}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EBA6C5D-390E-481F-8172-52EE368E5A56}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{73A15C56-0EAF-4A18-BD41-3607005D047B}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD32C92-C558-4AD5-8041-9B41EFF09CC3}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D4D1AAB-B52D-4385-A6B6-1A81EB934340}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ECEADB7-C90A-4AB2-A334-E1F70CBB86A7}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{9312FFBE-CA8C-4000-8E51-3A9755168F5F}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A2A265E-2BEB-40FA-B103-2378C8798D1B}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0FC7FAE-72AD-40FA-9602-A713BE2177BC}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5A94F68-B0AB-4C07-916D-8DAA63AA58EB}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5CEA6D0-00E9-4D71-ABD7-4F4D1AD5447A}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F893F54C-BA69-4B98-903E-F6C183528BB2}: NameServer = 8.8.8.8
O18 - Protocol: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Adobe Genuine Software Integrity Service (AGSService) - Adobe Systems, Incorporated - C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe
O23 - Service: Dropbox Update Service (dbupdate) (dbupdate) - Dropbox, Inc. - C:\Program Files\Dropbox\Update\DropboxUpdate.exe
O23 - Service: Dropbox Update Service (dbupdatem) (dbupdatem) - Dropbox, Inc. - C:\Program Files\Dropbox\Update\DropboxUpdate.exe
O23 - Service: DbxSvc - Dropbox, Inc. - C:\Windows\system32\DbxSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HitmanPro Scheduler (HitmanProScheduler) - SurfRight B.V. - C:\Program Files\HitmanPro\hmpsched.exe
O23 - Service: Malwarebytes Service (MBAMService) - Malwarebytes - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
O23 - Service: RalinkRegistryWriter - Ralink Technology, Corp. - C:\Program Files\Ralink\Common\RaRegistry.exe
O23 - Service: Ralink UPnP Media Server (RaMediaServer) - Ralink - C:\Program Files\Ralink\Common\RaMediaServer.exe
O23 - Service: TeamViewer 13 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer\TeamViewer_Service.exe
O23 - Service: Wondershare Application Framework Service (WsAppService) - Wondershare - C:\Program Files\Wondershare\WAF\WsAppService.exe
O23 - Service: Wondershare Driver Install Service (WsDrvInst) - Unknown owner - C:\Program Files\Wondershare\TunesGo\DriverInstall.exe (file missing)
 

 

 




#2 garioch7

RCMP Veteran
Malware Response Instructor

Posted 08 April 2018 - 10:56 AM

barterb:


Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil. May I address you by your first name?

I will be assisting you with your computer issues. I will endeavor to respond within a reasonable time. Forum policy requires that I post within 48 hours after your last post, but I do endeavor to post within 24 hours of your last post.

I would ask that you please continue to copy and paste the contents of all requested log files directly into your replies. Please do not use "code" or "quote" boxes. Thank you for your anticipated cooperation.

HijackThis is old technology and not used as our primary scanner. Please comply with the instructions in Step 6 of this post, and copy and paste the FRST scan files into your next post.

I will need some time to review your FRST logs. That could take a day or two, but I do hope to respond later today with an initial FRST "fixlist" script.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#3 barterb


Posted 08 April 2018 - 12:17 PM

Thanks for the quick response, Phil... I'm Bernadette, and hopefully I've done what you needed. Here are my FRST scan results.

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14.03.2018
Ran by Bernadette (administrator) on BERNADETTE-PC (08-04-2018 12:39:37)
Running from C:\Users\Bernadette\Desktop
Loaded Profiles: Bernadette (Available Profiles: Bernadette)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Adobe Systems, Incorporated) C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AlcaTech) C:\Windows\System32\mmrtkrnl.exe
(Realtek Semiconductor Corp.) C:\Windows\RTHDCPL.EXE
(Ralink Technology, Corp.) C:\Program Files\Ralink\Common\RaUI.exe
(Ralink Technology, Corp.) C:\Program Files\Ralink\Common\RaRegistry.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
(Wondershare) C:\Program Files\Wondershare\WAF\WsAppService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
() C:\Program Files\CompanyExpertChange\ExpertChange\laika.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(SurfRight B.V.) C:\Users\Bernadette\Desktop\HitmanPro.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Piriform Ltd) C:\Program Files\Speccy\Speccy.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2133216 2017-03-23] (Wondershare)
HKLM\...\Run: [Dropbox] => C:\Program Files\Dropbox\Client\Dropbox.exe [3639616 2018-03-28] (Dropbox, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [587288 2017-12-19] (Oracle Corporation)
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [315880 2018-01-05] (Adobe Systems, Incorporated)
HKLM\...\Run: [Realtime Audio Engine] => "mmrtkrnl.exe" /i
HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [16132608 2007-04-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SkyTel] => C:\Windows\SkyTel.EXE [1822720 2007-04-13] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SoundMan] => C:\Windows\SOUNDMAN.EXE [86016 2006-07-21] (Realtek Semiconductor Corp.)
HKLM\...\Run: [AlcWzrd] => C:\Windows\ALCWZRD.EXE [2808832 2006-05-04] (RealTek Semicoductor Corp.)
HKLM\...\Run: [chrome] => C:\Program Files\Google\Chrome\Application\chrome.exe [1456984 2018-03-20] (Google Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3557944169-877454972-121373122-1000\...\Run: [BitTorrent] => C:\Users\Bernadette\AppData\Roaming\BitTorrent\BitTorrent.exe [2155456 2018-04-08] (BitTorrent Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk [2018-03-16]
ShortcutTarget: Ralink Wireless Utility.lnk -> C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)
Startup: C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat [2018-04-08] ()
BootExecute: autocheck autochk * bootdelete
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{166026FE-A82C-41AE-8EE4-5D8E2F155DB2}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1DE8D293-68B0-4E3E-B0D8-F910D0D57500}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{28E2F2C1-1DC1-4154-966C-8DE9868C4200}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{40758318-75B6-430F-9D6E-CB00771C13CD}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{4D46AEDE-5F8A-4143-A39D-73269E560772}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{59337049-5361-4C57-BDD4-D193C2818AD7}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{5EBA6C5D-390E-481F-8172-52EE368E5A56}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{73A15C56-0EAF-4A18-BD41-3607005D047B}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{7CD32C92-C558-4AD5-8041-9B41EFF09CC3}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{7D4D1AAB-B52D-4385-A6B6-1A81EB934340}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{7ECEADB7-C90A-4AB2-A334-E1F70CBB86A7}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{8BA7D3BE-C524-47F0-B6C3-651A93DA2A35}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{9312FFBE-CA8C-4000-8E51-3A9755168F5F}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{9A2A265E-2BEB-40FA-B103-2378C8798D1B}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{C0FC7FAE-72AD-40FA-9602-A713BE2177BC}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{D5A94F68-B0AB-4C07-916D-8DAA63AA58EB}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{D5CEA6D0-00E9-4D71-ABD7-4F4D1AD5447A}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{F893F54C-BA69-4B98-903E-F6C183528BB2}: [NameServer] 8.8.8.8
 
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3557944169-877454972-121373122-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3557944169-877454972-121373122-1000 -> DefaultScope {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = 
SearchScopes: HKU\S-1-5-21-3557944169-877454972-121373122-1000 -> {297A759F-A0BB-435D-AFF8-402044DCD0D1} URL = hxxps://ca.search.yahoo.com/search?p={searchTerms}&intl=ca&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2018-03-14] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_161\bin\ssv.dll [2018-01-19] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL [2018-03-25] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_161\bin\jp2ssv.dll [2018-01-19] (Oracle Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Bernadette\AppData\Roaming\Mozilla\Firefox\Profiles\41crgh26.default-1468609211346 [2018-04-08]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_29_0_0_113.dll [2018-03-13] ()
FF Plugin: @java.com/DTPlugin,version=11.161.2 -> C:\Program Files\Java\jre1.8.0_161\bin\dtplugin\npDeployJava1.dll [2018-01-19] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.161.2 -> C:\Program Files\Java\jre1.8.0_161\bin\plugin2\npjp2.dll [2018-01-19] (Oracle Corporation)
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-03-14] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-02-14] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-04-07] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-04-07] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> inline.go.mail.ru
CHR StartupUrls: Default -> "hxxp://www.facebook.com/"
CHR DefaultSearchURL: Default -> hxxps://inline.go.mail.ru/search?inline_comp=dse&q={searchTerms}&fr=chxtn12.0.23
CHR DefaultSearchKeyword: Default -> inline.go.mail.ru
CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}
CHR Profile: C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default [2018-04-08]
CHR Extension: (Google Drive) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-15]
CHR Extension: (YouTube) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-07-15]
CHR Extension: (Rock-FM - DJ ZONE) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkppoppjoabpifheegngaedodlnhlcn [2016-12-14]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-04]
CHR Extension: (Audio Converter) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojfphighcpfimfhblaigjckljcoeipga [2016-09-18]
CHR Extension: (Gmail) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-07-15]
CHR Extension: (Chrome Media Router) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-23]
CHR Extension: (Audio Cutter) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\plimnkafgoiilijmlbnfoafihjjijbfp [2017-08-28]
CHR Extension: (ProxyCrime) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\pohhhgpookhmdgjnngkgkbhklplbompp [2017-03-21]
CHR Profile: C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\System Profile [2018-04-07]
CHR HKLM\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ibbfklbaljofpaanmpaeadejijfdddco] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kpdmjodecdegfglgaapafjleomjjlpnh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3557944169-877454972-121373122-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AGSService; C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe [2319848 2018-01-05] (Adobe Systems, Incorporated)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [5700272 2018-03-24] (Microsoft Corporation)
S2 dbupdate; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [143144 2017-05-09] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [143144 2017-05-09] (Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [43344 2018-03-28] (Dropbox, Inc.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [113624 2018-04-08] (SurfRight B.V.)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4430792 2017-08-07] (Malwarebytes)
R2 RalinkRegistryWriter; C:\Program Files\Ralink\Common\RaRegistry.exe [391472 2013-06-26] (Ralink Technology, Corp.)
S2 RaMediaServer; C:\Program Files\Ralink\Common\RaMediaServer.exe [1863680 2012-07-06] (Ralink) [File not signed]
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [11294448 2018-03-09] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
R2 WsAppService; C:\Program Files\Wondershare\WAF\WsAppService.exe [351744 2015-09-09] (Wondershare) [File not signed]
S3 WsDrvInst; C:\Program Files\Wondershare\TunesGo\DriverInstall.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cpuz143; C:\Users\Bernadette\AppData\Local\temp\cpuz143\cpuz143_x32.sys [49592 2018-04-08] (CPUID)
S3 DDDriver; C:\Windows\System32\drivers\DDDriver32Dcsa.sys [30912 2017-06-20] (Dell Inc.)
S3 DellProf; C:\Windows\System32\drivers\DellProf.sys [30520 2017-06-20] (Dell Computer Corporation)
R3 e1express; C:\Windows\System32\DRIVERS\e1e6232.sys [232312 2017-12-14] (Intel Corporation)
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [47552 2018-04-08] ()
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [221112 2018-04-08] (Malwarebytes)
R1 ndisrd; C:\Windows\System32\DRIVERS\ndisrd.sys [37408 2014-08-14] (NT Kernel Resources)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1549000 2013-11-21] (Ralink Technology Corp.)
R3 npf; C:\Windows\system32\drivers\npf.sys [36600 2018-01-30] (Riverbed Technology, Inc.)
S3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [5407744 2017-12-14] (Realtek Semiconductor Corporation )
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [30696 2017-01-18] (The OpenVPN Project)
S3 WsAudioDevice_383; C:\Windows\System32\drivers\WsAudioDevice_383.sys [25632 2015-02-02] (Wondershare)
S3 AndNetDiag; system32\DRIVERS\lgandnetdiag.sys [X]
S3 ANDNetModem; system32\DRIVERS\lgandnetmodem.sys [X]
S3 andnetndis; system32\DRIVERS\lgandnetndis.sys [X]
S3 catchme; \??\C:\Users\BERNAD~1\AppData\Local\Temp\catchme.sys [X]
S3 cpuz140; \??\C:\Users\BERNAD~1\AppData\Local\Temp\cpuz140\cpuz140_x32.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2099-11-12 04:37 - 30826-11-12 04:37 - 000186368 ____N (Microsoft Corporation) C:\Program Files\Common Files\UkaehOr.exe
2099-11-12 04:37 - 30826-11-12 04:37 - 000073216 ____N (Microsoft Corporation) C:\Windows\oIoeafARb.exe
2018-04-08 12:53 - 2018-04-08 12:53 - 000009625 _____ C:\Users\Bernadette\Documents\DECRYPT_INFORMATION.html
2018-04-08 12:39 - 2018-04-08 12:44 - 000016910 _____ C:\Users\Bernadette\Desktop\FRST.txt
2018-04-08 12:38 - 2018-04-08 12:38 - 001764352 _____ (Farbar) C:\Users\Bernadette\Desktop\FRST.exe
2018-04-08 12:21 - 2018-04-08 12:21 - 000000938 _____ C:\Users\Public\Desktop\Speccy.lnk
2018-04-08 12:21 - 2018-04-08 12:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2018-04-08 12:21 - 2018-04-08 12:21 - 000000000 ____D C:\Program Files\Speccy
2018-04-08 12:20 - 2018-04-08 12:20 - 006299336 _____ (Piriform Ltd) C:\Users\Bernadette\Desktop\spsetup131.exe
2018-04-08 12:12 - 2018-04-08 12:12 - 000009625 _____ C:\Users\Bernadette\Desktop\DECRYPT_INFORMATION.html
2018-04-08 12:11 - 2018-04-08 12:11 - 000145808 _____ C:\Users\Bernadette\AppData\Local\GDIPFONTCACHEV1.DAT
2018-04-08 12:09 - 2018-04-08 12:09 - 000009625 _____ C:\Users\Bernadette\AppData\Roaming\DECRYPT_INFORMATION.html
2018-04-08 12:09 - 2018-04-08 12:09 - 000009625 _____ C:\Users\Bernadette\AppData\LocalLow\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\AppData\Local\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\AppData\Local\Apps\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\AppData\DECRYPT_INFORMATION.html
2018-04-08 12:06 - 2018-04-08 12:06 - 000009625 _____ C:\Users\DECRYPT_INFORMATION.html
2018-04-08 12:01 - 2018-04-08 12:01 - 000047552 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-04-08 12:00 - 2018-04-08 12:00 - 000009625 _____ C:\ProgramData\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ C:\Program Files\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ C:\Program Files\Common Files\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ C:\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000001444 _____ C:\Users\Public\UNIQUE_ID_DO_NOT_REMOVE
2018-04-08 11:56 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\CompanyExpertChange
2018-04-08 11:52 - 2018-04-08 12:09 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\BitTorrent
2018-04-08 11:52 - 2018-04-08 11:58 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\BitTorrent
2018-04-08 11:52 - 2018-04-08 11:52 - 000000881 _____ C:\Users\Bernadette\Desktop\BitTorrent.lnk
2018-04-08 11:52 - 2018-04-08 11:52 - 000000861 _____ C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2018-04-08 11:28 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\FileASSASSIN
2018-04-08 11:28 - 2018-04-08 11:28 - 000167034 _____ C:\Users\Bernadette\Desktop\fileassassin-setup-1.06.exe
2018-04-08 11:28 - 2018-04-08 11:28 - 000001014 _____ C:\Users\Public\Desktop\FileASSASSIN.lnk
2018-04-08 11:28 - 2018-04-08 11:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2018-04-08 10:43 - 2018-04-08 10:43 - 000388608 _____ (Trend Micro Inc.) C:\Users\Bernadette\Desktop\HijackThis.exe
2018-04-08 09:50 - 2018-04-08 09:50 - 002716608 ____R (Systems Incorporated) C:\Users\Bernadette\Downloads\Easy_Recovery_Essentials_Free_Download_Crack_For_Windows_7.exe
2018-04-08 09:48 - 2018-04-08 12:12 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\uTorrent
2018-04-08 09:47 - 2018-04-08 09:47 - 003114288 _____ (BitTorrent Inc.) C:\Users\Bernadette\Desktop\uTorrent.exe
2018-04-08 09:16 - 2018-04-08 09:16 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2018-04-08 09:16 - 2018-04-08 09:16 - 000000158 _____ C:\Windows\system32\bootdelete.lst
2018-04-08 09:09 - 2018-04-08 12:01 - 000001894 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2018-04-08 09:09 - 2018-04-08 12:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2018-04-08 09:09 - 2018-04-08 09:09 - 000000000 ____D C:\Program Files\HitmanPro
2018-04-08 08:18 - 2018-04-08 12:33 - 001802994 _____ C:\Users\Bernadette\Desktop\rkill.com.HRM
2018-04-08 08:17 - 2018-04-08 08:19 - 010993872 _____ (SurfRight B.V.) C:\Users\Bernadette\Desktop\HitmanPro.exe
2018-04-08 08:02 - 2018-04-08 11:57 - 000018866 _____ C:\ComboFix.txt.HRM
2018-04-08 07:58 - 2018-02-08 23:25 - 000282360 _____ (Riverbed Technology, Inc.) C:\Windows\system32\wpcap.dll
2018-04-08 07:58 - 2018-02-08 23:24 - 000098040 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Packet.dll
2018-04-08 07:58 - 2018-01-30 23:16 - 000036600 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Drivers\npf.sys
2018-04-08 07:51 - 2018-04-08 12:08 - 000000000 ____D C:\Users\Bernadette\AppData\Local\ElevatedDiagnostics
2018-04-08 01:28 - 2018-04-08 12:08 - 000146098 _____ C:\Users\Bernadette\AppData\Local\GDIPFONTCACHEV1.DAT.HRM
2018-04-08 00:49 - 2018-04-08 12:08 - 004348386 _____ C:\Users\Bernadette\AppData\Local\IconCache.db.HRM
2018-04-07 20:37 - 2018-04-08 12:08 - 000000000 ____D C:\Users\Bernadette\AppData\Local\ESET
2018-04-07 20:37 - 2018-04-07 20:37 - 006968952 _____ (ESET spol. s r.o.) C:\Users\Bernadette\Desktop\esetonlinescanner_enu.exe
2018-04-07 20:32 - 2018-04-07 20:32 - 000002243 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-04-07 20:32 - 2018-04-07 20:32 - 000002202 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-04-07 20:31 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\Google
2018-04-07 20:28 - 2018-04-07 20:28 - 000002017 _____ C:\Users\Public\Desktop\HouseCall for Home Networks.lnk
2018-04-07 20:28 - 2018-04-07 20:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HouseCall for Home Networks
2018-04-07 17:55 - 2018-04-07 17:55 - 008222496 _____ (Malwarebytes) C:\Users\Bernadette\Desktop\adwcleaner_7.0.8.0.exe
2018-04-07 17:41 - 2018-04-08 12:00 - 000000000 ____D C:\ProgramData\adaware
2018-04-07 17:34 - 2018-04-08 01:12 - 000069576 _____ C:\Windows\ntbtlog.txt
2018-04-07 17:34 - 2018-04-07 17:34 - 290985682 _____ C:\Windows\MEMORY.DMP
2018-04-07 17:34 - 2018-04-07 17:34 - 000143672 _____ C:\Windows\Minidump\040718-26691-01.dmp
2018-04-07 17:34 - 2018-04-07 17:34 - 000000000 ____D C:\Windows\Minidump
2018-04-07 16:58 - 2018-04-08 12:53 - 001612226 _____ C:\Users\Bernadette\Downloads\keygen.HRM
2018-04-07 16:56 - 2018-04-07 16:56 - 000000012 _____ C:\Windows\b60479666
2018-04-07 16:46 - 2018-04-08 12:00 - 000000000 ____D C:\ProgramData\AlcaTech
2018-04-07 16:46 - 2018-04-07 18:49 - 000102400 _____ (AlcaTech) C:\Windows\system32\Setup.dll
2018-04-07 16:36 - 2018-04-07 16:37 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Unity
2018-04-07 15:33 - 2018-04-07 15:35 - 008222496 _____ (Malwarebytes) C:\Users\Bernadette\Downloads\adwcleaner_7.0.8.0.exe
2018-04-07 14:52 - 2018-04-08 07:21 - 000221112 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-04-07 12:50 - 2018-04-08 12:31 - 000000000 ____D C:\Users\Bernadette\Desktop\Burntfield
2018-04-07 03:52 - 2018-04-08 12:32 - 009972574 _____ C:\Users\Bernadette\Desktop\Double Shot Rock & Metal Monday on www.rock-fm.ca.mp4.HRM
2018-04-07 03:52 - 2018-04-08 12:32 - 007127246 _____ C:\Users\Bernadette\Desktop\Double Shot Indie Wednesday on www.rock-fm.ca.mp4.HRM
2018-04-06 22:49 - 2018-04-08 12:31 - 000000000 ____D C:\Users\Bernadette\Desktop\Bernie's stuff
2018-04-06 10:42 - 2018-04-08 12:33 - 000000754 _____ C:\Users\Bernadette\Desktop\Radio station startup to do list.txt.HRM
2018-04-05 12:18 - 2018-03-14 13:18 - 000116928 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-04-05 12:18 - 2018-03-14 13:14 - 000535040 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 001893376 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-04-05 12:18 - 2018-03-14 09:04 - 001319424 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000594944 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000507392 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000338432 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000338432 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000238592 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000190976 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-04-01 18:17 - 2018-04-08 12:12 - 000239394 _____ C:\Users\Bernadette\Desktop\#MusicMonday VAIN.pub.HRM
2018-04-01 18:17 - 2018-04-08 12:12 - 000216642 _____ C:\Users\Bernadette\Desktop\#MusicMonday VAIN.jpg.HRM
2018-04-01 00:04 - 2018-04-08 12:32 - 083863286 _____ C:\Users\Bernadette\Desktop\Double Shot Prog Alt Friday  promo.mp4.HRM
2018-03-31 23:03 - 2018-04-08 12:53 - 001188578 _____ C:\Users\Bernadette\Desktop\VE Project 2.wve.HRM
2018-03-31 22:58 - 2018-04-08 12:33 - 000209186 _____ C:\Users\Bernadette\Desktop\prog alt friday last slide.jpg.HRM
2018-03-31 22:58 - 2018-04-08 12:33 - 000116002 _____ C:\Users\Bernadette\Desktop\prog alt last slide.pub.HRM
2018-03-31 22:39 - 2018-04-08 12:53 - 001188962 _____ C:\Users\Bernadette\Desktop\VE Project 1.wve.HRM
2018-03-31 22:32 - 2018-04-08 12:33 - 000003602 _____ C:\Users\Bernadette\Desktop\Prog Alt Friday video promo.vpj.HRM
2018-03-31 21:05 - 2018-04-08 12:32 - 000341282 _____ C:\Users\Bernadette\Desktop\Mohai thank you.jpg.HRM
2018-03-31 20:29 - 2018-03-31 20:29 - 000001089 _____ C:\Users\Public\Desktop\WavePad Sound Editor.lnk
2018-03-31 17:48 - 2018-04-08 12:33 - 000091938 _____ C:\Users\Bernadette\Desktop\Prog alt slide one.pub.HRM
2018-03-29 19:57 - 2018-03-29 19:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2018-03-28 10:31 - 2018-03-28 10:31 - 000043344 _____ (Dropbox, Inc.) C:\Windows\system32\DbxSvc.exe
2018-03-28 10:31 - 2018-03-28 10:31 - 000035432 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-dev.sys
2018-03-28 10:31 - 2018-03-28 10:31 - 000035432 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-canary.sys
2018-03-28 10:31 - 2018-03-28 10:31 - 000035408 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-stable.sys
2018-03-27 10:49 - 2018-04-08 12:53 - 000123170 _____ C:\Users\Bernadette\Documents\Rock and Metal slide.pub.HRM
2018-03-27 06:19 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2018-03-27 01:05 - 2018-03-27 01:05 - 000008434 _____ C:\Users\Bernadette\motherbleep work.vpj
2018-03-27 00:37 - 2018-04-08 12:09 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\AVS4YOU
2018-03-27 00:37 - 2018-04-08 12:00 - 000000000 ____D C:\ProgramData\AVS4YOU
2018-03-27 00:37 - 2018-03-27 00:37 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVS4YOU
2018-03-27 00:36 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\Common Files\AVSMedia
2018-03-27 00:36 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\AVS4YOU
2018-03-27 00:36 - 2018-03-27 00:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVS4YOU
2018-03-27 00:36 - 2018-03-27 00:36 - 000001160 _____ C:\Users\Bernadette\Desktop\AVS Audio Editor.lnk
2018-03-27 00:36 - 2010-05-11 13:17 - 001700352 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2018-03-27 00:36 - 2010-05-11 13:17 - 000024576 _____ (Microsoft Corporation) C:\Windows\system32\msxml3a.dll
2018-03-26 19:57 - 2018-03-26 19:57 - 000000000 ____D C:\Users\Bernadette\Documents\VideoPad Projects
2018-03-26 16:23 - 2018-03-26 16:23 - 000000000 ____D C:\Wondershare Video Converter Ultimate
2018-03-26 16:23 - 2018-03-26 16:23 - 000000000 ____D C:\Program Files\WondershareUpdate
2018-03-26 16:22 - 2018-03-26 16:22 - 000001386 _____ C:\Users\Public\Desktop\Wondershare Video Converter Ultimate.lnk
2018-03-26 16:22 - 2018-03-26 16:22 - 000000000 ____D C:\Users\Bernadette\Documents\Wondershare MediaServer
2018-03-26 16:22 - 2018-03-26 16:22 - 000000000 ____D C:\ProgramData\GraphicsType
2018-03-26 16:21 - 2018-04-08 12:11 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\TransferSupport
2018-03-26 16:13 - 2018-03-26 16:13 - 000001117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoPad Video Editor.lnk
2018-03-26 16:13 - 2018-03-26 16:13 - 000001105 _____ C:\Users\Public\Desktop\VideoPad Video Editor.lnk
2018-03-26 16:13 - 2018-03-26 16:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs
2018-03-26 14:19 - 2018-04-08 12:53 - 000213554 _____ C:\Users\Bernadette\Documents\starburn.txt.HRM
2018-03-26 14:19 - 2018-03-26 16:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
2018-03-26 14:19 - 2018-03-26 14:19 - 000001188 _____ C:\Users\Public\Desktop\Wondershare Filmora.lnk
2018-03-26 14:18 - 2018-04-08 12:53 - 000000000 ____D C:\Users\Bernadette\Documents\Wondershare Filmora
2018-03-26 14:18 - 2018-04-08 12:05 - 000000000 ____D C:\ProgramData\Wondershare Video Editor
2018-03-26 14:17 - 2018-03-26 16:22 - 000000000 ____D C:\Users\Public\Documents\Wondershare
2018-03-12 11:47 - 2018-04-08 12:32 - 000000000 ____D C:\Users\Bernadette\Desktop\New VAIN mixes
2018-03-12 11:46 - 2018-04-08 12:53 - 078106162 _____ C:\Users\Bernadette\Desktop\Violent Attitude If Noticed - Studio Syndrome.zip.HRM
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-08 12:53 - 2018-02-03 19:49 - 000001282 _____ C:\Users\Bernadette\Desktop\Weekly Notes.txt.HRM
2018-04-08 12:53 - 2018-01-07 14:30 - 000000000 ____D C:\Users\Bernadette\Desktop\Widetrack new album tracks
2018-04-08 12:53 - 2017-10-16 09:52 - 000000000 ____D C:\Users\Bernadette\Desktop\Violent Divine - Louder Than Love
2018-04-08 12:53 - 2017-09-13 16:22 - 000000000 ___RD C:\Users\Bernadette\Documents\Scanned Documents
2018-04-08 12:53 - 2017-09-13 16:22 - 000000000 ____D C:\Users\Bernadette\Documents\Fax
2018-04-08 12:53 - 2017-06-12 20:09 - 000000000 ____D C:\Users\Bernadette\Desktop\Twitter tag Pics
2018-04-08 12:53 - 2017-04-21 07:41 - 000000000 ____D C:\Users\Bernadette\Documents\Outlook Files
2018-04-08 12:53 - 2017-03-23 19:42 - 000000000 ____D C:\Users\Bernadette\Documents\My Kindle Content
2018-04-08 12:53 - 2016-12-13 23:14 - 000024466 _____ C:\Users\Bernadette\Documents\Logfile.odt.HRM
2018-04-08 12:53 - 2016-07-23 20:56 - 006354126 _____ C:\Users\Bernadette\Downloads\Love Bomb by The Space Sharks.mp3.HRM
2018-04-08 12:53 - 2016-07-22 15:41 - 000000642 _____ C:\Users\Bernadette\Documents\test document.html.HRM
2018-04-08 12:53 - 2016-07-19 12:52 - 066329755 _____ C:\Users\Bernadette\Downloads\Something Like Kites - Time Is Valuable.zip.HRM
2018-04-08 12:53 - 2016-07-15 18:03 - 000000000 ____D C:\Users\Bernadette\Documents\AdobeStockPhotos
2018-04-08 12:53 - 2016-07-15 07:37 - 000000000 ____D C:\Users\Bernadette\Documents\BitLord
2018-04-08 12:53 - 2016-06-09 16:18 - 000000000 ____D C:\Users\Bernadette\Documents\Freemake
2018-04-08 12:53 - 2016-06-05 15:26 - 000081586 _____ C:\Users\Bernadette\Documents\Untitled (4).wma.HRM
2018-04-08 12:53 - 2016-05-30 20:53 - 000000000 ___RD C:\Users\Bernadette\Documents\Notes
2018-04-08 12:53 - 2016-05-30 20:39 - 000077106 _____ C:\Users\Bernadette\Documents\Untitled (3).wma.HRM
2018-04-08 12:53 - 2016-05-30 20:38 - 000122002 _____ C:\Users\Bernadette\Documents\Untitled (2).wma.HRM
2018-04-08 12:53 - 2016-05-30 20:36 - 000113026 _____ C:\Users\Bernadette\Documents\Untitled.wma.HRM
2018-04-08 12:53 - 2016-01-07 00:09 - 000082930 _____ C:\Users\Bernadette\Downloads\CYFsWM4WQAAHJsh.jpg-large.HRM
2018-04-08 12:53 - 2015-08-12 07:29 - 010145851 _____ C:\Users\Bernadette\Downloads\Duran Duran -  Paper Gods _AUDIO_.mp3.HRM
2018-04-08 12:53 - 2015-07-21 09:42 - 001394450 _____ C:\Users\Bernadette\Downloads\pink_floyd-learning_to_fly_v2.mp3.HRM
2018-04-08 12:53 - 2015-07-16 12:51 - 000007458 _____ C:\Users\Bernadette\Downloads\11249699_10155848798005088_3071978181660926980_n.jpg.HRM
2018-04-08 12:52 - 2018-01-10 12:58 - 000000370 _____ C:\Users\Bernadette\Desktop\Submission address.txt.HRM
2018-04-08 12:52 - 2015-09-08 00:59 - 003775266 _____ C:\Users\Bernadette\Desktop\Thumbs.db.HRM
2018-04-08 12:52 - 2015-09-05 19:13 - 000000000 ____D C:\Users\Bernadette\Desktop\Rock fm music part 1
2018-04-08 12:39 - 2017-10-25 22:20 - 000000000 ____D C:\FRST
2018-04-08 12:33 - 2016-11-06 19:48 - 000000000 ____D C:\Users\Bernadette\Desktop\Playlists
2018-04-08 12:32 - 2018-02-19 17:47 - 000000000 ____D C:\Users\Bernadette\Desktop\Final Coil radio drops
2018-04-08 12:32 - 2018-02-12 11:42 - 000007122 _____ C:\Users\Bernadette\Desktop\Olav thoughts to develop interview questions from.txt.HRM
2018-04-08 12:32 - 2018-01-06 19:42 - 000023490 _____ C:\Users\Bernadette\Desktop\Folder.jpg.HRM
2018-04-08 12:32 - 2017-10-20 21:10 - 000000000 ____D C:\Users\Bernadette\Desktop\Now Playing pics 280
2018-04-08 12:32 - 2017-06-26 09:43 - 000000000 ____D C:\Users\Bernadette\Desktop\Pic tags for Twitter
2018-04-08 12:32 - 2017-06-19 14:15 - 000000000 ____D C:\Users\Bernadette\Desktop\Dream Theater two
2018-04-08 12:32 - 2017-06-14 17:41 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Prog Alt Friday Twitter pics
2018-04-08 12:32 - 2017-06-13 16:58 - 000004274 _____ C:\Users\Bernadette\Desktop\Header for twitter tags.txt.HRM
2018-04-08 12:32 - 2017-06-12 19:29 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Indie Wed. Twitter tags
2018-04-08 12:32 - 2017-06-11 17:25 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Rock & Metal Monday tag promo pics
2018-04-08 12:32 - 2017-02-23 23:25 - 000001138 _____ C:\Users\Bernadette\Desktop\interview questions.txt.HRM
2018-04-08 12:32 - 2015-06-21 05:19 - 000000850 _____ C:\Users\Bernadette\Desktop\New Text Document.txt.HRM
2018-04-08 12:31 - 2017-06-14 17:41 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Indie Friday Twitter tags
2018-04-08 12:23 - 2009-07-14 00:34 - 000031280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-04-08 12:23 - 2009-07-14 00:34 - 000031280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-04-08 12:12 - 2018-02-14 14:53 - 000014306 _____ C:\Users\Bernadette\Desktop\AlbumArt_{296EB473-E2D1-4970-9CC1-E88A908634EC}_Large.jpg.HRM
2018-04-08 12:12 - 2018-02-14 14:53 - 000003730 _____ C:\Users\Bernadette\Desktop\AlbumArt_{296EB473-E2D1-4970-9CC1-E88A908634EC}_Small.jpg.HRM
2018-04-08 12:12 - 2018-01-06 19:42 - 000039042 _____ C:\Users\Bernadette\Desktop\AlbumArt_{18BBE200-7A41-4581-8928-F9A4643DBC41}_Large.jpg.HRM
2018-04-08 12:12 - 2018-01-06 19:42 - 000008146 _____ C:\Users\Bernadette\Desktop\AlbumArt_{18BBE200-7A41-4581-8928-F9A4643DBC41}_Small.jpg.HRM
2018-04-08 12:12 - 2018-01-06 19:42 - 000004770 _____ C:\Users\Bernadette\Desktop\AlbumArtSmall.jpg.HRM
2018-04-08 12:12 - 2017-12-20 18:51 - 000001218 _____ C:\Users\Bernadette\bern.txt.HRM
2018-04-08 12:12 - 2017-02-05 09:42 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\vlc
2018-04-08 12:12 - 2016-08-31 09:16 - 000000000 ____D C:\Users\Bernadette\Desktop\Artist pics
2018-04-08 12:12 - 2015-10-11 12:37 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Wondershare
2018-04-08 12:12 - 2015-07-16 12:19 - 000000322 _____ C:\Users\Bernadette\AppData\Roaming\WB.CFG.HRM
2018-04-08 12:12 - 2015-06-19 11:47 - 000000000 ____D C:\Users\Bernadette
2018-04-08 12:11 - 2017-12-21 18:25 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\TeamViewer
2018-04-08 12:11 - 2016-12-24 10:50 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\streamWriter
2018-04-08 12:11 - 2016-05-21 17:28 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Skype
2018-04-08 12:11 - 2015-08-29 15:17 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Sun
2018-04-08 12:09 - 2017-12-27 16:17 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\InstallShield
2018-04-08 12:09 - 2017-12-09 04:19 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Trend Micro
2018-04-08 12:09 - 2017-10-25 17:17 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\AGData
2018-04-08 12:09 - 2017-05-24 18:46 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Adobe
2018-04-08 12:09 - 2017-05-09 16:54 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Dropbox
2018-04-08 12:09 - 2017-04-06 08:38 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\NCH Software
2018-04-08 12:09 - 2017-02-23 20:44 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\FastStone
2018-04-08 12:09 - 2016-12-13 22:46 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\LibreOffice
2018-04-08 12:09 - 2016-11-05 15:47 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\OpenOffice
2018-04-08 12:09 - 2016-07-15 08:34 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VS Revo Group
2018-04-08 12:09 - 2016-07-15 07:39 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\BitLord
2018-04-08 12:09 - 2015-12-20 00:05 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VMware
2018-04-08 12:09 - 2015-12-19 23:56 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Andy
2018-04-08 12:09 - 2015-10-24 19:43 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\dvdcss
2018-04-08 12:09 - 2015-10-21 14:35 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VirtualRouterPlus
2018-04-08 12:09 - 2015-10-11 12:37 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Wondershare
2018-04-08 12:09 - 2015-10-03 09:45 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Baidu
2018-04-08 12:09 - 2015-08-14 07:53 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Apple Computer
2018-04-08 12:09 - 2015-07-17 16:23 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Macromedia
2018-04-08 12:09 - 2015-07-17 15:29 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Oracle
2018-04-08 12:09 - 2015-07-17 15:20 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Sun
2018-04-08 12:09 - 2015-07-16 18:51 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Apple Computer
2018-04-08 12:09 - 2015-06-27 11:52 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Adobe
2018-04-08 12:09 - 2015-06-19 11:47 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VirtualStore
2018-04-08 12:08 - 2017-12-21 18:27 - 000000000 ____D C:\Users\Bernadette\AppData\Local\TeamViewer
2018-04-08 12:08 - 2017-07-17 18:40 - 000000000 ____D C:\Users\Bernadette\AppData\Local\iTunes
2018-04-08 12:08 - 2017-05-09 16:49 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Dropbox
2018-04-08 12:08 - 2017-03-23 19:42 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Amazon
2018-04-08 12:08 - 2016-12-10 19:58 - 000000000 ____D C:\Users\Bernadette\AppData\Local\CrashRpt
2018-04-08 12:08 - 2016-09-29 17:40 - 000000000 ____D C:\Users\Bernadette\.fontconfig
2018-04-08 12:08 - 2016-09-29 17:39 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Movavi
2018-04-08 12:08 - 2016-09-29 17:39 - 000000000 ____D C:\Users\Bernadette\AppData\Local\converter
2018-04-08 12:08 - 2016-09-14 18:17 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Apps\2.0
2018-04-08 12:08 - 2016-07-31 06:09 - 000000000 ____D C:\Users\Bernadette\30 Below
2018-04-08 12:08 - 2016-07-15 07:39 - 000000000 ____D C:\Users\Bernadette\AppData\Local\BitLord
2018-04-08 12:08 - 2016-03-09 22:09 - 000000000 ____D C:\Users\Bernadette\AppData\Local\FacebookGames
2018-04-08 12:08 - 2016-03-09 22:09 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Facebook
2018-04-08 12:08 - 2015-12-19 23:57 - 000000000 ____D C:\Users\Bernadette\Andy
2018-04-08 12:08 - 2015-10-21 20:20 - 000000000 ____D C:\Users\Bernadette\AppData\Local\1BN_Software_&_IT_Solutio
2018-04-08 12:08 - 2015-10-21 20:14 - 000000000 ____D C:\Users\Bernadette\AppData\Local\1BN_(www.1bn.in)
2018-04-08 12:08 - 2015-10-17 07:56 - 000000000 ____D C:\Users\Bernadette\.android
2018-04-08 12:08 - 2015-08-29 15:17 - 000000000 ____D C:\Users\Bernadette\.oracle_jre_usage
2018-04-08 12:08 - 2015-08-27 07:57 - 000000000 ____D C:\Users\Bernadette\AppData\Local\CEF
2018-04-08 12:08 - 2015-07-18 14:31 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Macromedia
2018-04-08 12:08 - 2015-07-18 09:17 - 000000000 ____D C:\Users\Bernadette\AppData\Local\GWX
2018-04-08 12:08 - 2015-07-17 23:45 - 000007938 _____ C:\Users\Bernadette\AppData\Local\Resmon.ResmonCfg.HRM
2018-04-08 12:08 - 2015-07-16 23:00 - 000000322 _____ C:\Users\Bernadette\AppData\Local\housecall.guid.cache.HRM
2018-04-08 12:08 - 2015-07-16 21:43 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Adobe
2018-04-08 12:08 - 2015-07-16 18:51 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Apple Computer
2018-04-08 12:08 - 2015-07-16 18:35 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Apple
2018-04-08 12:08 - 2015-07-16 15:06 - 000000354 _____ C:\Users\Bernadette\AppData\Local\0197ae781343cb89915ac55c09d94c33.HRM
2018-04-08 12:08 - 2015-07-16 11:19 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Google
2018-04-08 12:06 - 2016-12-10 21:13 - 000000000 ____D C:\Qoobox
2018-04-08 12:06 - 2015-09-30 05:54 - 000000498 _____ C:\setup.log.HRM
2018-04-08 12:05 - 2017-12-27 16:18 - 000000000 ____D C:\ProgramData\Ralink Driver
2018-04-08 12:05 - 2017-10-07 20:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-04-08 12:05 - 2017-09-13 18:06 - 000000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2018-04-08 12:05 - 2016-07-15 08:34 - 000000000 ____D C:\ProgramData\VS Revo Group
2018-04-08 12:05 - 2016-05-21 17:28 - 000000000 ____D C:\ProgramData\Skype
2018-04-08 12:05 - 2016-05-17 16:21 - 000000000 ____D C:\ProgramData\Trend Micro
2018-04-08 12:05 - 2015-12-19 23:58 - 000000000 ____D C:\ProgramData\VMware
2018-04-08 12:05 - 2015-10-21 14:45 - 000000000 ____D C:\ProgramData\Thinix
2018-04-08 12:05 - 2015-10-17 07:57 - 000000000 ____D C:\ProgramData\wondershare
2018-04-08 12:05 - 2015-06-27 06:10 - 000000000 ____D C:\ProgramData\Pure Networks
2018-04-08 12:04 - 2017-10-09 16:19 - 000000000 ____D C:\ProgramData\MB2Migration
2018-04-08 12:04 - 2017-06-23 19:35 - 000000000 ____D C:\ProgramData\PCDr
2018-04-08 12:04 - 2017-04-06 08:38 - 000000000 ____D C:\ProgramData\NCH Software
2018-04-08 12:04 - 2016-09-29 17:38 - 000000000 ____D C:\ProgramData\Movavi
2018-04-08 12:04 - 2016-04-16 19:45 - 000000000 ____D C:\ProgramData\McAfee
2018-04-08 12:04 - 2015-08-16 15:36 - 000000000 ____D C:\ProgramData\Package Cache
2018-04-08 12:04 - 2015-07-17 15:20 - 000000000 ____D C:\ProgramData\Oracle
2018-04-08 12:01 - 2016-12-11 00:06 - 000000000 ____D C:\ProgramData\HitmanPro
2018-04-08 12:00 - 2017-12-14 22:12 - 000000000 ____D C:\ProgramData\Intel
2018-04-08 12:00 - 2017-06-23 19:28 - 000000000 ____D C:\ProgramData\Dell
2018-04-08 12:00 - 2017-05-09 16:49 - 000000000 ____D C:\ProgramData\Dropbox
2018-04-08 12:00 - 2017-02-04 22:23 - 000000000 ____D C:\ProgramData\Avira
2018-04-08 12:00 - 2016-07-14 21:27 - 000000000 ____D C:\ProgramData\FLEXnet
2018-04-08 12:00 - 2016-07-14 21:22 - 000000000 ____D C:\ProgramData\Adobe
2018-04-08 12:00 - 2015-07-16 23:09 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-04-08 12:00 - 2015-07-16 18:50 - 000000000 ____D C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2018-04-08 12:00 - 2015-07-16 18:50 - 000000000 ____D C:\ProgramData\Apple Computer
2018-04-08 12:00 - 2015-07-16 18:35 - 000000000 ____D C:\ProgramData\Apple
2018-04-08 11:59 - 2016-07-15 08:34 - 000000000 ____D C:\Program Files\VS Revo Group
2018-04-08 11:59 - 2015-12-19 23:57 - 000000000 ____D C:\Program Files\VMware
2018-04-08 11:59 - 2015-10-17 07:56 - 000000000 ____D C:\Program Files\Wondershare
2018-04-08 11:59 - 2015-07-16 16:42 - 000000000 ____D C:\Program Files\WinRAR
2018-04-08 11:58 - 2017-12-27 16:17 - 000000000 ____D C:\Program Files\Ralink
2018-04-08 11:58 - 2017-12-21 18:25 - 000000000 ____D C:\Program Files\TeamViewer
2018-04-08 11:58 - 2017-12-09 04:20 - 000000000 ____D C:\Program Files\Trend Micro
2018-04-08 11:58 - 2017-04-06 08:38 - 000000000 ____D C:\Program Files\NCH Software
2018-04-08 11:58 - 2015-09-05 19:08 - 000000000 ____D C:\Program Files\MP3Gain
2018-04-08 11:58 - 2015-07-16 20:22 - 000000000 ____D C:\Program Files\VideoLAN
2018-04-08 11:57 - 2018-01-19 11:49 - 000000000 ____D C:\Program Files\Common Files\Java
2018-04-08 11:57 - 2017-12-27 16:17 - 000000000 ____D C:\Program Files\Cisco
2018-04-08 11:57 - 2017-10-09 16:19 - 000000000 ____D C:\Program Files\Malwarebytes
2018-04-08 11:57 - 2017-09-13 18:06 - 000000322 _____ C:\97C68FD56E45.HRM
2018-04-08 11:57 - 2017-08-28 22:35 - 000000000 ____D C:\Intel
2018-04-08 11:57 - 2017-08-28 22:33 - 000000000 ____D C:\Program Files\Common Files\InstallShield
2018-04-08 11:57 - 2017-08-28 22:32 - 000000000 ____D C:\dell
2018-04-08 11:57 - 2017-08-21 19:34 - 000000000 ____D C:\Program Files\IrfanView
2018-04-08 11:57 - 2017-06-23 19:34 - 000000000 ____D C:\Program Files\Dell
2018-04-08 11:57 - 2017-05-09 16:49 - 000000000 ____D C:\Program Files\Dropbox
2018-04-08 11:57 - 2017-04-26 12:36 - 000000000 ____D C:\Program Files\DiskInternals
2018-04-08 11:57 - 2017-02-04 22:23 - 000000000 ____D C:\Program Files\Avira
2018-04-08 11:57 - 2016-12-11 00:06 - 000000000 ____D C:\AdwCleaner
2018-04-08 11:57 - 2016-10-10 15:23 - 000000000 ____D C:\Program Files\iPod
2018-04-08 11:57 - 2016-07-15 14:51 - 000000000 ____D C:\Program Files\Adware Removal Tool by TSA
2018-04-08 11:57 - 2015-12-29 00:10 - 000000000 ____D C:\Program Files\Kodi
2018-04-08 11:57 - 2015-10-18 16:28 - 000000000 ____D C:\Program Files\Java
2018-04-08 11:57 - 2015-10-11 12:37 - 000000000 ____D C:\Program Files\Common Files\Wondershare
2018-04-08 11:57 - 2015-09-18 09:38 - 000000000 ____D C:\Program Files\iTunes
2018-04-08 11:57 - 2015-09-06 21:54 - 000000000 ____D C:\Program Files\Hewlett-Packard
2018-04-08 11:57 - 2015-07-18 09:43 - 000000000 ____D C:\LGMobileUpgrade
2018-04-08 11:57 - 2015-07-16 18:58 - 000000000 ___HD C:\Program Files\InstallShield Installation Information
2018-04-08 11:57 - 2015-07-16 16:44 - 000375666 _____ C:\PNQBE.HRM
2018-04-08 11:57 - 2015-06-27 11:52 - 000000000 ____D C:\Program Files\Common Files\Adobe
2018-04-08 11:57 - 2015-06-27 11:52 - 000000000 ____D C:\Program Files\Adobe
2018-04-08 11:57 - 2015-06-19 15:40 - 000008482 _____ C:\BOOTSECT.BAK.HRM
2018-04-08 11:57 - 2009-07-14 00:52 - 000000000 ____D C:\Program Files\DVD Maker
2018-04-08 11:57 - 2009-07-13 22:37 - 000000000 ____D C:\Program Files\Common Files\System
2018-04-08 11:57 - 2009-07-13 22:37 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-04-08 11:57 - 2009-07-13 22:37 - 000000000 ____D C:\PerfLogs
2018-04-08 11:54 - 2017-05-09 16:49 - 000000904 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2018-04-08 09:09 - 2010-11-20 17:01 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-04-08 09:09 - 2009-07-13 22:37 - 000000000 ____D C:\Windows\inf
2018-04-08 09:00 - 2017-05-09 16:49 - 000000900 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2018-04-08 09:00 - 2009-07-14 00:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-04-08 08:39 - 2017-05-09 17:09 - 000000000 ___RD C:\Users\Bernadette\Dropbox
2018-04-08 07:58 - 2009-07-13 22:04 - 000000215 _____ C:\Windows\system.ini
2018-04-08 07:51 - 2017-08-28 22:33 - 000000000 ____D C:\Windows\system32\RTCOM
2018-04-08 07:27 - 2017-08-28 22:33 - 000319456 _____ (Microsoft Corporation) C:\Windows\DIFxAPI.dll
2018-04-08 01:12 - 2016-12-10 21:13 - 000000000 ____D C:\Windows\erdnt
2018-04-08 01:12 - 2009-07-13 22:03 - 071303168 _____ C:\Windows\system32\config\SOFTWARE.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 017301504 _____ C:\Windows\system32\config\SYSTEM.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 001835008 _____ C:\Windows\system32\config\DEFAULT.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 000262144 _____ C:\Windows\system32\config\SECURITY.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 000028672 _____ C:\Windows\system32\config\SAM.bak
2018-04-07 23:45 - 2015-07-16 15:00 - 000000000 ____D C:\Program Files\Windows Loader
2018-04-07 21:33 - 2016-05-30 19:34 - 000000000 ____D C:\Users\Bernadette\AppData\Local\CrashDumps
2018-04-07 16:35 - 2016-12-10 20:45 - 000000258 __RSH C:\Users\Bernadette\ntuser.pol
2018-04-07 15:51 - 2009-07-14 00:33 - 001857184 _____ C:\Windows\system32\FNTCACHE.DAT
2018-04-07 15:04 - 2016-01-31 15:39 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Vuze Leap
2018-04-05 12:19 - 2015-07-16 16:38 - 000000000 ____D C:\Windows\system32\appraiser
2018-03-31 20:29 - 2018-01-30 10:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite
2018-03-31 20:29 - 2017-04-06 08:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audio Related Programs
2018-03-27 06:17 - 2017-10-07 19:02 - 000000000 ____D C:\Program Files\Microsoft Office
2018-03-16 17:34 - 2017-12-21 18:25 - 000000930 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 13.lnk
2018-03-16 17:34 - 2017-12-21 18:25 - 000000918 _____ C:\Users\Public\Desktop\TeamViewer 13.lnk
2018-03-14 17:50 - 2017-10-07 20:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2018-03-14 17:06 - 2015-07-16 15:29 - 000000000 ____D C:\Windows\system32\MRT
2018-03-14 17:03 - 2017-10-11 17:13 - 127391104 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-03-14 17:03 - 2015-07-16 15:29 - 127391104 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-03-13 08:15 - 2015-07-17 16:22 - 000804352 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2018-03-13 08:15 - 2015-07-17 16:22 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2018-03-13 08:15 - 2015-07-17 16:22 - 000000000 ____D C:\Windows\system32\Macromed
 
==================== Files in the root of some directories =======
 
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ () C:\Program Files\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ () C:\Program Files\Common Files\DECRYPT_INFORMATION.html
30826-11-12 04:37 - 30826-11-12 04:37 - 000186368 ____N (Microsoft Corporation) C:\Program Files\Common Files\UkaehOr.exe
2018-04-08 12:09 - 2018-04-08 12:09 - 000009625 _____ () C:\Users\Bernadette\AppData\Roaming\DECRYPT_INFORMATION.html
2015-07-16 12:19 - 2018-04-08 12:12 - 000000322 _____ () C:\Users\Bernadette\AppData\Roaming\WB.CFG.HRM
2015-07-16 15:06 - 2018-04-08 12:08 - 000000354 _____ () C:\Users\Bernadette\AppData\Local\0197ae781343cb89915ac55c09d94c33.HRM
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ () C:\Users\Bernadette\AppData\Local\DECRYPT_INFORMATION.html
2015-07-16 23:00 - 2018-04-08 12:08 - 000000322 _____ () C:\Users\Bernadette\AppData\Local\housecall.guid.cache.HRM
2015-07-17 23:45 - 2018-04-08 12:08 - 000007938 _____ () C:\Users\Bernadette\AppData\Local\Resmon.ResmonCfg.HRM
2017-10-02 17:36 - 2017-10-02 17:37 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{5FDD3239-5A96-4B00-95E9-06D0CA634EF0}
2017-10-06 17:17 - 2017-10-06 17:17 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{658E15DF-F511-4FCE-853E-305CD2AAC901}
2017-10-06 17:20 - 2017-10-06 17:20 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{A4E707B3-4AA4-4F40-94B2-D7BA5806E024}
2017-08-31 17:07 - 2017-08-31 17:07 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{FD302A62-D134-44D5-AC9B-F7E4EB9914CA}
 
Some files in TEMP:
====================
2018-04-08 11:56 - 2018-04-08 11:56 - 002603053 _____ (CompanyExpertChange                                         ) C:\Users\Bernadette\AppData\Local\temp\expertchange.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
additional file created for FRST
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14.03.2018
Ran by Bernadette (administrator) on BERNADETTE-PC (08-04-2018 12:39:37)
Running from C:\Users\Bernadette\Desktop
Loaded Profiles: Bernadette (Available Profiles: Bernadette)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Adobe Systems, Incorporated) C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Wondershare) C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AlcaTech) C:\Windows\System32\mmrtkrnl.exe
(Realtek Semiconductor Corp.) C:\Windows\RTHDCPL.EXE
(Ralink Technology, Corp.) C:\Program Files\Ralink\Common\RaUI.exe
(Ralink Technology, Corp.) C:\Program Files\Ralink\Common\RaRegistry.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
(Wondershare) C:\Program Files\Wondershare\WAF\WsAppService.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
() C:\Program Files\CompanyExpertChange\ExpertChange\laika.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(SurfRight B.V.) C:\Users\Bernadette\Desktop\HitmanPro.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Piriform Ltd) C:\Program Files\Speccy\Speccy.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2133216 2017-03-23] (Wondershare)
HKLM\...\Run: [Dropbox] => C:\Program Files\Dropbox\Client\Dropbox.exe [3639616 2018-03-28] (Dropbox, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [587288 2017-12-19] (Oracle Corporation)
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [315880 2018-01-05] (Adobe Systems, Incorporated)
HKLM\...\Run: [Realtime Audio Engine] => "mmrtkrnl.exe" /i
HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [16132608 2007-04-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SkyTel] => C:\Windows\SkyTel.EXE [1822720 2007-04-13] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SoundMan] => C:\Windows\SOUNDMAN.EXE [86016 2006-07-21] (Realtek Semiconductor Corp.)
HKLM\...\Run: [AlcWzrd] => C:\Windows\ALCWZRD.EXE [2808832 2006-05-04] (RealTek Semicoductor Corp.)
HKLM\...\Run: [chrome] => C:\Program Files\Google\Chrome\Application\chrome.exe [1456984 2018-03-20] (Google Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-3557944169-877454972-121373122-1000\...\Run: [BitTorrent] => C:\Users\Bernadette\AppData\Roaming\BitTorrent\BitTorrent.exe [2155456 2018-04-08] (BitTorrent Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk [2018-03-16]
ShortcutTarget: Ralink Wireless Utility.lnk -> C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)
Startup: C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat [2018-04-08] ()
BootExecute: autocheck autochk * bootdelete
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{166026FE-A82C-41AE-8EE4-5D8E2F155DB2}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{1DE8D293-68B0-4E3E-B0D8-F910D0D57500}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{28E2F2C1-1DC1-4154-966C-8DE9868C4200}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{40758318-75B6-430F-9D6E-CB00771C13CD}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{4D46AEDE-5F8A-4143-A39D-73269E560772}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{59337049-5361-4C57-BDD4-D193C2818AD7}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{5EBA6C5D-390E-481F-8172-52EE368E5A56}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{73A15C56-0EAF-4A18-BD41-3607005D047B}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{7CD32C92-C558-4AD5-8041-9B41EFF09CC3}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{7D4D1AAB-B52D-4385-A6B6-1A81EB934340}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{7ECEADB7-C90A-4AB2-A334-E1F70CBB86A7}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{8BA7D3BE-C524-47F0-B6C3-651A93DA2A35}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{9312FFBE-CA8C-4000-8E51-3A9755168F5F}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{9A2A265E-2BEB-40FA-B103-2378C8798D1B}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{C0FC7FAE-72AD-40FA-9602-A713BE2177BC}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{D5A94F68-B0AB-4C07-916D-8DAA63AA58EB}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{D5CEA6D0-00E9-4D71-ABD7-4F4D1AD5447A}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{F893F54C-BA69-4B98-903E-F6C183528BB2}: [NameServer] 8.8.8.8
 
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3557944169-877454972-121373122-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3557944169-877454972-121373122-1000 -> DefaultScope {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = 
SearchScopes: HKU\S-1-5-21-3557944169-877454972-121373122-1000 -> {297A759F-A0BB-435D-AFF8-402044DCD0D1} URL = hxxps://ca.search.yahoo.com/search?p={searchTerms}&intl=ca&fr=yset_ie_syc_oracle&type=orcl_default&partnerexternal-oracle=external-oracle
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\Office16\OCHelper.dll [2018-03-14] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_161\bin\ssv.dll [2018-01-19] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL [2018-03-25] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_161\bin\jp2ssv.dll [2018-01-19] (Oracle Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2018-03-14] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Bernadette\AppData\Roaming\Mozilla\Firefox\Profiles\41crgh26.default-1468609211346 [2018-04-08]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_29_0_0_113.dll [2018-03-13] ()
FF Plugin: @java.com/DTPlugin,version=11.161.2 -> C:\Program Files\Java\jre1.8.0_161\bin\dtplugin\npDeployJava1.dll [2018-01-19] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.161.2 -> C:\Program Files\Java\jre1.8.0_161\bin\plugin2\npjp2.dll [2018-01-19] (Oracle Corporation)
FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2018-03-14] (Microsoft Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50907.0\npctrl.dll [2017-05-03] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2018-02-14] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-04-07] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2018-04-07] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> inline.go.mail.ru
CHR StartupUrls: Default -> "hxxp://www.facebook.com/"
CHR DefaultSearchURL: Default -> hxxps://inline.go.mail.ru/search?inline_comp=dse&q={searchTerms}&fr=chxtn12.0.23
CHR DefaultSearchKeyword: Default -> inline.go.mail.ru
CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}
CHR Profile: C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default [2018-04-08]
CHR Extension: (Google Drive) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-15]
CHR Extension: (YouTube) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-07-15]
CHR Extension: (Rock-FM - DJ ZONE) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkppoppjoabpifheegngaedodlnhlcn [2016-12-14]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-04]
CHR Extension: (Audio Converter) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojfphighcpfimfhblaigjckljcoeipga [2016-09-18]
CHR Extension: (Gmail) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-07-15]
CHR Extension: (Chrome Media Router) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-23]
CHR Extension: (Audio Cutter) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\plimnkafgoiilijmlbnfoafihjjijbfp [2017-08-28]
CHR Extension: (ProxyCrime) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\pohhhgpookhmdgjnngkgkbhklplbompp [2017-03-21]
CHR Profile: C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\System Profile [2018-04-07]
CHR HKLM\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ibbfklbaljofpaanmpaeadejijfdddco] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [kpdmjodecdegfglgaapafjleomjjlpnh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3557944169-877454972-121373122-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AGSService; C:\Program Files\Common Files\Adobe\AdobeGCClient\AGSService.exe [2319848 2018-01-05] (Adobe Systems, Incorporated)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [5700272 2018-03-24] (Microsoft Corporation)
S2 dbupdate; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [143144 2017-05-09] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files\Dropbox\Update\DropboxUpdate.exe [143144 2017-05-09] (Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [43344 2018-03-28] (Dropbox, Inc.)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [113624 2018-04-08] (SurfRight B.V.)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4430792 2017-08-07] (Malwarebytes)
R2 RalinkRegistryWriter; C:\Program Files\Ralink\Common\RaRegistry.exe [391472 2013-06-26] (Ralink Technology, Corp.)
S2 RaMediaServer; C:\Program Files\Ralink\Common\RaMediaServer.exe [1863680 2012-07-06] (Ralink) [File not signed]
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [11294448 2018-03-09] (TeamViewer GmbH)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
R2 WsAppService; C:\Program Files\Wondershare\WAF\WsAppService.exe [351744 2015-09-09] (Wondershare) [File not signed]
S3 WsDrvInst; C:\Program Files\Wondershare\TunesGo\DriverInstall.exe [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cpuz143; C:\Users\Bernadette\AppData\Local\temp\cpuz143\cpuz143_x32.sys [49592 2018-04-08] (CPUID)
S3 DDDriver; C:\Windows\System32\drivers\DDDriver32Dcsa.sys [30912 2017-06-20] (Dell Inc.)
S3 DellProf; C:\Windows\System32\drivers\DellProf.sys [30520 2017-06-20] (Dell Computer Corporation)
R3 e1express; C:\Windows\System32\DRIVERS\e1e6232.sys [232312 2017-12-14] (Intel Corporation)
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [47552 2018-04-08] ()
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [221112 2018-04-08] (Malwarebytes)
R1 ndisrd; C:\Windows\System32\DRIVERS\ndisrd.sys [37408 2014-08-14] (NT Kernel Resources)
S3 netr28u; C:\Windows\System32\DRIVERS\netr28u.sys [1549000 2013-11-21] (Ralink Technology Corp.)
R3 npf; C:\Windows\system32\drivers\npf.sys [36600 2018-01-30] (Riverbed Technology, Inc.)
S3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [5407744 2017-12-14] (Realtek Semiconductor Corporation )
S3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [30696 2017-01-18] (The OpenVPN Project)
S3 WsAudioDevice_383; C:\Windows\System32\drivers\WsAudioDevice_383.sys [25632 2015-02-02] (Wondershare)
S3 AndNetDiag; system32\DRIVERS\lgandnetdiag.sys [X]
S3 ANDNetModem; system32\DRIVERS\lgandnetmodem.sys [X]
S3 andnetndis; system32\DRIVERS\lgandnetndis.sys [X]
S3 catchme; \??\C:\Users\BERNAD~1\AppData\Local\Temp\catchme.sys [X]
S3 cpuz140; \??\C:\Users\BERNAD~1\AppData\Local\Temp\cpuz140\cpuz140_x32.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2099-11-12 04:37 - 30826-11-12 04:37 - 000186368 ____N (Microsoft Corporation) C:\Program Files\Common Files\UkaehOr.exe
2099-11-12 04:37 - 30826-11-12 04:37 - 000073216 ____N (Microsoft Corporation) C:\Windows\oIoeafARb.exe
2018-04-08 12:53 - 2018-04-08 12:53 - 000009625 _____ C:\Users\Bernadette\Documents\DECRYPT_INFORMATION.html
2018-04-08 12:39 - 2018-04-08 12:44 - 000016910 _____ C:\Users\Bernadette\Desktop\FRST.txt
2018-04-08 12:38 - 2018-04-08 12:38 - 001764352 _____ (Farbar) C:\Users\Bernadette\Desktop\FRST.exe
2018-04-08 12:21 - 2018-04-08 12:21 - 000000938 _____ C:\Users\Public\Desktop\Speccy.lnk
2018-04-08 12:21 - 2018-04-08 12:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
2018-04-08 12:21 - 2018-04-08 12:21 - 000000000 ____D C:\Program Files\Speccy
2018-04-08 12:20 - 2018-04-08 12:20 - 006299336 _____ (Piriform Ltd) C:\Users\Bernadette\Desktop\spsetup131.exe
2018-04-08 12:12 - 2018-04-08 12:12 - 000009625 _____ C:\Users\Bernadette\Desktop\DECRYPT_INFORMATION.html
2018-04-08 12:11 - 2018-04-08 12:11 - 000145808 _____ C:\Users\Bernadette\AppData\Local\GDIPFONTCACHEV1.DAT
2018-04-08 12:09 - 2018-04-08 12:09 - 000009625 _____ C:\Users\Bernadette\AppData\Roaming\DECRYPT_INFORMATION.html
2018-04-08 12:09 - 2018-04-08 12:09 - 000009625 _____ C:\Users\Bernadette\AppData\LocalLow\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\AppData\Local\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\AppData\Local\Apps\DECRYPT_INFORMATION.html
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ C:\Users\Bernadette\AppData\DECRYPT_INFORMATION.html
2018-04-08 12:06 - 2018-04-08 12:06 - 000009625 _____ C:\Users\DECRYPT_INFORMATION.html
2018-04-08 12:01 - 2018-04-08 12:01 - 000047552 _____ C:\Windows\system32\Drivers\hitmanpro37.sys
2018-04-08 12:00 - 2018-04-08 12:00 - 000009625 _____ C:\ProgramData\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ C:\Program Files\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ C:\Program Files\Common Files\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ C:\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000001444 _____ C:\Users\Public\UNIQUE_ID_DO_NOT_REMOVE
2018-04-08 11:56 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\CompanyExpertChange
2018-04-08 11:52 - 2018-04-08 12:09 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\BitTorrent
2018-04-08 11:52 - 2018-04-08 11:58 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\BitTorrent
2018-04-08 11:52 - 2018-04-08 11:52 - 000000881 _____ C:\Users\Bernadette\Desktop\BitTorrent.lnk
2018-04-08 11:52 - 2018-04-08 11:52 - 000000861 _____ C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\BitTorrent.lnk
2018-04-08 11:28 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\FileASSASSIN
2018-04-08 11:28 - 2018-04-08 11:28 - 000167034 _____ C:\Users\Bernadette\Desktop\fileassassin-setup-1.06.exe
2018-04-08 11:28 - 2018-04-08 11:28 - 000001014 _____ C:\Users\Public\Desktop\FileASSASSIN.lnk
2018-04-08 11:28 - 2018-04-08 11:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2018-04-08 10:43 - 2018-04-08 10:43 - 000388608 _____ (Trend Micro Inc.) C:\Users\Bernadette\Desktop\HijackThis.exe
2018-04-08 09:50 - 2018-04-08 09:50 - 002716608 ____R (Systems Incorporated) C:\Users\Bernadette\Downloads\Easy_Recovery_Essentials_Free_Download_Crack_For_Windows_7.exe
2018-04-08 09:48 - 2018-04-08 12:12 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\uTorrent
2018-04-08 09:47 - 2018-04-08 09:47 - 003114288 _____ (BitTorrent Inc.) C:\Users\Bernadette\Desktop\uTorrent.exe
2018-04-08 09:16 - 2018-04-08 09:16 - 000012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2018-04-08 09:16 - 2018-04-08 09:16 - 000000158 _____ C:\Windows\system32\bootdelete.lst
2018-04-08 09:09 - 2018-04-08 12:01 - 000001894 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2018-04-08 09:09 - 2018-04-08 12:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2018-04-08 09:09 - 2018-04-08 09:09 - 000000000 ____D C:\Program Files\HitmanPro
2018-04-08 08:18 - 2018-04-08 12:33 - 001802994 _____ C:\Users\Bernadette\Desktop\rkill.com.HRM
2018-04-08 08:17 - 2018-04-08 08:19 - 010993872 _____ (SurfRight B.V.) C:\Users\Bernadette\Desktop\HitmanPro.exe
2018-04-08 08:02 - 2018-04-08 11:57 - 000018866 _____ C:\ComboFix.txt.HRM
2018-04-08 07:58 - 2018-02-08 23:25 - 000282360 _____ (Riverbed Technology, Inc.) C:\Windows\system32\wpcap.dll
2018-04-08 07:58 - 2018-02-08 23:24 - 000098040 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Packet.dll
2018-04-08 07:58 - 2018-01-30 23:16 - 000036600 _____ (Riverbed Technology, Inc.) C:\Windows\system32\Drivers\npf.sys
2018-04-08 07:51 - 2018-04-08 12:08 - 000000000 ____D C:\Users\Bernadette\AppData\Local\ElevatedDiagnostics
2018-04-08 01:28 - 2018-04-08 12:08 - 000146098 _____ C:\Users\Bernadette\AppData\Local\GDIPFONTCACHEV1.DAT.HRM
2018-04-08 00:49 - 2018-04-08 12:08 - 004348386 _____ C:\Users\Bernadette\AppData\Local\IconCache.db.HRM
2018-04-07 20:37 - 2018-04-08 12:08 - 000000000 ____D C:\Users\Bernadette\AppData\Local\ESET
2018-04-07 20:37 - 2018-04-07 20:37 - 006968952 _____ (ESET spol. s r.o.) C:\Users\Bernadette\Desktop\esetonlinescanner_enu.exe
2018-04-07 20:32 - 2018-04-07 20:32 - 000002243 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-04-07 20:32 - 2018-04-07 20:32 - 000002202 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-04-07 20:31 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\Google
2018-04-07 20:28 - 2018-04-07 20:28 - 000002017 _____ C:\Users\Public\Desktop\HouseCall for Home Networks.lnk
2018-04-07 20:28 - 2018-04-07 20:28 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HouseCall for Home Networks
2018-04-07 17:55 - 2018-04-07 17:55 - 008222496 _____ (Malwarebytes) C:\Users\Bernadette\Desktop\adwcleaner_7.0.8.0.exe
2018-04-07 17:41 - 2018-04-08 12:00 - 000000000 ____D C:\ProgramData\adaware
2018-04-07 17:34 - 2018-04-08 01:12 - 000069576 _____ C:\Windows\ntbtlog.txt
2018-04-07 17:34 - 2018-04-07 17:34 - 290985682 _____ C:\Windows\MEMORY.DMP
2018-04-07 17:34 - 2018-04-07 17:34 - 000143672 _____ C:\Windows\Minidump\040718-26691-01.dmp
2018-04-07 17:34 - 2018-04-07 17:34 - 000000000 ____D C:\Windows\Minidump
2018-04-07 16:58 - 2018-04-08 12:53 - 001612226 _____ C:\Users\Bernadette\Downloads\keygen.HRM
2018-04-07 16:56 - 2018-04-07 16:56 - 000000012 _____ C:\Windows\b60479666
2018-04-07 16:46 - 2018-04-08 12:00 - 000000000 ____D C:\ProgramData\AlcaTech
2018-04-07 16:46 - 2018-04-07 18:49 - 000102400 _____ (AlcaTech) C:\Windows\system32\Setup.dll
2018-04-07 16:36 - 2018-04-07 16:37 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Unity
2018-04-07 15:33 - 2018-04-07 15:35 - 008222496 _____ (Malwarebytes) C:\Users\Bernadette\Downloads\adwcleaner_7.0.8.0.exe
2018-04-07 14:52 - 2018-04-08 07:21 - 000221112 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-04-07 12:50 - 2018-04-08 12:31 - 000000000 ____D C:\Users\Bernadette\Desktop\Burntfield
2018-04-07 03:52 - 2018-04-08 12:32 - 009972574 _____ C:\Users\Bernadette\Desktop\Double Shot Rock & Metal Monday on www.rock-fm.ca.mp4.HRM
2018-04-07 03:52 - 2018-04-08 12:32 - 007127246 _____ C:\Users\Bernadette\Desktop\Double Shot Indie Wednesday on www.rock-fm.ca.mp4.HRM
2018-04-06 22:49 - 2018-04-08 12:31 - 000000000 ____D C:\Users\Bernadette\Desktop\Bernie's stuff
2018-04-06 10:42 - 2018-04-08 12:33 - 000000754 _____ C:\Users\Bernadette\Desktop\Radio station startup to do list.txt.HRM
2018-04-05 12:18 - 2018-03-14 13:18 - 000116928 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2018-04-05 12:18 - 2018-03-14 13:14 - 000535040 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 001893376 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2018-04-05 12:18 - 2018-03-14 09:04 - 001319424 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000594944 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000507392 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000338432 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000338432 _____ (Microsoft Corporation) C:\Windows\system32\centel.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000238592 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2018-04-05 12:18 - 2018-03-14 09:04 - 000190976 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2018-04-01 18:17 - 2018-04-08 12:12 - 000239394 _____ C:\Users\Bernadette\Desktop\#MusicMonday VAIN.pub.HRM
2018-04-01 18:17 - 2018-04-08 12:12 - 000216642 _____ C:\Users\Bernadette\Desktop\#MusicMonday VAIN.jpg.HRM
2018-04-01 00:04 - 2018-04-08 12:32 - 083863286 _____ C:\Users\Bernadette\Desktop\Double Shot Prog Alt Friday  promo.mp4.HRM
2018-03-31 23:03 - 2018-04-08 12:53 - 001188578 _____ C:\Users\Bernadette\Desktop\VE Project 2.wve.HRM
2018-03-31 22:58 - 2018-04-08 12:33 - 000209186 _____ C:\Users\Bernadette\Desktop\prog alt friday last slide.jpg.HRM
2018-03-31 22:58 - 2018-04-08 12:33 - 000116002 _____ C:\Users\Bernadette\Desktop\prog alt last slide.pub.HRM
2018-03-31 22:39 - 2018-04-08 12:53 - 001188962 _____ C:\Users\Bernadette\Desktop\VE Project 1.wve.HRM
2018-03-31 22:32 - 2018-04-08 12:33 - 000003602 _____ C:\Users\Bernadette\Desktop\Prog Alt Friday video promo.vpj.HRM
2018-03-31 21:05 - 2018-04-08 12:32 - 000341282 _____ C:\Users\Bernadette\Desktop\Mohai thank you.jpg.HRM
2018-03-31 20:29 - 2018-03-31 20:29 - 000001089 _____ C:\Users\Public\Desktop\WavePad Sound Editor.lnk
2018-03-31 17:48 - 2018-04-08 12:33 - 000091938 _____ C:\Users\Bernadette\Desktop\Prog alt slide one.pub.HRM
2018-03-29 19:57 - 2018-03-29 19:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2018-03-28 10:31 - 2018-03-28 10:31 - 000043344 _____ (Dropbox, Inc.) C:\Windows\system32\DbxSvc.exe
2018-03-28 10:31 - 2018-03-28 10:31 - 000035432 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-dev.sys
2018-03-28 10:31 - 2018-03-28 10:31 - 000035432 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-canary.sys
2018-03-28 10:31 - 2018-03-28 10:31 - 000035408 _____ (Dropbox, Inc.) C:\Windows\system32\Drivers\dbx-stable.sys
2018-03-27 10:49 - 2018-04-08 12:53 - 000123170 _____ C:\Users\Bernadette\Documents\Rock and Metal slide.pub.HRM
2018-03-27 06:19 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\Common Files\DESIGNER
2018-03-27 01:05 - 2018-03-27 01:05 - 000008434 _____ C:\Users\Bernadette\motherbleep work.vpj
2018-03-27 00:37 - 2018-04-08 12:09 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\AVS4YOU
2018-03-27 00:37 - 2018-04-08 12:00 - 000000000 ____D C:\ProgramData\AVS4YOU
2018-03-27 00:37 - 2018-03-27 00:37 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AVS4YOU
2018-03-27 00:36 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\Common Files\AVSMedia
2018-03-27 00:36 - 2018-04-08 11:57 - 000000000 ____D C:\Program Files\AVS4YOU
2018-03-27 00:36 - 2018-03-27 00:37 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVS4YOU
2018-03-27 00:36 - 2018-03-27 00:36 - 000001160 _____ C:\Users\Bernadette\Desktop\AVS Audio Editor.lnk
2018-03-27 00:36 - 2010-05-11 13:17 - 001700352 _____ (Microsoft Corporation) C:\Windows\system32\GdiPlus.dll
2018-03-27 00:36 - 2010-05-11 13:17 - 000024576 _____ (Microsoft Corporation) C:\Windows\system32\msxml3a.dll
2018-03-26 19:57 - 2018-03-26 19:57 - 000000000 ____D C:\Users\Bernadette\Documents\VideoPad Projects
2018-03-26 16:23 - 2018-03-26 16:23 - 000000000 ____D C:\Wondershare Video Converter Ultimate
2018-03-26 16:23 - 2018-03-26 16:23 - 000000000 ____D C:\Program Files\WondershareUpdate
2018-03-26 16:22 - 2018-03-26 16:22 - 000001386 _____ C:\Users\Public\Desktop\Wondershare Video Converter Ultimate.lnk
2018-03-26 16:22 - 2018-03-26 16:22 - 000000000 ____D C:\Users\Bernadette\Documents\Wondershare MediaServer
2018-03-26 16:22 - 2018-03-26 16:22 - 000000000 ____D C:\ProgramData\GraphicsType
2018-03-26 16:21 - 2018-04-08 12:11 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\TransferSupport
2018-03-26 16:13 - 2018-03-26 16:13 - 000001117 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoPad Video Editor.lnk
2018-03-26 16:13 - 2018-03-26 16:13 - 000001105 _____ C:\Users\Public\Desktop\VideoPad Video Editor.lnk
2018-03-26 16:13 - 2018-03-26 16:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs
2018-03-26 14:19 - 2018-04-08 12:53 - 000213554 _____ C:\Users\Bernadette\Documents\starburn.txt.HRM
2018-03-26 14:19 - 2018-03-26 16:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare
2018-03-26 14:19 - 2018-03-26 14:19 - 000001188 _____ C:\Users\Public\Desktop\Wondershare Filmora.lnk
2018-03-26 14:18 - 2018-04-08 12:53 - 000000000 ____D C:\Users\Bernadette\Documents\Wondershare Filmora
2018-03-26 14:18 - 2018-04-08 12:05 - 000000000 ____D C:\ProgramData\Wondershare Video Editor
2018-03-26 14:17 - 2018-03-26 16:22 - 000000000 ____D C:\Users\Public\Documents\Wondershare
2018-03-12 11:47 - 2018-04-08 12:32 - 000000000 ____D C:\Users\Bernadette\Desktop\New VAIN mixes
2018-03-12 11:46 - 2018-04-08 12:53 - 078106162 _____ C:\Users\Bernadette\Desktop\Violent Attitude If Noticed - Studio Syndrome.zip.HRM
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-04-08 12:53 - 2018-02-03 19:49 - 000001282 _____ C:\Users\Bernadette\Desktop\Weekly Notes.txt.HRM
2018-04-08 12:53 - 2018-01-07 14:30 - 000000000 ____D C:\Users\Bernadette\Desktop\Widetrack new album tracks
2018-04-08 12:53 - 2017-10-16 09:52 - 000000000 ____D C:\Users\Bernadette\Desktop\Violent Divine - Louder Than Love
2018-04-08 12:53 - 2017-09-13 16:22 - 000000000 ___RD C:\Users\Bernadette\Documents\Scanned Documents
2018-04-08 12:53 - 2017-09-13 16:22 - 000000000 ____D C:\Users\Bernadette\Documents\Fax
2018-04-08 12:53 - 2017-06-12 20:09 - 000000000 ____D C:\Users\Bernadette\Desktop\Twitter tag Pics
2018-04-08 12:53 - 2017-04-21 07:41 - 000000000 ____D C:\Users\Bernadette\Documents\Outlook Files
2018-04-08 12:53 - 2017-03-23 19:42 - 000000000 ____D C:\Users\Bernadette\Documents\My Kindle Content
2018-04-08 12:53 - 2016-12-13 23:14 - 000024466 _____ C:\Users\Bernadette\Documents\Logfile.odt.HRM
2018-04-08 12:53 - 2016-07-23 20:56 - 006354126 _____ C:\Users\Bernadette\Downloads\Love Bomb by The Space Sharks.mp3.HRM
2018-04-08 12:53 - 2016-07-22 15:41 - 000000642 _____ C:\Users\Bernadette\Documents\test document.html.HRM
2018-04-08 12:53 - 2016-07-19 12:52 - 066329755 _____ C:\Users\Bernadette\Downloads\Something Like Kites - Time Is Valuable.zip.HRM
2018-04-08 12:53 - 2016-07-15 18:03 - 000000000 ____D C:\Users\Bernadette\Documents\AdobeStockPhotos
2018-04-08 12:53 - 2016-07-15 07:37 - 000000000 ____D C:\Users\Bernadette\Documents\BitLord
2018-04-08 12:53 - 2016-06-09 16:18 - 000000000 ____D C:\Users\Bernadette\Documents\Freemake
2018-04-08 12:53 - 2016-06-05 15:26 - 000081586 _____ C:\Users\Bernadette\Documents\Untitled (4).wma.HRM
2018-04-08 12:53 - 2016-05-30 20:53 - 000000000 ___RD C:\Users\Bernadette\Documents\Notes
2018-04-08 12:53 - 2016-05-30 20:39 - 000077106 _____ C:\Users\Bernadette\Documents\Untitled (3).wma.HRM
2018-04-08 12:53 - 2016-05-30 20:38 - 000122002 _____ C:\Users\Bernadette\Documents\Untitled (2).wma.HRM
2018-04-08 12:53 - 2016-05-30 20:36 - 000113026 _____ C:\Users\Bernadette\Documents\Untitled.wma.HRM
2018-04-08 12:53 - 2016-01-07 00:09 - 000082930 _____ C:\Users\Bernadette\Downloads\CYFsWM4WQAAHJsh.jpg-large.HRM
2018-04-08 12:53 - 2015-08-12 07:29 - 010145851 _____ C:\Users\Bernadette\Downloads\Duran Duran -  Paper Gods _AUDIO_.mp3.HRM
2018-04-08 12:53 - 2015-07-21 09:42 - 001394450 _____ C:\Users\Bernadette\Downloads\pink_floyd-learning_to_fly_v2.mp3.HRM
2018-04-08 12:53 - 2015-07-16 12:51 - 000007458 _____ C:\Users\Bernadette\Downloads\11249699_10155848798005088_3071978181660926980_n.jpg.HRM
2018-04-08 12:52 - 2018-01-10 12:58 - 000000370 _____ C:\Users\Bernadette\Desktop\Submission address.txt.HRM
2018-04-08 12:52 - 2015-09-08 00:59 - 003775266 _____ C:\Users\Bernadette\Desktop\Thumbs.db.HRM
2018-04-08 12:52 - 2015-09-05 19:13 - 000000000 ____D C:\Users\Bernadette\Desktop\Rock fm music part 1
2018-04-08 12:39 - 2017-10-25 22:20 - 000000000 ____D C:\FRST
2018-04-08 12:33 - 2016-11-06 19:48 - 000000000 ____D C:\Users\Bernadette\Desktop\Playlists
2018-04-08 12:32 - 2018-02-19 17:47 - 000000000 ____D C:\Users\Bernadette\Desktop\Final Coil radio drops
2018-04-08 12:32 - 2018-02-12 11:42 - 000007122 _____ C:\Users\Bernadette\Desktop\Olav thoughts to develop interview questions from.txt.HRM
2018-04-08 12:32 - 2018-01-06 19:42 - 000023490 _____ C:\Users\Bernadette\Desktop\Folder.jpg.HRM
2018-04-08 12:32 - 2017-10-20 21:10 - 000000000 ____D C:\Users\Bernadette\Desktop\Now Playing pics 280
2018-04-08 12:32 - 2017-06-26 09:43 - 000000000 ____D C:\Users\Bernadette\Desktop\Pic tags for Twitter
2018-04-08 12:32 - 2017-06-19 14:15 - 000000000 ____D C:\Users\Bernadette\Desktop\Dream Theater two
2018-04-08 12:32 - 2017-06-14 17:41 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Prog Alt Friday Twitter pics
2018-04-08 12:32 - 2017-06-13 16:58 - 000004274 _____ C:\Users\Bernadette\Desktop\Header for twitter tags.txt.HRM
2018-04-08 12:32 - 2017-06-12 19:29 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Indie Wed. Twitter tags
2018-04-08 12:32 - 2017-06-11 17:25 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Rock & Metal Monday tag promo pics
2018-04-08 12:32 - 2017-02-23 23:25 - 000001138 _____ C:\Users\Bernadette\Desktop\interview questions.txt.HRM
2018-04-08 12:32 - 2015-06-21 05:19 - 000000850 _____ C:\Users\Bernadette\Desktop\New Text Document.txt.HRM
2018-04-08 12:31 - 2017-06-14 17:41 - 000000000 ____D C:\Users\Bernadette\Desktop\Double Shot Indie Friday Twitter tags
2018-04-08 12:23 - 2009-07-14 00:34 - 000031280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2018-04-08 12:23 - 2009-07-14 00:34 - 000031280 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2018-04-08 12:12 - 2018-02-14 14:53 - 000014306 _____ C:\Users\Bernadette\Desktop\AlbumArt_{296EB473-E2D1-4970-9CC1-E88A908634EC}_Large.jpg.HRM
2018-04-08 12:12 - 2018-02-14 14:53 - 000003730 _____ C:\Users\Bernadette\Desktop\AlbumArt_{296EB473-E2D1-4970-9CC1-E88A908634EC}_Small.jpg.HRM
2018-04-08 12:12 - 2018-01-06 19:42 - 000039042 _____ C:\Users\Bernadette\Desktop\AlbumArt_{18BBE200-7A41-4581-8928-F9A4643DBC41}_Large.jpg.HRM
2018-04-08 12:12 - 2018-01-06 19:42 - 000008146 _____ C:\Users\Bernadette\Desktop\AlbumArt_{18BBE200-7A41-4581-8928-F9A4643DBC41}_Small.jpg.HRM
2018-04-08 12:12 - 2018-01-06 19:42 - 000004770 _____ C:\Users\Bernadette\Desktop\AlbumArtSmall.jpg.HRM
2018-04-08 12:12 - 2017-12-20 18:51 - 000001218 _____ C:\Users\Bernadette\bern.txt.HRM
2018-04-08 12:12 - 2017-02-05 09:42 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\vlc
2018-04-08 12:12 - 2016-08-31 09:16 - 000000000 ____D C:\Users\Bernadette\Desktop\Artist pics
2018-04-08 12:12 - 2015-10-11 12:37 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Wondershare
2018-04-08 12:12 - 2015-07-16 12:19 - 000000322 _____ C:\Users\Bernadette\AppData\Roaming\WB.CFG.HRM
2018-04-08 12:12 - 2015-06-19 11:47 - 000000000 ____D C:\Users\Bernadette
2018-04-08 12:11 - 2017-12-21 18:25 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\TeamViewer
2018-04-08 12:11 - 2016-12-24 10:50 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\streamWriter
2018-04-08 12:11 - 2016-05-21 17:28 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Skype
2018-04-08 12:11 - 2015-08-29 15:17 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Sun
2018-04-08 12:09 - 2017-12-27 16:17 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\InstallShield
2018-04-08 12:09 - 2017-12-09 04:19 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Trend Micro
2018-04-08 12:09 - 2017-10-25 17:17 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\AGData
2018-04-08 12:09 - 2017-05-24 18:46 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Adobe
2018-04-08 12:09 - 2017-05-09 16:54 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Dropbox
2018-04-08 12:09 - 2017-04-06 08:38 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\NCH Software
2018-04-08 12:09 - 2017-02-23 20:44 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\FastStone
2018-04-08 12:09 - 2016-12-13 22:46 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\LibreOffice
2018-04-08 12:09 - 2016-11-05 15:47 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\OpenOffice
2018-04-08 12:09 - 2016-07-15 08:34 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VS Revo Group
2018-04-08 12:09 - 2016-07-15 07:39 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\BitLord
2018-04-08 12:09 - 2015-12-20 00:05 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VMware
2018-04-08 12:09 - 2015-12-19 23:56 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Andy
2018-04-08 12:09 - 2015-10-24 19:43 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\dvdcss
2018-04-08 12:09 - 2015-10-21 14:35 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VirtualRouterPlus
2018-04-08 12:09 - 2015-10-11 12:37 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Wondershare
2018-04-08 12:09 - 2015-10-03 09:45 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Baidu
2018-04-08 12:09 - 2015-08-14 07:53 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Apple Computer
2018-04-08 12:09 - 2015-07-17 16:23 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Macromedia
2018-04-08 12:09 - 2015-07-17 15:29 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Oracle
2018-04-08 12:09 - 2015-07-17 15:20 - 000000000 ____D C:\Users\Bernadette\AppData\LocalLow\Sun
2018-04-08 12:09 - 2015-07-16 18:51 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Apple Computer
2018-04-08 12:09 - 2015-06-27 11:52 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Adobe
2018-04-08 12:09 - 2015-06-19 11:47 - 000000000 ____D C:\Users\Bernadette\AppData\Local\VirtualStore
2018-04-08 12:08 - 2017-12-21 18:27 - 000000000 ____D C:\Users\Bernadette\AppData\Local\TeamViewer
2018-04-08 12:08 - 2017-07-17 18:40 - 000000000 ____D C:\Users\Bernadette\AppData\Local\iTunes
2018-04-08 12:08 - 2017-05-09 16:49 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Dropbox
2018-04-08 12:08 - 2017-03-23 19:42 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Amazon
2018-04-08 12:08 - 2016-12-10 19:58 - 000000000 ____D C:\Users\Bernadette\AppData\Local\CrashRpt
2018-04-08 12:08 - 2016-09-29 17:40 - 000000000 ____D C:\Users\Bernadette\.fontconfig
2018-04-08 12:08 - 2016-09-29 17:39 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Movavi
2018-04-08 12:08 - 2016-09-29 17:39 - 000000000 ____D C:\Users\Bernadette\AppData\Local\converter
2018-04-08 12:08 - 2016-09-14 18:17 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Apps\2.0
2018-04-08 12:08 - 2016-07-31 06:09 - 000000000 ____D C:\Users\Bernadette\30 Below
2018-04-08 12:08 - 2016-07-15 07:39 - 000000000 ____D C:\Users\Bernadette\AppData\Local\BitLord
2018-04-08 12:08 - 2016-03-09 22:09 - 000000000 ____D C:\Users\Bernadette\AppData\Local\FacebookGames
2018-04-08 12:08 - 2016-03-09 22:09 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Facebook
2018-04-08 12:08 - 2015-12-19 23:57 - 000000000 ____D C:\Users\Bernadette\Andy
2018-04-08 12:08 - 2015-10-21 20:20 - 000000000 ____D C:\Users\Bernadette\AppData\Local\1BN_Software_&_IT_Solutio
2018-04-08 12:08 - 2015-10-21 20:14 - 000000000 ____D C:\Users\Bernadette\AppData\Local\1BN_(www.1bn.in)
2018-04-08 12:08 - 2015-10-17 07:56 - 000000000 ____D C:\Users\Bernadette\.android
2018-04-08 12:08 - 2015-08-29 15:17 - 000000000 ____D C:\Users\Bernadette\.oracle_jre_usage
2018-04-08 12:08 - 2015-08-27 07:57 - 000000000 ____D C:\Users\Bernadette\AppData\Local\CEF
2018-04-08 12:08 - 2015-07-18 14:31 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Macromedia
2018-04-08 12:08 - 2015-07-18 09:17 - 000000000 ____D C:\Users\Bernadette\AppData\Local\GWX
2018-04-08 12:08 - 2015-07-17 23:45 - 000007938 _____ C:\Users\Bernadette\AppData\Local\Resmon.ResmonCfg.HRM
2018-04-08 12:08 - 2015-07-16 23:00 - 000000322 _____ C:\Users\Bernadette\AppData\Local\housecall.guid.cache.HRM
2018-04-08 12:08 - 2015-07-16 21:43 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Adobe
2018-04-08 12:08 - 2015-07-16 18:51 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Apple Computer
2018-04-08 12:08 - 2015-07-16 18:35 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Apple
2018-04-08 12:08 - 2015-07-16 15:06 - 000000354 _____ C:\Users\Bernadette\AppData\Local\0197ae781343cb89915ac55c09d94c33.HRM
2018-04-08 12:08 - 2015-07-16 11:19 - 000000000 ____D C:\Users\Bernadette\AppData\Local\Google
2018-04-08 12:06 - 2016-12-10 21:13 - 000000000 ____D C:\Qoobox
2018-04-08 12:06 - 2015-09-30 05:54 - 000000498 _____ C:\setup.log.HRM
2018-04-08 12:05 - 2017-12-27 16:18 - 000000000 ____D C:\ProgramData\Ralink Driver
2018-04-08 12:05 - 2017-10-07 20:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-04-08 12:05 - 2017-09-13 18:06 - 000000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2018-04-08 12:05 - 2016-07-15 08:34 - 000000000 ____D C:\ProgramData\VS Revo Group
2018-04-08 12:05 - 2016-05-21 17:28 - 000000000 ____D C:\ProgramData\Skype
2018-04-08 12:05 - 2016-05-17 16:21 - 000000000 ____D C:\ProgramData\Trend Micro
2018-04-08 12:05 - 2015-12-19 23:58 - 000000000 ____D C:\ProgramData\VMware
2018-04-08 12:05 - 2015-10-21 14:45 - 000000000 ____D C:\ProgramData\Thinix
2018-04-08 12:05 - 2015-10-17 07:57 - 000000000 ____D C:\ProgramData\wondershare
2018-04-08 12:05 - 2015-06-27 06:10 - 000000000 ____D C:\ProgramData\Pure Networks
2018-04-08 12:04 - 2017-10-09 16:19 - 000000000 ____D C:\ProgramData\MB2Migration
2018-04-08 12:04 - 2017-06-23 19:35 - 000000000 ____D C:\ProgramData\PCDr
2018-04-08 12:04 - 2017-04-06 08:38 - 000000000 ____D C:\ProgramData\NCH Software
2018-04-08 12:04 - 2016-09-29 17:38 - 000000000 ____D C:\ProgramData\Movavi
2018-04-08 12:04 - 2016-04-16 19:45 - 000000000 ____D C:\ProgramData\McAfee
2018-04-08 12:04 - 2015-08-16 15:36 - 000000000 ____D C:\ProgramData\Package Cache
2018-04-08 12:04 - 2015-07-17 15:20 - 000000000 ____D C:\ProgramData\Oracle
2018-04-08 12:01 - 2016-12-11 00:06 - 000000000 ____D C:\ProgramData\HitmanPro
2018-04-08 12:00 - 2017-12-14 22:12 - 000000000 ____D C:\ProgramData\Intel
2018-04-08 12:00 - 2017-06-23 19:28 - 000000000 ____D C:\ProgramData\Dell
2018-04-08 12:00 - 2017-05-09 16:49 - 000000000 ____D C:\ProgramData\Dropbox
2018-04-08 12:00 - 2017-02-04 22:23 - 000000000 ____D C:\ProgramData\Avira
2018-04-08 12:00 - 2016-07-14 21:27 - 000000000 ____D C:\ProgramData\FLEXnet
2018-04-08 12:00 - 2016-07-14 21:22 - 000000000 ____D C:\ProgramData\Adobe
2018-04-08 12:00 - 2015-07-16 23:09 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-04-08 12:00 - 2015-07-16 18:50 - 000000000 ____D C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2018-04-08 12:00 - 2015-07-16 18:50 - 000000000 ____D C:\ProgramData\Apple Computer
2018-04-08 12:00 - 2015-07-16 18:35 - 000000000 ____D C:\ProgramData\Apple
2018-04-08 11:59 - 2016-07-15 08:34 - 000000000 ____D C:\Program Files\VS Revo Group
2018-04-08 11:59 - 2015-12-19 23:57 - 000000000 ____D C:\Program Files\VMware
2018-04-08 11:59 - 2015-10-17 07:56 - 000000000 ____D C:\Program Files\Wondershare
2018-04-08 11:59 - 2015-07-16 16:42 - 000000000 ____D C:\Program Files\WinRAR
2018-04-08 11:58 - 2017-12-27 16:17 - 000000000 ____D C:\Program Files\Ralink
2018-04-08 11:58 - 2017-12-21 18:25 - 000000000 ____D C:\Program Files\TeamViewer
2018-04-08 11:58 - 2017-12-09 04:20 - 000000000 ____D C:\Program Files\Trend Micro
2018-04-08 11:58 - 2017-04-06 08:38 - 000000000 ____D C:\Program Files\NCH Software
2018-04-08 11:58 - 2015-09-05 19:08 - 000000000 ____D C:\Program Files\MP3Gain
2018-04-08 11:58 - 2015-07-16 20:22 - 000000000 ____D C:\Program Files\VideoLAN
2018-04-08 11:57 - 2018-01-19 11:49 - 000000000 ____D C:\Program Files\Common Files\Java
2018-04-08 11:57 - 2017-12-27 16:17 - 000000000 ____D C:\Program Files\Cisco
2018-04-08 11:57 - 2017-10-09 16:19 - 000000000 ____D C:\Program Files\Malwarebytes
2018-04-08 11:57 - 2017-09-13 18:06 - 000000322 _____ C:\97C68FD56E45.HRM
2018-04-08 11:57 - 2017-08-28 22:35 - 000000000 ____D C:\Intel
2018-04-08 11:57 - 2017-08-28 22:33 - 000000000 ____D C:\Program Files\Common Files\InstallShield
2018-04-08 11:57 - 2017-08-28 22:32 - 000000000 ____D C:\dell
2018-04-08 11:57 - 2017-08-21 19:34 - 000000000 ____D C:\Program Files\IrfanView
2018-04-08 11:57 - 2017-06-23 19:34 - 000000000 ____D C:\Program Files\Dell
2018-04-08 11:57 - 2017-05-09 16:49 - 000000000 ____D C:\Program Files\Dropbox
2018-04-08 11:57 - 2017-04-26 12:36 - 000000000 ____D C:\Program Files\DiskInternals
2018-04-08 11:57 - 2017-02-04 22:23 - 000000000 ____D C:\Program Files\Avira
2018-04-08 11:57 - 2016-12-11 00:06 - 000000000 ____D C:\AdwCleaner
2018-04-08 11:57 - 2016-10-10 15:23 - 000000000 ____D C:\Program Files\iPod
2018-04-08 11:57 - 2016-07-15 14:51 - 000000000 ____D C:\Program Files\Adware Removal Tool by TSA
2018-04-08 11:57 - 2015-12-29 00:10 - 000000000 ____D C:\Program Files\Kodi
2018-04-08 11:57 - 2015-10-18 16:28 - 000000000 ____D C:\Program Files\Java
2018-04-08 11:57 - 2015-10-11 12:37 - 000000000 ____D C:\Program Files\Common Files\Wondershare
2018-04-08 11:57 - 2015-09-18 09:38 - 000000000 ____D C:\Program Files\iTunes
2018-04-08 11:57 - 2015-09-06 21:54 - 000000000 ____D C:\Program Files\Hewlett-Packard
2018-04-08 11:57 - 2015-07-18 09:43 - 000000000 ____D C:\LGMobileUpgrade
2018-04-08 11:57 - 2015-07-16 18:58 - 000000000 ___HD C:\Program Files\InstallShield Installation Information
2018-04-08 11:57 - 2015-07-16 16:44 - 000375666 _____ C:\PNQBE.HRM
2018-04-08 11:57 - 2015-06-27 11:52 - 000000000 ____D C:\Program Files\Common Files\Adobe
2018-04-08 11:57 - 2015-06-27 11:52 - 000000000 ____D C:\Program Files\Adobe
2018-04-08 11:57 - 2015-06-19 15:40 - 000008482 _____ C:\BOOTSECT.BAK.HRM
2018-04-08 11:57 - 2009-07-14 00:52 - 000000000 ____D C:\Program Files\DVD Maker
2018-04-08 11:57 - 2009-07-13 22:37 - 000000000 ____D C:\Program Files\Common Files\System
2018-04-08 11:57 - 2009-07-13 22:37 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2018-04-08 11:57 - 2009-07-13 22:37 - 000000000 ____D C:\PerfLogs
2018-04-08 11:54 - 2017-05-09 16:49 - 000000904 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2018-04-08 09:09 - 2010-11-20 17:01 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-04-08 09:09 - 2009-07-13 22:37 - 000000000 ____D C:\Windows\inf
2018-04-08 09:00 - 2017-05-09 16:49 - 000000900 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2018-04-08 09:00 - 2009-07-14 00:53 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-04-08 08:39 - 2017-05-09 17:09 - 000000000 ___RD C:\Users\Bernadette\Dropbox
2018-04-08 07:58 - 2009-07-13 22:04 - 000000215 _____ C:\Windows\system.ini
2018-04-08 07:51 - 2017-08-28 22:33 - 000000000 ____D C:\Windows\system32\RTCOM
2018-04-08 07:27 - 2017-08-28 22:33 - 000319456 _____ (Microsoft Corporation) C:\Windows\DIFxAPI.dll
2018-04-08 01:12 - 2016-12-10 21:13 - 000000000 ____D C:\Windows\erdnt
2018-04-08 01:12 - 2009-07-13 22:03 - 071303168 _____ C:\Windows\system32\config\SOFTWARE.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 017301504 _____ C:\Windows\system32\config\SYSTEM.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 001835008 _____ C:\Windows\system32\config\DEFAULT.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 000262144 _____ C:\Windows\system32\config\SECURITY.bak
2018-04-08 01:12 - 2009-07-13 22:03 - 000028672 _____ C:\Windows\system32\config\SAM.bak
2018-04-07 23:45 - 2015-07-16 15:00 - 000000000 ____D C:\Program Files\Windows Loader
2018-04-07 21:33 - 2016-05-30 19:34 - 000000000 ____D C:\Users\Bernadette\AppData\Local\CrashDumps
2018-04-07 16:35 - 2016-12-10 20:45 - 000000258 __RSH C:\Users\Bernadette\ntuser.pol
2018-04-07 15:51 - 2009-07-14 00:33 - 001857184 _____ C:\Windows\system32\FNTCACHE.DAT
2018-04-07 15:04 - 2016-01-31 15:39 - 000000000 ____D C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Vuze Leap
2018-04-05 12:19 - 2015-07-16 16:38 - 000000000 ____D C:\Windows\system32\appraiser
2018-03-31 20:29 - 2018-01-30 10:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite
2018-03-31 20:29 - 2017-04-06 08:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audio Related Programs
2018-03-27 06:17 - 2017-10-07 19:02 - 000000000 ____D C:\Program Files\Microsoft Office
2018-03-16 17:34 - 2017-12-21 18:25 - 000000930 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 13.lnk
2018-03-16 17:34 - 2017-12-21 18:25 - 000000918 _____ C:\Users\Public\Desktop\TeamViewer 13.lnk
2018-03-14 17:50 - 2017-10-07 20:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2018-03-14 17:06 - 2015-07-16 15:29 - 000000000 ____D C:\Windows\system32\MRT
2018-03-14 17:03 - 2017-10-11 17:13 - 127391104 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-03-14 17:03 - 2015-07-16 15:29 - 127391104 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-03-13 08:15 - 2015-07-17 16:22 - 000804352 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2018-03-13 08:15 - 2015-07-17 16:22 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2018-03-13 08:15 - 2015-07-17 16:22 - 000000000 ____D C:\Windows\system32\Macromed
 
==================== Files in the root of some directories =======
 
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ () C:\Program Files\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ () C:\Program Files\Common Files\DECRYPT_INFORMATION.html
30826-11-12 04:37 - 30826-11-12 04:37 - 000186368 ____N (Microsoft Corporation) C:\Program Files\Common Files\UkaehOr.exe
2018-04-08 12:09 - 2018-04-08 12:09 - 000009625 _____ () C:\Users\Bernadette\AppData\Roaming\DECRYPT_INFORMATION.html
2015-07-16 12:19 - 2018-04-08 12:12 - 000000322 _____ () C:\Users\Bernadette\AppData\Roaming\WB.CFG.HRM
2015-07-16 15:06 - 2018-04-08 12:08 - 000000354 _____ () C:\Users\Bernadette\AppData\Local\0197ae781343cb89915ac55c09d94c33.HRM
2018-04-08 12:08 - 2018-04-08 12:08 - 000009625 _____ () C:\Users\Bernadette\AppData\Local\DECRYPT_INFORMATION.html
2015-07-16 23:00 - 2018-04-08 12:08 - 000000322 _____ () C:\Users\Bernadette\AppData\Local\housecall.guid.cache.HRM
2015-07-17 23:45 - 2018-04-08 12:08 - 000007938 _____ () C:\Users\Bernadette\AppData\Local\Resmon.ResmonCfg.HRM
2017-10-02 17:36 - 2017-10-02 17:37 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{5FDD3239-5A96-4B00-95E9-06D0CA634EF0}
2017-10-06 17:17 - 2017-10-06 17:17 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{658E15DF-F511-4FCE-853E-305CD2AAC901}
2017-10-06 17:20 - 2017-10-06 17:20 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{A4E707B3-4AA4-4F40-94B2-D7BA5806E024}
2017-08-31 17:07 - 2017-08-31 17:07 - 000000000 ____N () C:\Users\Bernadette\AppData\Local\{FD302A62-D134-44D5-AC9B-F7E4EB9914CA}
 
Some files in TEMP:
====================
2018-04-08 11:56 - 2018-04-08 11:56 - 002603053 _____ (CompanyExpertChange                                         ) C:\Users\Bernadette\AppData\Local\temp\expertchange.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 


#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 08 April 2018 - 12:33 PM

Bernadette:

Thank you for your post and for permission to address you by your first name! :thumbup2:

Unfortunately, you copied the contents of the "FRST.txt" file into your response twice. :blush:

A file called "Addition.txt" should also be located on your desktop here: C:\Users\Bernadette\Desktop\Addition.txt

Please copy and paste the contents of that file into your next reply.

Unfortunately also, we are under an Environment Canada "Snowfall Warning" here in Cape Breton, expecting high winds and about 8 to 10 inches of snow between now and tomorrow AM. So I could be facing power interruptions and loss of Internet connectivity. Once the storm eases off tomorrow morning, then I have to clear my large rural property, so if there are some delays in my response times, I request your patience and understanding.

I might not get you an initial FRST "fixlist" script today, but I will start working on analyzing your "FRST.txt" log file right away.

Thank you and have a great day.

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#5 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 08 April 2018 - 02:03 PM

Bernadette:

I am still awaiting the content of the "Addition.txt" file.

In reviewing your "FRST.txt" scan log file, I have concluded that your computer is infected with HERMES ransomware, among other less serious malware. See this link for more information about HERMES ransomware.

Sorry to be the bearer of bad news. :(

Do you have any backups?

Do you intend to pay the ransom to the ransomware criminals? This is not recommended here at Bleeping Computer, but it is YOUR choice because it is YOUR data.

Once again, I am very sorry about your situation. I can "nuke" the ransomware program files, but IF your files are encrypted by the newer variant of the HERMES ransomware, your encrypted files cannot be decrypted, at this time, without the decryption key being provided by the criminals.

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
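
Phil's conclusion above is read straight off the FRST listing: many user files in different folders carry one new suffix (.HRM) on top of their original extension, the same DECRYPT_INFORMATION.html note sits in several directories at the same size, and one executable in Common Files carries a timestamp that cannot be real. The script below is an added example for this thread (my code, not FRST's and not part of the helper's fixlist) that parses lines of the listing's shape and scores those three indicators; the sample lines are constructed to mirror the log, with a placeholder user name and executable name.

```python
"""Triage an FRST 'modified files' listing for ransomware indicators.

Added example for this thread; not FRST's code and not the helper's fixlist.
Field layout follows the listing quoted above:
  <modified> - <created> - <size> <attrs> [(Company)] <path>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<mod>\d{4,5}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<cre>\d{4,5}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
RANSOM_NOTE = "decrypt_information.html"  # note file name that appears in the log above

# Constructed sample mirroring the listing's shape; "victim" and the dropper name are placeholders.
SAMPLE_LOG = r"""
==================== One Month Modified files and folders ========

2018-04-08 12:53 - 2018-02-03 19:49 - 000001282 _____ C:\Users\victim\Desktop\Weekly Notes.txt.HRM
2018-04-08 12:53 - 2017-09-13 16:22 - 000000000 ___RD C:\Users\victim\Documents\Scanned Documents
2018-04-08 12:53 - 2016-12-13 23:14 - 000024466 _____ C:\Users\victim\Documents\Logfile.odt.HRM
2018-04-08 12:53 - 2016-07-23 20:56 - 006354126 _____ C:\Users\victim\Downloads\song.mp3.HRM
2018-04-08 12:53 - 2016-07-19 12:52 - 066329755 _____ C:\Users\victim\Downloads\album.zip.HRM
2018-04-08 12:52 - 2015-09-08 00:59 - 003775266 _____ C:\Users\victim\Desktop\Thumbs.db.HRM
2018-04-08 12:32 - 2018-01-06 19:42 - 000023490 _____ C:\Users\victim\Desktop\Folder.jpg.HRM
2018-04-08 09:09 - 2010-11-20 17:01 - 000781790 _____ C:\Windows\system32\PerfStringBackup.INI
2018-03-13 08:15 - 2015-07-17 16:22 - 000804352 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

==================== Files in the root of some directories =======

2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ () C:\Program Files\DECRYPT_INFORMATION.html
2018-04-08 11:57 - 2018-04-08 11:57 - 000009625 _____ () C:\Program Files\Common Files\DECRYPT_INFORMATION.html
30826-11-12 04:37 - 30826-11-12 04:37 - 000186368 ____N (Microsoft Corporation) C:\Program Files\Common Files\PLACEHOLDER_dropper.exe
2018-04-08 12:09 - 2018-04-08 12:09 - 000009625 _____ () C:\Users\victim\AppData\Roaming\DECRYPT_INFORMATION.html
"""


def parse_line(line):
    """Return the fields of one FRST file entry, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    entry["is_dir"] = "D" in entry["attrs"]          # FRST marks directories with D
    entry["dir"], _, entry["name"] = entry["path"].rpartition("\\")
    return entry


def valid_timestamp(stamp):
    """FRST prints YYYY-MM-DD HH:MM; a stamp that does not parse cannot be a real file time."""
    try:
        datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        return True
    except ValueError:
        return False


def triage(lines, min_hits=5):
    """Score the listing on three indicators and return the findings."""
    files = [e for e in map(parse_line, lines) if e and not e["is_dir"]]

    # 1. One new suffix appended over many different original extensions
    #    ("notes.txt.HRM", "album.zip.HRM"): the hallmark of a file encryptor.
    hits, inner = Counter(), defaultdict(set)
    for e in files:
        parts = e["name"].lower().split(".")
        if len(parts) >= 3:
            hits[parts[-1]] += 1
            inner[parts[-1]].add(parts[-2])
    appended = [
        {"suffix": s, "files": n, "original_extensions": sorted(inner[s])}
        for s, n in hits.most_common() if n >= min_hits and len(inner[s]) >= 3
    ]

    # 2. The same ransom note dropped, byte-identical, into several directories.
    notes = [e for e in files if e["name"].lower() == RANSOM_NOTE]
    note_dirs = sorted({e["dir"] for e in notes})

    # 3. Binaries whose timestamps cannot be real (timestomped or a corrupt header).
    bad_stamps = [
        e["path"] for e in files
        if e["name"].lower().endswith((".exe", ".dll", ".sys"))
        and not (valid_timestamp(e["mod"]) and valid_timestamp(e["cre"]))
    ]

    return {
        "appended_extensions": appended,
        "ransom_note_dirs": note_dirs,
        "ransom_note_single_size": bool(notes) and len({e["size"] for e in notes}) == 1,
        "implausible_timestamp_binaries": bad_stamps,
        "likely_ransomware": bool(appended) and len(note_dirs) >= 2,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG.splitlines()), indent=2))
```

Pointing it at a real FRST.txt means feeding the file's lines to triage(); it only flags patterns and never moves or deletes anything, so it is a reading aid before any fixlist is written.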


#6 barterb

barterb
  • Topic Starter

  • Members
  • 3 posts
  • Gender:Female
  • Location:Ontario Canada

Posted 08 April 2018 - 03:23 PM

Sorry about that... here is the other file created, and no, I don't have any backups... I think I'm gonna cry  :(

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 14.03.2018
Ran by Bernadette (08-04-2018 12:54:42)
Running from C:\Users\Bernadette\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) (2015-06-19 15:47:24)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3557944169-877454972-121373122-500 - Administrator - Disabled)
Bernadette (S-1-5-21-3557944169-877454972-121373122-1000 - Administrator - Enabled) => C:\Users\Bernadette
Guest (S-1-5-21-3557944169-877454972-121373122-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-3557944169-877454972-121373122-1024 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 29 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 29.0.0.113 - Adobe Systems Incorporated)
Adobe Flash Player 29 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 29.0.0.113 - Adobe Systems Incorporated)
Adobe Flash Player 29 PPAPI (HKLM\...\Adobe Flash Player PPAPI) (Version: 29.0.0.113 - Adobe Systems Incorporated)
Amazon Kindle (HKU\S-1-5-21-3557944169-877454972-121373122-1000\...\Amazon Kindle) (Version: 1.19.3.46099 - Amazon)
AVS Audio Editor 8.4.4 (HKLM\...\AVS Audio Editor_is1) (Version: 8.4.4.521 - Online Media Technologies Ltd.)
BitTorrent (HKU\S-1-5-21-3557944169-877454972-121373122-1000\...\BitTorrent) (Version: 7.10.3.44359 - BitTorrent Inc.)
Cisco EAP-FAST Module (HKLM\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Dropbox (HKLM\...\Dropbox) (Version: 46.4.65 - Dropbox, Inc.)
Dropbox Update Helper (HKLM\...\{099218A5-A723-43DC-8DB5-6173656A1E94}) (Version: 1.3.65.1 - Dropbox, Inc.) Hidden
ExpertChange 1.21 (HKLM\...\ExpertChange 1.21) (Version: 1.21 - CompanyExpertChange)
FileASSASSIN (HKLM\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Google Chrome (HKLM\...\Google Chrome) (Version: 65.0.3325.181 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.20.286 - SurfRight B.V.)
HitmanPro 3.8 (HKLM\...\HitmanPro38) (Version: 3.8.0.292 - SurfRight B.V.)
HouseCall for Home Networks (HKLM\...\DRScanner) (Version: 5.0.1066 - Trend Micro Inc.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
IrfanView 4.44 (32-bit) (HKLM\...\IrfanView) (Version: 4.44 - Irfan Skiljan)
Java 8 Update 161 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180161F0}) (Version: 8.0.1610.12 - Oracle Corporation)
Malwarebytes version 3.2.2.2029 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2029 - Malwarebytes)
Microsoft .NET Framework 4.7.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02558 - Microsoft Corporation)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProplusRetail - en-us) (Version: 16.0.9126.2116 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50907.0 - Microsoft Corporation)
Microsoft Visio Professional 2016 - en-us (HKLM\...\VisioProRetail - en-us) (Version: 16.0.9126.2116 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM\...\{CA8A885F-E95B-3FC6-BB91-F4D9377C7686}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.9126.2116 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-0000-0000000FF1CE}) (Version: 16.0.9126.2116 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.9126.2116 - Microsoft Corporation) Hidden
Ralink RT2870 Wireless LAN Card (HKLM\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.31.3 - Ralink)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version:  - )
Speccy (HKLM\...\Speccy) (Version: 1.31 - Piriform)
Switch Sound File Converter (HKLM\...\Switch) (Version: 5.36 - NCH Software)
TeamViewer 13 (HKLM\...\TeamViewer) (Version: 13.1.1548 - TeamViewer)
VideoPad Video Editor (HKLM\...\VideoPad) (Version: 6.01 - NCH Software)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WavePad Sound Editor (HKLM\...\WavePad) (Version: 8.02 - NCH Software)
WinRAR 5.21 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)
Wondershare Filmora(Build 7.8.9) (HKLM\...\Wondershare Filmora_is1) (Version:  - Wondershare Software)
Wondershare Helper Compact 2.5.3 (HKLM\...\{5363CE84-5F09-48A1-8B6C-6BB590FFEDF2}_is1) (Version: 2.5.3 - Wondershare)
Wondershare Video Converter Ultimate(Build 10.2.3.163) (HKLM\...\Video Converter Ultimate_is1) (Version: 10.2.3.163 - Wondershare Software)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.33.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7010.0912\FileCoAuthLib.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7101.1018\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.30.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.31.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7101.1018\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7101.1018\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.33.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.32.7\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ContextMenuHandlers1: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ContextMenuHandlers1: [ShellConverter] -> {30A4E07E-068A-4d91-8F05-691283A1336B} => C:\Program Files\Common Files\AVSMedia\ActiveX\AVSShellConverter.dll [2017-12-18] (Online Media Technologies Ltd.)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-02-16] (Alexander Roshal)
ContextMenuHandlers1: [_Movavivc11] -> {1C604495-4D32-476e-8D7E-FBF50F6C80BF} => C:\Program Files\Movavi Video Converter 16\vcContext\vcContext.dll -> No File
ContextMenuHandlers3: [FAExt] -> {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} => C:\Program Files\FileASSASSIN\FileASSASSINExt.dll [2007-03-30] (Malwarebytes)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-30] (Malwarebytes)
ContextMenuHandlers4: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ContextMenuHandlers5: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Program Files\Dropbox\Client\DropboxExt.19.0.dll [2018-03-28] (Dropbox, Inc.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2009-09-23] (Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-30] (Malwarebytes)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2015-02-16] (Alexander Roshal)
ContextMenuHandlers6: [_Movavivc11] -> {1C604495-4D32-476e-8D7E-FBF50F6C80BF} => C:\Program Files\Movavi Video Converter 16\vcContext\vcContext.dll -> No File
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {07E6FAAC-FC68-4315-B5DB-03977B924918} - System32\Tasks\Saraping dissuaderaping dissuade => C:\Program Files\Berjaya\ala.exe
Task: {0B332C76-391E-4A5A-AA2B-21BDC8A695B3} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files\Dropbox\Update\DropboxUpdate.exe [2017-05-09] (Dropbox, Inc.)
Task: {0E8ED9D2-101C-4DB3-A956-4CEF28ECCB45} - System32\Tasks\sap => C:\Program Files\Myna\Thaw.exe
Task: {103B344B-F0E5-4799-8614-89DACACE7AC2} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files\Dropbox\Update\DropboxUpdate.exe [2017-05-09] (Dropbox, Inc.)
Task: {13313023-2A38-4B25-9A87-599E6E99E6C3} - System32\Tasks\eda_deport => C:\Users\Bernadette\AppData\Local\ala.exe
Task: {1C8D7985-D0F4-4857-AB7D-C7A382055843} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-03-27] (Microsoft Corporation)
Task: {1D373090-EBC5-4D3B-9380-BEE03DBD15B4} - System32\Tasks\Saeda_deporteda_deport => C:\Users\Bernadette\AppData\Local\ala.exe
Task: {1E847DBA-94A3-4377-BC42-EA22D29A1FA5} - System32\Tasks\shortchanges_colorful => C:\Program Files\Berjaya\Thaw.exe
Task: {21F7C797-55A2-48C8-AA3F-FD950D23EF88} - System32\Tasks\{B514A695-882D-4D04-A739-A1A1B40E4C49} => C:\Program Files\REALTEK\USB Wireless LAN Utility\ReStart.exe
Task: {25B1D005-300C-4F88-9B51-2C7B71CDC9A1} - System32\Tasks\{4B8D05F7-2389-4B64-9160-F0591FB76617} => C:\Windows\system32\pcalua.exe -a C:\Users\Bernadette\Desktop\B2CAppSetup.exe -d C:\Users\Bernadette\Desktop
Task: {2AEA3048-C5D7-4237-9C92-2ED916C66648} - System32\Tasks\hotivitnetoiqe => "C:\Program Files\Google\Chrome\Application\chrome.exe" hotivit.net/oiqe <==== ATTENTION
Task: {33495DE2-36A6-445F-8F6B-95B3B12C7A5D} - System32\Tasks\Adobe Flash Player NPAPI Notifier => C:\Windows\system32\Macromed\Flash\FlashUtil32_29_0_0_113_Plugin.exe [2018-03-13] (Adobe Systems Incorporated)
Task: {3D2AFD1F-5D8E-4B53-9CD5-54C29AC79B7C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2018-04-07] (Google Inc.)
Task: {4246BE9D-EDD7-41BB-A99F-4C7FA6C522D6} - System32\Tasks\Samast-eamonnmast-eamonn => C:\Program Files\hai\ala.exe
Task: {47E1B75E-279D-40DC-8953-969DE3B14E6B} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-03-24] (Microsoft Corporation)
Task: {4BC0F6B6-B639-4167-A3DF-C2CA25882CBF} - System32\Tasks\raping dissuade => C:\Program Files\Berjaya\ala.exe
Task: {5E8C8B4D-1A56-458A-AD68-6D31853860D2} - System32\Tasks\mast-eamonn => C:\Program Files\hai\ala.exe
Task: {6632E273-CBA1-44A4-8BEA-BC39E6DD483A} - System32\Tasks\DRScanner Startup => C:\Program Files\Trend Micro\DRScanner\DRScanner.exe [2018-03-20] (Trend Micro Inc.)
Task: {674C1AE2-2159-4E03-BF6C-7B1A95AA9DEA} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2018-03-24] (Microsoft Corporation)
Task: {69F27B5F-0B5A-4F05-8B0A-50BA12217CD3} - System32\Tasks\{1CA02130-D283-4F40-BCAF-0B3DED55B598} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\REALTEK\USB Wireless LAN Utility\UserCom.exe" -d "C:\Program Files\REALTEK\USB Wireless LAN Utility"
Task: {78075066-2F8F-4459-AB09-DBA406EE2267} - System32\Tasks\AdobeGCInvoker-1.0-Bernadette-PC-Bernadette => C:\Program Files\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2018-01-05] (Adobe Systems, Incorporated)
Task: {986A1513-6276-4E03-A82F-E2ACF4EC9477} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-27] (Microsoft Corporation)
Task: {A20E0CA0-D796-4367-B3E3-A333C9FC09DA} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files\Microsoft Office\root\Office16\msoia.exe [2018-03-27] (Microsoft Corporation)
Task: {A9413562-DBA5-4FB2-8018-F910918FD1BD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2018-04-07] (Google Inc.)
Task: {ACFDFDA2-5B85-44FC-A43C-929D1BED8FA2} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2018-03-13] (Adobe Systems Incorporated)
Task: {AE1EF26F-545E-4767-BFD2-72DEAE33DCF5} - System32\Tasks\{4FB65CC8-BB7A-4454-930E-5230E4CC39C9} => C:\Program Files\REALTEK\USB Wireless LAN Utility\ReStart.exe
Task: {BEF8F78C-A778-47F0-9136-88AEF79A6DDA} - System32\Tasks\Sashortchanges_colorfulshortchanges_colorful => C:\Program Files\Berjaya\Thaw.exe
Task: {C227C1A5-8044-4348-A484-7D8EAE98CD2D} - System32\Tasks\Satryouts busy chimneytryouts busy chimney => C:\Users\Bernadette\AppData\Local\Thaw.exe
Task: {D7C6DD22-29EB-4A19-A417-F72D734CDB3E} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2018-03-27] (Microsoft Corporation)
Task: {DCFF01C7-7814-43F8-9C54-26AF74D03203} - System32\Tasks\Sasapsap => C:\Program Files\Myna\Thaw.exe
Task: {E6342B84-17BF-48F1-8C90-6678822467E7} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\system32\Macromed\Flash\FlashUtil32_29_0_0_113_pepper.exe [2018-03-13] (Adobe Systems Incorporated)
Task: {E66A7019-6CE3-4B1C-AB0B-76859D2137CC} - System32\Tasks\tryouts busy chimney => C:\Users\Bernadette\AppData\Local\Thaw.exe
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files\Dropbox\Update\DropboxUpdate.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Users\Bernadette\Favorites\NCH Software Download Site.lnk -> hxxp://www.nch.com.au/index.htm
 
ShortcutWithArgument: C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Rock-FM - DJ ZONE (1).lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=ikkppoppjoabpifheegngaedodlnhlcn --disable-http2
ShortcutWithArgument: C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Rock-FM - DJ ZONE (2).lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=ikkppoppjoabpifheegngaedodlnhlcn --disable-http2
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-03-26 14:19 - 2017-03-23 09:49 - 001506304 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
2018-03-26 14:19 - 2016-07-21 10:54 - 000137728 _____ () C:\Program Files\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2017-12-27 16:18 - 2013-09-23 17:48 - 001210672 _____ () C:\Program Files\Ralink\Common\RaWLAPI.dll
2018-04-07 20:32 - 2018-03-20 02:07 - 002253144 _____ () C:\Program Files\Google\Chrome\Application\65.0.3325.181\swiftshader\libglesv2.dll
2018-04-07 20:32 - 2018-03-20 02:07 - 000108888 _____ () C:\Program Files\Google\Chrome\Application\65.0.3325.181\swiftshader\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-3557944169-877454972-121373122-1000\...\dell.com -> dell.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:04 - 2018-04-08 07:58 - 000000027 _____ C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3557944169-877454972-121373122-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Bernadette\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: ) (ConsentPromptBehaviorUser: ) (EnableLUA: )
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [WMP-In-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-TCP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [{E926E57D-011D-4F63-BCC5-FFCFDC28D091}] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [{CE504808-152F-4073-8BB9-0F8E7C4D30C6}] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [{AB3FBA72-52C3-4476-9A38-230DBE05659B}] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{BD4EC77D-BF80-4694-B932-6B58D9F57CDF}] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{758966B5-74D3-4404-A24D-6820EF0D58A9}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
FirewallRules: [{5CCAB7D2-E9B8-4B90-B4D5-D814FF3FD8C4}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
FirewallRules: [{0C54895B-AE41-42D0-A3E0-FEBDD8F8D98C}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
FirewallRules: [{9CDF23F6-0845-4706-81D8-DE2FBC06D6A1}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
FirewallRules: [{4A5A4EEB-CA05-4504-A421-A833B620BEEB}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [TCP Query User{F65A4093-DD88-4B00-AC82-62464674D2E7}C:\program files\lg electronics\lg pc suite\smartsharera.exe] => (Allow) C:\program files\lg electronics\lg pc suite\smartsharera.exe
FirewallRules: [UDP Query User{1392BC5A-9E04-4E3E-863D-27BD880915B5}C:\program files\lg electronics\lg pc suite\smartsharera.exe] => (Allow) C:\program files\lg electronics\lg pc suite\smartsharera.exe
FirewallRules: [{AA4FD9FB-812D-4612-9FAC-877A112CD196}] => (Allow) C:\Program Files\Google\Google Talk\googletalk.exe
FirewallRules: [{2FB1E568-D8A2-4A85-8D2F-026A475AF61E}] => (Allow) C:\Program Files\Google\Google Talk\googletalk.exe
FirewallRules: [TCP Query User{8A5B7448-C1D2-4854-99B3-A39B168408D3}C:\users\bernadette\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\bernadette\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{80969522-C756-414B-8E2C-04A43F521E09}C:\users\bernadette\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\bernadette\appdata\roaming\spotify\spotify.exe
FirewallRules: [{7F6130BD-C439-4F7A-8D29-61BD08EB22F7}] => (Allow) C:\Program Files\Thinix\Thinix WiFi Hotspot\ThinixWiFiHotspot.exe
FirewallRules: [{3607BFD1-CE80-4A7D-9826-2432535FF33E}] => (Allow) C:\Program Files\Thinix\Thinix WiFi Hotspot\ThinixWiFiHotspot.exe
FirewallRules: [{0746EED5-518F-4684-8DCE-C8F8F6098F58}] => (Allow) C:\Program Files\mHotspot\mHotspot.exe
FirewallRules: [{3E158BF4-84C9-4112-9FC9-9A841E7370B4}] => (Allow) C:\Program Files\mHotspot\mHotspot.exe
FirewallRules: [{785E8F11-8EA4-4948-A964-42816616BBD8}] => (Allow) C:\Program Files\Andy\andy.exe
FirewallRules: [{AE47B741-F949-4716-A3B2-4816BB721D0A}] => (Allow) C:\Program Files\Andy\andy.exe
FirewallRules: [{8C45DBE2-3DD2-4F72-A836-5655881E25F9}] => (Allow) C:\Program Files\Andy\HandyAndy.exe
FirewallRules: [{CB478E80-BB42-466A-BE41-B486741AABA2}] => (Allow) C:\Program Files\Andy\HandyAndy.exe
FirewallRules: [{08CD1CBC-400D-4D5E-A52B-512F477BC784}] => (Allow) C:\Users\Bernadette\AppData\Roaming\Andy\Setup.exe
FirewallRules: [{4D1AFE78-F8D7-4955-981D-11FAAD1F7939}] => (Allow) C:\Users\Bernadette\AppData\Roaming\Andy\Setup.exe
FirewallRules: [TCP Query User{6FB65D75-F020-4D99-9A0E-5206F354D8BC}C:\program files\kodi\kodi.exe] => (Allow) C:\program files\kodi\kodi.exe
FirewallRules: [UDP Query User{137564A8-8607-47A3-9053-846B91225862}C:\program files\kodi\kodi.exe] => (Allow) C:\program files\kodi\kodi.exe
FirewallRules: [{D90D10FB-D4C8-4FAE-8532-D1351445B15F}] => (Allow) C:\Users\Bernadette\AppData\Roaming\Vuze Leap\VuzeLeap.exe
FirewallRules: [{3DF88919-CA9D-42D5-987C-05F8BDC9E3FB}] => (Allow) C:\Users\Bernadette\AppData\Roaming\Vuze Leap\VuzeLeap.exe
FirewallRules: [{8518D2F9-7ED6-4AE4-B47A-8DFFC3CD207D}] => (Allow) C:\Users\Bernadette\AppData\Roaming\Vuze Leap\VuzeLeap.exe
FirewallRules: [{A5661BE1-3279-4404-9288-3341482A7D1B}] => (Allow) C:\Users\Bernadette\AppData\Roaming\Vuze Leap\VuzeLeap.exe
FirewallRules: [{A6C6AA56-CE18-4D03-B53A-EFC4901A98EC}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{0F325137-1EB7-4137-9B5A-20A1D38ABB87}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{1AA30944-FEB8-4EC6-94AB-468858F47851}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{8BF6B378-3A73-470F-8B80-B386A5FE51E7}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{250834D6-A0C0-4672-966A-382A8914D486}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{EFAD3D4F-2002-471F-982B-6B3386113977}] => (Allow) C:\Program Files\Dropbox\Client\Dropbox.exe
FirewallRules: [{7B441A86-56F1-4851-BDD2-BE6BD2200B9C}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
FirewallRules: [{00F51145-311B-4AFF-A86E-BFBC73980D6B}] => (Allow) C:\PROGRA~1\REALTEK\USBWIR~1\RtWlan.exe
FirewallRules: [{3DE561ED-AF99-4DBF-8CA3-045395D9CF28}] => (Allow) LPort=1542
FirewallRules: [{9F9FCACA-2CF5-459C-B3DC-4A1618713F01}] => (Allow) LPort=1542
FirewallRules: [{B83069BE-922F-49B6-AD4E-65AC2BAF83B4}] => (Allow) LPort=53
FirewallRules: [{9B62F5F0-C028-40BA-A463-A2060142F026}] => (Allow) LPort=67
FirewallRules: [{67A07F2C-A755-4CEC-A974-5FDAEF47B415}] => (Allow) LPort=68
FirewallRules: [{1EDBB11B-2D6E-4DB4-8D05-7D0DE888A3DC}] => (Allow) LPort=53
FirewallRules: [{68498DC1-BF3C-4F12-8CED-5BDB14804BBE}] => (Allow) LPort=53
FirewallRules: [{122F97FA-8940-41D6-9B97-7EE7C53B328A}] => (Allow) C:\Program Files\REALTEK\USB Wireless LAN Utility\Rtldhcp.exe
FirewallRules: [{1CEFEDF4-9C10-4678-9C0A-16C7982B5DA0}] => (Allow) C:\Users\Bernadette\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{ED9F0407-DB1E-484C-801F-D0FCDD021A6F}] => (Allow) C:\Users\Bernadette\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{A49CDEFD-94F9-4ED9-A289-DDB3AD7588C9}] => (Allow) C:\Users\Bernadette\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{3E3EF79A-8136-4121-96F3-53E71985FCDD}] => (Allow) C:\Users\Bernadette\AppData\Roaming\BitTorrent\BitTorrent.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/08/2018 12:58:21 PM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{ce41abdb-16b2-11e5-bd56-806e6f6e6963} - 0000011C,0x00530024,00000000,0,00C91048,4096,[0]).  hr = 0x80070001, Incorrect function.
.
 
 
Operation:
   Changing diff-area maximum size
 
Context:
   Volume Name: d:\
   Diff-area volume: d:\
   Diff-area maximum size: 18446744073709551615
 
Error: (04/08/2018 12:58:21 PM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{ce41abdb-16b2-11e5-bd56-806e6f6e6963} - 0000011C,0x00530024,00000000,0,00C90048,4096,[0]).  hr = 0x80070001, Incorrect function.
.
 
Error: (04/08/2018 12:58:21 PM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{ce41abdb-16b2-11e5-bd56-806e6f6e6963} - 0000011C,0x00530024,00000000,0,00C90048,4096,[0]).  hr = 0x80070001, Incorrect function.
.
 
 
Operation:
   Changing diff-area maximum size
 
Context:
   Volume Name: d:\
   Diff-area volume: d:\
   Diff-area maximum size: 420478976
 
Error: (04/08/2018 12:58:21 PM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{ce41abdb-16b2-11e5-bd56-806e6f6e6963} - 0000011C,0x00530024,00000000,0,00C90048,4096,[0]).  hr = 0x80070001, Incorrect function.
.
 
Error: (04/08/2018 11:45:48 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FileASSASSIN.exe version 1.6.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: f8c
 
Start Time: 01d3cf5004c943e4
 
Termination Time: 53748
 
Application Path: C:\Program Files\FileASSASSIN\FileASSASSIN.exe
 
Report Id: be4197a9-3b43-11e8-ac15-001aa095c456
 
Error: (04/08/2018 11:36:06 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FileASSASSIN.exe version 1.6.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 404
 
Start Time: 01d3cf4eeb257fce
 
Termination Time: 10784
 
Application Path: C:\Program Files\FileASSASSIN\FileASSASSIN.exe
 
Report Id: 7c6118cf-3b42-11e8-ac15-001aa095c456
 
Error: (04/08/2018 10:16:49 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.exe version 6.1.7601.23537 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 1164
 
Start Time: 01d3cf43c83b6d5f
 
Termination Time: 24615
 
Application Path: C:\Windows\Explorer.exe
 
Report Id: 60748684-3b37-11e8-ac15-001aa095c456
 
Error: (04/08/2018 10:13:35 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7601.23537 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 640
 
Start Time: 01d3cf399983d7c7
 
Termination Time: 21139
 
Application Path: C:\Windows\Explorer.EXE
 
Report Id: ef47ebca-3b36-11e8-ac15-001aa095c456
 
 
System errors:
=============
Error: (04/08/2018 12:21:00 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 40.
 
Error: (04/08/2018 12:20:59 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.
 
Error: (04/08/2018 11:55:56 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (04/08/2018 11:48:54 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (04/08/2018 11:45:48 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (04/08/2018 11:45:46 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (04/08/2018 11:45:45 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
Error: (04/08/2018 11:45:43 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz
Percentage of memory in use: 60%
Total physical RAM: 3317.18 MB
Available physical RAM: 1295.73 MB
Total Virtual: 6632.68 MB
Available Virtual: 4649.14 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:465.76 GB) (Free:338.93 GB) NTFS ==>[drive with boot components (obtained from BCD)]
 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 2A2EB279)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ==========================


#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:04:39 PM

Posted 09 April 2018 - 01:22 PM

Bernadette:

Thank you for your patience while I analyzed your FRST logs.

Before we start dealing with the problems you are experiencing, I would ask that you take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I can only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools. Malware removal can cause unpredictable and unintended issues. Also, you should be aware that some of the tools and scripts that will be used will remove detected malware without notice.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post(s), unless otherwise instructed. Please do not use code or quote boxes.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started ...

.

:step1: Your computer has been the victim of a ransomware attack, most probably the HERMES ransomware. Please see this link for more information about this type of ransomware. The original version of this ransomware could be decrypted, but the new version is not decryptable, at this time, except by paying the criminals for a decryption key.

To confirm that the ransomware that attacked your computer is HERMES and which version it is, please upload a copy of a DECRYPT_INFORMATION.html ransom note file, and also a copy of an encrypted file with the extension: .HRM to the ID Ransomware website, which can be found at this link.
 

C:\Users\Bernadette\Documents\DECRYPT_INFORMATION.html
C:\Users\Bernadette\Desktop\DECRYPT_INFORMATION.html
C:\Users\Bernadette\AppData\Roaming\DECRYPT_INFORMATION.html
...
C:\Users\Bernadette\Desktop\prog alt friday last slide.jpg.HRM
C:\Users\Bernadette\Desktop\prog alt last slide.pub.HRM
C:\Users\Bernadette\Desktop\VE Project 1.wve.HRM


It is recommended that you DO NOT pay the ransomware payment demanded, but if you decide to do so, then DO NOT run the FRST "fixlist" script in Step :step5:. The reason is that the script will exterminate files that might be necessary for your files to be decrypted, assuming that you ever receive a decryption key from the criminals after paying them.

.

:step2: Your System Restore Point protection is disabled. If you did not disable it, then it is highly probable that this was done by the ransomware program. Please re-enable your System Restore Points.

  • Click the Start button, right-click Computer, and then click Properties.
  • In the left pane, click System Protection. An Administrator permission may be required. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Under Protection Settings, click the disk, and then click Configure.
  • Do one of the following:
  • To be able to restore system settings and previous versions of files, click Restore system settings and previous versions of files.
  • To be able to only restore previous versions of files, click Only restore previous versions of files.
  • Assign the amount of disk space you want to designate for System Restore Points (normally 5 percent or less).
  • Click OK, and then click OK again.

For more information, you can go to this website: https://helpdeskgeek.com/windows-7/windows-7-enable-system-restore/

.

:step3: In going over your logs I noticed that you have BitTorrent installed. Please consider the following advice to reduce the possibility of being infected when surfing the web.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, your computer will get infected again.
I would recommend that you uninstall BitTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

.

:step4: You have a program installed on your computer that I regard as possibly suspicious. If you are not aware of this program and/or did not install it, then you should uninstall it using the Control Panel, Programs, Uninstall a Program.
 

ExpertChange 1.21 (HKLM\...\ExpertChange 1.21) (Version: 1.21 - CompanyExpertChange)


If you know what this program is, and you intentionally installed it, then please leave it alone and please let me know what this program does. Thank you.

.

:step5: Please run a FRST fix for me, ONLY if you are NOT going to pay the ransom, because the script will "nuke" the ransomware program files that I have detected in your FRST scan logs.

NOTICE: This FRST "fixlist" script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.
 

Start::
CreateRestorePoint:
CloseProcesses:
VirusTotal: C:\Program Files\CompanyExpertChange\ExpertChange\laika.exe
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
CHR HomePage: Default -> inline.go.mail.ru
CHR DefaultSearchURL: Default -> hxxps://inline.go.mail.ru/search?inline_comp=dse&q={searchTerms}&fr=chxtn12.0.23
CHR DefaultSearchKeyword: Default -> inline.go.mail.ru
CHR DefaultSuggestURL: Default -> hxxp://suggests.go.mail.ru/chrome?q={searchTerms}
CHR Extension: (Rock-FM - DJ ZONE) - C:\Users\Bernadette\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkppoppjoabpifheegngaedodlnhlcn [2016-12-14]
CHR HKLM\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
S3 WsDrvInst; C:\Program Files\Wondershare\TunesGo\DriverInstall.exe [X]
S3 AndNetDiag; system32\DRIVERS\lgandnetdiag.sys [X]
S3 ANDNetModem; system32\DRIVERS\lgandnetmodem.sys [X]
S3 andnetndis; system32\DRIVERS\lgandnetndis.sys [X]
S3 catchme; \??\C:\Users\BERNAD~1\AppData\Local\Temp\catchme.sys [X]
S3 cpuz140; \??\C:\Users\BERNAD~1\AppData\Local\Temp\cpuz140\cpuz140_x32.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
Folder: C:\Program Files\CompanyExpertChange
2099-11-12 04:37 - 30826-11-12 04:37 - 000186368 ____N (Microsoft Corporation) C:\Program Files\Common Files\UkaehOr.exe
2099-11-12 04:37 - 30826-11-12 04:37 - 000073216 ____N (Microsoft Corporation) C:\Windows\oIoeafARb.exe
Folder: C:\ComboFix
File: C:\Users\Bernadette\Downloads\keygen.HRM
Folder: C:\Qoobox
30826-11-12 04:37 - 30826-11-12 04:37 - 000186368 ____N (Microsoft Corporation) C:\Program Files\Common Files\UkaehOr.exe
VirusTotal: C:\Users\Bernadette\AppData\Local\temp\expertchange.exe
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.33.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7010.0912\FileCoAuthLib.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7101.1018\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.30.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.31.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.28.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.28.13\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.29.5\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7101.1018\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Microsoft\OneDrive\17.3.7101.1018\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.33.3\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.32.7\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.29.1\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-3557944169-877454972-121373122-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Bernadette\AppData\Local\Google\Update\1.3.28.15\psuser.dll => No File
ContextMenuHandlers1: [_Movavivc11] -> {1C604495-4D32-476e-8D7E-FBF50F6C80BF} => C:\Program Files\Movavi Video Converter 16\vcContext\vcContext.dll -> No File
ContextMenuHandlers6: [_Movavivc11] -> {1C604495-4D32-476e-8D7E-FBF50F6C80BF} => C:\Program Files\Movavi Video Converter 16\vcContext\vcContext.dll -> No File
VirusTotal: C:\Program Files\Berjaya\ala.exe;C:\Program Files\Myna\Thaw.exe
Task: {2AEA3048-C5D7-4237-9C92-2ED916C66648} - System32\Tasks\hotivitnetoiqe => "C:\Program Files\Google\Chrome\Application\chrome.exe" hotivit.net/oiqe <==== ATTENTION
FirewallRules: [{758966B5-74D3-4404-A24D-6820EF0D58A9}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
FirewallRules: [{5CCAB7D2-E9B8-4B90-B4D5-D814FF3FD8C4}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
FirewallRules: [{0C54895B-AE41-42D0-A3E0-FEBDD8F8D98C}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
FirewallRules: [{9CDF23F6-0845-4706-81D8-DE2FBC06D6A1}] => (Allow) C:\ProgramData\DhmReu\socahen.exe
End::
  • Please highlight the entire contents of the code box above, from the "Start::" line to the "End::" line, including both of those lines, right click, and select "Copy", which will copy the "fix" script into the Windows clipboard.
  • Right click FRST.exe, and select "Run as Administrator".
  • Press Fix button once and wait.
  • Please reboot the computer, if requested.
  • A log file called "fixlog.txt" will be saved in the same folder as the FRST program is located.
  • Please copy and paste the contents of the "fixlog.txt" file into your next reply.

.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
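A triage helper for the findings Phil lists above, added here as an example; it is not part of his post, nor of FRST or any BleepingComputer tool. It inventories the DECRYPT_INFORMATION.html notes and .HRM files under the profile, picks one note and the smallest encrypted file to submit to ID Ransomware, and checks whether any restore points are on record; the $Root default and the use of Get-ComputerRestorePoint / Enable-ComputerRestore are my assumptions.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell on the
# affected Windows 7 machine, run from an elevated prompt. The note name
# and extension come from the post; $Root is an assumed default.
param(
    [string]$Root      = $env:USERPROFILE,
    [string]$NoteName  = "DECRYPT_INFORMATION.html",
    [string]$Extension = ".HRM"
)

# 1. Inventory ransom notes and encrypted files without opening any of them.
$all = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
       Where-Object { -not $_.PSIsContainer }
$notes     = @($all | Where-Object { $_.Name -ieq $NoteName })
$encrypted = @($all | Where-Object { $_.Extension -ieq $Extension })

"Ransom notes found : $($notes.Count)"
"Encrypted files    : $($encrypted.Count)"

# Directories hit hardest, useful when deciding what to restore from backup.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 2. Choose a sample pair for ID Ransomware: one note plus the smallest
#    encrypted file (small uploads identify the variant just as well).
if ($notes.Count -gt 0 -and $encrypted.Count -gt 0) {
    $note   = $notes[0]
    $sample = $encrypted | Sort-Object Length | Select-Object -First 1
    "Upload for identification:"
    "  note : $($note.FullName)"
    "  file : $($sample.FullName) ($($sample.Length) bytes)"
} else {
    "No note/encrypted-file pair found under $Root; widen -Root and rerun."
}

# 3. Step 2 of the post: ransomware commonly disables System Restore.
#    An empty list here is consistent with protection having been turned off.
try {
    $points = @(Get-ComputerRestorePoint -ErrorAction Stop)
    "System Restore points on record: $($points.Count)"
} catch {
    "Could not query restore points: $($_.Exception.Message)"
}
# To re-enable protection on the system drive from this same elevated prompt
# (equivalent to the Configure dialog in Step 2):
#   Enable-ComputerRestore -Drive "C:\"
```

Run it before the FRST fix, since the fixlist deletes the keygen.HRM sample and other files the inventory may pick up.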


#8 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 12 April 2018 - 06:33 AM

Bernadette:

 
Are you still there?  Do you still require assistance?  It has been three days since I last posted to you.
 
According to Forum policy, topics must be concluded after five days of non-response from the Topic Starter.
 
If I have not heard from you in another two days, I will conclude your topic.  You can always reopen it by sending a Personal Message to me or to a Moderator.
 
Thank you and have a great day.
 
Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#9 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,693 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 14 April 2018 - 11:45 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Member of the Unified Network of Instructors and Trusted Eliminators
