X (H) Key User Infection


13 replies to this topic

#1 fred04

Posted 12 June 2018 - 06:50 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06.06.2018 01
Ran by grand (administrator) on DESKTOP-GDI4K0I (12-06-2018 19:39:47)
Running from C:\Users\grand\Desktop
Loaded Profiles: grand (Available Profiles: grand)
Platform: Windows 10 Home Version 1803 17134.48 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\nortonsecurity.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\nortonsecurity.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\Speech_OneCore\common\SpeechRuntime.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.9330.20915.0_x64__8wekyb3d8bbwe\HxTsr.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(DearMob) C:\Program Files (x86)\DearMob\5KPlayer\5KPlayer.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\ScanToPCActivationApp.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\MicrosoftEdgeSH.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\DataExchangeHost.exe
(thinkorswim, Inc) C:\Program Files\thinkorswim\thinkorswim.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPNetworkCommunicator.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11804.1001.10.0_x64__8wekyb3d8bbwe\WinStore.App.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1805.1201.0_x64__8wekyb3d8bbwe\Calculator.exe
() C:\Program Files\WindowsApps\Microsoft.BingNews_4.24.11382.0_x64__8wekyb3d8bbwe\Microsoft.Msn.News.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-11] (Microsoft Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-12-10] (Realtek Semiconductor)
HKLM-x32\...\Run: [ZALFree] => C:\Program Files (x86)\Zemana AntiLogger Free\AntiLogger Free.exe [8980016 2015-11-05] (Zemana Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [588704 2018-03-28] (Oracle Corporation)
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-19\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-11] (Microsoft Corporation)
HKU\S-1-5-20\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-11] (Microsoft Corporation)
HKU\S-1-5-21-1505520954-2184210599-2817046693-1001\...\Run: [5KPlayer] => C:\Program Files (x86)\DearMob\5KPlayer\5KPlayer.exe [27831752 2018-02-06] (DearMob)
HKU\S-1-5-21-1505520954-2184210599-2817046693-1001\...\Run: [HP Photosmart Plus B210 series (NET)] => C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-1505520954-2184210599-2817046693-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [8887216 2018-04-18] (SUPERAntiSpyware)
AppInit_DLLs: C:\PROGRA~2\KEYCRY~1\KEYCRY~4.DLL => C:\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll [95712 2015-11-05] (Zemana Ltd.)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{2740dd2d-6396-4cc6-a676-6fb9345d18d6}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{8db418e7-12ca-4456-b341-9ffc5c5b0473}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKU\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE03&ocid=UE03DHP
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
SearchScopes: HKU\S-1-5-21-1505520954-2184210599-2817046693-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE04
SearchScopes: HKU\S-1-5-21-1505520954-2184210599-2817046693-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE04
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\coIEPlg.dll [2018-05-29] (Symantec Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine32\22.14.2.13\coIEPlg.dll [2018-05-29] (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssv.dll [2018-04-21] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2ssv.dll [2018-04-21] (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\coIEPlg.dll [2018-05-29] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine32\22.14.2.13\coIEPlg.dll [2018-05-29] (Symantec Corporation)
FireFox:
========
FF DefaultProfile: 96gbbjqr.default-1514727354943
FF ProfilePath: C:\Users\grand\AppData\Roaming\Mozilla\Firefox\Profiles\96gbbjqr.default-1514727354943 [2018-06-12]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_30_0_0_113.dll [2018-06-07] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_30_0_0_113.dll [2018-06-07] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.171.2 -> C:\Program Files (x86)\Java\jre1.8.0_171\bin\dtplugin\npDeployJava1.dll [2018-04-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.171.2 -> C:\Program Files (x86)\Java\jre1.8.0_171\bin\plugin2\npjp2.dll [2018-04-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin HKU\S-1-5-21-1505520954-2184210599-2817046693-1001: tdameritrade.com/thinkorswim -> C:\Program Files\thinkorswim\npthinkorswim.dll [2018-06-12] (TD Ameritrade)
FF Plugin HKU\S-1-5-21-1505520954-2184210599-2817046693-1001: tdameritrade.com/tossc -> C:\Program Files\thinkorswim\nptossc.dll [2018-06-12] (TD Ameritrade)
Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [looohgelibjoplmkhecmalapkgadkfcc] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [looohgelibjoplmkhecmalapkgadkfcc] - hxxps://clients2.google.com/service/update2/crx
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-01-30] (SUPERAntiSpyware.com)
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [337888 2016-05-04] (Intel Corporation)
R2 NortonSecurity; C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\NortonSecurity.exe [328648 2018-05-30] (Symantec Corporation)
S3 ssh-agent; C:\WINDOWS\System32\OpenSSH\ssh-agent.exe [495616 2018-03-10] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [4451616 2018-04-11] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [105344 2018-04-11] (Microsoft Corporation)
S2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [X]
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [151352 2016-10-14] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [153392 2016-10-14] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\system32\DRIVERS\avkmgr.sys [35488 2016-10-14] (Avira Operations GmbH & Co. KG)
R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.10.0.85\Definitions\BASHDefs\20180611.001\BHDrvx64.sys [1879632 2018-04-30] (Symantec Corporation)
R1 ccSet_NGC; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\ccSetx64.sys [187520 2018-05-29] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [507984 2018-03-22] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [153168 2018-04-01] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.10.0.85\Definitions\IPSDefs\20180611.061\IDSvia64.sys [1298000 2018-05-22] (Symantec Corporation)
R3 keycrypt; C:\WINDOWS\System32\DRIVERS\KeyCrypt64.sys [143904 2015-11-05] (Zemana Ltd.)
R3 NETwNe64; C:\WINDOWS\System32\drivers\NETwew01.sys [3343872 2018-04-11] (Intel Corporation)
S3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [310528 2015-09-24] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [604160 2018-04-11] (Realtek )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NGCx64\160E020.00D\SRTSP64.SYS [838224 2018-05-29] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\SRTSPX64.SYS [49232 2018-05-29] (Symantec Corporation)
R0 SymEFASI; C:\WINDOWS\System32\drivers\NGCx64\160E020.00D\SYMEFASI64.SYS [1942096 2018-05-29] (Symantec Corporation)
S0 SymELAM; C:\WINDOWS\System32\drivers\NGCx64\160E020.00D\SymELAM.sys [24584 2018-05-29] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS [99920 2018-06-06] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\Ironx64.SYS [307792 2018-05-29] (Symantec Corporation)
R1 SymNetS; C:\WINDOWS\System32\Drivers\NGCx64\160E020.00D\SYMNETS.SYS [566912 2018-05-29] (Symantec Corporation)
R3 Thotkey; C:\WINDOWS\System32\drivers\Thotkey.sys [44952 2017-04-27] (Toshiba Client Solutions Co., Ltd.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44616 2018-04-11] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [331680 2018-04-11] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [44032 2018-04-11] (Microsoft Corporation)
S3 wpCtrlDrv_NGC; C:\WINDOWS\System32\Drivers\NGCx64\160E020.00D\wpCtrlDrv.sys [1015592 2018-05-29] (Symantec Corporation)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-06-12 19:39 - 2018-06-12 19:40 - 000015656 _____ C:\Users\grand\Desktop\FRST.txt
2018-06-12 19:39 - 2018-06-12 19:39 - 002413056 _____ (Farbar) C:\Users\grand\Desktop\FRST64.exe
2018-06-12 19:39 - 2018-06-12 19:39 - 000000000 ____D C:\FRST
2018-06-12 18:31 - 2018-06-12 18:31 - 000000000 ____D C:\WINDOWS\System32\Tasks\Remediation
2018-06-12 18:11 - 2018-06-12 18:11 - 000000000 ___HD C:\OneDriveTemp
2018-06-09 10:32 - 2018-06-12 19:09 - 000169352 _____ C:\WINDOWS\ntbtlog.txt
2018-06-06 17:53 - 2018-06-06 17:53 - 000003400 _____ C:\WINDOWS\System32\Tasks\Norton WSC Integration
2018-06-06 17:53 - 2018-06-06 17:53 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Suite
2018-06-06 17:48 - 2018-06-06 17:48 - 007372496 _____ (Malwarebytes) C:\Users\grand\Desktop\adwcleaner_7.2.0.exe
2018-06-06 17:47 - 2018-06-06 17:52 - 036685936 _____ (Adlice Software ) C:\Users\grand\Desktop\RogueKiller_setup.exe
2018-06-02 22:15 - 2018-06-02 22:15 - 000000000 ____H C:\Users\grand\Documents\Default.rdp
2018-06-01 08:16 - 2018-06-01 08:16 - 003823849 _____ C:\Users\grand\Desktop\HFS-Program-Cheatsheets.pdf
2018-06-01 08:16 - 2018-06-01 08:16 - 002344138 _____ C:\Users\grand\Desktop\HFS-MasterManual.pdf
2018-06-01 08:16 - 2018-06-01 08:16 - 000142324 _____ C:\Users\grand\Desktop\HFS-Implementation-Guide.pdf
2018-06-01 08:15 - 2018-06-01 08:15 - 004966487 _____ C:\Users\grand\Desktop\HFS-Technique-Manual.pdf
2018-05-22 19:52 - 2018-06-06 17:55 - 000000899 _____ C:\Users\Public\Desktop\RogueKiller.lnk
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2018-06-12 19:38 - 2018-02-14 09:51 - 000000000 ____D C:\Users\grand\.thinkorswim
2018-06-12 19:38 - 2018-02-14 09:51 - 000000000 ____D C:\Program Files\thinkorswim
2018-06-12 19:37 - 2018-04-11 19:38 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2018-06-12 19:09 - 2018-04-11 19:38 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-06-12 18:47 - 2018-05-09 14:47 - 000004168 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{4056B3C7-366F-47C8-B2BF-70512B5FB191}
2018-06-12 18:42 - 2018-05-09 14:44 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-06-12 18:11 - 2017-11-30 21:36 - 000000000 ____D C:\Users\grand\AppData\Roaming\5KPlayer
2018-06-12 18:11 - 2017-11-17 13:31 - 000000000 ___RD C:\Users\grand\OneDrive
2018-06-12 18:11 - 2017-11-17 13:29 - 000000000 __SHD C:\Users\grand\IntelGraphicsProfiles
2018-06-12 17:45 - 2017-11-17 13:29 - 000000000 ___HD C:\Users\grand\MicrosoftEdgeBackups
2018-06-12 17:35 - 2018-05-09 14:47 - 000000000 ____D C:\WINDOWS\System32\Tasks\Norton 360
2018-06-12 17:09 - 2017-11-20 08:42 - 000028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2018-06-11 22:32 - 2018-04-11 19:38 - 000000000 ___HD C:\Program Files\WindowsApps
2018-06-10 19:10 - 2017-11-20 18:12 - 000000000 ____D C:\Users\grand\AppData\Local\CrashDumps
2018-06-09 10:39 - 2018-05-09 14:50 - 000793700 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-06-09 10:39 - 2018-04-11 19:36 - 000000000 ____D C:\WINDOWS\INF
2018-06-09 10:34 - 2018-04-11 17:04 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2018-06-09 10:33 - 2017-12-09 10:24 - 000000000 ____D C:\Users\grand\AppData\Local\NPE
2018-06-09 10:32 - 2018-05-09 14:47 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-06-09 10:32 - 2018-04-11 17:04 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2018-06-09 10:32 - 2017-12-09 10:24 - 000000000 ____D C:\NPE
2018-06-08 23:18 - 2018-05-09 14:45 - 000000000 ____D C:\Users\grand
2018-06-08 16:39 - 2017-11-21 20:00 - 000000662 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1505520954-2184210599-2817046693-1001.job
2018-06-08 16:39 - 2017-11-21 20:00 - 000000566 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1505520954-2184210599-2817046693-1001.job
2018-06-07 22:21 - 2018-04-11 19:30 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-06-07 11:19 - 2018-05-09 14:47 - 000004588 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player NPAPI Notifier
2018-06-07 11:19 - 2018-05-09 14:47 - 000004422 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2018-06-07 11:19 - 2018-04-11 19:38 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2018-06-07 11:19 - 2018-04-11 19:38 - 000000000 ____D C:\WINDOWS\system32\Macromed
2018-06-07 08:35 - 2018-05-09 14:47 - 000003832 _____ C:\WINDOWS\System32\Tasks\G2MUploadTask-S-1-5-21-1505520954-2184210599-2817046693-1001
2018-06-07 08:35 - 2018-05-09 14:47 - 000003736 _____ C:\WINDOWS\System32\Tasks\G2MUpdateTask-S-1-5-21-1505520954-2184210599-2817046693-1001
2018-06-07 08:35 - 2017-11-21 20:00 - 000000000 ____D C:\Users\grand\AppData\Local\GoToMeeting
2018-06-06 18:46 - 2017-12-09 10:09 - 000000000 ____D C:\Program Files\Common Files\AV
2018-06-06 18:17 - 2017-11-18 04:27 - 000000555 _____ C:\Users\grand\Desktop\JRT.txt
2018-06-06 17:55 - 2017-11-20 08:42 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2018-06-06 17:55 - 2017-11-20 08:42 - 000000000 ____D C:\Program Files\RogueKiller
2018-06-06 17:53 - 2018-05-09 14:29 - 000099920 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS
2018-06-06 17:53 - 2018-05-09 14:29 - 000010396 _____ C:\WINDOWS\system32\Drivers\SYMEVENT64x86.CAT
2018-06-06 17:53 - 2018-04-11 19:38 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2018-06-06 17:53 - 2018-02-16 07:47 - 000002434 _____ C:\Users\Public\Desktop\Norton Security.lnk
2018-06-06 17:53 - 2018-02-16 07:45 - 000000000 ____D C:\WINDOWS\system32\Drivers\NGCx64
2018-06-05 19:29 - 2018-04-11 19:41 - 000835056 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2018-06-05 19:29 - 2018-04-11 19:41 - 000179704 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2018-06-05 09:08 - 2018-05-09 14:47 - 000003378 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1505520954-2184210599-2817046693-1001
2018-06-05 09:08 - 2018-05-09 14:45 - 000002367 _____ C:\Users\grand\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-06-04 07:24 - 2018-02-11 15:07 - 000000000 ____D C:\Users\grand\AppData\Local\JxBrowser
2018-05-28 15:11 - 2018-03-17 12:30 - 413503661 _____ C:\Users\grand\Desktop\powerDOJO-scap-strength-workouts-Level+1-HDss.zip
2018-05-19 04:02 - 2018-04-11 19:38 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-05-16 15:38 - 2018-04-11 19:38 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2018-05-13 16:19 - 2017-11-17 13:46 - 000000000 ____D C:\Users\grand\AppData\Local\PlaceholderTileLogoFolder
Some files in TEMP:
====================
2018-06-12 17:09 - 2018-04-11 19:34 - 001946304 _____ (Microsoft Corporation) C:\Users\grand\AppData\Local\Temp\dllnt_dump.dll
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2018-05-09 14:44
==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
Ran by grand (12-06-2018 19:40:19)
Running from C:\Users\grand\Desktop
Windows 10 Home Version 1803 17134.48 (X64) (2018-05-09 18:50:04)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================
Administrator (S-1-5-21-1505520954-2184210599-2817046693-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1505520954-2184210599-2817046693-503 - Limited - Disabled)
grand (S-1-5-21-1505520954-2184210599-2817046693-1001 - Administrator - Enabled) => C:\Users\grand
Guest (S-1-5-21-1505520954-2184210599-2817046693-501 - Limited - Disabled)
WDAGUtilityAccount (S-1-5-21-1505520954-2184210599-2817046693-504 - Limited - Disabled)
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security Suite (Enabled - Up to date) {E3FDBD9F-8140-1400-F32B-8B58923F7C4D}
AS: Norton Security Suite (Enabled - Up to date) {589C5C7B-A77A-1B8E-C99B-B02AE9B836F0}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Security Suite (Enabled) {DBC63CBA-CB2F-1558-D874-226D6CEC3B36}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
5KPlayer (HKLM-x32\...\5KPlayer) (Version: 4.9 - DearMob, Inc.)
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Flash Player 30 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 30.0.0.113 - Adobe Systems Incorporated)
AntiLogger Free version 1.8.2.320 (HKLM-x32\...\{A80DB23D-0618-405B-89D9-28F99814E287}_is1) (Version: 1.8.2.320 - Zemana Ltd.)
Bing Bar (HKLM-x32\...\{3611CA6C-5FCA-4900-A329-6A118123CCFC}) (Version: 7.1.355.0 - Microsoft Corporation)
GoToMeeting 8.29.0.8901 (HKU\S-1-5-21-1505520954-2184210599-2817046693-1001\...\GoToMeeting) (Version: 8.29.0.8901 - LogMeIn, Inc.)
HP Photosmart Plus B210 series Basic Device Software (HKLM\...\{5B17980C-5C44-45D0-80A5-665FD9E776A9}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Photosmart Plus B210 series Help (HKLM-x32\...\{7F5FDEA1-D0AC-4D80-9D95-59775FCCFA40}) (Version: 140.0.54.54 - Hewlett Packard)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Java 8 Update 171 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180171F0}) (Version: 8.0.1710.11 - Oracle Corporation)
Microsoft Office Home and Student 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1505520954-2184210599-2817046693-1001\...\OneDriveSetup.exe) (Version: 18.091.0506.0006 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Norton Security Suite (HKLM-x32\...\NGC) (Version: 22.14.2.13 - Symantec Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6794 - Realtek Semiconductor Corp.)
RogueKiller version 12.12.20.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.12.20.0 - Adlice Software)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (HKLM\...\{90140000-003D-0000-1000-0000000FF1CE}_Office14.SingleImage_{A3364707-2F53-4C83-8F68-C9877A9080C7}) (Version:  - Microsoft)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1250 - SUPERAntiSpyware.com)
thinkorswim (HKLM\...\9968-4488-2169-7623) (Version: desktop - thinkorswim, Inc)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-1505520954-2184210599-2817046693-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-1505520954-2184210599-2817046693-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\grand\AppData\Local\GoToMeeting\7638\G2MOutlookAddin64.dll (LogMeIn, Inc.)
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers1-x32: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ContextMenuHandlers1-x32: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\NavShExt.dll [2018-05-30] (Symantec Corporation)
ContextMenuHandlers2: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\NavShExt.dll [2018-05-30] (Symantec Corporation)
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2016-05-04] (Intel Corporation)
ContextMenuHandlers6: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\buShell.dll [2018-05-29] (Symantec Corporation)
ContextMenuHandlers6: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\NavShExt.dll [2018-05-30] (Symantec Corporation)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {0BE86D65-EF72-4FB4-86F0-01A0353CA487} - System32\Tasks\G2MUploadTask-S-1-5-21-1505520954-2184210599-2817046693-1001 => C:\Users\grand\AppData\Local\GoToMeeting\8901\g2mupload.exe [2018-06-07] (LogMeIn, Inc.)
Task: {21C811B5-FE15-4C23-915B-6BBE1115C2DE} - System32\Tasks\G2MUpdateTask-S-1-5-21-1505520954-2184210599-2817046693-1001 => C:\Users\grand\AppData\Local\GoToMeeting\8901\g2mupdate.exe [2018-06-07] (LogMeIn, Inc.)
Task: {2224A2B2-A302-40CB-B9B8-D61794919BDC} - System32\Tasks\Norton 360\Norton Security Suite Error Analyzer => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\SymErr.exe [2018-05-29] (Symantec Corporation)
Task: {4F1EE7F9-E611-4006-B0BA-D060FFB57E8A} - System32\Tasks\Norton 360\Norton Security Suite Autofix => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\SymErr.exe [2018-05-29] (Symantec Corporation)
Task: {5B9B3E08-6F6B-4044-9DF0-83309A7505B4} - System32\Tasks\Norton 360\Norton Security Suite Error Processor => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\SymErr.exe [2018-05-29] (Symantec Corporation)
Task: {65B85F6F-35B3-4459-A179-28255D5B7B25} - System32\Tasks\Microsoft\Windows\HelloFace\FODCleanupTask => C:\WINDOWS\System32\WinBioPlugIns\FaceFodUninstaller.exe [2018-04-11] ()
Task: {8783FC7A-31C5-4AAC-A6C7-F9549567D14E} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Security Suite\Engine\22.14.2.13\WSCStub.exe [2018-05-30] (Symantec Corporation)
Task: {B8F6BBF8-5595-4B0D-B714-609C99B9E08D} - System32\Tasks\Adobe Flash Player NPAPI Notifier => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_30_0_0_113_Plugin.exe [2018-06-07] (Adobe Systems Incorporated)
Task: {BB215194-CEF3-470E-91A2-9015BE570085} - System32\Tasks\S-1-5-21-1505520954-2184210599-2817046693-1001\DataSenseLiveTileTask => C:\WINDOWS\System32\DataUsageLiveTileTask.exe [2018-04-11] (Microsoft Corporation)
Task: {E63E9BB4-BC8E-4287-8C73-98767A6DF30E} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security Suite\Upgrade.exe [2018-05-30] (Symantec Corporation)
Task: {ECB27934-63E3-4821-BB48-3382CEE6D5D8} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-06-07] (Adobe Systems Incorporated)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1505520954-2184210599-2817046693-1001.job => C:\Users\grand\AppData\Local\GoToMeeting\8901\g2mupdate.exe
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1505520954-2184210599-2817046693-1001.job => C:\Users\grand\AppData\Local\GoToMeeting\8901\g2mupload.exe
==================== Shortcuts & WMI ========================
(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============
2018-04-11 19:34 - 2018-04-11 19:34 - 000491744 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2018-04-11 19:34 - 2018-04-11 19:34 - 000472064 _____ () C:\Windows\ShellExperiences\TileControl.dll
2018-04-11 19:34 - 2018-04-11 19:34 - 002759168 _____ () C:\Windows\ShellComponents\TaskFlowUI.dll
2018-04-11 19:35 - 2018-04-12 05:19 - 002184704 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-05-22 16:44 - 2018-05-22 16:45 - 000086528 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2018-05-22 16:44 - 2018-05-22 16:45 - 000195072 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2018-05-22 16:44 - 2018-05-22 16:45 - 022374400 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2018-05-22 16:44 - 2018-05-22 16:45 - 002610176 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\skypert.dll
2018-05-22 16:44 - 2018-05-22 16:45 - 000654848 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.209.0_x64__kzf8qxf38zg5c\RtmMvrUap.dll
2018-05-27 19:29 - 2018-05-27 19:29 - 000013824 _____ () C:\Program Files\thinkorswim\usergui\1928.1.1\jWinAPI64.dll
2018-05-19 10:29 - 2018-05-19 10:29 - 000084992 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11804.1001.10.0_x64__8wekyb3d8bbwe\WinStore.Preview.dll
2018-05-08 03:24 - 2018-05-08 03:24 - 001873120 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11804.1001.10.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
2018-05-17 05:36 - 2018-05-17 05:36 - 004193792 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1805.1201.0_x64__8wekyb3d8bbwe\Calculator.exe
2018-05-03 11:11 - 2018-05-03 11:11 - 000634880 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1805.1201.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll
2018-05-19 10:30 - 2018-05-19 10:30 - 000017408 _____ () C:\Program Files\WindowsApps\Microsoft.BingNews_4.24.11382.0_x64__8wekyb3d8bbwe\Microsoft.Msn.News.exe
2018-05-19 10:30 - 2018-05-19 10:30 - 016765952 _____ () C:\Program Files\WindowsApps\Microsoft.BingNews_4.24.11382.0_x64__8wekyb3d8bbwe\Microsoft.Msn.News.dll
2018-06-11 22:32 - 2018-06-11 22:32 - 005392264 _____ () C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1806.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll
2017-09-29 10:44 - 2017-09-29 10:44 - 000291328 _____ () C:\Program Files\WindowsApps\Microsoft.BingNews_4.24.11382.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll
2017-11-30 21:35 - 2017-06-20 00:17 - 000119616 _____ () C:\Program Files (x86)\DearMob\5KPlayer\zlib1.dll
2017-11-30 21:35 - 2017-06-20 00:16 - 001552720 _____ () C:\Program Files (x86)\DearMob\5KPlayer\libstdc++-6.dll
2017-11-30 21:35 - 2017-06-20 00:16 - 000132432 _____ () C:\Program Files (x86)\DearMob\5KPlayer\libgcc_s_dw2-1.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2017-11-17 16:21 - 2017-08-11 12:57 - 000000734 _____ C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-1505520954-2184210599-2817046693-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\grand\Desktop\Screen Shot.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{A77A5973-FFEB-4388-81D2-C3AE78BFD014}] => (Allow) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{5BBA55FA-7F41-4B94-A57C-79F199F3FE99}] => (Allow) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPNetworkCommunicator.exe
FirewallRules: [{A664D5F0-FCFC-45E3-B5BB-D8A2BC3567C5}] => (Allow) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\DeviceSetup.exe
FirewallRules: [UDP Query User{AD74EAD5-311D-4EF8-8DDF-A3249B08D206}C:\program files (x86)\dearmob\5kplayer\5kplayer.exe] => (Allow) C:\program files (x86)\dearmob\5kplayer\5kplayer.exe
FirewallRules: [TCP Query User{9F2BEA5E-51F8-4245-870D-69C5B5A99A41}C:\program files (x86)\dearmob\5kplayer\5kplayer.exe] => (Allow) C:\program files (x86)\dearmob\5kplayer\5kplayer.exe
FirewallRules: [{CD59A413-12DC-4D3F-8AEA-270EBAC746AC}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{71BF12CF-0763-452C-BE96-CB50D21D2B59}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Restore Points =========================
27-05-2018 05:50:47 JRT Pre-Junkware Removal
02-06-2018 23:36:57 JRT Pre-Junkware Removal
06-06-2018 18:16:15 JRT Pre-Junkware Removal
==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================
Application errors:
==================
Error: (06/12/2018 05:24:28 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
Error: (06/12/2018 05:24:28 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
Error: (06/12/2018 05:24:18 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
Error: (06/12/2018 05:24:18 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
Error: (06/11/2018 10:53:57 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program MicrosoftEdgeCP.exe version 11.0.17134.48 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 1480
Start Time: 01d401886eae0fbf
Termination Time: 6
Application Path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Report Id: e9e13aa1-5882-4ef0-9753-a9df5dc05a51
Faulting package full name: Microsoft.MicrosoftEdge_42.17134.1.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: ContentProcess
Error: (06/10/2018 07:10:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MicrosoftEdge.exe, version: 11.0.17134.48, time stamp: 0x5ae3f232
Faulting module name: ntdll.dll, version: 10.0.17134.1, time stamp: 0x207580e2
Exception code: 0xc0000409
Fault offset: 0x000000000008aa2f
Faulting process id: 0x152c
Faulting application start time: 0x01d4010ced3978eb
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 8def417c-3bf4-44aa-8ad9-4e4ff65aed73
Faulting package full name: Microsoft.MicrosoftEdge_42.17134.1.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge
Error: (06/09/2018 10:48:48 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000
Error: (06/09/2018 10:48:48 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: Event-ID 5000

System errors:
=============
Error: (06/12/2018 07:09:33 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/12/2018 06:11:07 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/12/2018 06:11:07 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/12/2018 06:11:07 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/12/2018 04:57:42 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/12/2018 12:00:44 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/11/2018 07:28:41 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/11/2018 07:28:41 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

CodeIntegrity:
===================================
Date: 2018-06-12 19:40:28.738
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
Date: 2018-06-12 19:40:27.739
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
Date: 2018-06-12 19:40:26.737
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
Date: 2018-06-12 19:40:25.742
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
Date: 2018-06-12 19:40:24.736
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
Date: 2018-06-12 19:40:23.738
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
Date: 2018-06-12 19:40:22.738
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
Date: 2018-06-12 19:40:21.743
Description:
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\KeyCryptSDK\KeyCrypt64(1).dll that did not meet the Store signing level requirements.
==================== Memory info ===========================
Processor: Intel® Core™ i7-3630QM CPU @ 2.40GHz
Percentage of memory in use: 55%
Total physical RAM: 8079.92 MB
Available physical RAM: 3579.4 MB
Total Virtual: 9359.92 MB
Available Virtual: 4184.46 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:232.28 GB) (Free:178.09 GB) NTFS
\\?\Volume{3c550e54-45c4-42dd-a3c6-45548231efff}\ (Recovery) (Fixed) (Total:0.49 GB) (Free:0.11 GB) NTFS
\\?\Volume{89492fb8-af87-43bd-b405-7a94c9811322}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Protective MBR) (Size: 232.9 GB) (Disk ID: 00000000)
Partition: GPT.
==================== End of Addition.txt ============================



#2 nasdaq (Malware Response Team; 39,523 posts; Montreal, QC. Canada)

Posted 13 June 2018 - 07:45 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

p.s.
If your problem persists please explain what you mean by:
X (H) Key User Infection

#3 fred04 (Topic Starter; Members; 42 posts)

Posted 13 June 2018 - 12:08 PM

The problem still persists whenever I run RogueKiller. 2 detections from the Registry are still picked up: X (64) HKEY_USER S-1-5-21 and X (86) HKEY_USER S-1-5-21.

PUM search page / search bar. Fixlog results are below.

Fix result of Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
Ran by grand (13-06-2018 11:47:36) Run:1
Running from C:\Users\grand\Desktop
Loaded Profiles: grand (Available Profiles: grand)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
End
*****************
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => removed successfully
=========== EmptyTemp: ==========
BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 39308105 B
Java, Flash, Steam htmlcache => 1102 B
Windows/system/drivers => 102318 B
Edge => 55951980 B
Chrome => 0 B
Firefox => 230113999 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 10026 B
LocalService => 0 B
NetworkService => 912 B
NetworkService => 0 B
grand => 145248356 B
RecycleBin => 0 B
EmptyTemp: => 456 MB temporary data Removed.
================================

The system needed a reboot.
==== End of Fixlog 11:47:55 ====


#4 nasdaq (Malware Response Team; 39,523 posts; Montreal, QC. Canada)

Posted 13 June 2018 - 12:53 PM

Hi,

Please post the RogueKiller log for my review.

#5 fred04 (Topic Starter; Members; 42 posts)

Posted 17 June 2018 - 06:45 AM

Here is the RogueKiller log.

RogueKiller V12.12.21.0 (x64) [Jun 11 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.17134) 64 bits version
Started in : Normal mode
User : grand [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 06/17/2018 07:26:20 (Duration : 00:14:55)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 2 ¤¤¤
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Crucial_CT250MX200SSD1 +++++
--- User ---
[MBR] 4441e9188f7ee0bcfcad848eccbda8ca
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 499 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1024000 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1228800 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1261568 | Size: 237859 MB
User = LL1 ... OK
User = LL2 ... OK


#6 nasdaq (Malware Response Team; 39,523 posts; Montreal, QC. Canada)

Posted 17 June 2018 - 08:38 AM

Hi,

Both entries with Search Bar : Preserve -> Found can be removed.

They are not required.

===
If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#7 fred04 (Topic Starter; Members; 42 posts)

Posted 18 June 2018 - 04:19 AM

Could you assist me with the removal of "Both entries with Search Bar : Preserve -> Found can be removed."? I would appreciate your assistance.



#8 nasdaq (Malware Response Team; 39,523 posts; Montreal, QC. Canada)

Posted 18 June 2018 - 06:47 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

If these keys return after you have deleted them with RogueKiller and restarted the computer normally, let's try this.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

DeleteValue:  HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
DeleteValue:  HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

I'm not sure, but it can be a sync issue if you are syncing IE with other devices.
Check this article to find out, and set it to OFF.
After a restart of the computer, if all is well, then turn it ON.

How to:
https://answers.microsoft.com/en-us/mobiledevices/forum/mdlumia-mdtips/how-can-i-sync-internet-explorer-11-favorites/1bf4d16c-e467-4922-ad85-36c7bb44bcf7

Edited by nasdaq, 18 June 2018 - 06:52 AM.


#9 fred04 (Topic Starter; Members; 42 posts)

Posted 18 June 2018 - 01:39 PM

Here is the Fixlog.txt.

Fix result of Farbar Recovery Scan Tool (x64) Version: 06.06.2018 01
Ran by grand (18-06-2018 14:05:48) Run:2
Running from C:\Users\grand\Desktop
Loaded Profiles: grand (Available Profiles: grand)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
DeleteValue:  HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
DeleteValue:  HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
End
*****************
Restore point was successfully created.
Processes closed successfully.
"HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main \\ Search Bar : Preserve  -> Found" => not found
"HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main \\ Search Bar : Preserve  -> Found" => not found
=========== EmptyTemp: ==========
BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14845024 B
Java, Flash, Steam htmlcache => 1102 B
Windows/system/drivers => 70666 B
Edge => 515730657 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 4532 B
LocalService => 0 B
NetworkService => 0 B
NetworkService => 0 B
grand => 243278046 B
RecycleBin => 53292 B
EmptyTemp: => 745.2 MB temporary data Removed.
================================

The system needed a reboot.
==== End of Fixlog 14:06:12 ====


#10 nasdaq (Malware Response Team; 39,523 posts; Montreal, QC. Canada)

Posted 19 June 2018 - 08:03 AM


Let's look at this registry key.

Download the SystemLook appropriate for your system.

SystemLook (32-Bit Version) or SystemLook (64-Bit Version)
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===
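As an added example (not SystemLook's, FRST's or RogueKiller's own code), the parser below reads the `reg` section of a SystemLook log like the one requested above and reviews the user's Internet Explorer `Main` key for the `Search Bar` value RogueKiller flagged in this thread; it also reports a `Search Page` that differs from the Microsoft fwlink default, which is an assumption of this example, not something RogueKiller is documented to check here. The sample log is constructed to mirror the thread's SystemLook output, using this thread's SID.

```python
"""Parse the 'reg' section of a SystemLook log and review IE's Main key."""
import re

# Microsoft's default IE search page, as it appears in the thread's SystemLook dump.
DEFAULT_SEARCH_PAGE = "http://go.microsoft.com/fwlink/?LinkId=54896"

SECTION_RE = re.compile(r"=+\s*(?P<name>\w+)\s*=+")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')
DWORD_RE = re.compile(r"^0x(?P<hex>[0-9a-fA-F]+)\s+\((?P<dec>-?\d+)\)$")
BINARY_RE = re.compile(r"^(?P<hex>(?:[0-9a-fA-F]{2}\s+)*)\((?P<kind>REG_\w+)\)$")


def _parse_data(data):
    """Classify the right-hand side of a SystemLook value line.

    Returns (kind, value): REG_SZ -> str, REG_DWORD -> int,
    REG_BINARY / REG_QWORD -> bytes; anything else is kept verbatim.
    """
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "REG_SZ", data[1:-1]
    m = DWORD_RE.match(data)
    if m:
        return "REG_DWORD", int(m.group("dec"))
    m = BINARY_RE.match(data)
    if m:
        return m.group("kind"), bytes.fromhex("".join(m.group("hex").split()))
    return "UNKNOWN", data


def parse_systemlook_reg(text):
    """Return {registry key: {value name: (kind, value)}} from the 'reg' section."""
    keys = {}
    current = None
    in_reg = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = SECTION_RE.fullmatch(line)
        if section:
            # "========== reg ==========" opens the section; any other header closes it.
            in_reg = section.group("name") == "reg"
            current = None
            continue
        if not in_reg:
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = _parse_data(vm.group("data"))
    return keys


def review_ie_main(keys):
    """Report search-related values under ...\\Internet Explorer\\Main.

    'Search Bar' is reported whenever it exists (the value RogueKiller flagged
    as PUM.SearchPage in this thread); a 'Search Page' that differs from
    DEFAULT_SEARCH_PAGE is reported too (an assumption of this example).
    Each finding is (key, value name, data).
    """
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\software\microsoft\internet explorer\main"):
            continue
        if "Search Bar" in values:
            findings.append((key, "Search Bar", values["Search Bar"][1]))
        page = values.get("Search Page", ("REG_SZ", DEFAULT_SEARCH_PAGE))[1]
        if page != DEFAULT_SEARCH_PAGE:
            findings.append((key, "Search Page", page))
    return findings


# Constructed sample modelled on the thread's SystemLook output (not the real log).
IE_MAIN_KEY = (r"HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001"
               r"\Software\Microsoft\Internet Explorer\Main")
SAMPLE_CLEAN = f"""SystemLook 04.09.10 by jpshortstuff
Log created at 16:06 on 19/06/2018 by grand
Administrator - Elevation successful
========== reg ==========
[{IE_MAIN_KEY}]
"Anchor Underline"="yes"
"Do404Search"=01 00 00 00  (REG_BINARY)
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"XMLHTTP"= 0x0000000001 (1)
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"OperationalData"=0d 00 00 00 00 00 00 00  (REG_QWORD)
"DisableRequiresActiveXPrompt"=""
"""
# The same dump with the value RogueKiller reported in this thread present.
SAMPLE_FLAGGED = SAMPLE_CLEAN + '"Search Bar"="Preserve"\n'

if __name__ == "__main__":
    for key, name, data in review_ie_main(parse_systemlook_reg(SAMPLE_FLAGGED)):
        print(f"[PUM-style finding] {key} | {name} = {data!r}")
```

Run against the real SystemLook.txt from this thread, the clean case applies: the dump lists no `Search Bar` value, which matches the Fixlog's "not found" result for the DeleteValue lines.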




#11 fred04 (Topic Starter; Members; 42 posts)

Posted 19 June 2018 - 03:08 PM

Here is the SystemLook log.

SystemLook 04.09.10 by jpshortstuff
Log created at 16:06 on 19/06/2018 by grand
Administrator - Elevation successful
========== reg ==========
[HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main]
"Anchor Underline"="yes"
"Disable Script Debugger"="yes"
"DisableScriptDebuggerIE"="yes"
"Display Inline Images"="yes"
"Do404Search"=01 00 00 00  (REG_BINARY)
"Save_Session_History_On_Exit"="no"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Use_DlgBox_Colors"="yes"
"UseClearType"="no"
"XMLHTTP"= 0x0000000001 (1)
"Cache_Update_Frequency"="Once_Per_Session"
"Local Page"="C:\WINDOWS\system32\blank.htm"
"Enable Browser Extensions"="yes"
"Play_Background_Sounds"="yes"
"Play_Animations"="yes"
"SyncHomePage Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy"=01 00 00 00 49 00 00 00 cc 62 27 c4 37 d2 26 22 d5 dd 53 df b6 90 07 7e 39 40 7d 81 a0 1b 2c d1 64 2f a7 58 ca 07 98 1b 7d 23 63 7b f7 28 fc 53 47 0a 19 cc 5d 97 c3 cf 21 f3 1e 74 5d c2 6e 2e 07 76 e7 b2 eb a3 5b 57 38 91 1c 87 9f 3a 62 18 e6 02 00 00 00 0e 00 00 00 46 53 6a 41 78 4b 6b 76 2f 53 73 25 33 64  (REG_BINARY)
"OperationalData"=0d 00 00 00 00 00 00 00  (REG_QWORD)
"CompatibilityFlags"= 0x0000000000 (0)
"SearchBandMigrationVersion"= 0x0000000000 (0)
"FullScreen"="no"
"Window_Placement"=2c 00 00 00 02 00 00 00 03 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 32 00 00 00 40 00 00 00 87 03 00 00 98 02 00 00  (REG_BINARY)
"ImageStoreRandomFolder"="9g3x8w0"
"IE10RunOncePerInstallCompleted"= 0x0000000000 (0)
"IE10RunOnceCompletionTime"=fb 6f ac e0 80 74 d3 01  (REG_BINARY)
"IE10TourShown"= 0x0000000001 (1)
"IE10TourShownTime"=fb 6f ac e0 80 74 d3 01  (REG_BINARY)
"DownloadWindowPlacement"=2c 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 3b 01 00 00 54 00 00 00 bb 03 00 00 34 02 00 00  (REG_BINARY)
"IE11EdgeNotifyTime"=00 00 00 00 00 00 00 00  (REG_BINARY)
"EdgeReminderRemainingCount"= 0x0000000006 (6)
"Error Dlg Displayed On Every Error"="no"
"ScriptDebugger_EnableHiddenTabs"= 0x0000000000 (0)
"ApplicationTileImmersiveActivation"= 0x0000000001 (1)
"AssociationActivationMode"= 0x0000000000 (0)
"StatusBarWeb"= 0x0000000001 (1)
"HideNewEdgeButton"= 0x0000000001 (1)
"ShowApplicationGuardFirstRunExperienceFromIE"= 0x0000000001 (1)
"ForceGDIPlus"= 0x0000000000 (0)
"AlwaysShowMenus"= 0x0000000000 (0)
"ShutdownWaitForOnUnload"= 0x0000000000 (0)
"DNSPreresolution"= 0x0000000008 (8)
"SpellChecking"= 0x0000000001 (1)
"LangToolsBroker"="{5bbd58bb-993e-4c17-8af6-3af8e908fca8}"
"DisablePasswordReveal"= 0x0000000000 (0)
"EnableLeakDetectionInEdge"= 0x0000000000 (0)
"DisableRequiresActiveXPrompt"=""
"SuppressScriptDebuggerDialog"= 0x0000000000 (0)
"PredictedViewExpansion"= 0x0000000064 (100)
"PredictedViewChangeThreshold"= 0x000000000a (10)
"PredictedViewChangeThresholdPaint"= 0x000000000a (10)
"ContentLayerCacheExpansion"= 0x000000012c (300)
"RenderingLoopMaxTime"= 0x00000000fa (250)
"NscSingleExpand"= 0x0000000000 (0)
"Friendly http errors"="yes"
"CSS_Compat"="doctype"
"Expand Alt Text"="no"
"Display Inline Videos"= 0x0000000001 (1)
"Use Stylesheets"= 0x0000000001 (1)
"SmoothScroll"= 0x0000000001 (1)
"Show image placeholders"= 0x0000000000 (0)
"Disable Diagnostics Mode"="no"
"Move System Caret"="no"
"Enable AutoImageResize"="yes"
"UseThemes"= 0x0000000001 (1)
"UseHR"= 0x0000000000 (0)
"Q300829"= 0x0000000000 (0)
"Cleanup HTCs"= 0x0000000000 (0)
"XDomainRequest"= 0x0000000001 (1)
"DOMStorage"= 0x0000000001 (1)
"EnableAlternativeCodec"="yes"
"JScriptProfileCacheEventDelay"= 0x0000001388 (5000)
"HideLocalHostIP"= 0x0000000000 (0)
"CrossfadeMinTimeoutInMS"= 0x0000007530 (30000)
"CrossfadeMaxTimeoutInMS"= 0x0000007530 (30000)
"CrossfadeCurrentTimeoutInMS"= 0x0000007530 (30000)
"ScrollTimeoutInMS"= 0x0000001770 (6000)
"DisableFirstRunCustomize"= 0x0000000000 (0)
"IE10RunOnceLastShown"= 0x0000000000 (0)
"IE10RunOnceLastShown_TIMESTAMP"=b9 eb 15 9f 2a 06 d4 01  (REG_BINARY)
"IE10RecommendedSettingsNo"= 0x0000000000 (0)
"EdgeReminderURL"="http://go.microsoft.com/fwlink/?LinkId=838604"
"EdgeReminderDuration"= 0x000000001f (31)
"FrameTabWindow"= 0x0000000001 (1)
"AdminTabProcs"= 0x0000000001 (1)
"SessionMerging"= 0x0000000001 (1)
"FrameMerging"= 0x0000000001 (1)
"HangRecovery"= 0x0000000001 (1)
"DesktopTransparentCoverWindowTime"= 0x0000000008 (8)
"TSEnable"= 0x0000000001 (1)
"Isolation"="PMIL"
"Isolation64Bit"= 0x0000000000 (0)
"IsolationImmersive"="PMEM"
"TabShutdownDelay"= 0x000000ea60 (60000)
"NoUpdateCheck"= 0x0000000001 (1)
"Search Bar"="http://search.msn.com/spbasic.htm"
"MinIEEnabled"= 0x0000000001 (1)
"RefcountTracker"= 0x0000000000 (0)
"TabDragOnSingleProc"= 0x0000000000 (0)
"ForceBFCacheCandidacyPass"= 0x0000000000 (0)
"Fasterback"= 0x0000000001 (1)
"BackForwardInstrumentation"= 0x0000000000 (0)
"FormSuggest PW Ask"="yes"
"News Feed First Run Experience"= 0x0000000001 (1)
"Start Page_TIMESTAMP"=f9 c8 3c 9f 2a 06 d4 01  (REG_BINARY)
"Start Page Redirect Cache_TIMESTAMP"=c1 b9 b8 d6 a4 76 d3 01  (REG_BINARY)
"Start Page Redirect Cache AcceptLangs"="en-US"
"Check_Associations"="yes"
"LastClosedWidth"= 0x0000000320 (800)
"LastClosedHeight"= 0x0000000258 (600)
"EnableGetHostEnvironmentValue"= 0x0000000001 (1)
"Start Page"="https://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE03&ocid=UE03DHP"
[HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main\ApplicationGuard]
[HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl]
[HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main\Touch]
[HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch]

-= EOF =-


#12 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 June 2018 - 06:54 AM


Hi

This entry in the Main key is no longer supported.
"Search Bar"="http://search.msn.com/spbasic.htm"
This fix will remove it.

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All Files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

KEYS FOR THE NEW FILE.......

[HKEY_USERS\S-1-5-21-1505520954-2184210599-2817046693-1001\Software\Microsoft\Internet Explorer\Main]
"Search Bar"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.
---

Hope all is well.
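The same check, backup and removal can be done from an elevated PowerShell prompt instead of merging a .reg file. The script below is an added example for readers of this thread, not nasdaq's fix (his fix is the .reg text above); it reads the logged-on user's hive through HKCU:, which is the same data the thread addresses under HKEY_USERS\<SID>, exports the key to the desktop before touching it so the change can be undone, then deletes only the "Search Bar" value (the equivalent of the `"Search Bar"=-` line). The backup file name is an assumption.

```powershell
# Added example, not the fix posted in the thread.
# Inspect, back up and remove the unsupported "Search Bar" value from the
# current user's Internet Explorer Main key. Run from an elevated PowerShell.

$KeyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ValueName = 'Search Bar'
$Backup    = Join-Path $env:USERPROFILE 'Desktop\IE_Main_backup.reg'   # assumed name

function Get-SearchBarValue {
    # Returns the value's data, or $null when the value is absent.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.PSObject.Properties[$ValueName].Value
}

$before = Get-SearchBarValue
if ($null -eq $before) {
    Write-Output "'$ValueName' is not present under $KeyPath; nothing to do."
    return
}
Write-Output "Found '$ValueName' = $before"

# Export the whole key first so the change can be undone by merging the backup.
# reg.exe expects HKCU\... rather than the PowerShell drive form HKCU:\...
$regKey = $KeyPath -replace '^HKCU:\\', 'HKCU\'
& reg.exe export $regKey $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup export failed; aborting without changes." }
Write-Output "Backup written to $Backup"

# Equivalent of the .reg line  "Search Bar"=-  : delete just this one value,
# leaving every other value in the Main key untouched.
Remove-ItemProperty -Path $KeyPath -Name $ValueName

# Verify the removal took effect.
if ($null -eq (Get-SearchBarValue)) {
    Write-Output "'$ValueName' removed."
} else {
    Write-Warning "'$ValueName' is still present; check that the session is elevated."
}
```

If anything looks wrong afterwards, double-clicking the exported backup file restores the key exactly as it was, which is the same undo path as keeping a copy of any .reg file before merging it.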

#13 fred04

  • Topic Starter
  • Members
  • 42 posts

Posted 21 June 2018 - 04:51 PM

So far the registry is clean. Ran RogueKiller, and no detections were picked up; hope it stays this way. Thanks for your help.



#14 nasdaq

  • Malware Response Team
  • 39,523 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 June 2018 - 06:34 AM

Hi,

Glad we could help.

If all is well, to learn more about how to protect yourself while on the internet, read this little guide to best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.