Redirected to phishing sites on Chrome - dodgy certificates?


5 replies to this topic

#1 lunaluna108

lunaluna108

  • Members
  • 4 posts

Posted 23 July 2018 - 01:07 PM

Hi guys - new to the site. I would greatly appreciate any advice on what the heck is going on with my laptop. My Chrome browser keeps redirecting me to phishing sites. This has been going on for a while. My family member and I keep having to order new cards as we keep getting random charges (now totalling over 600). Earlier this year I took it to an IT guy who replaced the entire hard drive. The laptop was alright for a month but it started redirecting again.

Recently I bought an item on my family member's eBay. The URL seemed legit, the order went through, I clicked on "view order details" and was redirected to https://vod.ebay.com.au. The page looked different to the legit eBay site. Another example: when I clicked on login on the official Norton site, the URL changed. Not sure if I'm allowed to post the whole URL, but it contained this - /sso/idp/SAML2?SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&SAML

I don't know much about computers, but there are invalid and suspicious-looking certificates on my laptop and heaps of tasks running. One of the odd things I've noticed is that when I click on a certificate it says invalid, but under certification path there is another certificate attached to it that is trusted. There are a few of these. I run Norton on my computer. My operating system is Windows 10 (x64). I have attached screenshots of some of the certs and tasks I'm concerned about. Thanks!
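The `/sso/idp/SAML2?SigAlg=...&SAML...` fragment quoted in the post is the shape of a SAML 2.0 HTTP-Redirect binding: the sign-in request is DEFLATE-compressed, base64-encoded and URL-encoded into a `SAMLRequest` parameter, and `SigAlg` names the algorithm of the detached `Signature` parameter (`http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` is the standard identifier for RSA with SHA-256 from RFC 4051). The script below is an added example, not code from the original post, from Norton or from BleepingComputer; it builds a constructed request for hypothetical hosts (`idp.example.test`, `account.example.test`) and then inspects such a URL the way a reviewer would: which host the browser was sent to, whether the request's `Destination` names that same host, who issued it, which signature algorithm is claimed, and exactly which query bytes the signature covers. None of this proves the Norton page was genuine or fake; it shows what to read off such a URL before deciding.

```python
"""Decode and inspect a SAML 2.0 HTTP-Redirect binding URL.

Added example; the AuthnRequest, hosts and signature bytes below are
constructed for illustration and do not come from the thread."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# SigAlg URIs a reviewer is likely to meet (W3C xmldsig / RFC 4051 xmldsig-more).
SIG_ALG_NAMES = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1 (deprecated)",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "RSA-SHA512",
}


def encode_redirect_payload(xml_bytes: bytes) -> str:
    """Raw DEFLATE (no zlib header) followed by base64, as the binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode("ascii")


def decode_redirect_payload(value: str) -> bytes:
    """Inverse of encode_redirect_payload: base64 then raw inflate."""
    return zlib.decompress(base64.b64decode(value), -15)


def build_sample_url() -> str:
    """Constructed AuthnRequest for hypothetical SP/IdP hosts (not Norton's)."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_7f1c2d" Version="2.0" IssueInstant="2018-07-23T10:00:00Z" '
        'Destination="https://idp.example.test/sso/idp/SAML2" '
        'AssertionConsumerServiceURL="https://account.example.test/saml/acs">'
        '<saml:Issuer>https://account.example.test</saml:Issuer>'
        '</samlp:AuthnRequest>'
    ).encode()
    params = [
        ("SAMLRequest", encode_redirect_payload(xml)),
        ("RelayState", "/account/home"),
        ("SigAlg", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"),
        # Placeholder bytes, not a real signature: the point is the URL shape.
        ("Signature", base64.b64encode(b"\x00" * 256).decode("ascii")),
    ]
    return "https://idp.example.test/sso/idp/SAML2?" + urlencode(params)


def inspect_redirect_url(url: str) -> dict:
    """Pull out what a reviewer wants to know about a redirect-binding URL."""
    parts = urlsplit(url)
    decoded = parse_qs(parts.query)
    # Keep the raw (still URL-encoded) values: the signature is computed over
    # these exact bytes, in the order SAMLRequest, RelayState, SigAlg.
    raw = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    request_xml = decode_redirect_payload(decoded["SAMLRequest"][0])
    root = ET.fromstring(request_xml)  # use defusedxml for untrusted input in production
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    destination = root.get("Destination", "")
    sig_alg = decoded.get("SigAlg", [""])[0]
    signed_query = "&".join(
        f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw
    )
    return {
        "host": parts.netloc,
        "path": parts.path,
        "destination": destination,
        # The request should be addressed to the host the browser actually hit.
        "destination_matches_host": urlsplit(destination).netloc == parts.netloc,
        "issuer": issuer.text if issuer is not None else None,
        "sig_alg": sig_alg,
        "sig_alg_name": SIG_ALG_NAMES.get(sig_alg, "unknown (check the IdP metadata)"),
        "signed_query": signed_query,
        "has_signature": "Signature" in decoded,
    }


if __name__ == "__main__":
    for key, value in inspect_redirect_url(build_sample_url()).items():
        print(f"{key}: {value if key != 'signed_query' else value[:60] + '...'}")
```

The deciding facts are `host` and `destination_matches_host`: a genuine SSO hop lands on a host the service provider really delegates to, and the request inside it names that host. The `SigAlg` value on its own is neither a red flag nor a reassurance, since any party generating a request can put a standard algorithm URI in it; verifying `Signature` against the IdP's published key is what would actually authenticate it.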


#2 hamluis

hamluis

  • Moderator
  • 55,893 posts
  • Location:Killeen, TX

Posted 23 July 2018 - 01:41 PM

Please post the FRST data requested at Preparation Guide, Before Using Malware Removal Tools and Requesting Help - http://www.bleepingcomputer.com/forums/topic34773.html.

 

Moved from W10 Spt to MRA.

 

Louis



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • Location:Montreal, QC. Canada

Posted 24 July 2018 - 08:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post the logs suggested in the Link posted by the Moderator.

I will review them and advise.

p.s.

If not able to run the programs in Normal Mode, boot to Safe Mode with Networking and run the Farbar program.

If successful, post the FRST.txt and the Addition.txt logs for my review.
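Reading an FRST.txt/Addition.txt report is mostly a matter of knowing which lines to look at first. The script below is an added example, not part of Farbar Recovery Scan Tool and not something nasdaq posted; FRST's own fixlist remains the remediation mechanism. It walks a report and surfaces the entries a reviewer checks before anything else: lines FRST itself marks `<==== ATTENTION`, references to files that no longer exist (`<not found>`, `No File`), drivers without an Authenticode signature, processes running from user-writable paths such as `\Temp\` or `\AppData\`, and any interface whose static `[NameServer]` differs from the `[DhcpNameServer]` the router handed out. That last check is the one most relevant to unexpected redirects, and a hit means "identify who set it", not "malicious": the 199.85.126.10/199.85.127.10 pair in the log posted later in this thread matches the addresses Norton published for its ConnectSafe DNS service, which is a deliberate configuration to confirm with the user rather than a hijack. `SAMPLE_LOG` is constructed in the report's format (several of its lines mirror entries from the log in this thread) so the script runs offline.

```python
"""Triage helper for an FRST.txt / Addition.txt report.

Added example, not part of Farbar Recovery Scan Tool. SAMPLE_LOG is a
constructed excerpt in FRST's line format."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{130b8365-ebe8-463c-9c11-9be187b84e64}: [NameServer] 199.85.126.10,199.85.127.10
Tcpip\..\Interfaces\{130b8365-ebe8-463c-9c11-9be187b84e64}: [DhcpNameServer] 192.168.1.1
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-04-24]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.14.2.13\Exts\Chrome.crx <not found>
S3 USBAAPL64; C:\WINDOWS\System32\Drivers\usbaapl64.sys [54784 2015-06-17] (Apple, Inc.) [File not signed]
Task: {4B783E5D-12D6-481C-A122-96000FD5C3B6} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
"""

ATTENTION = "<==== ATTENTION"
# Tcpip\..\Interfaces\{GUID}: [NameServer] a.b.c.d   or   [DhcpNameServer] a.b.c.d
IFACE_RE = re.compile(r"^Tcpip\\\.\.\\Interfaces\\(\{[^}]+\}): \[(Dhcp)?NameServer\] (.+)$")
# (Publisher) C:\path\to\binary.exe   as printed in the Processes section
PROCESS_RE = re.compile(r"^\([^)]*\) ([A-Za-z]:\\.+\.exe)$")
# User-writable locations that a legitimate service binary rarely runs from.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


def finding(category, line, note):
    return {"category": category, "line": line, "note": note}


def triage(report: str) -> list:
    """Return one finding per noteworthy line, plus one per interface whose
    static resolver differs from the DHCP-supplied one."""
    findings = []
    resolvers = defaultdict(dict)  # interface GUID -> {"static": ..., "dhcp": ...}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            guid, is_dhcp, servers = m.groups()
            resolvers[guid]["dhcp" if is_dhcp else "static"] = servers
            continue
        proc = PROCESS_RE.match(line)
        if ATTENTION in line:
            findings.append(finding("attention", line,
                "flagged by FRST itself; typically an orphaned task or registry entry"))
        elif "[File not signed]" in line:
            findings.append(finding("unsigned_driver", line,
                "kernel driver without an Authenticode signature; confirm vendor and file hash"))
        elif proc and any(d in proc.group(1).lower() for d in USER_WRITABLE):
            findings.append(finding("temp_process", line,
                "process running from a user-writable path; identify the publisher and why it lives there"))
        elif "<not found>" in line or "No File" in line:
            findings.append(finding("orphan", line,
                "reference to a file that no longer exists; harmless, removable via the fixlist"))
    for guid, entry in resolvers.items():
        static = entry.get("static")
        if static and static != entry.get("dhcp"):
            findings.append(finding("dns_override", guid,
                f"static resolver {static} overrides DHCP resolver "
                f"{entry.get('dhcp', '(none)')}; identify who configured it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['category']}] {f['note']}\n    {f['line']}")
```

Run it against a real FRST.txt by reading the file instead of `SAMPLE_LOG`. Everything it prints is a starting point for a human, which is why the notes say "identify" and "confirm": an Intel helper in `C:\Windows\Temp\DPTF` and an orphaned updater task both show up, and both are ordinary, but a resolver nobody remembers setting is exactly the kind of entry that explains pages that "look different" at a URL that reads correctly.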

#4 lunaluna108

lunaluna108
  • Topic Starter
  • Members
  • 4 posts

Posted 25 July 2018 - 03:54 AM

Hi guys - new to the site. I would greatly appreciate any advice on what the heck is going on with my laptop. My Chrome browser keeps redirecting me to phishing sites. This has been going on for a while. My family member and I keep having to order new cards as we keep getting random charges (now totalling over 600). Earlier this year I took it to an IT guy who replaced the entire hard drive. The laptop was alright for a month but it started redirecting again.

Recently I bought an item on my family member's eBay. The URL seemed legit, the order went through, I clicked on "view order details" and was redirected to https://vod.ebay.com.au. The page looked different to the legit eBay site. Another example: when I clicked on login on the official Norton site, the URL changed. Not sure if I'm allowed to post the whole URL, but it contained this - /sso/idp/SAML2?SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&SAML

I don't know much about computers, but there are invalid and suspicious-looking certificates on my laptop and heaps of tasks running. One of the odd things I've noticed is that when I click on a certificate it says invalid, but under certification path there is another certificate attached to it that is trusted. There are a few of these. I run Norton on my computer. My operating system is Windows 10 (x64). I've copied and pasted the Farbar results below. Thanks!

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21.07.2018

Ran by user (administrator) on DESKTOP-UC4DKGM (25-07-2018 18:50:11)
Running from C:\Users\user\Downloads
Loaded Profiles: user (Available Profiles: user)
Platform: Windows 10 Home Version 1709 16299.431 (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\120322.inf_amd64_496b556827a662cb\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Windows\System32\ibtsiva.exe
(Symantec Corporation) C:\Program Files\Norton Security\Engine\22.14.2.13\NortonSecurity.exe
(Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(Microsoft Corporation) C:\Program Files\rempl\sedsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\120322.inf_amd64_496b556827a662cb\igfxEM.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Symantec Corporation) C:\Program Files\Norton Security\Engine\22.14.2.13\coNatHst.exe
(Symantec Corporation) C:\Program Files\Norton Security\Engine\22.14.2.13\NortonSecurity.exe
(Spotify Ltd) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\SpotifyWebHelper.exe
(Spotify Ltd) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
(Spotify Ltd) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
(Spotify Ltd) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
(Spotify Ltd) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [298296 2018-01-22] (Apple Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{130b8365-ebe8-463c-9c11-9be187b84e64}: [NameServer] 199.85.126.10,199.85.127.10
Tcpip\..\Interfaces\{130b8365-ebe8-463c-9c11-9be187b84e64}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{69a90d94-09cf-4666-857b-b25536a4a8fc}: [NameServer] 199.85.126.10,199.85.127.10
Tcpip\..\Interfaces\{69a90d94-09cf-4666-857b-b25536a4a8fc}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security\Engine\22.14.2.13\coIEPlg.dll [2018-05-30] (Symantec Corporation)
BHO-x32: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security\Engine32\22.14.2.13\coIEPlg.dll [2018-05-30] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine\22.14.2.13\coIEPlg.dll [2018-05-30] (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine32\22.14.2.13\coIEPlg.dll [2018-05-30] (Symantec Corporation)
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-18] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR Profile: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default [2018-07-25]
CHR Extension: (Google Drive) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-04-24]
CHR Extension: (YouTube) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-04-24]
CHR Extension: (Norton Security Toolbar) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2018-06-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-24]
CHR Extension: (Gmail) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-04-24]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-06-14]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.14.2.13\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files\Norton Security\Engine\22.14.2.13\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 esifsvc; C:\WINDOWS\system32\Intel\DPTF\esif_uf.exe [2215168 2016-08-13] (Intel Corporation)
R2 ibtsiva; C:\WINDOWS\system32\ibtsiva.exe [542320 2017-12-07] (Intel Corporation)
R2 NortonSecurity; C:\Program Files\Norton Security\Engine\22.14.2.13\NortonSecurity.exe [328648 2018-05-30] (Symantec Corporation)
R2 osrss; C:\WINDOWS\system32\osrss.dll [130808 2018-06-08] (Microsoft Corporation)
R2 sedsvc; C:\Program Files\rempl\sedsvc.exe [295976 2018-07-16] (Microsoft Corporation)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\NisSrv.exe [4682552 2018-05-31] (Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.16.17656.18052-0\MsMpEng.exe [101096 2018-05-31] (Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 Accelerometer; C:\WINDOWS\System32\drivers\Accelerometer.sys [53760 2017-12-19] (HP)
S3 AppleLowerFilter; C:\WINDOWS\System32\drivers\AppleLowerFilter.sys [35560 2018-04-26] (Apple Inc.)
R1 BHDrvx64; C:\Program Files\Norton Security\NortonData\22.14.2.13\Definitions\BASHDefs\20180723.007\BHDrvx64.sys [1919568 2018-07-02] (Symantec Corporation)
R1 ccSet_NGC; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\ccSetx64.sys [187520 2018-05-30] (Symantec Corporation)
R3 dptf_cpu; C:\WINDOWS\System32\drivers\dptf_cpu.sys [66624 2016-08-13] (Intel Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [507984 2018-04-26] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [153168 2018-06-25] (Symantec Corporation)
S3 esif_lf; C:\WINDOWS\system32\DRIVERS\esif_lf.sys [350272 2016-08-13] (Intel Corporation)
R0 hpdskflt; C:\WINDOWS\System32\drivers\hpdskflt.sys [39936 2017-12-19] (HP)
R3 ibtusb; C:\WINDOWS\system32\DRIVERS\ibtusb.sys [136128 2017-12-07] (Intel Corporation)
R1 IDSVia64; C:\Program Files\Norton Security\NortonData\22.14.2.13\Definitions\IPSDefs\20180724.062\IDSvia64.sys [1298000 2018-06-20] (Symantec Corporation)
R3 Netwtw04; C:\WINDOWS\System32\drivers\Netwtw04.sys [8623128 2018-04-04] (Intel Corporation)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvhm.inf_amd64_c8a41364c1b3daa8\nvlddmkm.sys [17036560 2018-01-16] (NVIDIA Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [604160 2017-09-29] (Realtek )
S3 RTSPER; C:\WINDOWS\system32\DRIVERS\RtsPer.sys [787968 2016-12-30] (Realsil Semiconductor Corporation)
R3 SRTSP; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\SRTSP64.SYS [838224 2018-05-30] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\SRTSPX64.SYS [49232 2018-05-30] (Symantec Corporation)
R0 SymEFASI; C:\WINDOWS\System32\drivers\NGCx64\160E020.00D\SYMEFASI64.SYS [1942096 2018-05-30] (Symantec Corporation)
S0 SymELAM; C:\WINDOWS\System32\drivers\NGCx64\160E020.00D\SymELAM.sys [24584 2018-05-30] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT64x86.SYS [99920 2018-06-20] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\Ironx64.SYS [307792 2018-05-30] (Symantec Corporation)
R1 SymNetS; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\SYMNETS.SYS [566912 2018-05-30] (Symantec Corporation)
S3 USBAAPL64; C:\WINDOWS\System32\Drivers\usbaapl64.sys [54784 2015-06-17] (Apple, Inc.) [File not signed]
S3 WdBoot; C:\WINDOWS\system32\drivers\wd\WdBoot.sys [46072 2018-05-31] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\wd\WdFilter.sys [313384 2018-05-31] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [61992 2018-05-31] (Microsoft Corporation)
R3 WirelessButtonDriver64; C:\WINDOWS\System32\drivers\WirelessButtonDriver64.sys [30368 2017-06-22] (HP)
S3 wpCtrlDrv_NGC; C:\WINDOWS\system32\drivers\NGCx64\160E020.00D\wpCtrlDrv.sys [1015592 2018-05-30] (Symantec Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-25 18:50 - 2018-07-25 18:50 - 000012747 _____ C:\Users\user\Downloads\FRST.txt
2018-07-25 18:49 - 2018-07-25 18:50 - 000000000 ____D C:\FRST
2018-07-25 18:49 - 2018-07-25 18:49 - 002412544 _____ (Farbar) C:\Users\user\Downloads\FRST64.exe
2018-07-24 22:14 - 2018-07-24 22:14 - 000000000 ____D C:\WINDOWS\System32\Tasks\Remediation
2018-07-16 17:59 - 2018-07-16 17:59 - 000224577 _____ C:\Users\user\Downloads\Application_for_transfer_of_registration.pdf
2018-07-13 15:43 - 2018-07-25 14:27 - 000000000 ____D C:\Program Files\rempl
2018-07-08 00:15 - 2018-07-08 00:15 - 000060512 _____ C:\Users\user\Downloads\astro_w2gw_jayne_coggin.51329.14951.pdf
2018-07-07 17:36 - 2018-06-08 14:09 - 000130808 _____ (Microsoft Corporation) C:\WINDOWS\system32\osrss.dll
2018-07-06 01:29 - 2018-07-06 01:29 - 000523821 _____ C:\Users\user\Downloads\student-cover-letter-guide.pdf
2018-07-06 00:50 - 2018-07-06 00:50 - 000000624 _____ C:\Users\user\Downloads\coverletter (8).txt
2018-07-06 00:50 - 2018-07-06 00:50 - 000000584 _____ C:\Users\user\Downloads\coverletter (7).txt
2018-07-06 00:49 - 2018-07-06 00:49 - 000000605 _____ C:\Users\user\Downloads\coverletter (6).txt
2018-07-06 00:49 - 2018-07-06 00:49 - 000000590 _____ C:\Users\user\Downloads\coverletter (5).txt
2018-07-05 23:18 - 2018-07-05 23:18 - 000147547 _____ C:\Users\user\Downloads\Cover Letter Language Examples.pdf
2018-07-05 23:15 - 2018-07-05 23:15 - 000000594 _____ C:\Users\user\Downloads\coverletter (3).txt
2018-07-05 23:15 - 2018-07-05 23:15 - 000000590 _____ C:\Users\user\Downloads\coverletter (4).txt
2018-07-05 23:14 - 2018-07-05 23:14 - 000000636 _____ C:\Users\user\Downloads\coverletter (2).txt
2018-07-05 23:14 - 2018-07-05 23:14 - 000000633 _____ C:\Users\user\Downloads\coverletter (1).txt
2018-07-05 23:13 - 2018-07-05 23:13 - 000000870 _____ C:\Users\user\Downloads\coverletter.txt
2018-07-05 02:57 - 2018-07-05 02:57 - 005156241 _____ C:\Users\user\Downloads\Extract_sample_English_Unit1_sheet (1).pdf
2018-07-05 02:56 - 2018-07-05 02:57 - 005156241 _____ C:\Users\user\Downloads\Extract_sample_English_Unit1_sheet.pdf
2018-07-04 03:32 - 2018-07-04 03:32 - 000927789 _____ C:\Users\user\Downloads\Statement20180630.pdf
2018-07-02 17:48 - 2018-07-02 17:48 - 002470851 _____ C:\Users\user\Downloads\Cuba-Libre.m4a
2018-07-02 17:45 - 2018-07-02 17:46 - 004668444 _____ C:\Users\user\Downloads\Mercy.m4a
2018-06-30 18:26 - 2018-06-30 18:26 - 001464585 _____ C:\Users\user\Downloads\tps-pearl-diameter-guide.pdf
2018-06-30 18:26 - 2018-06-30 18:26 - 001464585 _____ C:\Users\user\Downloads\tps-pearl-diameter-guide (1).pdf
2018-06-27 20:42 - 2018-06-27 20:54 - 000000857 _____ C:\Users\user\Desktop\CLRECEPTION.txt
2018-06-27 10:20 - 2018-06-27 10:20 - 000555220 _____ C:\Users\user\Downloads\wills_indesign_web1.pdf
2018-06-27 10:14 - 2018-06-27 10:14 - 000287511 _____ C:\Users\user\Downloads\2016-08-19-POA-Lodgement-form.pdf
2018-06-25 23:59 - 2018-06-25 23:59 - 000000000 ____D C:\Users\user\AppData\Local\ElevatedDiagnostics
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-07-25 17:41 - 2018-06-20 14:32 - 000000000 ____D C:\WINDOWS\System32\Tasks\Norton Security with Backup
2018-07-25 17:41 - 2018-03-12 16:15 - 001048034 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-07-25 17:38 - 2018-03-12 15:32 - 000000000 __SHD C:\Users\user\IntelGraphicsProfiles
2018-07-25 15:04 - 2018-03-13 03:01 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2018-07-25 15:04 - 2018-03-12 16:12 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-07-25 14:42 - 2018-03-13 03:01 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2018-07-25 14:27 - 2018-03-13 03:04 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-07-25 14:26 - 2018-03-13 03:04 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-07-24 21:44 - 2018-03-12 16:09 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-07-24 04:05 - 2018-05-18 02:26 - 000000000 ____D C:\Users\user\Desktop\New folder
2018-07-21 22:56 - 2018-03-13 03:04 - 000000000 ___HD C:\Program Files\WindowsApps
2018-07-17 18:53 - 2018-03-13 03:04 - 000000000 ____D C:\WINDOWS\system32\NDF
2018-07-12 12:48 - 2018-02-28 09:12 - 000000000 __RHD C:\Users\Public\AccountPictures
2018-07-12 12:02 - 2018-04-24 19:43 - 000000000 ____D C:\Users\user\AppData\Local\CrashDumps
2018-07-12 00:11 - 2018-03-12 16:22 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-07-12 00:10 - 2018-03-13 03:02 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-07-12 00:10 - 2018-03-12 16:21 - 134675576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-07-08 00:14 - 2018-06-20 14:36 - 000000000 ____D C:\Users\user\AppData\Local\NPE
2018-07-05 20:23 - 2018-03-13 03:03 - 000000000 ____D C:\WINDOWS\INF
2018-07-03 19:35 - 2018-03-12 16:14 - 000000000 ____D C:\Users\user\AppData\Local\Comms
2018-07-03 19:35 - 2018-03-12 16:13 - 000000000 ____D C:\Users\user\AppData\Local\Packages
2018-07-02 17:58 - 2018-03-12 16:56 - 000000000 ____D C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
2018-07-02 17:53 - 2018-03-12 16:13 - 000000000 ____D C:\Users\user\AppData\Local\ConnectedDevicesPlatform
2018-06-29 10:46 - 2018-03-13 03:06 - 000835064 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2018-06-29 10:46 - 2018-03-13 03:06 - 000179704 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2018-06-25 23:56 - 2018-03-12 15:31 - 000000000 ____D C:\Intel
2018-06-25 23:34 - 2018-03-13 03:04 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
 
==================== Files in the root of some directories =======
 
2018-05-22 17:40 - 2018-05-22 17:40 - 000007599 _____ () C:\Users\user\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-07-03 15:44
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 21.07.2018
Ran by user (25-07-2018 18:50:38)
Running from C:\Users\user\Downloads
Windows 10 Home Version 1709 16299.431 (X64) (2018-03-12 06:13:14)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3129136671-2921400953-2474731906-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3129136671-2921400953-2474731906-503 - Limited - Disabled)
Guest (S-1-5-21-3129136671-2921400953-2474731906-501 - Limited - Disabled)
user (S-1-5-21-3129136671-2921400953-2474731906-1001 - Administrator - Enabled) => C:\Users\user
WDAGUtilityAccount (S-1-5-21-3129136671-2921400953-2474731906-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security (Enabled - Up to date) {E3FDBD9F-8140-1400-F32B-8B58923F7C4D}
AS: Norton Security (Enabled - Up to date) {589C5C7B-A77A-1B8E-C99B-B02AE9B836F0}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Security (Enabled) {DBC63CBA-CB2F-1558-D874-226D6CEC3B36}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Apple Application Support (32-bit) (HKLM-x32\...\{D4C80B0C-CF67-43A7-90C3-466853543B54}) (Version: 6.3 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{B2A2E8AF-BC48-4191-B2C4-3846A19835CA}) (Version: 6.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{19589375-5C58-4AFA-842F-8B34744CCEAD}) (Version: 2.5.0.1 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 67.0.3396.99 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
iTunes (HKLM\...\{1D7D1271-5258-4F5A-B8C1-7176BF398782}) (Version: 12.7.3.46 - Apple Inc.)
Norton Security (HKLM-x32\...\NGC) (Version: 22.14.2.13 - Symantec Corporation)
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{479E8CC7-CD68-4EB4-BB04-34A5C2C74102}) (Version: 2.46.0.0 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3129136671-2921400953-2474731906-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\OneDrive\18.044.0301.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3129136671-2921400953-2474731906-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\OneDrive\18.044.0301.0006\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3129136671-2921400953-2474731906-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\OneDrive\18.044.0301.0006\amd64\FileSyncShell64.dll => No File
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers-x32: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ContextMenuHandlers1: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ContextMenuHandlers1: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.14.2.13\NavShExt.dll [2018-05-30] (Symantec Corporation)
ContextMenuHandlers2: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.14.2.13\NavShExt.dll [2018-05-30] (Symantec Corporation)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\System32\DriverStore\FileRepository\120322.inf_amd64_496b556827a662cb\igfxDTCM.dll [2017-02-22] (Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2017-12-19] (NVIDIA Corporation)
ContextMenuHandlers6: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files\Norton Security\Engine\22.14.2.13\buShell.dll [2018-05-30] (Symantec Corporation)
ContextMenuHandlers6: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.14.2.13\NavShExt.dll [2018-05-30] (Symantec Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0685F5E1-D6E1-4DBE-B565-47D897CDE1A2} - System32\Tasks\Norton Security with Backup\Norton Security Autofix => C:\Program Files\Norton Security\Engine\22.14.2.13\SymErr.exe [2018-05-30] (Symantec Corporation)
Task: {4B783E5D-12D6-481C-A122-96000FD5C3B6} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {63A77311-EDB6-4A8F-9A9C-6FDA03CA712A} - System32\Tasks\Microsoft\Windows\rempl\shell => C:\Program Files\rempl\sedlauncher.exe [2018-07-16] (Microsoft Corporation)
Task: {68A6D0F7-D711-49B6-959F-FAC5122538E9} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2018-05-30] (Symantec Corporation)
Task: {6AB29844-6A8B-4C04-89A0-72433430471D} - System32\Tasks\Norton Security\Norton Security Error Processor => C:\Program Files\Norton Security\Norton Security\Engine\22.14.0.54\SymErr.exe
Task: {A1700F96-4F3D-433B-9CAD-684998988777} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Security\Engine\22.14.2.13\WSCStub.exe [2018-05-30] (Symantec Corporation)
Task: {C606B459-1647-4F2A-A40C-F8F0B7BD42D0} - System32\Tasks\Norton Security\Norton Security Autofix => C:\Program Files\Norton Security\Norton Security\Engine\22.14.0.54\SymErr.exe
Task: {C69AD389-0746-448F-9D6B-8841000A0AD5} - System32\Tasks\Norton Security with Backup\Norton Security Error Analyzer => C:\Program Files\Norton Security\Engine\22.14.2.13\SymErr.exe [2018-05-30] (Symantec Corporation)
Task: {E3354573-4270-4380-B546-E8A124F1E70A} - System32\Tasks\Norton Security\Norton Security Error Analyzer => C:\Program Files\Norton Security\Norton Security\Engine\22.14.0.54\SymErr.exe
Task: {ED262D9D-3CD3-47AA-822E-3DD92A49D91B} - \Apple\AppleSoftwareUpdate -> No File <==== ATTENTION
Task: {F859E6BA-BF3F-48FF-8256-6135DC5EE2EA} - System32\Tasks\Norton Security with Backup\Norton Security Error Processor => C:\Program Files\Norton Security\Engine\22.14.2.13\SymErr.exe [2018-05-30] (Symantec Corporation)
Task: {FBC4E854-EE1F-4C6E-890D-F3190E662AEC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-04-24] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2018-04-04 18:03 - 2018-04-04 18:03 - 000173760 _____ () C:\WINDOWS\system32\IntelWifiIhv04.dll
2017-09-29 23:41 - 2017-09-29 23:41 - 000184432 ____N () C:\WINDOWS\SYSTEM32\inputhost.dll
2018-03-12 16:10 - 2017-12-19 12:43 - 000134456 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2018-04-24 16:29 - 2018-02-22 10:26 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-04-24 16:28 - 2018-02-22 10:21 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-06-26 13:15 - 2018-06-23 05:15 - 004608856 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.99\libglesv2.dll
2018-06-26 13:15 - 2018-06-23 05:15 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\67.0.3396.99\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2018-03-13 03:04 - 2018-03-13 03:03 - 000000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3129136671-2921400953-2474731906-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 199.85.126.10 - 199.85.127.10
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{C59A66E7-FD90-4676-A2A1-81073D838B1E}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{E965A752-9136-4300-834E-E0E87239E442}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7F496BCF-C5DF-4B93-9997-5398AFFD7DA5}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{8D3F0216-0EE1-4E0A-A98F-7AE6BBD6C896}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{19C42F32-9B8D-4355-A561-70266CD3D8FE}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{FFA308BD-EBE0-4F9F-B775-5DDB3CED974A}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{90839B84-61AB-469F-9214-3DAD99073B02}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{EEA6E117-39A5-4572-ABF5-FA74F7DFD49F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{87E05B08-C999-4704-A7A0-0251AED6CB8D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{DE54D09A-04BC-480C-99D2-CD0578DF5BDC}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{3F334996-E5A5-4FF5-A98B-0476D6AE637A}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{7F4FBF53-20DE-4172-A0BF-C524553B72A7}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{BD3A0DE2-1CFE-4367-BFAF-8DCB05231786}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{93FEE739-1666-4AE0-B51E-EE71EB713FAE}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{6A0E23AC-A111-4516-91A4-6A684249B31F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\Spotify.exe
FirewallRules: [{6CA4C4E8-13D1-4727-9F36-CCBCA8F90B2D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\SpotifyWebHelper.exe
FirewallRules: [{97FC0482-4439-4D04-A27D-B62BE69CA679}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0\SpotifyWebHelper.exe
 
==================== Restore Points =========================
 
07-07-2018 17:35:54 Windows Update
12-07-2018 00:10:22 Windows Update
19-07-2018 17:23:46 Scheduled Checkpoint
25-07-2018 14:26:11 Windows Update
 
==================== Faulty Device Manager Devices =============
 
Name: Intel® Dynamic Platform and Thermal Framework Manager
Description: Intel® Dynamic Platform and Thermal Framework Manager
Class Guid: {c3077fcd-9c3c-482f-9317-460712f23efd}
Manufacturer: Intel
Service: esif_lf
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/24/2018 08:01:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 6219
 
Error: (07/24/2018 08:01:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 6219
 
Error: (07/24/2018 08:01:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (07/24/2018 08:01:14 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4563
 
Error: (07/24/2018 08:01:14 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4563
 
Error: (07/24/2018 08:01:14 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (07/24/2018 08:01:12 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2875
 
Error: (07/24/2018 08:01:12 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2875
 
 
System errors:
=============
Error: (07/25/2018 05:56:41 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/25/2018 05:53:25 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/25/2018 05:38:38 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UC4DKGM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UC4DKGM\user SID (S-1-5-21-3129136671-2921400953-2474731906-1001) from address LocalHost (Using LRPC) running in the application container SpotifyAB.SpotifyMusic_1.85.259.0_x86__zpdnekdrzrea0 SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/25/2018 05:38:29 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-UC4DKGM)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user DESKTOP-UC4DKGM\user SID (S-1-5-21-3129136671-2921400953-2474731906-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/25/2018 05:38:24 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/25/2018 05:38:24 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/25/2018 05:38:24 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (07/25/2018 05:38:24 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
Windows Defender:
===================================
Date: 2018-06-12 23:45:12.874
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {808ECD4D-2C83-4EBB-9DEF-CFBFD0C3059E}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-06-04 11:03:55.667
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {F2AFEF31-DC44-49BE-84B0-5396F2581F96}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-06-02 01:12:31.557
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {E581B844-4652-4C6B-9BC4-CC949C3AAEE8}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-05-29 01:01:31.926
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {5BE9CE92-7B84-4FC6-89B1-C82244A1C654}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-05-29 00:52:13.604
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {6CA94270-E416-480D-BEC9-F4861E7A555B}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-04-24 16:40:26.323
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.267.256.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14800.3
Error code: 0x80240016
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support. 
 
Date: 2018-04-24 16:30:24.200
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.263.460.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14600.4
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2018-04-24 16:30:24.200
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 118.5.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version: 
Previous Engine Version: 2.1.14202.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2018-04-24 16:30:24.194
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.263.460.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14600.4
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
Date: 2018-04-24 16:30:24.194
Description: 
Windows Defender Antivirus has encountered an error trying to update signatures.
New Signature Version: 
Previous Signature Version: 1.263.460.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version: 
Previous Engine Version: 1.1.14600.4
Error code: 0x80072ee7
Error description: The server name or address could not be resolved 
 
CodeIntegrity:
===================================
 
Date: 2018-07-25 17:56:43.672
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-07-25 17:56:43.671
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-07-25 17:44:15.495
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-07-25 17:44:15.493
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-07-25 17:44:13.791
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-07-25 17:44:13.789
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-07-25 17:44:11.812
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-07-25 17:44:11.811
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-6500U CPU @ 2.50GHz
Percentage of memory in use: 38%
Total physical RAM: 8081.91 MB
Available physical RAM: 4971.13 MB
Total Virtual: 9361.91 MB
Available Virtual: 6315.88 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:237.87 GB) (Free:192.59 GB) NTFS
 
\\?\Volume{a0593307-5615-4c58-8be6-8593d82d65d5}\ (Recovery) (Fixed) (Total:0.49 GB) (Free:0.13 GB) NTFS
\\?\Volume{31485f2a-9346-4e54-835d-84bfab5b24ee}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: BE8849FE)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

Edited by Platypus, 25 July 2018 - 07:57 AM.
Merged reply made as a second topic


#5 nasdaq

  • Malware Response Team
  • 39,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 July 2018 - 08:47 AM

Hi,

Your logs are clean.

Your copy of Chrome may have been compromised

:step1: Remove Chrome from your Computer and reinstall a fresh copy later.

:step2: Before you remove Chrome, export your Bookmarks
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

:step3: If you sync your account you must remove it before you save your bookmarks etc...
Delete Your Google Chrome Browser Sync Data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

:step4: Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

:step5: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

:step6: Re-install Chrome and the Bookmarks.
====

Let me know if the problem persists.
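The steps above say to export your bookmarks before removing Chrome. As an added example (not part of nasdaq's reply and not a Google tool), the PowerShell script below does that export offline from Chrome's own `Bookmarks` JSON file in the default profile, writing a Netscape-format HTML file that Chrome's bookmark importer accepts, and keeping a raw copy of the JSON beside it. The profile path and the output location on the Desktop are assumptions; adjust them if Chrome is installed for a different profile.

```powershell
# Added example (not from the thread): export Chrome's bookmarks to an HTML file
# before uninstalling Chrome, so they can be re-imported into the fresh copy.
# Assumptions: the "Default" profile path below, and an output file on the Desktop.
$BookmarksPath = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Bookmarks'
$OutFile       = Join-Path $env:USERPROFILE 'Desktop\chrome-bookmarks-backup.html'

if (-not (Test-Path $BookmarksPath)) {
    throw "Chrome Bookmarks file not found at $BookmarksPath"
}

# Chrome stores bookmarks as JSON; keep an untouched copy of the original as well.
Copy-Item -Path $BookmarksPath -Destination "$OutFile.json" -Force
$json = Get-Content -Raw -Path $BookmarksPath | ConvertFrom-Json

# Escape text so bookmark names/URLs cannot break the generated HTML.
function ConvertTo-HtmlText([string]$s) {
    return ($s -replace '&', '&amp;' -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;')
}

# Walk a bookmark tree node (folder or url) and emit Netscape bookmark HTML lines.
function Convert-BookmarkNode($node, [int]$depth) {
    $indent = '    ' * $depth
    if ($node.type -eq 'folder') {
        $lines = @()
        $lines += "$indent<DT><H3>$(ConvertTo-HtmlText $node.name)</H3>"
        $lines += "$indent<DL><p>"
        foreach ($child in @($node.children)) {
            $lines += Convert-BookmarkNode $child ($depth + 1)
        }
        $lines += "$indent</DL><p>"
        return $lines
    }
    elseif ($node.type -eq 'url') {
        return "$indent<DT><A HREF=`"$(ConvertTo-HtmlText $node.url)`">$(ConvertTo-HtmlText $node.name)</A>"
    }
}

$out = @(
    '<!DOCTYPE NETSCAPE-Bookmark-file-1>',
    '<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">',
    '<TITLE>Bookmarks</TITLE>',
    '<H1>Bookmarks</H1>',
    '<DL><p>'
)
# Chrome keeps three root folders: bookmarks bar, "Other bookmarks" and mobile/synced.
foreach ($rootName in 'bookmark_bar', 'other', 'synced') {
    $root = $json.roots.$rootName
    if ($root) { $out += Convert-BookmarkNode $root 1 }
}
$out += '</DL><p>'

$out | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Exported bookmarks to $OutFile (raw JSON copy: $OutFile.json)"
```

Run it in a normal (non-elevated) PowerShell window as the user whose bookmarks you want to keep, with Chrome closed. After the fresh install, Chrome's Bookmarks > Import bookmarks and settings > "Bookmarks HTML File" will read the generated file; the `.json` copy is only a fallback and is not imported.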

#6 nasdaq

  • Malware Response Team
  • 39,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 July 2018 - 07:46 AM

Are you still with me?
