PUP.Optional.Legacy will not go away.


  • This topic is locked
7 replies to this topic

#1 nomorepupsplz

Posted 03 August 2018 - 08:59 PM

Hello, I recently ran into a strange installation prompt for WebCompanion yesterday and, although I declined, it seems to have installed itself on my computer. I removed the program but noticed that my default search engine was changed to Bing on Firefox. There have also been messages of a program installing the MSN Homepage & Bing search engine extension on Chrome. I ran Malwarebytes and it had found 88 initial threats and removed them. I then ran AdwCleaner and it found a few more threats which I removed. One threat keeps being persistent: PUP.Optional.Legacy (MSN & Bing search engine). RKill found no threats and Zemana found one threat in the Firefox folder. I tried to run a system restore but have not been successful due to an error message. I fear that I may be infected by something very serious.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02.08.2018
Ran by Luque (administrator) on LUQUE-PC (03-08-2018 18:33:55)
Running from C:\Users\Luque\Desktop
Loaded Profiles: Luque (Available Profiles: Luque & maxim_000)
Platform: Windows 10 Home Version 1709 16299.492 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
(Samsung Electronics Co., Ltd.) C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Settings\sSettings.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP ENVY 4500 series\Bin\ScanToPCActivationApp.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(© 2015 Microsoft Corporation) C:\Users\Luque\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(Spotify Ltd) C:\Users\Luque\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\S Agent\CommonAgent.exe
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(HP Inc.) C:\Program Files\HP\HP Touchpoint Analytics Client\TouchpointAnalyticsClientService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\rempl\sedsvc.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1807.18075-0\MsMpEng.exe
(Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1807.18075-0\NisSrv.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\SoftwareDistribution\Download\Install\Windows-KB890830-x64-V5.62-delta.exe
(Microsoft Corporation) C:\Windows\System32\MRT.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3242200 2016-11-11] (ELAN Microelectronics Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [14040296 2015-09-19] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [316392 2018-05-11] (Adobe Systems, Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [298296 2018-04-08] (Apple Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [630168 2017-09-29] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2015-07-21] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll [X]
HKLM\...\Policies\Explorer: [NoViewOnDrive] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKLM\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKLM\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [NoFile] 0
HKLM\...\Policies\Explorer: [HideClock] 0
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0
HKLM\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKLM\...\Policies\Explorer: [NoSetFolders] 0
HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
HKLM\...\Policies\Explorer: [NoDFSTab] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
HKLM\...\Policies\Explorer: [NoLogoff] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 0
HKLM\...\Policies\Explorer: [NoSaveSettings] 0
HKLM\...\Policies\Explorer: [NoHardwareTab] 0
HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
HKLM\...\Policies\Explorer: [NoDesktop] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Run: [HP ENVY 4500 series (NET)] => C:\Program Files\HP\HP ENVY 4500 series\Bin\ScanToPCActivationApp.exe [3487240 2014-07-21] (Hewlett-Packard Development Company, LP)
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Run: [BingSvc] => C:\Users\Luque\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Run: [McAfeeSafeConnect] => C:\Program Files (x86)\McAfee Safe Connect\McAfee Safe Connect.exe
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Run: [Spotify Web Helper] => C:\Users\Luque\AppData\Roaming\Spotify\SpotifyWebHelper.exe [781712 2018-06-10] (Spotify Ltd)
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\system: [NoDispAppearancePage] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\system: [NoDispBackgroundPage] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\system: [NoDispSettingsPage] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [DisableLocalMachineRun] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [DisableCurrentUserRun] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoViewContextMenu] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoShellSearchButton] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoFind] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoFile] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [HideClock] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoTrayContextMenu] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoTrayItemsDisplay] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoSetFolders] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoDevMgrUpdate] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoSetTaskbar] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoDeletePrinter] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoDFSTab] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoChangeStartMenu] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoLogoff] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoEncryptOnMove] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoRunasInstallPrompt] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoResolveSearch] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoHardwareTab] 0
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Policies\Explorer: [NoStartMenuSubFolders] 0
Startup: C:\Users\Luque\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2018-01-03]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)
Startup: C:\Users\maxim_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uninstall Webroot RunOnce.lnk [2018-08-03]
ShortcutTarget: Uninstall Webroot RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (Webroot Software, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{07a7cfd4-0ad3-4223-82b9-2a024f17aefb}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{9c70d52c-e77f-41ac-8dc3-71c0cc6b2689}: [DhcpNameServer] 168.94.0.14 168.94.0.15
Tcpip\..\Interfaces\{c0e0d263-b1d8-4fb7-a789-d6b877326b4c}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{cfef529e-7c39-4e04-91d3-6ec9e61aeff3}: [DhcpNameServer] 192.168.254.254
 
Internet Explorer:
==================
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=SK2K&ocid=SK2KDHP&osmkt=en-us
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://t.msn.com/
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2018-02-13] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2018-03-13] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-04-03] (Oracle Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-06-17] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-04-03] (Oracle Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2017-07-18] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Luque\AppData\Roaming\Mozilla\Firefox\Profiles\fzqeih1x.default [2018-08-03]
FF Homepage: Mozilla\Firefox\Profiles\fzqeih1x.default -> hxxp://google.com/
FF Extension: (ADB Helper) - C:\Users\Luque\AppData\Roaming\Mozilla\Firefox\Profiles\fzqeih1x.default\Extensions\adbhelper@mozilla.org.xpi [2018-02-24] [Legacy]
FF Extension: (Valence) - C:\Users\Luque\AppData\Roaming\Mozilla\Firefox\Profiles\fzqeih1x.default\Extensions\fxdevtools-adapters@mozilla.org [2017-08-05] [Legacy]
FF Extension: (Adblock Plus) - C:\Users\Luque\AppData\Roaming\Mozilla\Firefox\Profiles\fzqeih1x.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2018-07-20]
FF SearchPlugin: C:\Users\Luque\AppData\Roaming\Mozilla\Firefox\Profiles\fzqeih1x.default\searchplugins\bing-lavasoft-ff59.xml [2018-08-01]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-16] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-04-03] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-04-03] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-04-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-21] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-05-21] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-05-10] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> msn.com
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Profile: C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default [2018-08-03]
CHR Extension: (Docs) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
CHR Extension: (Google Drive) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-12]
CHR Extension: (YouTube) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-12]
CHR Extension: (Adblock Plus) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2018-08-03]
CHR Extension: (uBlock Origin) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2018-08-03]
CHR Extension: (Google Search) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-12]
CHR Extension: (Adobe Acrobat) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2018-01-03]
CHR Extension: (Bing) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2018-08-03]
CHR Extension: (Google Docs Offline) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (AdBlock) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2018-08-03]
CHR Extension: (HP Smart Print) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmpaiomihcebnclahoknbodeiaiohcdi [2014-11-20]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2018-06-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-04]
CHR Extension: (Gmail) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-31]
CHR Extension: (Chrome Media Router) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-08-03]
CHR Profile: C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Guest Profile [2018-08-03]
CHR Profile: C:\Users\Luque\AppData\Local\Google\Chrome\User Data\System Profile [2018-08-03]
CHR HKU\S-1-5-21-1420173382-84886174-3424915379-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AGMService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe [2321384 2018-05-11] (Adobe Systems, Incorporated)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2128872 2018-05-11] (Adobe Systems, Incorporated)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2018-03-29] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3058392 2017-12-12] (Microsoft Corporation)
R2 Easy Launcher; C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe [1593664 2015-06-19] (Samsung Electronics CO., LTD.)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [129752 2016-11-11] (ELAN Microelectronics Corp.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [332656 2018-05-02] (HP Inc.)
R2 HPTouchpointAnalyticsService; C:\Program Files\HP\HP Touchpoint Analytics Client\TouchpointAnalyticsClientService.exe [332216 2017-11-22] (HP Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [337840 2016-10-25] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
R2 Intel® Wireless Bluetooth® 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [157128 2013-09-18] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-16] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6541008 2018-05-09] (Malwarebytes)
R2 osrss; C:\WINDOWS\system32\osrss.dll [130808 2018-06-08] (Microsoft Corporation)
R2 sedsvc; C:\Program Files\rempl\sedsvc.exe [295976 2018-07-16] (Microsoft Corporation)
R2 SWUpdateService; C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe [3296104 2016-11-08] (Samsung Electronics Co., Ltd.)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\NisSrv.exe [3905952 2018-08-03] (Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MsMpEng.exe [110944 2018-08-03] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [36096 2013-12-13] (Advanced Micro Devices, Inc.)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [152688 2018-06-19] (Malwarebytes)
R3 ETDSMBus; C:\WINDOWS\system32\DRIVERS\ETDSMBus.sys [32328 2015-10-11] (ELAN Microelectronic Corp.)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [191208 2018-08-03] (Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\System32\DRIVERS\farflt.sys [114920 2018-08-03] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [48360 2018-08-03] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [253664 2018-08-03] (Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [102632 2018-08-03] (Malwarebytes)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
R3 NETwNe64; C:\WINDOWS\System32\drivers\NETwew01.sys [3343872 2017-09-29] (Intel Corporation)
R3 RadioHIDMini; C:\WINDOWS\System32\drivers\RadioHIDMini.sys [23408 2012-07-30] (Windows ® Win 7 DDK provider)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [895256 2015-06-23] (Realtek )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [416472 2016-05-17] (Realsil Semiconductor Corporation)
S3 ScpVBus; C:\WINDOWS\System32\drivers\ScpVBus.sys [39168 2013-05-19] (Scarlet.Crush Productions)
R3 SensorsAlsDriver; C:\WINDOWS\System32\drivers\WUDFRd.sys [259584 2017-09-29] (Microsoft Corporation)
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 teVirtualMIDI64; C:\WINDOWS\system32\DRIVERS\teVirtualMIDI64.sys [41016 2015-07-12] (Tobias Erichsen)
S3 vjoy; C:\WINDOWS\System32\drivers\vjoy.sys [44784 2015-05-05] (Shaul Eizikovich)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46584 2018-08-03] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [340008 2018-08-03] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [61992 2018-08-03] (Microsoft Corporation)
S3 intaud_WaveExtensible; \SystemRoot\system32\drivers\intelaud.sys [X]
S1 MpKsl15c8c8f4; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59DB45C9-95B0-4826-918F-413182D09ABD}\MpKsl15c8c8f4.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-08-03 18:33 - 2018-08-03 18:34 - 000026029 _____ C:\Users\Luque\Desktop\FRST.txt
2018-08-03 18:33 - 2018-08-03 18:33 - 000000000 ____D C:\FRST
2018-08-03 18:32 - 2018-08-03 18:32 - 002412544 _____ (Farbar) C:\Users\Luque\Desktop\FRST64.exe
2018-08-03 18:19 - 2018-08-03 18:19 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
2018-08-03 18:14 - 2018-06-08 14:09 - 000130808 _____ (Microsoft Corporation) C:\WINDOWS\system32\osrss.dll
2018-08-03 17:12 - 2018-08-03 18:18 - 000000000 ____D C:\Users\Luque\AppData\Local\AVAST Software
2018-08-03 17:11 - 2018-08-03 17:11 - 000000000 ____D C:\WINDOWS\System32\Tasks\Avast Software
2018-08-03 17:10 - 2018-08-03 17:10 - 000000000 ____D C:\Program Files\Common Files\AVAST Software
2018-08-03 17:07 - 2018-08-03 18:18 - 000000000 ____D C:\ProgramData\AVAST Software
2018-08-03 17:06 - 2018-08-03 17:11 - 000000000 ____D C:\Program Files\CCleaner
2018-08-03 17:03 - 2018-08-03 17:03 - 000002373 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2018-08-03 17:03 - 2018-08-03 17:03 - 000002332 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2018-08-03 15:55 - 2018-08-03 18:18 - 000048360 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2018-08-03 15:54 - 2018-08-03 18:18 - 000253664 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2018-08-03 15:54 - 2018-08-03 18:18 - 000114920 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2018-08-03 15:54 - 2018-08-03 18:18 - 000102632 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2018-08-03 15:54 - 2018-08-03 16:48 - 000191208 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2018-08-03 15:54 - 2018-08-03 15:54 - 000001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-08-03 15:54 - 2018-08-03 15:54 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-08-03 15:54 - 2018-06-19 14:09 - 000152688 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2018-08-03 15:53 - 2018-08-03 15:53 - 000003162 _____ C:\WINDOWS\System32\Tasks\AdwCleaner_onReboot
2018-08-03 15:51 - 2018-08-03 15:52 - 007395536 _____ (Malwarebytes) C:\Users\Luque\Desktop\AdwCleaner.exe
2018-08-02 23:49 - 2018-08-03 00:35 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2018-08-02 22:20 - 2018-08-03 01:35 - 000000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2018-08-02 22:17 - 2018-08-02 22:17 - 000000000 ____D C:\Users\Luque\AppData\Local\Zemana
2018-08-02 19:45 - 2018-08-02 19:47 - 000000000 ____D C:\AdwCleaner
2018-07-20 11:21 - 2018-08-01 11:59 - 000000000 ____D C:\ProgramData\Packages
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-08-03 18:26 - 2014-03-23 10:11 - 134675576 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2018-08-03 18:26 - 2014-03-23 10:11 - 000000000 ____D C:\WINDOWS\system32\MRT
2018-08-03 18:24 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\DeliveryOptimization
2018-08-03 18:24 - 2016-11-28 18:57 - 000000000 ____D C:\Users\Luque\AppData\LocalLow\Mozilla
2018-08-03 18:22 - 2017-12-26 00:22 - 002931144 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2018-08-03 18:22 - 2017-12-25 23:37 - 001232950 _____ C:\WINDOWS\system32\perfh00C.dat
2018-08-03 18:22 - 2017-12-25 23:37 - 000277880 _____ C:\WINDOWS\system32\perfc00C.dat
2018-08-03 18:21 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\AppReadiness
2018-08-03 18:19 - 2015-09-12 18:42 - 000000000 __SHD C:\Users\Luque\IntelGraphicsProfiles
2018-08-03 18:18 - 2017-12-26 00:34 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2018-08-03 18:17 - 2017-09-29 06:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2018-08-03 18:17 - 2017-09-29 01:45 - 001048576 _____ C:\WINDOWS\system32\config\BBI
2018-08-03 18:14 - 2017-09-28 21:33 - 000000000 ____D C:\Program Files\rempl
2018-08-03 18:11 - 2017-12-25 23:56 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2018-08-03 18:11 - 2017-09-29 06:44 - 000000000 ____D C:\WINDOWS\INF
2018-08-03 17:10 - 2017-09-29 06:46 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2018-08-03 17:10 - 2014-04-22 16:13 - 000000000 ____D C:\Program Files (x86)\Steam
2018-08-03 17:09 - 2017-12-04 15:15 - 000000000 ___DC C:\WINDOWS\Panther
2018-08-03 17:09 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2018-08-03 17:02 - 2014-04-16 20:45 - 000000000 ____D C:\Program Files (x86)\Google
2018-08-03 16:56 - 2014-03-24 22:38 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-08-03 16:51 - 2016-11-25 18:01 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2018-08-03 16:51 - 2014-03-24 22:38 - 000001228 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2018-08-03 16:48 - 2016-02-21 03:11 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2018-08-03 15:55 - 2017-09-29 06:46 - 000000000 ___HD C:\Program Files\WindowsApps
2018-08-03 14:23 - 2014-03-23 14:24 - 000000000 ____D C:\Program Files\Webroot
2018-08-03 14:22 - 2017-12-26 00:02 - 000000000 ____D C:\Users\Luque
2018-08-03 14:21 - 2014-08-31 21:41 - 000000000 ____D C:\ProgramData\Norton
2018-08-03 14:20 - 2014-03-23 14:24 - 000000000 ____D C:\ProgramData\WRData
2018-08-03 14:18 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2018-08-03 14:18 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\system32\Macromed
2018-08-03 03:28 - 2017-12-26 00:34 - 000003360 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1420173382-84886174-3424915379-1001
2018-08-03 03:28 - 2017-06-23 11:01 - 000002401 _____ C:\Users\Luque\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2018-08-03 03:28 - 2014-03-27 22:25 - 000000000 __RDL C:\Users\Luque\SkyDrive
2018-08-03 03:07 - 2018-02-23 21:12 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2018-08-03 03:00 - 2014-03-23 10:11 - 000563832 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2018-08-03 02:59 - 2018-03-14 21:23 - 000004634 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player NPAPI Notifier
2018-08-03 02:53 - 2017-12-26 00:02 - 000000000 ____D C:\Users\maxim_000
2018-08-03 02:52 - 2017-10-26 22:02 - 000000000 ____D C:\Program Files\Elantech
2018-08-03 02:52 - 2017-09-29 06:46 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2018-08-03 02:52 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2018-08-03 02:52 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\system32\appraiser
2018-08-03 02:52 - 2017-09-29 01:45 - 000000000 ____D C:\WINDOWS\system32\Dism
2018-08-03 02:52 - 2016-05-05 20:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Catalyst Control Center
2018-08-03 02:52 - 2014-06-25 21:22 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Evernote
2018-08-03 02:52 - 2014-04-22 16:13 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Steam
2018-08-03 02:52 - 2014-03-23 14:52 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
2018-08-03 02:51 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\system32\WinBioDatabase
2018-08-03 02:51 - 2017-09-29 01:45 - 000000000 ____D C:\WINDOWS\system32\Sysprep
2018-08-03 02:50 - 2018-05-11 21:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2018-08-03 02:50 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\appcompat
2018-08-03 02:50 - 2017-04-03 23:59 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2018-08-03 02:50 - 2016-03-22 04:47 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
2018-08-03 02:50 - 2016-02-23 04:15 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2018-08-03 02:50 - 2016-02-15 19:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bonjour Print Services
2018-08-03 02:50 - 2015-10-11 18:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2018-08-03 02:50 - 2015-06-19 17:14 - 000000000 ____D C:\Users\Luque\AppData\Roaming\Audacity
2018-08-03 02:50 - 2014-04-16 20:45 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2018-08-03 02:50 - 2014-03-25 16:29 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2018-08-03 02:50 - 2014-03-23 14:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung
2018-08-03 02:41 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\InfusedApps
2018-08-03 02:04 - 2017-09-29 06:46 - 000000000 ____D C:\WINDOWS\registration
2018-08-02 23:50 - 2016-02-27 19:54 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-08-02 19:52 - 2016-05-23 20:00 - 000000000 ____D C:\Program Files\Recuva
2018-08-02 19:28 - 2017-04-04 23:05 - 000000000 ____D C:\Program Files\Malwarebytes
2018-07-22 05:09 - 2017-09-29 01:45 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2018-07-05 19:24 - 2018-04-12 03:19 - 000000000 ___HD C:\$WINDOWS.~BT
 
==================== Files in the root of some directories =======
 
2012-03-12 13:16 - 2012-03-12 13:16 - 002003456 _____ (Image-Line) C:\Users\Luque\Wasp VSTi.dll
2014-03-23 14:25 - 2014-03-23 14:25 - 010395072 _____ (Webroot Software, Inc.) C:\Program Files (x86)\Common Files\wruninstall.exe
2016-04-21 00:19 - 2017-05-08 15:35 - 000000033 _____ () C:\Users\Luque\AppData\Roaming\AdobeWLCMCache.dat
2014-03-23 15:02 - 2014-03-23 15:02 - 000010659 _____ () C:\Users\Luque\AppData\Local\WiDiSetupLog.20140323.150221.txt
 
Some files in TEMP:
====================
2018-08-03 15:54 - 2018-08-03 15:54 - 078657976 _____ (Malwarebytes                                                ) C:\Users\Luque\AppData\Local\Temp\mb3-setup-adwc.adwc1003.5.1.2522-1.0.391-1.0.6183.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2018-08-03 03:09
 
==================== End of FRST.txt ============================


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,208 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:36 AM

Posted 04 August 2018 - 07:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

(© 2015 Microsoft Corporation) C:\Users\Luque\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Run: [BingSvc] => C:\Users\Luque\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Extension: (Bing) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2018-08-03]
CHR HKU\S-1-5-21-1420173382-84886174-3424915379-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
S1 MpKsl15c8c8f4; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59DB45C9-95B0-4826-918F-413182D09ABD}\MpKsl15c8c8f4.sys [X]

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists please post that Addition.txt file that was also created by the Farbar program.

#3 nomorepupsplz

nomorepupsplz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 04 August 2018 - 01:09 PM

I ran the fixlog, but on reboot I now got prompts that something is trying to install the Skype and Adobe Acrobat extensions to my browser. Here is the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Luque (04-08-2018 10:46:40) Run:1
Running from C:\Users\Luque\Desktop
Loaded Profiles: Luque &  (Available Profiles: Luque & maxim_000)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
(© 2015 Microsoft Corporation) C:\Users\Luque\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Run: [BingSvc] => C:\Users\Luque\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-12] (© 2015 Microsoft Corporation)
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Extension: (Bing) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2018-08-03]
CHR HKU\S-1-5-21-1420173382-84886174-3424915379-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
S1 MpKsl15c8c8f4; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59DB45C9-95B0-4826-918F-413182D09ABD}\MpKsl15c8c8f4.sys [X]
 
Reboot:
 
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\Luque\AppData\Local\Microsoft\BingSvc\BingSvc.exe => Could not close process
"HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Microsoft\Windows\CurrentVersion\Run\\BingSvc" => removed successfully
"Chrome DefaultSearchURL" => removed successfully
"Chrome DefaultSearchKeyword" => removed successfully
"Chrome DefaultSuggestURL" => removed successfully
CHR Extension: (Bing) - C:\Users\Luque\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2018-08-03] => Error: No automatic fix found for this entry.
"HKU\S-1-5-21-1420173382-84886174-3424915379-1001\SOFTWARE\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd" => removed successfully
"HKLM\System\CurrentControlSet\Services\MpKsl15c8c8f4" => removed successfully
MpKsl15c8c8f4 => service removed successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 10:47:40 ====
 
 
 
 
Here is the Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Luque (04-08-2018)
Running from C:\Users\Luque\Desktop
Windows 10 Home Version 1709 16299.492 (X64) (2017-12-26 07:36:43)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1420173382-84886174-3424915379-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-1420173382-84886174-3424915379-503 - Limited - Disabled)
Guest (S-1-5-21-1420173382-84886174-3424915379-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1420173382-84886174-3424915379-1003 - Limited - Enabled)
Luque (S-1-5-21-1420173382-84886174-3424915379-1001 - Administrator - Enabled) => C:\Users\Luque
maxim_000 (S-1-5-21-1420173382-84886174-3424915379-1005 - Limited - Enabled) => C:\Users\maxim_000
WDAGUtilityAccount (S-1-5-21-1420173382-84886174-3424915379-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 15.14 (HKLM-x32\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.011.20040 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 13.0.0.111 - Adobe Systems Incorporated)
Adobe Download Assistant (HKLM-x32\...\com.adobe.downloadassistant.AdobeDownloadAssistant) (Version: 1.2.6 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
Amazon Kindle (HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Amazon Kindle) (Version: 1.17.1.44183 - Amazon)
AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
AMD Catalyst Install Manager (HKLM\...\{5D6CDD82-8A1C-1B8C-F785-DC4CB4BCE53D}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{543F829B-4591-4B2F-AF63-6E6E6AE59EB2}) (Version: 6.4 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{0ECA3BB5-4410-414B-B226-241FF1C12CD0}) (Version: 6.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{9E005AAA-81A3-478E-8944-532D350952EE}) (Version: 11.3.1.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{A30EA700-5515-48F0-88B0-9E99DC356B88}) (Version: 2.6.0.1 - Apple Inc.)
Audacity 2.1.0 (HKLM-x32\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Bonjour Print Services (HKLM\...\{0DA20600-6130-443B-9D4B-F30520315FA6}) (Version: 2.0.2.0 - Apple Inc.)
ChemAxon Marvin Suite 17.7.0 (HKLM-x32\...\6294-3137-8933-3843) (Version: 17.7.0 - ChemAxon)
ELAN Touchpad driver X64 15.7.9.2_WHQL (HKLM\...\Elantech) (Version: 15.7.9.2 - ELAN Microelectronic Corp.)
Evernote v. 5.4.1 (HKLM-x32\...\{A5F7DF42-F67D-11E3-B7EB-00163E98E7D6}) (Version: 5.4.1.3962 - Evernote Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 68.0.3440.84 - Google Inc.)
Google Earth Plug-in (HKLM-x32\...\{57BB4801-61C8-4E74-9672-2160728A461E}) (Version: 7.1.5.1557 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.17 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HP ENVY 4500 series Basic Device Software (HKLM\...\{6915424E-704F-4F5D-9057-9C7B406B36DB}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP ENVY 4500 series Help (HKLM-x32\...\{95BECC50-22B4-4FCA-8A2E-BF77713E6D3A}) (Version: 30.0.0 - Hewlett Packard)
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.6.18.11 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{F6A11738-3EE4-4573-AEA5-6CD5D491C167}) (Version: 12.9.24.3 - Hewlett-Packard Company)
HP Touchpoint Analytics Client (HKLM\...\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F}) (Version: 4.0.2.1439 - HP Inc.)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (HKLM-x32\...\{B6465A32-8BE9-4B38-ADC5-4B4BDDC10B0D}) (Version: 1.00.0001 - Microsoft) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4276 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology (HKLM\...\{302600C1-6BDF-4FD1-1309-148929CC1385}) (Version: 3.1.1309.0390 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® WiDi (HKLM\...\{6097158B-0184-4140-BEC3-7885794D2571}) (Version: 3.5.40.0 - Intel Corporation)
IntelliMemory (HKLM\...\{40320F22-7D70-49DB-9D66-B6FAE5F36B47}) (Version: 1.0.32.0 - Condusiv Technologies)
iTunes (HKLM\...\{3D8C6B05-FE24-4B9C-A57C-B8E1FA39E83D}) (Version: 12.7.4.80 - Apple Inc.)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Malwarebytes version 3.5.1.2522 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.5.1.2522 - Malwarebytes)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 15.0.5041.1001 - Microsoft Corporation)
Microsoft Office 校正ツール 2013 - 日本語 (HKLM-x32\...\{90150000-001F-0411-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\OneDriveSetup.exe) (Version: 18.091.0506.0007 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23918 (HKLM-x32\...\{2e085fd2-a3e4-4b39-8e10-6b8d35f55244}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 61.0.1 (x64 en-US) (HKLM\...\Mozilla Firefox 61.0.1 (x64 en-US)) (Version: 61.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 57.0 - Mozilla)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.9 - Notepad++ Team)
Office 15 Click-to-Run Extensibility Component (HKLM-x32\...\{90150000-008C-0000-0000-0000000FF1CE}) (Version: 15.0.5041.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (HKLM\...\{90150000-008F-0000-1000-0000000FF1CE}) (Version: 15.0.5041.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (HKLM-x32\...\{90150000-008C-0409-0000-0000000FF1CE}) (Version: 15.0.5041.1001 - Microsoft Corporation) Hidden
Online Support(S Service) (HKLM-x32\...\{C8996970-A56E-4659-B01B-CCB7097C4E59}) (Version: 1.1 - Samsung Electronics Co., Ltd.)
PreSonus Studio One 3 x64 (HKLM\...\PreSonus Studio One 3) (Version: 3.5.2.44603 - PreSonus Audio Electronics)
Product Improvement Study for HP ENVY 4500 series (HKLM\...\{58139103-BACF-4BDC-B71C-955F9164ADA6}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
PX Profile Update (HKLM-x32\...\{EE353789-65DF-12E9-F9B6-F4CB9C867239}) (Version: 1.00.1. - AMD) Hidden
Python 2.7.8 (HKLM-x32\...\{61121B12-88BD-4261-A6EE-AB32610A56DD}) (Version: 2.7.8150 - Python Software Foundation)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10586.31225 - Realtek Semiconduct Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.1.505.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7543 - Realtek Semiconductor Corp.)
Rejoice v1.6 (HKLM-x32\...\Rejoice) (Version: v1.6 - Fireball Trailers)
S Agent (HKLM\...\{0052BF58-5307-4F7D-A379-8F4EC9212FA8}) (Version: 1.1.58 - Samsung Electronics Co., Ltd.) Hidden
Samsung Settings (HKLM-x32\...\{8CB5C357-12E5-41B1-A024-D57D4E6F32D9}) (Version: 2.0.1 - Samsung Electronics CO., LTD.)
Samsung Update (HKLM-x32\...\{06E8E156-6993-4A23-805A-B95C0012D743}) (Version: 2.2.44 - Samsung Electronics Co., Ltd.)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Spotify (HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\Spotify) (Version: 1.0.82.447.g975ad224 - Spotify AB)
SRS Premium Sound (HKLM-x32\...\{E44F8A34-529E-4318-A0E1-1893C337A47F}) (Version: 1.00.4700 - DTS, Inc.)
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{479E8CC7-CD68-4EB4-BB04-34A5C2C74102}) (Version: 2.46.0.0 - Microsoft Corporation)
Wasp (HKLM-x32\...\Wasp) (Version:  - Image-Line)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1420173382-84886174-3424915379-1001_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocServer32 -> C:\Users\Luque\AppData\Local\Microsoft\OneDrive\18.091.0506.0007\amd64\FileCoAuthLib64.dll => No File
CustomCLSID: HKU\S-1-5-21-1420173382-84886174-3424915379-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2015-12-31] (Igor Pavlov)
ContextMenuHandlers1-x32: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => C:\Program Files (x86)\Notepad++\NppShell_06.dll [2016-02-21] ()
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
ContextMenuHandlers4-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2015-12-31] (Igor Pavlov)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2015-07-21] (Advanced Micro Devices, Inc.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2016-10-25] (Intel Corporation)
ContextMenuHandlers6-x32: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files (x86)\7-Zip\7-zip.dll [2015-12-31] (Igor Pavlov)
ContextMenuHandlers6-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-05-09] (Malwarebytes)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {00F8BF80-F48D-4E10-9040-A8D078355D45} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {06059388-7853-4F97-BB5C-787B40F2556B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2017-06-22] (HP Inc.)
Task: {06196C6A-5670-4CBF-900E-C53C310EE606} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2017-09-20] (HP Inc.)
Task: {0CFD2483-EFE7-42A1-8C23-EB0B66639AE3} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {1256B7CA-8717-47B5-A22E-05E69B50FCA5} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2018-03-13] (Microsoft Corporation)
Task: {13E5E9C6-6436-4406-9599-91F03E120CDA} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2018-05-04] (HP Inc.)
Task: {14BAB4BC-8894-49A5-B24B-5E58F73A26C0} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe [2018-08-03] (AVAST Software)
Task: {15C6B7BE-6A2A-4D0B-B9B6-6368CAD5D84B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2018-01-08] (Apple Inc.)
Task: {17385735-91D9-4FA1-A2CF-BC3094AF4995} - System32\Tasks\{B061D994-965B-4FF8-925E-62A6FF1CEFD4} => C:\WINDOWS\system32\pcalua.exe -a "C:\Program Files (x86)\Common Files\Adobe\Installers\a04a925a57548091300ada368235fc6\Setup.exe"
Task: {181602AA-FCE7-407C-9AF5-D2934B9BFFAA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {22B4FF73-FB40-4B4A-A9BF-AFF1F2A27B84} - System32\Tasks\AdwCleaner_onReboot => C:\Users\Luque\Downloads\AdwCleaner.exe
Task: {2E6D61E9-4184-4681-9228-4DE39A402F6D} - System32\Tasks\HP AR Program Upload - c5045b75bd504a0181bb866852c7725c484cb07ce6b94abaaf70f6074b78b086 => C:\Program Files\HP\HP ENVY 4500 series\bin\HPRewards.exe [2014-07-21] (TODO: <Company name>)
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\WINDOWS\System32\AutoWorkplace.exe
Task: {3DD40326-57C9-4654-94E6-7C19BFC0354C} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {42AB749C-ED56-4EB1-9E6B-59F5B198432C} - System32\Tasks\Microsoft\Windows\rempl\shell => C:\Program Files\rempl\sedlauncher.exe [2018-07-16] (Microsoft Corporation)
Task: {474417B3-F673-4273-ABDD-163AB3D88D24} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: {4A562535-52C7-44E8-B3F7-422BE0DD1DAE} - System32\Tasks\Norton Security Scan for Luque => C:\PROGRA~2\NORTON~2\Engine\430~1.43\Nss.exe
Task: {5A812195-FD3F-4C63-BD16-D54CB4C5C3CF} - System32\Tasks\Adobe Flash Player NPAPI Notifier => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe [2018-08-03] (Adobe Systems Incorporated)
Task: {5BCE298B-4F20-416C-A815-98A0EB1A6C69} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MpCmdRun.exe [2018-08-03] (Microsoft Corporation)
Task: {5D75D731-A019-41A8-AD9A-7509D2B1400E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {74CFEAAF-0C02-469C-AF80-7DFC6DCD60C7} - System32\Tasks\RtHDVBg_SRSSA => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2015-09-19] (Realtek Semiconductor)
Task: {7C7595C2-8323-4AF5-B0D4-B74F83F32E99} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-misslaceylu@gmail.com => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe
Task: {7F782ACC-E18E-45CA-B1EA-43855DCC1C6D} - System32\Tasks\SAgent => C:\Program Files\Samsung\S Agent\CommonAgent.exe [2016-02-24] (Samsung Electronics Co., Ltd.)
Task: {881F0C38-8553-49BB-90EB-DFFB58B059E9} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {88761C93-9FF8-49F3-901F-7DABB0636D06} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-12-12] (Microsoft Corporation)
Task: {88FAF838-592D-454E-807A-41630D9C61D1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2018-05-04] (HP Inc.)
Task: {8B90AE91-923C-4EEF-8661-D7178E967536} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-02-09] (Adobe Systems Incorporated)
Task: {961E7D50-86BC-46D5-B95E-3BE90E8104D4} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2017-11-20] ()
Task: {9B45ED61-FA37-4DF6-A372-5B3901891038} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Product Configurator => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\ProductConfig.exe [2018-05-11] (HP Inc.)
Task: {9D29C81F-7954-402C-8279-864471ADEC00} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {A5E48EDA-A6E4-4E5B-B460-67FD43A9DAA7} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {AD7F9098-D2D6-43EF-A122-E49B0120E26B} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MpCmdRun.exe [2018-08-03] (Microsoft Corporation)
Task: {AE5662D5-FD6A-42F3-B446-D4B49CA2EF5B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {B5D03A83-CBAC-43AC-8548-23EC0BE81A41} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2018-06-28] (HP Inc.)
Task: {B9612A24-F3FB-4F9F-A88F-30AEB79DBEF1} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1420173382-84886174-3424915379-1001 => C:\Users\Luque\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe [2018-08-03] ()
Task: {BDF594BC-CB69-4815-A22B-0C922B8626FF} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-12-12] (Microsoft Corporation)
Task: {C66041A5-BD57-47F0-B051-DA56284CCBDF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MpCmdRun.exe [2018-08-03] (Microsoft Corporation)
Task: {C882075F-3A9A-47E8-A349-55AABF2AE39F} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2015-09-19] (Realtek Semiconductor)
Task: {C99A9152-B203-4BF2-BCB6-31F6E047A3A9} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {CA3F51C2-00F8-4A92-BD82-AEF119386431} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D0CC6C86-708E-447A-BD47-C0FC4564A123} - \WPD\SqmUpload_S-1-5-21-1420173382-84886174-3424915379-1001 -> No File <==== ATTENTION
Task: {D2C2A1B8-B775-4DB9-A07B-5464602663AA} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1420173382-84886174-3424915379-1005 => C:\Users\Luque\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe [2018-08-03] ()
Task: {D785B47C-7B97-4BC7-8035-A98A110029EC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {DCD5CFCB-70BD-428B-A305-3E0354FCCF80} - System32\Tasks\HPCustParticipation HP ENVY 4500 series => C:\Program Files\HP\HP ENVY 4500 series\Bin\HPCustPartic.exe [2014-07-21] (Hewlett-Packard Development Company, LP)
Task: {DF8747ED-9A51-462E-BA4D-C5C0237561BD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {E04814EB-4277-4C28-B849-9ED729579E66} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {E40773BA-8A7D-411F-9E39-3D4768321B73} - System32\Tasks\AdobeGCInvoker-1.0-MicrosoftAccount-misslaceylu@gmail.com => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2018-05-11] (Adobe Systems, Incorporated)
Task: {E6F14F4D-B20A-434C-A3F2-7A2735EE07ED} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MpCmdRun.exe [2018-08-03] (Microsoft Corporation)
Task: {EA285FF5-F352-4948-898E-05D28574F25D} - System32\Tasks\Settings => C:\Program Files (x86)\Samsung\Settings\sSettings.exe [2015-06-19] (Samsung Electronics CO., LTD.)
Task: {F759D792-8C61-4824-B05A-AC0DD9628FCA} - System32\Tasks\RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2015-09-19] (Realtek Semiconductor)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-09-29 06:41 - 2017-09-29 06:41 - 000184432 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2018-03-16 15:19 - 2018-03-16 15:19 - 000088888 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2018-03-16 15:19 - 2018-03-16 15:19 - 001356088 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2014-03-25 16:26 - 2017-01-17 04:25 - 000117440 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2018-08-03 15:54 - 2018-07-03 12:59 - 002535120 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2018-08-03 15:54 - 2018-06-18 13:32 - 002433744 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000084800 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
2017-03-21 17:32 - 2017-01-31 05:34 - 008909512 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2018-06-22 18:23 - 2018-06-07 23:00 - 011044864 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2018-06-22 18:23 - 2018-06-07 22:56 - 001804288 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2018-04-08 08:04 - 2018-04-08 08:04 - 000088888 _____ () C:\Program Files\iTunes\zlib1.dll
2018-04-08 08:04 - 2018-04-08 08:04 - 001356088 _____ () C:\Program Files\iTunes\libxml2.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000027968 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdWrapper.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 001272128 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmd.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000111936 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsBase.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000025920 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsAPI.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000056440 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\HookDllPS2.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000211064 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\WinCRT.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000025920 _____ () C:\Program Files (x86)\Samsung\Settings\EasySettingsAPI.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000111936 _____ () C:\Program Files (x86)\Samsung\Settings\EasySettingsBase.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000059712 _____ () C:\Program Files (x86)\Samsung\Settings\EasyMovieEnhancer.dll
2015-06-19 15:55 - 2015-06-19 15:55 - 000102720 _____ () C:\Program Files (x86)\Samsung\Settings\EasySettingsCmdClient.dll
2017-06-19 16:18 - 2017-06-19 16:18 - 000325824 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
2014-04-16 13:27 - 2013-09-16 12:20 - 001242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2015-07-24 19:14 - 000000854 _____ C:\WINDOWS\system32\Drivers\etc\hosts
 
0.0.0.1 mssplus.mcafee.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Luque\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 192.168.254.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\...\StartupApproved\Run: => "Skype"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{0EA1B43F-7894-4CCE-B222-EDAE36406FD2}] => (Allow) C:\Program Files\PreSonus\Studio One 3\Studio One.exe
FirewallRules: [{BF4E83B2-BB60-48FB-B88F-B8CB822A73C9}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{7AA2F2F8-575C-45C7-AAAB-18F300EDD638}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{2A02E114-B181-4F25-B8BC-90F967D1861B}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{72C283C4-D821-4866-95EA-774E14A5AAC9}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{9970282F-5219-4CED-86D7-CDEB704D9558}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{AFAFA689-CAEA-4E9A-97BA-0CAB086873E7}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{CB046E1E-3C18-4361-9DD3-986BDFFB0B1C}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{BB917196-6561-4E1A-BD0A-DE7CFC355481}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{50A8E6FB-993B-465F-B52C-AC0DB9EF2624}] => (Allow) C:\Program Files (x86)\Tobias Erichsen\rtpMIDI\rtpMIDISvc.exe
FirewallRules: [{13B97D0C-AD0C-412E-B2F3-0053F146CAFE}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{026E92C0-4C4C-4CDF-AE75-6D07D25EE499}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [UDP Query User{47C4D0F2-5BBA-42A2-AC21-D1A267B521D0}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{BCFA41EA-B9CE-4C6C-A1B4-D59353FA6905}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{45173894-02DD-4ACF-BFE8-5C27C4B4BE70}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{FE793F86-9930-490E-8C76-0BB31B8C4759}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{24A9B3FF-DA89-47E0-AC64-A475D3A2D24B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{66E2EDE5-26FD-4EE2-8439-D0A8D6313A31}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{60F77D31-98A1-4D68-A214-EFCD0C3F76BF}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Metal Slug 3\mslug3.exe
FirewallRules: [{D36A231F-6AFD-4BE5-85FC-0D891E5F49F6}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Metal Slug 3\mslug3.exe
FirewallRules: [{7F32B156-3683-46B9-97ED-16CC14AD362B}] => (Allow) C:\Program Files\HP\HP ENVY 4500 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{084C0292-3D96-4E88-BF56-4221FDB25752}] => (Allow) LPort=5357
FirewallRules: [{DE7D9BDB-7114-41CB-9636-30BB9A2075C9}] => (Allow) C:\Program Files\HP\HP ENVY 4500 series\Bin\DeviceSetup.exe
FirewallRules: [{C00E965B-8547-4D7F-ADE1-11654133CD49}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS662F\HPDiagnosticCoreUI.exe
FirewallRules: [{F1CEC38F-4A89-4BAF-B332-4B1FC6BB0CCF}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS662F\HPDiagnosticCoreUI.exe
FirewallRules: [{B6F75F1C-86FB-474E-AD72-48D0DBB46DE7}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS7832\HPDiagnosticCoreUI.exe
FirewallRules: [{65CF7E82-75ED-4C72-A675-EB85631FA626}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS7832\HPDiagnosticCoreUI.exe
FirewallRules: [{B669CDEF-F761-40EB-B13E-CA6BDBEB0007}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS756D\HPDiagnosticCoreUI.exe
FirewallRules: [{C66A1422-2BFD-4678-B93C-3A090AAAC21C}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS756D\HPDiagnosticCoreUI.exe
FirewallRules: [{6DFDDB85-4272-4A1A-8FA3-BBE7B7A0DDFE}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Age2HD\Launcher.exe
FirewallRules: [{783506FE-757F-4D1D-AAE2-142FC4A3FD59}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Age2HD\Launcher.exe
FirewallRules: [{AE1D0075-BB8D-49A5-A612-E14DC76F05E7}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{73FE40E4-7E58-409B-BA46-A45FB2B346B0}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [UDP Query User{83D3C615-5139-4747-8367-3F97F8A4B2FA}C:\users\luque\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\luque\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{2E4C4FB2-F4A9-4724-B7F4-D38598E830E0}C:\users\luque\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\luque\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{58AE2073-C32D-4C67-B224-729263E4D47A}C:\users\luque\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\luque\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{1B26FBF0-0646-4EFC-86A7-A8BF79255664}C:\users\luque\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\luque\appdata\roaming\spotify\spotify.exe
FirewallRules: [{B930D3AB-E620-42D8-A84E-A4FF5919D886}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS4534\hppiw.exe
FirewallRules: [{E11AAA49-C0D1-4642-B90B-47D068A458C7}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS4534\hppiw.exe
FirewallRules: [{7EEF32A1-14B1-4DB2-93C9-5B1C2B4F7D86}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS44D5\HPDiagnosticCoreUI.exe
FirewallRules: [{6AFFE317-728C-4D75-BA78-79D4DC4A1F34}] => (Allow) C:\Users\Luque\AppData\Local\Temp\7zS44D5\HPDiagnosticCoreUI.exe
FirewallRules: [{E4C845E2-322F-466D-89DD-13942415D170}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\NEStalgia\NEStalgia.exe
FirewallRules: [{5BDB9ED7-CCFB-402A-8386-B758185BF2F3}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\NEStalgia\NEStalgia.exe
FirewallRules: [{F935E97F-2ECC-4559-B2A9-B102DB52BAF8}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{83235D02-CD3A-42E8-8A37-7AD4D27BF006}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{E04ABAA1-FCC4-41B4-8971-9322D32CD8FE}] => (Allow) C:\Users\Luque\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{F02A4BC9-2D23-47D6-ACF4-47A5DC480F8D}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{64CA82C8-D7F9-46E4-9A0D-D5F6DE6EF9B2}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{4962EBBC-61E8-490C-8F0B-45F118896221}] => (Allow) C:\Program Files\Condusiv Technologies\IntelliMemory\IntelliMem.exe
FirewallRules: [{2D6A155A-8C72-4E38-AB66-6326B066D758}] => (Allow) C:\Program Files\Condusiv Technologies\IntelliMemory\IntelliMem.exe
FirewallRules: [TCP Query User{AAFEC41C-DC3D-4399-A3BF-D55A178868DE}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{A1E8EF20-6441-42D0-9A8F-9289F63D865F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{8304A093-990C-47B4-953B-3401F1D232DC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{8A9A55B8-AFA2-4DB7-9839-8FE6DB370C0D}C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe] => (Allow) C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe
FirewallRules: [UDP Query User{850F89F7-7B98-4CC1-A4DD-A662FB10B295}C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe] => (Allow) C:\program files (x86)\radiant\rising thunder\radiantgames\rising thunder\windowsnoeditor\risingthunder\binaries\win64\risingthunder-win64-shipping.exe
FirewallRules: [{9110AFF5-E1DE-42D5-AE64-50A047B34F0E}] => (Allow) C:\Program Files\PreSonus\Studio One 3\Studio One.exe
FirewallRules: [TCP Query User{5A622F86-FB7B-4474-902E-2B06CBBBDC49}C:\users\luque\desktop\wiiu_usb_helper.exe] => (Block) C:\users\luque\desktop\wiiu_usb_helper.exe
FirewallRules: [UDP Query User{C8DAC1D7-2B95-4A64-A44B-C20696CCD136}C:\users\luque\desktop\wiiu_usb_helper.exe] => (Block) C:\users\luque\desktop\wiiu_usb_helper.exe
FirewallRules: [TCP Query User{7B5DAEB8-AE7C-4D7C-8624-BAFC8115A980}C:\users\luque\desktop\wiiu\wiiu_usb_helper.exe] => (Allow) C:\users\luque\desktop\wiiu\wiiu_usb_helper.exe
FirewallRules: [UDP Query User{5DDC3AED-7947-4B83-BCF3-61359597C583}C:\users\luque\desktop\wiiu\wiiu_usb_helper.exe] => (Allow) C:\users\luque\desktop\wiiu\wiiu_usb_helper.exe
FirewallRules: [{519463DE-E6FC-4890-AB5D-B6B092162766}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{2A29E3D3-BBAA-4BF1-A8D6-7571121A22D1}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{60EABBB3-BCCB-4FFB-933E-40658C4945D4}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{8A3C9B73-1AF5-464C-8192-489CF8C6FD61}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{4C24771D-A35A-425F-ABEA-B8FFAACA0645}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Cuphead\Cuphead.exe
FirewallRules: [{B2A4B57F-EB54-49CF-81CC-37A34A83770C}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Cuphead\Cuphead.exe
FirewallRules: [{7D0FDEEE-62F9-4D6A-8B94-D2A0EDBFDDC1}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{AA038381-CEA6-41E2-86E7-A4A3223BE993}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{55F99013-5987-42BB-89A8-0782369DF788}C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe] => (Allow) C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe
FirewallRules: [UDP Query User{7922ECD0-107D-4010-ABA4-424269BF1A70}C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe] => (Allow) C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe
FirewallRules: [TCP Query User{B122247A-21D0-4C53-8A49-AF58510408E5}C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe] => (Allow) C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe
FirewallRules: [UDP Query User{3AED4058-9D63-4FDF-BD2D-A6C9701BBE48}C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe] => (Allow) C:\users\luque\desktop\3dscontroller0.6\pc\3dscontroller.exe
FirewallRules: [{43FB526E-7262-47F8-91A6-709BF1CEE008}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
FirewallRules: [{1DC1FBD7-7A47-4D47-ADD5-BCB0993F0A12}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{CC9C6EA6-1102-438D-B75D-246A463C3991}C:\program files\webroot\wrsa.exe] => (Block) C:\program files\webroot\wrsa.exe
FirewallRules: [UDP Query User{27593202-EE2F-4399-ABD9-3AFCD1160F4C}C:\program files\webroot\wrsa.exe] => (Block) C:\program files\webroot\wrsa.exe
FirewallRules: [{48D73420-1EB4-404D-83BF-6BDBDAB5D3B2}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{AB1E85A4-3208-4C5E-A244-94CCA86B7ED4}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe
FirewallRules: [{D8BF582F-C60A-43C8-B51E-503172F8CC63}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe
FirewallRules: [{EBC28072-7278-4311-843F-91F54F07251D}] => (Allow) C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
FirewallRules: [{D778918C-A46E-4CE0-975A-BF91E4FE233F}] => (Allow) C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
 
==================== Restore Points =========================
 
02-08-2018 23:44:57 Windows Update
03-08-2018 00:48:24 Restore Operation
03-08-2018 16:32:16 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/04/2018 10:51:00 AM) (Source: ATIeRecord) (EventID: 16396) (User: )
Description: ATI EEU PnP start/stop failed
 
Error: (08/04/2018 10:48:21 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW.  hr = 0x80070006, The handle is invalid.
.
 
 
Operation:
   Executing Asynchronous Operation
 
Context:
   Current State: DoSnapshotSet
 
Error: (08/04/2018 10:46:42 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.
 
 
Operation:
   Gathering Writer Data
 
Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {d45e22b4-ffcd-49a3-8153-f1d4d5aa8c4f}
 
Error: (08/03/2018 07:38:08 PM) (Source: ATIeRecord) (EventID: 16396) (User: )
Description: ATI EEU PnP start/stop failed
 
Error: (08/03/2018 07:37:59 PM) (Source: ATIeRecord) (EventID: 16396) (User: )
Description: ATI EEU PnP start/stop failed
 
Error: (08/03/2018 07:29:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1007921
 
Error: (08/03/2018 07:29:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1007921
 
Error: (08/03/2018 07:29:44 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
 
System errors:
=============
Error: (08/04/2018 10:51:51 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (08/04/2018 10:51:51 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (08/04/2018 10:47:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HP Support Solutions Framework Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (08/04/2018 10:47:39 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Remediation Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
 
Error: (08/04/2018 10:47:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Management and Security Application Local Management Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (08/04/2018 10:47:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (08/04/2018 10:47:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Rapid Storage Technology service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (08/04/2018 10:47:39 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HP Touchpoint Analytics service terminated unexpectedly.  It has done this 1 time(s).
 
 
Windows Defender:
===================================
Date: 2018-08-03 03:18:00.563
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {DA25B793-8C05-4499-A747-906186CDE193}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-08-03 03:07:37.706
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {DCE87E4B-9E52-4C29-B0A6-C419661E5FBB}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-06-25 09:18:18.881
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {ACB163A2-FCDB-4A8E-A66D-9EC942D80325}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-06-25 09:13:09.919
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {525EBB21-5BE5-464F-A1D3-4BED2064F51F}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-06-10 10:07:55.673
Description: 
Windows Defender Antivirus scan has been stopped before completion.
Scan ID: {C5DC6192-9C45-47A5-9DA4-0F6AAE38ABFB}
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2018-08-03 16:48:03.325
Description: 
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 
Date: 2018-08-03 15:29:14.296
Description: 
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 
Date: 2018-08-03 14:55:23.773
Description: 
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 
Date: 2018-08-03 14:35:56.728
Description: 
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 
Date: 2018-08-03 14:23:32.724
Description: 
Windows Defender Antivirus Real-Time Protection feature has encountered an error and failed.
Feature: On Access
Error Code: 0x8007043c
Error description: This service cannot be started in Safe Mode 
Reason: Antimalware protection has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.
 
CodeIntegrity:
===================================
 
Date: 2018-08-04 10:59:34.739
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-08-04 10:59:34.732
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-08-04 10:54:19.951
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-08-04 10:54:19.946
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-08-04 10:51:47.242
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-08-04 10:51:47.239
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-08-04 10:51:21.612
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
Date: 2018-08-04 10:51:21.610
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-3635QM CPU @ 2.40GHz
Percentage of memory in use: 29%
Total physical RAM: 8078.86 MB
Available physical RAM: 5719.94 MB
Total Virtual: 9422.86 MB
Available Virtual: 7125.34 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:929.59 GB) (Free:775.85 GB) NTFS
 
\\?\Volume{8235464e-0d7e-4bc0-a263-1d193833f870}\ (Recovery) (Fixed) (Total:0.29 GB) (Free:0.27 GB) NTFS
\\?\Volume{1fb4a6ad-66ba-47b4-9264-529efe753d93}\ () (Fixed) (Total:0.09 GB) (Free:0.07 GB) FAT32
\\?\Volume{407df2de-4563-4a49-8bb2-ac96b034ad69}\ () (Fixed) (Total:0.96 GB) (Free:0.47 GB) NTFS
\\?\Volume{fbea16e5-0b20-4af4-9840-99b294c592ff}\ () (Fixed) (Total:0.44 GB) (Free:0.11 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Protective MBR) (Size: 931.5 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#4 nasdaq
Malware Response Team, Montreal, QC. Canada

Posted 04 August 2018 - 01:29 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Do not install programs that you did not ask for.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

Task: {00F8BF80-F48D-4E10-9040-A8D078355D45} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {0CFD2483-EFE7-42A1-8C23-EB0B66639AE3} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {181602AA-FCE7-407C-9AF5-D2934B9BFFAA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3DD40326-57C9-4654-94E6-7C19BFC0354C} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {5D75D731-A019-41A8-AD9A-7509D2B1400E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {881F0C38-8553-49BB-90EB-DFFB58B059E9} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A5E48EDA-A6E4-4E5B-B460-67FD43A9DAA7} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {C99A9152-B203-4BF2-BCB6-31F6E047A3A9} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {CA3F51C2-00F8-4A92-BD82-AEF119386431} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D0CC6C86-708E-447A-BD47-C0FC4564A123} - \WPD\SqmUpload_S-1-5-21-1420173382-84886174-3424915379-1001 -> No File <==== ATTENTION
Task: {D785B47C-7B97-4BC7-8035-A98A110029EC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {DF8747ED-9A51-462E-BA4D-C5C0237561BD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {E04814EB-4277-4C28-B849-9ED729579E66} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Let me know if the problem persists.
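The fixlist above acts on two kinds of finding: scheduled tasks whose action points at a file that no longer exists (FRST's "No File"), and per-user `.exe`/`exefile` class keys that shadow the machine-wide association for that account. The following read-only PowerShell script, added here as an illustration and not part of the thread or of FRST itself, surfaces both kinds of finding on a Windows 10 machine without removing anything; it assumes an elevated prompt so every task is visible and the ScheduledTasks module that ships with Windows 8.1 and later.

```powershell
# Added example (not FRST's or RogueKiller's code): read-only checks for the
# two classes of finding the fixlist above removes. Assumes Windows 8.1/10+
# (ScheduledTasks module) and an elevated prompt so every task is visible.

function Resolve-TaskExecutable {
    param([string]$Execute)
    # Task actions may be quoted, may use %SystemRoot%-style variables, and
    # may be bare names that are resolved through PATH, so try all three.
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim().Trim('"'))
    if (Test-Path -LiteralPath $exe) { return $exe }
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    return $null
}

function Find-OrphanedTaskActions {
    # Lists tasks whose Exec action targets a file that does not exist,
    # i.e. what FRST reports as "-> No File". Orphans are harmless by
    # themselves but are leftovers worth cleaning up, as the fixlist does.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a path; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            if (-not (Resolve-TaskExecutable $action.Execute)) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Execute  = $action.Execute
                    State    = $task.State
                }
            }
        }
    }
}

function Test-UserExeAssociation {
    # A per-user .exe/exefile class takes precedence over HKLM for that
    # account, so a hijacked open command there would run ahead of every
    # .exe the user starts. On a stock system these keys are normally absent
    # from the user hive, which is why FRST flags their presence.
    $hits = foreach ($key in 'HKCU:\Software\Classes\.exe',
                             'HKCU:\Software\Classes\exefile') {
        if (Test-Path -LiteralPath $key) {
            $cmd = Get-ItemProperty -LiteralPath "$key\shell\open\command" `
                                    -ErrorAction SilentlyContinue
            [pscustomobject]@{ Key = $key; OpenCommand = $cmd.'(default)' }
        }
    }
    # The machine-wide association should still be the stock "%1" %*.
    $hklm = (Get-ItemProperty -LiteralPath `
        'HKLM:\SOFTWARE\Classes\exefile\shell\open\command').'(default)'
    [pscustomobject]@{
        UserHiveOverrides  = @($hits)
        MachineOpenCommand = $hklm
        MachineLooksStock  = ($hklm -eq '"%1" %*')
    }
}

Find-OrphanedTaskActions | Format-Table -AutoSize
Test-UserExeAssociation  | Format-List
```

Any row from the first function, and any entry under UserHiveOverrides from the second, corresponds to a line FRST would mark with "<==== ATTENTION"; the script only reports, so removal is still left to a fixlist run as described above.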

#5 nomorepupsplz

nomorepupsplz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 04 August 2018 - 01:52 PM

When I tried to download RogueKiller I received a message from Windows Defender saying there was a trojan: O97M/Donoff. It appears that Windows Defender cancelled the download.

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Luque (04-08-2018 11:38:10) Run:2
Running from C:\Users\Luque\Desktop
Loaded Profiles: Luque (Available Profiles: Luque & maxim_000)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
Task: {00F8BF80-F48D-4E10-9040-A8D078355D45} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {0CFD2483-EFE7-42A1-8C23-EB0B66639AE3} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {181602AA-FCE7-407C-9AF5-D2934B9BFFAA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3DD40326-57C9-4654-94E6-7C19BFC0354C} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {5D75D731-A019-41A8-AD9A-7509D2B1400E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {881F0C38-8553-49BB-90EB-DFFB58B059E9} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A5E48EDA-A6E4-4E5B-B460-67FD43A9DAA7} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {C99A9152-B203-4BF2-BCB6-31F6E047A3A9} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {CA3F51C2-00F8-4A92-BD82-AEF119386431} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D0CC6C86-708E-447A-BD47-C0FC4564A123} - \WPD\SqmUpload_S-1-5-21-1420173382-84886174-3424915379-1001 -> No File <==== ATTENTION
Task: {D785B47C-7B97-4BC7-8035-A98A110029EC} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {DF8747ED-9A51-462E-BA4D-C5C0237561BD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {E04814EB-4277-4C28-B849-9ED729579E66} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION[/B]
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{00F8BF80-F48D-4E10-9040-A8D078355D45}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00F8BF80-F48D-4E10-9040-A8D078355D45}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0CFD2483-EFE7-42A1-8C23-EB0B66639AE3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0CFD2483-EFE7-42A1-8C23-EB0B66639AE3}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{181602AA-FCE7-407C-9AF5-D2934B9BFFAA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{181602AA-FCE7-407C-9AF5-D2934B9BFFAA}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3DD40326-57C9-4654-94E6-7C19BFC0354C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3DD40326-57C9-4654-94E6-7C19BFC0354C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5D75D731-A019-41A8-AD9A-7509D2B1400E}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5D75D731-A019-41A8-AD9A-7509D2B1400E}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{881F0C38-8553-49BB-90EB-DFFB58B059E9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{881F0C38-8553-49BB-90EB-DFFB58B059E9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A5E48EDA-A6E4-4E5B-B460-67FD43A9DAA7}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A5E48EDA-A6E4-4E5B-B460-67FD43A9DAA7}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C99A9152-B203-4BF2-BCB6-31F6E047A3A9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C99A9152-B203-4BF2-BCB6-31F6E047A3A9}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{CA3F51C2-00F8-4A92-BD82-AEF119386431}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA3F51C2-00F8-4A92-BD82-AEF119386431}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D0CC6C86-708E-447A-BD47-C0FC4564A123}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D0CC6C86-708E-447A-BD47-C0FC4564A123}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-1420173382-84886174-3424915379-1001" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D785B47C-7B97-4BC7-8035-A98A110029EC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D785B47C-7B97-4BC7-8035-A98A110029EC}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF8747ED-9A51-462E-BA4D-C5C0237561BD}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF8747ED-9A51-462E-BA4D-C5C0237561BD}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E04814EB-4277-4C28-B849-9ED729579E66}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E04814EB-4277-4C28-B849-9ED729579E66}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => removed successfully
"HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\exefile" => removed successfully
"HKU\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Classes\.exe" => removed successfully
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= IPCONFIG /release =========
 
 
Windows IP Configuration
 
No operation can be performed on Ethernet 3 while it has its media disconnected.
No operation can be performed on Local Area Connection* 8 while it has its media disconnected.
No operation can be performed on Local Area Connection* 10 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection 3 while it has its media disconnected.
 
Ethernet adapter Ethernet 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 8:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 10:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi 3:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::748f:6468:9033:637b%26
   Default Gateway . . . . . . . . . : 
 
Ethernet adapter Bluetooth Network Connection 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
========= IPCONFIG /renew =========
 
 
Windows IP Configuration
 
No operation can be performed on Ethernet 3 while it has its media disconnected.
No operation can be performed on Local Area Connection* 8 while it has its media disconnected.
No operation can be performed on Local Area Connection* 10 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection 3 while it has its media disconnected.
 
Ethernet adapter Ethernet 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 8:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Local Area Connection* 10:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
Wireless LAN adapter Wi-Fi 3:
 
   Connection-specific DNS Suffix  . : frontierlocal.net
   Link-local IPv6 Address . . . . . : fe80::748f:6468:9033:637b%26
   IPv4 Address. . . . . . . . . . . : 192.168.254.19
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.254.254
 
Ethernet adapter Bluetooth Network Connection 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
 
========= End of CMD: =========
 
 
 
The system needed a reboot.
 
==== End of Fixlog 11:39:28 ====


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,208 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:36 AM

Posted 05 August 2018 - 06:22 AM

Hi,

If the problem persists and you need to run RogueKiller, de-quarantine the file.

How to:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus

Do not worry it's safe if downloaded from the link I provided.

#7 nomorepupsplz

nomorepupsplz
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:36 AM

Posted 07 August 2018 - 06:17 PM

Here is the RogueKiller report. I haven't run into any issues so far but let me know if you see anything suspicious.

 

RogueKiller V12.12.30.0 (x64) [Aug  6 2018] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : Luque [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 08/07/2018 14:36:49 (Duration : 01:29:05)
Switches : -refid
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 14 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9c70d52c-e77f-41ac-8dc3-71c0cc6b2689} | DhcpNameServer : 168.94.0.14 168.94.0.15 ([United States][United States])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C00E965B-8547-4D7F-ADE1-11654133CD49} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS662F\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F1CEC38F-4A89-4BAF-B332-4B1FC6BB0CCF} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS662F\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B6F75F1C-86FB-474E-AD72-48D0DBB46DE7} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS7832\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {65CF7E82-75ED-4C72-A675-EB85631FA626} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS7832\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B669CDEF-F761-40EB-B13E-CA6BDBEB0007} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS756D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C66A1422-2BFD-4678-B93C-3A090AAAC21C} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS756D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B930D3AB-E620-42D8-A84E-A4FF5919D886} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS4534\hppiw.exe|Name=HP Printer Install Wizard| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E11AAA49-C0D1-4642-B90B-47D068A458C7} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS4534\hppiw.exe|Name=HP Printer Install Wizard| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7EEF32A1-14B1-4DB2-93C9-5B1C2B4F7D86} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS44D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6AFFE317-728C-4D75-BA78-79D4DC4A1F34} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS44D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E04ABAA1-FCC4-41B4-8971-9322D32CD8FE} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Luque\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe|Name=Microsoft SkyDrive| [x] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1420173382-84886174-3424915379-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10JPVX-22JC3T0 +++++
--- User ---
[MBR] 0086f36f0b7bc8b257f89fc226376c3d
[BSP] 9e3b3c473b1db0daa516427cdae6e1cc : Windows Vista/7/8 MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 616448 | Size: 99 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 819200 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1081344 | Size: 951904 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1950582784 | Size: 986 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1952602112 | Size: 450 MB
User = LL1 ... OK
User = LL2 ... OK


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,208 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:36 AM

Posted 08 August 2018 - 06:30 AM

Hi,

You can delete these Suspicious.Path.
They are temporary files created by the HP Printer Install Wizard.

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C00E965B-8547-4D7F-ADE1-11654133CD49} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS662F\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F1CEC38F-4A89-4BAF-B332-4B1FC6BB0CCF} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS662F\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B6F75F1C-86FB-474E-AD72-48D0DBB46DE7} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS7832\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {65CF7E82-75ED-4C72-A675-EB85631FA626} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS7832\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B669CDEF-F761-40EB-B13E-CA6BDBEB0007} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS756D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C66A1422-2BFD-4678-B93C-3A090AAAC21C} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS756D\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B930D3AB-E620-42D8-A84E-A4FF5919D886} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS4534\hppiw.exe|Name=HP Printer Install Wizard| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E11AAA49-C0D1-4642-B90B-47D068A458C7} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS4534\hppiw.exe|Name=HP Printer Install Wizard| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {7EEF32A1-14B1-4DB2-93C9-5B1C2B4F7D86} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS44D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6AFFE317-728C-4D75-BA78-79D4DC4A1F34} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\Luque\AppData\Local\Temp\7zS44D5\HPDiagnosticCoreUI.exe|Name=HPSAPS| [x] -> Found


Restart the computer normally when done.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===



