Possible Trojan Infection

This is a discussion on Possible Trojan Infection within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.


Old 01-22-2020, 05:41 PM   #1
Registered Member
 
Join Date: Oct 2006
Location: Canada
Posts: 32
OS: Windows 10



I have been getting lots of trojans popping up in Windows Security. I go through the motions of removing them, but they keep coming back after restarting. Now I think they keep coming back under different names.
My computer will not upload the FRST or ADDITION files so I am starting this thread from another computer for now.

Computer is a pre-built 64-bit Windows 10 Professional OS.
Intel Core 2 Quad CPU, Q6600 @ 2.4 GHz 2.39 GHz
4 GB RAM

I could only get the FRST file uploaded before now getting BLOCKED from your site.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 22-01-2020 01
Ran by Owner (administrator) on BRIANDESKTOP (Dell Inc. OptiPlex 755) (22-01-2020 17:12:43)
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner (Available Profiles: Owner & supportaccount & DefaultAppPool)
Platform: Windows 10 Pro Version 1903 18362.592 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() [File not signed] C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
(Adobe Inc. -> Adobe Systems) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(Bluebeam, Inc. -> Bluebeam, Inc.) C:\Program Files\Bluebeam Software\Bluebeam Revu\2018\Revu\BBPrint.exe
(CyberLink -> Cyberlink Corp.) [File not signed] C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe
(Dropbox, Inc -> Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(IBM -> IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
(IBM -> IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
(IBM -> IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportInjService_x64.exe
(IBM -> IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportInjService_x64.exe
(Intel Corporation -> Intel Corporation) C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Intel Corporation -> Intel Corporation) C:\Program Files (x86)\Intel\AMT\LMS.exe
(Kaspersky Lab -> Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Users\Owner\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MusNotification.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\usocoreworker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1911.3-0\MsMpEng.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1911.3-0\NisSrv.exe
(NTI Corporation -> ) C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\ScheduleService.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Sage Software, Inc. -> Sage) C:\Program Files (x86)\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
(Sage Software, Inc. -> Sage) C:\Program Files (x86)\winsim\ConnectionManager\SimplyConnectionManager.exe
(SEIKO EPSON Corporation -> SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE
(SEIKO EPSON Corporation -> SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(SEIKO EPSON CORPORATION) [File not signed] C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSvc.exe
(SUPERAntiSpyware.com -> SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Support.com Inc -> SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(TeamViewer -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(TeamViewer -> TeamViewer GmbH) C:\Users\Owner\AppData\Roaming\Batiscaf\defwin.exe
(TeamViewer GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
(TeamViewer GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(TeamViewer GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
(TeamViewer GmbH -> TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
(Wondershare Technology Co.,Ltd -> Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [picon] => C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796696 2009-07-21] (Intel Corporation -> Intel Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2398776 2016-06-14] (NVIDIA Corporation -> NVIDIA Corporation)
HKLM\...\Run: [BbInstallUser] => C:\Program Files\Bluebeam Software\Bluebeam Revu\2018\Pushbutton PDF\Bluebeam Admin User.exe [107568 2019-04-17] (Bluebeam, Inc. -> Bluebeam, Inc.)
HKLM\...\Run: [BbPrintMonitor] => C:\Program Files\Bluebeam Software\Bluebeam Revu\2018\Revu\BBPrint.exe [880688 2019-04-17] (Bluebeam, Inc. -> Bluebeam, Inc.)
HKLM-x32\...\Run: [RemoteControl] => C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe [56928 2006-11-23] (CyberLink -> Cyberlink Corp.) [File not signed]
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [6261760 2020-01-07] (Dropbox, Inc -> Dropbox, Inc.)
HKLM-x32\...\Run: [ConnectionManager] => C:\Program Files (x86)\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe [386392 2019-12-07] (Sage Software, Inc. -> Sage)
HKLM-x32\...\Run: [BackupNowEZ4Tray] => C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\Bunez4Tray.exe [1089712 2016-10-21] (NTI Corporation -> NTI Corporation)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2133216 2017-03-23] (Wondershare Technology Co.,Ltd -> Wondershare)
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\...\Run: [Google Update] => C:\Users\Owner\AppData\Local\Google\Update\1.3.35.422\GoogleUpdateCore.exe [219592 2019-12-15] (Google LLC -> Google LLC)
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [9198000 2019-12-18] (Support.com Inc -> SUPERAntiSpyware)
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\...\RunOnce: [Application Restart #1] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --notification-launch-id="3|0|Default|0|hxxps://www.youtube.com/|p#hxxps://www.youtube.com/#1Abraham Hicks Love Yourself Into Alignment No Ads DuringRecommended: And Joyhxxps://lh5.googleusercontent.com/-XBvK8XLGuPc/AAAAAAAAAAI/AAAAAAAAAAA/SObKNmNihmw/s96-mo/photo.jpg" --flag-switches-begin --flag-switches-end --enable-audio-service-sandbox --restore-last-session
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\...\MountPoints2: {907b6325-bffc-11e3-8be2-806e6f6e6963} - "D:\start.exe"
HKLM\Software\...\AppCompatFlags\Custom\Acrobat.exe: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\Acrobat.exe: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\AcroRd32.exe: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\AcroRd32.exe: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\EXCEL.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\EXCEL.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\iexplore.exe: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\iexplore.exe: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\INFOPATH.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\INFOPATH.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\java.exe: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\java.exe: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\javaw.exe: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\javaw.exe: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\javaws.exe: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\javaws.exe: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\LYNC.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\LYNC.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\MSACCESS.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\MSACCESS.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\MSPUB.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\MSPUB.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\OIS.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\OIS.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\OUTLOOK.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\OUTLOOK.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\POWERPNT.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\POWERPNT.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\PPTVIEW.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\PPTVIEW.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\VISIO.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\VISIO.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\VPREVIEW.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\VPREVIEW.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\WINWORD.EXE: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\WINWORD.EXE: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\wordpad.exe: [{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\Custom\wordpad.exe: [{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb] -> EMET_Database
HKLM\Software\...\AppCompatFlags\InstalledSDB\{e1c810aa-f7cc-4aaf-ada1-181863075f9b}: [DatabasePath] -> C:\WINDOWS\AppPatch\CustomSDB\{e1c810aa-f7cc-4aaf-ada1-181863075f9b}.sdb [2016-12-26]
HKLM\Software\...\AppCompatFlags\InstalledSDB\{f8c4cc07-6dc4-418f-b72b-304fcdb64052}: [DatabasePath] -> C:\WINDOWS\AppPatch\CustomSDB\{f8c4cc07-6dc4-418f-b72b-304fcdb64052}.sdb [2016-12-26]
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\79.0.3945.130\Installer\chrmstp.exe [2020-01-22] (Google LLC -> Google LLC)
HKLM\Software\...\Authentication\Credential Providers: [{503739d0-4c5e-4cfd-b3ba-d881334f0df2}] ->
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk [2020-01-22]
ShortcutTarget: Windows Defender.lnk -> C:\Users\Owner\AppData\Roaming\Batiscaf\defwin.exe (TeamViewer -> TeamViewer GmbH)
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {003CDC2E-93C2-4FD7-ADE6-D189B3F331FE} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2118352 2014-03-19] (Microsoft Corporation -> Microsoft Corporation)
Task: {00FC7519-833A-415B-B0BB-E0A6D8E2F60E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {03C16BC1-F4F3-44A7-994D-35A28CB681A9} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {043F0B55-4022-4D6B-B267-B358C2DB6CCE} - System32\Tasks\Microsoft\Windows\SideShow\SystemDataProviders => {7CCA6768-8373-4D28-8876-83E8B4E3A969}
Task: {052B12E6-DC6F-4B0E-9878-ADF6C2FC00D0} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {0573E675-FA70-4A16-948C-551C99B695A0} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-19] (Dropbox, Inc -> Dropbox, Inc.)
Task: {0906F0AB-A8CD-435F-BDA4-0932697C3AF8} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [13797712 2018-09-10] (Piriform Ltd -> Piriform Ltd)
Task: {098F8197-0609-42C8-8137-75D17DE4D323} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {0EFAF3D1-8991-4545-9D6D-5BD0E164BC46} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-19] (Dropbox, Inc -> Dropbox, Inc.)
Task: {16296365-C78D-4E16-84A5-12997B4A1BA5} - System32\Tasks\Microsoft\Windows\SideShow\GadgetManager => {FF87090D-4A9A-4F47-879B-29A80C355D61}
Task: {203D2B5D-DBAB-45F6-801F-292E6E1C130C} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {2D591A9C-4ADB-433D-9DE5-2DF5F1F02573} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [335416 2020-01-21] (Adobe Inc. -> Adobe)
Task: {2D9D6A1A-4A91-4546-BDA6-02BF8AE04A0D} - System32\Tasks\G2MUpdateTask-S-1-5-21-2941010735-3585041794-3592001094-1000 => C:\Program Files (x86)\Citrix\GoToMeeting\6519\g2mupdate.exe [41536 2017-03-08] (Citrix Online -> Citrix Online, a division of Citrix Systems, Inc.)
Task: {30B9A528-3F8B-4A5D-BB2B-41B7B351F426} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {32B952E2-1958-412A-816D-B9919C1DE7F7} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun => C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe [0 0000-00-00] (Microsoft Corporation) (Access Denied)
Task: {3518859E-2071-4F49-9D05-4CD4B764ECBA} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun => C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe [0 0000-00-00] (Microsoft Corporation) (Access Denied)
Task: {455AD01A-A8CE-4F17-98BF-D4973293B211} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [619416 2019-02-04] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {486D715E-6AA2-44CF-BC48-B6990CBB53C6} - System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControlsMigration => {343D770D-7788-47C2-B62A-B7C4CED925CB}
Task: {5B42DD9C-5A26-4F27-BB95-34603F0997E5} - System32\Tasks\Microsoft\Windows\Shell\WindowsParentalControls => {DFA14C43-F385-4170-99CC-1B7765FA0E4A}
Task: {5BCD6644-903D-417C-8943-2580435717C0} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {5CCC1466-E0BC-46E5-89B2-ED866138B13D} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {6030F09E-8D4C-4933-AD8A-4128FCEA57D3} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {610A82AC-5BF0-486F-9CAF-B58EC26C2BBB} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {6121F116-9746-441A-9CDC-350729AA44DC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2941010735-3585041794-3592001094-1000Core => C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-06-20] (Google Inc -> Google Inc.)
Task: {63D0110B-9C57-42ED-BB1E-A1BAFE55D744} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {6619266F-8CB4-4F3C-827F-7F0AC193F7A4} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {66649AED-C261-4CFE-ADA5-C6286218026A} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1240656 2019-09-10] (Adobe Inc. -> Adobe Systems)
Task: {6C103E98-1636-4300-9B3D-BB9415462B4B} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {7557BBCE-0C80-4E7A-A9F9-35F960610A55} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant => C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe [0 0000-00-00] (Microsoft Corporation) (Access Denied)
Task: {7A1EAC41-2F2F-4A37-B4B2-9D91A4315AC5} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {7EC8CF87-DC24-4E8A-9B97-D4E20E6867A5} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_32_0_0_321_pepper.exe [1453624 2020-01-21] (Adobe Inc. -> Adobe)
Task: {82125653-3B24-47E6-BA6A-FE584E3436AD} - System32\Tasks\{20481B20-8659-4CEA-8F80-85FDB2A7B758} => C:\Windows\system32\pcalua.exe -a D:\AutoRunPro.exe -d D:\
Task: {8AA89A41-ABB4-4692-8E0B-40A1F14E294F} - System32\Tasks\Microsoft\Windows\SideShow\SessionAgent => {45F26E9E-6199-477F-85DA-AF1EDFE067B1}
Task: {8C51AA78-3039-4B6B-B9AA-019F8F6D130F} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1487568 2014-03-19] (Microsoft Corporation -> Microsoft Corporation)
Task: {8F313ABA-6BF1-41E8-8FD2-46BB7435A747} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2211024 2014-03-19] (Microsoft Corporation -> Microsoft)
Task: {A2145D31-F1A3-411E-B90B-9AE1B0B34549} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2118352 2014-03-19] (Microsoft Corporation -> Microsoft Corporation)
Task: {A34D8CB6-5C8C-414D-A959-D9ED162EA2F9} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun => C:\WINDOWS\UpdateAssistant\UpdateAssistant.exe [0 0000-00-00] (Microsoft Corporation) (Access Denied)
Task: {A9BB17FB-7177-4C9A-9158-147DDA9EFBC0} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [1487568 2014-03-19] (Microsoft Corporation -> Microsoft Corporation)
Task: {AD9F190F-B2C4-4722-AEE6-469892D6E329} - System32\Tasks\G2MUploadTask-S-1-5-21-2941010735-3585041794-3592001094-1000 => C:\Program Files (x86)\Citrix\GoToMeeting\6519\g2mupload.exe [41536 2017-03-08] (Citrix Online -> Citrix Online, a division of Citrix Systems, Inc.)
Task: {AF8D3E46-F763-4AFF-8844-5E52834750FD} - System32\Tasks\Microsoft\Windows\SideShow\AutoWake => {E51DFD48-AA36-4B45-BB52-E831F02E8316}
Task: {B0CBAB43-44FC-469B-A4CE-87426761FDCE} - System32\Tasks\Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor => {EA9155A3-8A39-40B4-8963-D3C761B18371}
Task: {B352AC5F-B4CE-4DAA-B3E1-E12CAE400EDA} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2941010735-3585041794-3592001094-1000UA => C:\Users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-06-20] (Google Inc -> Google Inc.)
Task: {BC4DE2DF-6FA9-47CF-8937-E8B950836E9F} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {BD89D6BF-24A6-492E-9DD7-480BE206CC0D} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {C07B5952-9F2D-4F91-851E-EB8C89412D51} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpCmdRun.exe [469648 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {C7C4BE24-93A4-42F1-8921-E59072D96588} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {D0DB9595-4F69-4F57-A997-AE69C331C0DD} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {D2F3ED54-DA24-4657-A3D0-763719F6EDDE} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {D377E2CF-3176-4373-8D96-67F735D63F38} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {D636A3F9-8C1B-4ECB-B565-CB5373B61D14} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DBCED337-F724-44FC-AAE0-61C4494DA67D} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DCA1D292-931E-45F8-8840-30FE1D2DF3DE} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {EA09F9F5-1F58-4E3E-8D78-3A40136219F7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [144200 2015-11-22] (Google Inc -> Google Inc.)
Task: {EFA2719A-95AF-4AFB-B6BB-A7E9B6ADD9B4} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {F0786202-87EE-4F37-ACBF-03D38C365436} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [144200 2015-11-22] (Google Inc -> Google Inc.)
Task: {F72A7DAB-BEA1-4DDE-81CB-13AC03F80DC0} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {F9980EE5-9420-4004-8988-41DE42DA4BAC} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {FD1A77FF-417B-4029-9DE1-E6E0C185FF44} - System32\Tasks\Microsoft\Windows\MobilePC\HotStart => {06DA0625-9701-43DA-BFD7-FBEEA2180A1E}

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-2941010735-3585041794-3592001094-1000.job => C:\Program Files (x86)\Citrix\GoToMeeting\6519\g2mupdate.exe
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-2941010735-3585041794-3592001094-1000.job => C:\Program Files (x86)\Citrix\GoToMeeting\6519\g2mupload.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.153.176.1 8.8.8.8
Tcpip\..\Interfaces\{3b0d0c84-b83f-4f62-94e0-ec285251d325}: [DhcpNameServer] 192.168.1.1 64.59.184.15 64.59.190.245
Tcpip\..\Interfaces\{ee62e349-4d1d-4426-ae7a-a196c4ab401b}: [DhcpNameServer] 75.153.176.1 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ca/
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> DefaultScope {425040C6-9BDE-414C-8BF9-1E7E1D880D6C} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US876D20150913&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> {425040C6-9BDE-414C-8BF9-1E7E1D880D6C} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US876D20150913&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> {DD1DA92C-0E5D-4A85-AC19-63D149FC9583} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US0D19700101&p={searchTerms}
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation -> Microsoft Corporation)

Edge:
======
DownloadDir: C:\Users\Owner\Downloads

FireFox:
========
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @MagellanGPS.com/CommunicationPlugin -> C:\Program Files (x86)\Magellan\Magellan Communicator\npMgnPlg.dll [2012-01-11] (MiTAC International Corporation -> Magellan Navigation, Inc.)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.35.422\npGoogleUpdate3.dll [2019-12-15] (Google LLC -> Google LLC)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.35.422\npGoogleUpdate3.dll [2019-12-15] (Google LLC -> Google LLC)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2019-12-02] (Adobe Inc. -> Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2941010735-3585041794-3592001094-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Owner\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-02-28] (Citrix Online -> Citrix Online)
FF Plugin HKU\S-1-5-21-2941010735-3585041794-3592001094-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.35.422\npGoogleUpdate3.dll [2019-12-15] (Google LLC -> Google LLC)
FF Plugin HKU\S-1-5-21-2941010735-3585041794-3592001094-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.35.422\npGoogleUpdate3.dll [2019-12-15] (Google LLC -> Google LLC)

Chrome:
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxps://player.siriusxm.ca/home/foryou#/player/live","hxxps://www.facebook.com/","hxxps://webmail.telus.net/#1","hxxps://shopbadmintononline.com/"
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?fr=mcafee&type=C211US876D20150913&p={searchTerms}
CHR DefaultSearchKeyword: Default -> mcafee
CHR Notifications: Default -> hxxps://mail.google.com; hxxps://www.facebook.com; hxxps://www.icy-veins.com; hxxps://www.pinterest.com; hxxps://www.youtube.com
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default [2020-01-22]
CHR Extension: (Slides) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-14]
CHR Extension: (Docs) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-14]
CHR Extension: (Google Drive) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-10-17]
CHR Extension: (IBM Security Rapport) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjllphbppobebmjpjcijfbakobcheof [2019-12-27]
CHR Extension: (YouTube) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-12-26]
CHR Extension: (Honey) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmnlcjabgnpnenekpadlanbbkooimhnj [2020-01-21]
CHR Extension: (Adobe Acrobat) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2019-09-30]
CHR Extension: (Sheets) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-14]
CHR Extension: (Google Docs Offline) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2020-01-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-03]
CHR Extension: (Gmail) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-04-24]
CHR Extension: (Chrome Media Router) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-12-18]
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Guest Profile [2019-12-27]
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\System Profile [2019-12-27]
CHR HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-02-08] (SUPERAntiSpyware.com -> SUPERAntiSpyware.com)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-19] (Dropbox, Inc -> Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-19] (Dropbox, Inc -> Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [44552 2020-01-07] (Dropbox, Inc -> Dropbox, Inc.)
R2 EpsonBidirectionalService; C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION) [File not signed]
S3 GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist Corporate\1121\G2AC_Service.exe [310080 2015-06-22] (Citrix Online -> Citrix Online, a division of Citrix Systems, Inc.)
R2 KSS; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202080 2014-06-15] (Kaspersky Lab -> Kaspersky Lab ZAO)
R2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [174616 2009-07-21] (Intel Corporation -> Intel Corporation)
S4 LogService; C:\RealTick\log_service32.exe [22528 2012-10-05] (Townsend Analytics) [File not signed]
R2 NTI Backup Now EZ 4 Scheduler; C:\Program Files (x86)\NTI\NTI Backup Now EZ 4\ScheduleService.exe [105136 2016-10-21] (NTI Corporation -> )
S2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [2522680 2016-06-14] (NVIDIA Corporation -> NVIDIA Corporation)
R2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [3001632 2019-10-06] (IBM -> IBM Corp.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [167936 2005-08-07] () [File not signed]
S3 Sage 50 Transaction Manager 2016 - CDN; C:\Program Files (x86)\Winsim\TransactionManager2016 - CDN\Sage_SA.TransactionManager.exe [35848 2016-12-06] (Sage Software, Inc. -> Sage)
S3 Sage 50 Transaction Manager 2017 - CDN; C:\Program Files (x86)\Winsim\TransactionManager2017 - CDN\Sage_SA.TransactionManager.exe [42400 2017-06-06] (Sage Software, Inc. -> Sage)
S3 Sage 50 Transaction Manager 2018 - CDN; C:\Program Files (x86)\Winsim\TransactionManager2018 - CDN\Sage_SA.TransactionManager.exe [42400 2018-05-31] (Sage Software, Inc. -> Sage)
S3 Sage 50 Transaction Manager 2019 - CDN; C:\Program Files (x86)\Winsim\TransactionManager2019 - CDN\Sage_SA.TransactionManager.exe [42328 2019-06-03] (Sage Software, Inc. -> Sage)
S3 Sage 50 Transaction Manager 2020 - CDN; C:\Program Files (x86)\Winsim\TransactionManager2020 - CDN\Sage_SA.TransactionManager.exe [42328 2019-12-07] (Sage Software, Inc. -> Sage)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5796168 2019-09-17] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 Simply Accounting Database Connection Manager; C:\Program Files (x86)\Winsim\ConnectionManager\SimplyConnectionManager.exe [35160 2019-12-07] (Sage Software, Inc. -> Sage)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer -> TeamViewer GmbH)
R2 termservice; c:\program files\windows mail\appcache.xml [55296 2020-01-21] (fhhfyayy4gfgg) [File not signed] <==== ATTENTION (no ServiceDLL)
R2 UNS; C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-21] (Intel Corporation -> Intel Corporation)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\NisSrv.exe [3206472 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MsMpEng.exe [103376 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WsDrvInst; C:\Program Files (x86)\Wondershare\Video Converter Ultimate (Desktop)\Transfer\DriverInstall.exe [107760 2019-09-26] (Wondershare Technology Co.,Ltd -> Wondershare)
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.)
R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_db678424d2641c3d\nvlddmkm.sys [22094728 2019-10-04] (NVIDIA Corporation -> NVIDIA Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [28216 2016-06-14] (NVIDIA Corporation -> NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [56384 2016-04-13] (NVIDIA Corporation -> NVIDIA Corporation)
S3 NxDrv; C:\WINDOWS\System32\DRIVERS\NxDrv.sys [24264 2011-07-28] (SonicWALL Inc. -> SonicWALL Inc.)
R1 RapportAegle64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportAegle64.sys [429112 2019-10-06] (IBM -> IBM Corp.)
R1 RapportCerberus_1950099; c:\programdata\trusteer\rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1950099.sys [1466824 2019-11-29] (IBM -> IBM Corp.)
R1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [542112 2019-10-06] (IBM -> IBM Corp.)
R0 RapportHades64; C:\WINDOWS\System32\Drivers\RapportHades64.sys [395384 2019-10-06] (IBM -> IBM Corp.)
R0 RapportKE64; C:\WINDOWS\System32\Drivers\RapportKE64.sys [445240 2019-10-06] (IBM -> IBM Corp.)
R1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [560568 2019-10-06] (IBM -> IBM Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (Support.com, Inc. -> SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (Support.com, Inc. -> SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd. -> Samsung Electronics Co., Ltd.)
S3 usbser; C:\Windows\SysWOW64\drivers\usbser.sys [24192 2005-04-26] (Microsoft Corporation) [File not signed]
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [45664 2019-12-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [355760 2019-12-07] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [54192 2019-12-07] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) ===================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-01-22 17:12 - 2020-01-22 17:14 - 000038679 _____ C:\Users\Owner\Downloads\FRST.txt
2020-01-22 17:12 - 2020-01-22 17:12 - 000000000 ____D C:\Users\Owner\Downloads\FRST-OlderVersion
2020-01-22 17:11 - 2020-01-22 17:11 - 000000000 ___HD C:\OneDriveTemp
2020-01-22 16:54 - 2020-01-22 16:54 - 000000000 ____D C:\Users\supportaccount\AppData\Local\PeerDistRepub
2020-01-21 22:23 - 2020-01-21 22:23 - 025900032 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 025444352 _____ (Microsoft Corporation) C:\WINDOWS\system32\Hydrogen.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 022627840 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 019849216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 018020352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 008012800 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 007754752 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 007016448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstscax.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 006520480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 005913600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 002801152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
2020-01-21 22:23 - 2020-01-21 22:23 - 002494464 _____ (Microsoft Corporation) C:\WINDOWS\system32\msmpeg2vdec.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 001610752 _____ (Microsoft Corporation) C:\WINDOWS\system32\HologramCompositor.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 001458688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 001399096 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
2020-01-21 22:23 - 2020-01-21 22:23 - 001151816 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmpeg2srcsnk.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 001106944 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Streaming.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 001098720 _____ (Microsoft Corporation) C:\WINDOWS\system32\DolbyDecMFT.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 001072952 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
2020-01-21 22:23 - 2020-01-21 22:23 - 001020032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\crypt32.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000852480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Streaming.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000842752 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000701440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Mirage.Internal.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000689664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000673792 _____ (Microsoft Corporation) C:\WINDOWS\system32\wiaaut.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000671232 _____ (Microsoft Corporation) C:\WINDOWS\system32\wiaservc.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000646144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Internal.Management.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000571392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wiaaut.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000432256 _____ (Microsoft Corporation) C:\WINDOWS\system32\tsmf.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000363840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tsmf.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32k.sys
2020-01-21 22:23 - 2020-01-21 22:23 - 000321536 _____ (Microsoft Corporation) C:\WINDOWS\system32\sti.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000227840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sti.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000206336 _____ (Microsoft Corporation) C:\WINDOWS\system32\sti_ci.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000148992 _____ (Microsoft Corporation) C:\WINDOWS\system32\MDMAppInstaller.exe
2020-01-21 22:23 - 2020-01-21 22:23 - 000145920 _____ (Microsoft Corporation) C:\WINDOWS\system32\wiadss.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000127520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dmcmnutils.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000119808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wiadss.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000090624 _____ (Microsoft Corporation) C:\WINDOWS\system32\tsgqec.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000089536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32u.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000083968 _____ (Microsoft Corporation) C:\WINDOWS\system32\wiarpc.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000070144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tsgqec.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000066560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clfsw32.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000066048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\enterpriseresourcemanager.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000018432 _____ (Microsoft Corporation) C:\WINDOWS\system32\wiatrace.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000015360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wiatrace.dll
2020-01-21 22:23 - 2020-01-21 22:23 - 000007680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DMAlertListener.ProxyStub.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 009928208 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 007600448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 003729408 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2020-01-21 22:22 - 2020-01-21 22:22 - 003703296 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 003263488 _____ (Microsoft Corporation) C:\WINDOWS\system32\tquery.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 002870784 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssrch.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 002716672 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2020-01-21 22:22 - 2020-01-21 22:22 - 002561536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tquery.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 002473976 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinapi.appcore.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 002305536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssrch.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 001985928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinapi.appcore.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 001835008 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 001697280 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 001664896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user32.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 001655880 _____ (Microsoft Corporation) C:\WINDOWS\system32\user32.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 001330952 _____ (Microsoft Corporation) C:\WINDOWS\system32\crypt32.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 001051664 _____ (Microsoft Corporation) C:\WINDOWS\system32\pidgenx.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000921600 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Management.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000896512 _____ (Microsoft Corporation) C:\WINDOWS\system32\MdmDiagnostics.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000851456 _____ (Microsoft Corporation) C:\WINDOWS\system32\SearchIndexer.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 000678712 _____ (Microsoft Corporation) C:\WINDOWS\system32\StructuredQuery.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000670720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SearchIndexer.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 000550400 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2020-01-21 22:22 - 2020-01-21 22:22 - 000542496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StructuredQuery.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000401408 _____ (Microsoft Corporation) C:\WINDOWS\system32\SearchProtocolHost.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 000400696 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\clfs.sys
2020-01-21 22:22 - 2020-01-21 22:22 - 000392192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Search.ProtocolHandler.MAPI2.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000379392 _____ (Microsoft Corporation) C:\WINDOWS\system32\provengine.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000368128 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssvp.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000336384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SearchProtocolHost.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 000329216 _____ (Microsoft Corporation) C:\WINDOWS\system32\DiagnosticLogCSP.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000317440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ConhostV1.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000299520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssvp.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000294400 _____ (Microsoft Corporation) C:\WINDOWS\system32\provops.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000283136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Search.ProtocolHandler.MAPI2.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000271872 _____ (Microsoft Corporation) C:\WINDOWS\system32\provhandlers.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000240640 _____ (Microsoft Corporation) C:\WINDOWS\system32\SearchFilterHost.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 000233472 _____ (Microsoft Corporation) C:\WINDOWS\system32\KnobsCore.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000232448 _____ (Microsoft Corporation) C:\WINDOWS\system32\provisioningcsp.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000223232 _____ (Microsoft Corporation) C:\WINDOWS\system32\tssrvlic.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000211968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SearchFilterHost.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 000204800 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssph.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000162696 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmcmnutils.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000160768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssph.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000147456 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssprxy.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000132096 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tsusbhub.sys
2020-01-21 22:22 - 2020-01-21 22:22 - 000128512 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssitlb.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000127064 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32u.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000123904 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptcatsvc.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000120320 _____ (Microsoft Corporation) C:\WINDOWS\system32\KnobsCsp.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000113152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssitlb.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000102400 _____ (Microsoft Corporation) C:\WINDOWS\system32\NFCProvisioningPlugin.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000097280 _____ (Microsoft Corporation) C:\WINDOWS\system32\provdatastore.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000091136 _____ (Microsoft Corporation) C:\WINDOWS\system32\ProvPluginEng.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000088576 _____ (Microsoft Corporation) C:\WINDOWS\system32\BarcodeProvisioningPlugin.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000084480 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterpriseresourcemanager.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000083456 _____ (Microsoft Corporation) C:\WINDOWS\system32\provtool.exe
2020-01-21 22:22 - 2020-01-21 22:22 - 000083456 _____ (Microsoft Corporation) C:\WINDOWS\system32\clfsw32.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000066048 _____ (Microsoft Corporation) C:\WINDOWS\system32\RemovableMediaProvisioningPlugin.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000062976 _____ (Microsoft Corporation) C:\WINDOWS\system32\LSCSHostPolicy.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000060416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mssprxy.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000060416 _____ (Microsoft Corporation) C:\WINDOWS\system32\msscntrs.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000046080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msscntrs.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000033792 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Management.Provisioning.ProxyStub.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000027648 _____ (Microsoft Corporation) C:\WINDOWS\system32\lstelemetry.dll
2020-01-21 22:22 - 2020-01-21 22:22 - 000026112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\WSDScan.sys
2020-01-21 22:22 - 2020-01-21 22:22 - 000010752 _____ (Microsoft Corporation) C:\WINDOWS\system32\DMAlertListener.ProxyStub.dll
2020-01-21 22:03 - 2019-12-09 21:15 - 000492544 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
2020-01-21 22:03 - 2019-12-09 20:59 - 000390656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe
2020-01-21 18:02 - 2020-01-21 18:02 - 000000000 ____D C:\Users\supportaccount\AppData\Local\Comms
2020-01-21 14:54 - 2020-01-21 14:54 - 000000000 ____D C:\Users\supportaccount\AppData\LocalLow\Adobe
2020-01-21 14:54 - 2020-01-21 14:54 - 000000000 ____D C:\Users\supportaccount\AppData\Local\Adobe
2020-01-08 18:23 - 2020-01-08 18:23 - 000124806 _____ C:\Users\Owner\Downloads\Tylers kitchen with 40_ uppers.pdf
2020-01-08 17:55 - 2020-01-08 17:55 - 000145140 _____ C:\Users\Owner\Downloads\Tylers kitchen 30_ uppers (1).pdf
2020-01-08 16:12 - 2020-01-08 16:12 - 000132184 _____ C:\Users\Owner\Downloads\Tylers kitchen 30_ uppers.pdf
2020-01-08 13:10 - 2020-01-08 13:10 - 594621545 _____ C:\WINDOWS\MEMORY.DMP
2020-01-08 13:10 - 2020-01-08 13:10 - 000566948 _____ C:\WINDOWS\Minidump\010820-11734-01.dmp
2020-01-08 13:10 - 2020-01-08 13:10 - 000000000 ____D C:\WINDOWS\Minidump
2020-01-08 12:57 - 2020-01-08 12:57 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2020-01-07 05:21 - 2020-01-07 05:21 - 000047600 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
2020-01-07 05:21 - 2020-01-07 05:21 - 000047600 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
2020-01-07 05:21 - 2020-01-07 05:21 - 000047600 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
2020-01-07 05:21 - 2020-01-07 05:21 - 000044552 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2020-01-05 15:07 - 2020-01-05 15:07 - 001239195 _____ C:\Users\Owner\Downloads\Tylers kitchen.pdf
2019-12-31 10:14 - 2019-12-31 10:14 - 000148341 _____ C:\Users\Owner\Downloads\ReceiptReport.pdf
2019-12-31 09:50 - 2020-01-21 14:26 - 000000000 ____D C:\Users\Owner\AppData\Roaming\Batiscaf

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2020-01-22 17:14 - 2019-07-22 15:08 - 000972156 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2020-01-22 17:14 - 2019-03-18 20:50 - 000000000 ____D C:\WINDOWS\INF
2020-01-22 17:13 - 2016-12-23 23:35 - 000000000 ____D C:\FRST
2020-01-22 17:12 - 2019-12-02 10:43 - 002580480 _____ (Farbar) C:\Users\Owner\Downloads\FRST64.exe
2020-01-22 17:11 - 2016-07-19 13:55 - 000000000 ___RD C:\Users\Owner\OneDrive
2020-01-22 17:09 - 2019-03-18 20:52 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2020-01-22 17:07 - 2019-07-22 15:10 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2020-01-22 17:07 - 2019-07-22 14:55 - 001647392 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2020-01-22 17:07 - 2016-09-15 22:51 - 000000000 ____D C:\ProgramData\NVIDIA
2020-01-22 17:06 - 2019-03-18 20:52 - 000000000 ___SD C:\WINDOWS\system32\UNP
2020-01-22 17:06 - 2019-03-18 20:52 - 000000000 ____D C:\WINDOWS\SystemResources
2020-01-22 17:06 - 2019-03-18 20:52 - 000000000 ____D C:\WINDOWS\ShellExperiences
2020-01-22 17:06 - 2019-03-18 20:52 - 000000000 ____D C:\WINDOWS\bcastdvr
2020-01-22 17:06 - 2019-03-18 20:37 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2020-01-22 14:37 - 2019-07-22 15:10 - 000004162 _____ C:\WINDOWS\system32\Tasks\User_Feed_Synchronization-{D45969D5-1613-4F7B-AFEC-C03FFEFFC0FE}
2020-01-22 13:18 - 2016-12-26 17:05 - 000002341 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2020-01-22 13:18 - 2016-12-26 17:05 - 000002300 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2020-01-22 13:18 - 2016-12-26 17:05 - 000002300 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2020-01-22 12:14 - 2019-07-22 14:55 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2020-01-21 22:34 - 2013-12-23 13:06 - 000000000 ____D C:\WINDOWS\system32\MRT
2020-01-21 22:28 - 2013-12-23 13:06 - 120202352 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2020-01-21 22:27 - 2019-03-18 20:37 - 000000000 ____D C:\WINDOWS\CbsTemp
2020-01-21 22:08 - 2019-12-02 10:23 - 000000000 ____D C:\Users\supportaccount\AppData\Local\Packages
2020-01-21 22:08 - 2019-03-18 20:52 - 000000000 ___HD C:\Program Files\WindowsApps
2020-01-21 22:08 - 2019-03-18 20:52 - 000000000 ____D C:\WINDOWS\AppReadiness
2020-01-21 14:54 - 2019-12-02 10:23 - 000000000 ____D C:\Users\supportaccount\AppData\Roaming\Adobe
2020-01-21 14:42 - 2019-12-02 10:23 - 000000000 ___RD C:\Users\supportaccount\3D Objects
2020-01-21 14:42 - 2016-04-26 22:42 - 000000000 __RHD C:\Users\Public\AccountPictures
2020-01-21 14:41 - 2019-12-13 21:36 - 000000000 ____D C:\Users\Owner\AppData\Roaming\DBLite
2020-01-21 14:41 - 2019-12-08 09:54 - 000000000 ____D C:\Users\Owner\AppData\Roaming\MyLiteDB
2020-01-21 14:33 - 2016-05-04 18:20 - 000000000 ____D C:\Users\Owner\AppData\Local\CrashDumps
2020-01-21 12:11 - 2019-12-18 13:55 - 000000925 _____ C:\Windows Defender.lnk
2020-01-21 12:01 - 2019-07-22 15:10 - 000004594 _____ C:\WINDOWS\system32\Tasks\Adobe Flash Player PPAPI Notifier
2020-01-21 12:01 - 2019-03-18 20:52 - 000000000 ____D C:\WINDOWS\system32\Macromed
2020-01-21 12:00 - 2019-03-18 20:52 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2020-01-09 21:08 - 2014-04-22 21:12 - 000000000 ____D C:\Users\Owner\AppData\Local\Battle.net
2020-01-08 21:59 - 2019-07-22 15:01 - 000000000 ____D C:\Users\Owner
2020-01-08 17:32 - 2014-06-30 11:41 - 000000000 ____D C:\Users\Owner\AppData\Local\ElevatedDiagnostics
2020-01-08 12:57 - 2015-11-02 18:16 - 000000000 ____D C:\Program Files (x86)\Dropbox
2020-01-07 18:51 - 2019-03-18 20:52 - 000000000 ____D C:\WINDOWS\system32\FxsTmp
2020-01-07 18:26 - 2014-06-17 16:17 - 000000000 ____D C:\Users\Owner\Documents\Li-Ning
2020-01-06 17:08 - 2015-10-14 18:07 - 000004875 _____ C:\WINDOWS\ODBC.INI
2020-01-06 16:52 - 2019-10-30 19:38 - 000000000 ____D C:\Program Files (x86)\Sage 50 Pro Accounting Version 2020
2020-01-06 16:48 - 2019-07-22 15:10 - 000003374 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2941010735-3585041794-3592001094-1000
2020-01-06 16:48 - 2019-07-22 15:01 - 000002409 _____ C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2020-01-06 11:29 - 2019-07-22 15:10 - 000004210 _____ C:\WINDOWS\system32\Tasks\CCleaner Update
2019-12-31 15:47 - 2016-07-19 13:50 - 000000000 ____D C:\Users\Owner\AppData\Local\Packages
2019-12-31 15:29 - 2019-12-07 12:04 - 000795250 _____ C:\WINDOWS\ntbtlog.txt
2019-12-31 15:22 - 2016-12-26 09:25 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2019-12-31 13:09 - 2016-12-26 17:04 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2019-12-31 09:32 - 2019-11-26 20:18 - 000000000 ____D C:\Users\Owner\AppData\Roaming\DScience

==================== Files in the root of some directories ========

2016-12-26 17:40 - 2016-12-30 07:23 - 000000115 _____ () C:\Users\Owner\AppData\Roaming\LogFile.txt
2014-06-07 20:29 - 2014-06-07 20:29 - 000007652 _____ () C:\Users\Owner\AppData\Local\Resmon.ResmonCfg
2017-04-08 09:26 - 2017-04-08 09:26 - 000000000 _____ () C:\Users\Owner\AppData\Local\{62287BAF-A115-49BA-9240-5503F719DF52}

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================
xcell is offline  
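The termservice entry in the Services section above is the one FRST itself marks with ATTENTION: the service name used by Remote Desktop Services points at an unsigned .xml file under Windows Mail with no ServiceDll, where Windows registers svchost.exe hosting termsrv.dll. As an added example that is not part of the original post or of FRST, the script below applies that kind of review to FRST service lines mechanically: it parses each `R2 name; path [size date] (signer) ...` line and flags FRST's ATTENTION marker, the "[File not signed]" marker, an image that is not an executable, a binary outside the standard program directories, and a built-in service whose image is not the one Windows uses. The EXPECTED_IMAGE table and TRUSTED_DIR_PREFIXES list are assumptions of this example, and SAMPLE_LINES are six lines copied from the log above.

```python
r"""Triage the "Services (Whitelisted)" section of an FRST log.

Added example, not code from the thread or from FRST. It parses FRST service
lines, e.g.

    R2 name; C:\path\file.exe [size date] (signer -> vendor) [File not signed] <==== ATTENTION

and applies the checks a reviewer makes by eye: FRST's own ATTENTION marker,
an unsigned image, an image that is not an executable, a binary outside the
usual program directories, and a built-in Windows service whose image is not
the one Windows ships. EXPECTED_IMAGE and TRUSTED_DIR_PREFIXES are assumptions
of this example.
"""
import re
from dataclasses import dataclass, field
from ntpath import basename, splitext  # Windows path rules, usable on any OS

# Built-in service name (lower case) -> image basename Windows uses for it.
# Assumption of this example; only services whose host process is certain.
EXPECTED_IMAGE = {
    "termservice": "svchost.exe",  # Remote Desktop Services: svchost hosting termsrv.dll
    "windefend": "msmpeng.exe",    # Microsoft Defender Antivirus Service
    "wdnissvc": "nissrv.exe",      # Defender Network Inspection Service
}

# Directories a service binary is normally installed under (lower case).
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\",
)

EXECUTABLE_EXT = {".exe", ".sys", ".dll"}

# "R2 termservice; <rest>" -> state R2 (running, auto-start), name, rest
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);\s+(?P<rest>.+)$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    image: str
    flags: list = field(default_factory=list)


def extract_image(rest):
    """Return the image path FRST printed: a quoted path (binary with arguments),
    or the text up to the " [size date]" block, falling back to the "(signer)"
    block when FRST printed no size/date."""
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    cut = rest.find(" [")
    if cut == -1:
        cut = rest.find(" (")
    return rest if cut == -1 else rest[:cut]


def triage(line):
    """Parse one FRST service line; return a ServiceEntry, or None if the line
    is not a service entry (section headers, blank lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, rest = m.group("name").strip(), m.group("rest")
    image = extract_image(rest)
    entry = ServiceEntry(m.group("state"), name, image)
    low = image.lower()

    if "<==== ATTENTION" in rest:
        entry.flags.append("frst-attention")
    # Absence of the marker does not prove a valid signature (FRST prints no
    # signer on some lines), so only the explicit marker is flagged here.
    if "[File not signed]" in rest:
        entry.flags.append("unsigned")
    ext = splitext(low)[1]
    if ext not in EXECUTABLE_EXT:
        entry.flags.append(f"non-executable image ({ext or 'no extension'})")
    if not low.startswith(TRUSTED_DIR_PREFIXES):
        entry.flags.append("outside program directories")
    expected = EXPECTED_IMAGE.get(name.lower())
    if expected and basename(low) != expected:
        entry.flags.append(f"built-in service expects {expected}, got {basename(low)}")
    return entry


def suspicious(lines):
    """Map service name -> flags for every line that raised at least one flag,
    most-flagged entries first."""
    entries = [e for e in map(triage, lines) if e and e.flags]
    entries.sort(key=lambda e: len(e.flags), reverse=True)
    return {e.name: e.flags for e in entries}


# Sample input: six service lines copied from the FRST log posted above.
SAMPLE_LINES = [
    r"R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2017-02-08] (SUPERAntiSpyware.com -> SUPERAntiSpyware.com)",
    r"S4 LogService; C:\RealTick\log_service32.exe [22528 2012-10-05] (Townsend Analytics) [File not signed]",
    r"R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [167936 2005-08-07] () [File not signed]",
    r"R2 termservice; c:\program files\windows mail\appcache.xml [55296 2020-01-21] (fhhfyayy4gfgg) [File not signed] <==== ATTENTION (no ServiceDLL)",
    r"R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MsMpEng.exe [103376 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)",
    r'R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000',
]

if __name__ == "__main__":
    for name, flags in suspicious(SAMPLE_LINES).items():
        print(f"{name}: {', '.join(flags)}")
```

Run against the six sample lines, termservice collects all four flags it can (ATTENTION, unsigned, non-executable image, wrong image for a built-in service), LogService is flagged for being unsigned and living in C:\RealTick, RichVideo only for being unsigned, and the SUPERAntiSpyware, Defender and NVIDIA entries pass clean. On the live host the same registration is visible under HKLM\SYSTEM\CurrentControlSet\Services\TermService (ImagePath, and ServiceDll under its Parameters subkey); FRST's "(no ServiceDLL)" note records that the ServiceDll value is absent.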
Old 01-23-2020, 12:48 AM   #2
Gary R (Moderator, Security Team)
Join Date: Jul 2008
Location: Yorkshire
Posts: 669
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

I need to see your Addition.txt file.

If you can't attach it, then please try posting it, as you did with FRST.txt

If you can't do that, then upload it to one of the free online file hosting services, and then post me the link to the file.
Old 01-23-2020, 10:47 AM   #3
xcell (Registered Member)

https://www.dropbox.com/s/ia6ans42hp...ition.txt?dl=0

Old 01-23-2020, 10:09 PM   #4
Gary R (Moderator, Security Team)

Thanks. Looking over your logs now, this may take some time, I'll be back as soon as I can.
Old 01-24-2020, 01:40 AM   #5
Gary R (Moderator, Security Team)

There are no obvious signs of malware in the logs you've supplied, though I do have a few questions:

1. Did you install TeamViewer yourself?

2. At some point in the past was EMET (Enhanced Mitigation Experience Toolkit) used on your computer?

3. Your logs show you are using Windows Defender as your AV, but your Install List shows you still have Kaspersky installed; is that true?

The Windows Defender section in your Addition.txt log shows Defender flagging a Kaspersky process as malware, and I suspect that is the cause of your problems, but I'll wait for your replies to my questions before advising on a course of action.
Old 01-24-2020, 10:09 AM   #6
xcell (Registered Member)

1. Yes, I did install TeamViewer myself.
2. Not sure about the EMET toolkit; it is possible.
3. Yes to Windows Defender, and yes, Kaspersky online (free version) is installed; I don't use it very often, only if things like this start happening.

I ran Windows Defender Offline after I sent the logs to you, and I have not been getting the Windows Security 'X' on the icon for the last 2 days.

Other items I have noticed that are not normal:

1. Last night before shutting down, after closing all the open windows etc., my desktop was populated with about 20 extra folder icons. They were all on the left side of my screen, like they were organized to be the first icons, or maybe hidden off the screen to the left. I could not delete them; when I tried, it said they could be recovered from the Control Panel later. I ran the WD AV Offline scan again and they all disappeared after rebooting.

2. I have seen a DOS window pop up from time to time over the past few months, and most times I did not see what it was running; the other day it did stay up long enough for me to see it read 'Copying file to....'

3. I ran a video yesterday and almost immediately another window popped up and asked for my Windows Security password. It appeared to be generated from Windows Security, but I have never seen that before. I did not enter any passwords, just closed it, and the video ran.
Old 01-24-2020, 03:33 PM   #7
Gary R (Moderator, Security Team)

OK, then please do the following ....

First ...

Go to Control Panel > Programs and Features and uninstall Kaspersky.

Reboot your computer to complete the uninstall.

Next ...

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

Next ....

Run a new scan with FRST and post me the new FRST.txt and attach the new Addition.txt (if you zip the Addition.txt file first, you should be able to attach it).
Gary R is offline  
Old 01-26-2020, 11:06 PM   #8
Registered Member
 
Join Date: Oct 2006
Location: Canada
Posts: 32
OS: Windows 10



The computer has been off for a few days over the weekend. I removed Kaspersky and rebooted, but WD has found the following:
Trojan:Win32/Generic!BV (Twice)

These were found and quarantined by WD, some on multiple occasions since Jan 9:
Trojan:Win32/Occamy.C
Trojan:Win32/Detplock
Behavior:Win32/DefenseEvasion.WI!ml
Trojan:Win32/Wacatac.C!ml
Trojan:Win32/Zpevdo.A
Program:Win32/Uwasson.A!ml


1/26/2020 22:46:43 PM
Files scanned: 378082
Detected files: 68
Cleaned files: 68
Total scan time 02:28:34
Scan status: Finished


C:\AdwCleaner\quarantine\files\gykbpigrkvditcrybdvhccodvywzjqkr\{85490C41-BC0D-C744-B1E0-BAB41091032C}\YSearchUtil.dll a variant of Win32/YahooSearch.C potentially unwanted application cleaned by deleting
C:\Program Files\Windows Mail\appcache.xml a variant of Win64/RA-based.D trojan cleaned by deleting (after the next restart)
C:\Users\Owner\AppData\Local\Microsoft\Windows\INetCache\IE\5OD0TD86\errlog[1].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Users\Owner\AppData\Local\Microsoft\Windows\INetCache\IE\5OD0TD86\msi_update[1].dll Win32/Agent.ABMF trojan cleaned by deleting
C:\Users\Owner\AppData\Local\Microsoft\Windows\INetCache\IE\E0FK8X38\errlog[1].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Users\Owner\AppData\Local\Microsoft\Windows\INetCache\IE\WP6Y3T9T\msi_update[1].dll a variant of Win32/Packed.Themida.HIB trojan cleaned by deleting
C:\Users\Owner\AppData\Local\Temp\YGjKJLaX0VHSpqvG8AZuYEY2ix0tVez.exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Users\Owner\AppData\LocalLow\Oracle\Java\jre1.8.0_144\java_sp\amazoncct.dll a variant of Win32/Distromatic.E potentially unwanted application cleaned by deleting
C:\Users\Owner\AppData\LocalLow\Oracle\Java\jre1.8.0_144\java_sp\YSearchUtil.dll a variant of Win32/YahooSearch.C potentially unwanted application cleaned by deleting
C:\Users\Owner\AppData\LocalLow\Oracle\Java\jre1.8.0_144\java_sp.dll a variant of Win32/YahooSearch.C potentially unwanted application,a variant of Win32/Distromatic.E potentially unwanted application deleted
C:\Users\Owner\AppData\Roaming\Batiscaf\msi.dll a variant of Win32/Packed.Themida.HIB trojan cleaned by deleting (after the next restart)
C:\Users\Owner\AppData\Roaming\Batiscaf\msi.dll.x Win32/Agent.ABMF trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\DBLite\database.db a variant of Generik.BIRXUPP trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\DBLite\dbs2.ps1 PowerShell/Kryptik.AA trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\DBLite\mydb.db a variant of Generik.ICTNGIP trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\DScience\msi.dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\DScience\msi.dll.x a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\MyLiteDB\db.ps1 PowerShell/Kryptik.AA trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\MySign\signed.ps1 PowerShell/RA-based.A trojan cleaned by deleting
C:\Users\Owner\Downloads\Security\ccsetup525.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Owner\Downloads\Security\spsetup128.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Owner\Downloads\ccsetup543.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Owner\Downloads\video_editor_x64 (1).exe Win64/TrojanDownloader.AHK.AQ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlogORX5D6GN.exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[10].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[1].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[2].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[3].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[4].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[5].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[6].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[7].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[8].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[9].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_updateP913GH71.dll Win32/Agent.ABMF trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_updateRX6R1E31.dll a variant of Win32/Packed.Themida.HIB trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[10].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[1].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[2].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[3].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[4].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[5].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[6].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[7].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[8].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\msi_update[9].dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[1].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[2].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[3].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[4].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[5].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[6].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[7].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[8].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\part2[9].exe a variant of Generik.LKKYHDD trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\RodtekD2umgtDJHVpaSPZJWZSOODwhN.exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Xs5welaw7jeqo2SsOklDMsuzffLDdTW.exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\znDrtmfRD0gZS5WTz1XHVRAaKMoLUaG.exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Batiscaf\msi.dll Win32/Agent.ABMF trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Batiscaf\msi.dll.x a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DBLite\database.db a variant of Generik.BIRXUPP trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DBLite\dbs.ps1 PowerShell/Kryptik.AA trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Gooled\msi.dll a variant of Win32/Packed.Themida.HIB trojan cleaned by deleting (after the next restart)
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Gooled\msi.dll.x a variant of Win32/Packed.Themida.HIB trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Stronged\msi.dll a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Stronged\msi.dll.x a variant of Win32/Packed.VMProtect.MR trojan cleaned by deleting
Operating memory a variant of Win32/Packed.Themida.HIB trojan contained infected files
Autostart locations multiple threats,a variant of Win64/RA-based.D trojan,a variant of Win32/Packed.Themida.HIB trojan cleaned by deleting (after the next restart)
Attached Files
File Type: zip FRST.zip (13.3 KB, 4 views)
File Type: zip Addition.zip (13.7 KB, 3 views)
xcell is offline  
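An added example, not part of the thread or of any ESET tooling: a small Python parser run over lines copied from the ESET log above. It splits each line into the object scanned, the detection names and the action taken, then groups hits by the profile they were found in (the NetworkService service profile versus the Owner user profile) and lists the entries ESET could only clean after the next restart, which is why a reboot is needed before the removal is complete.

```python
import re
from collections import Counter

# Lines copied from the ESET Online Scanner log quoted in the thread above
# (a subset; same format as the full log).
SAMPLE_LOG = r"""
C:\Users\Owner\AppData\Roaming\DBLite\dbs2.ps1 PowerShell/Kryptik.AA trojan cleaned by deleting
C:\Users\Owner\AppData\Roaming\Batiscaf\msi.dll a variant of Win32/Packed.Themida.HIB trojan cleaned by deleting (after the next restart)
C:\Users\Owner\Downloads\video_editor_x64 (1).exe Win64/TrojanDownloader.AHK.AQ trojan cleaned by deleting
C:\Users\Owner\AppData\LocalLow\Oracle\Java\jre1.8.0_144\java_sp.dll a variant of Win32/YahooSearch.C potentially unwanted application,a variant of Win32/Distromatic.E potentially unwanted application deleted
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\DBLite\dbs.ps1 PowerShell/Kryptik.AA trojan cleaned by deleting
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\IE\errlog[1].exe a variant of MSIL/Spy.Tiny.AZ trojan cleaned by deleting
Operating memory a variant of Win32/Packed.Themida.HIB trojan contained infected files
Autostart locations multiple threats,a variant of Win64/RA-based.D trojan cleaned by deleting (after the next restart)
"""

# The action ESET took is always the tail of the line.
ACTION_RE = re.compile(
    r"\s(?P<action>cleaned by deleting(?: \(after the next restart\))?"
    r"|deleted|contained infected files)$"
)
# The detection text starts at the first token that names a threat; everything
# before that token is the object scanned (a file path, "Operating memory", ...).
# Paths may contain spaces, so we cannot simply split on whitespace.
DETECTION_RE = re.compile(
    r"\s(?=a variant of |multiple threats|Win32/|Win64/|MSIL/|PowerShell/|Generik\.)"
)
# Detection names as ESET writes them, e.g. Win32/Packed.Themida.HIB or Generik.BIRXUPP.
FAMILY_RE = re.compile(r"(?:Win32|Win64|MSIL|PowerShell)/[A-Za-z0-9_.\-]+|Generik\.[A-Z]+")
# Which profile a path belongs to: C:\Users\<name>\ or C:\Windows\ServiceProfiles\<name>\.
PROFILE_RE = re.compile(
    r"^[A-Za-z]:\\(?:Users|Windows\\ServiceProfiles)\\([^\\]+)\\", re.IGNORECASE
)


def parse_line(line):
    """Return (object, [detection names], action) for one log line, or None
    if the line is not a detection line (headers, scan statistics, blanks)."""
    line = line.strip()
    act = ACTION_RE.search(line)
    if not act:
        return None
    head = line[:act.start()]
    det = DETECTION_RE.search(head)
    if not det:
        return None
    obj = head[:det.start()]
    families = FAMILY_RE.findall(head[det.end():])
    return obj, families, act.group("action")


def profile_of(obj):
    """Profile name the object lives under, or "other" for non-profile objects."""
    m = PROFILE_RE.match(obj)
    return m.group(1) if m else "other"


def summarize(log_text):
    """Group detections by profile and by detection name, and collect the
    objects whose cleaning is deferred to the next restart or were only
    found in memory (both mean the infection is still live until a reboot)."""
    by_profile, by_family = Counter(), Counter()
    reboot_pending, in_memory = [], []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        obj, families, action = parsed
        by_profile[profile_of(obj)] += 1
        by_family.update(families)
        if "after the next restart" in action:
            reboot_pending.append(obj)
        if action == "contained infected files":
            in_memory.append(obj)
    return {
        "by_profile": by_profile,
        "by_family": by_family,
        "reboot_pending": reboot_pending,
        "in_memory": in_memory,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Hits under the NetworkService profile mean something ran as a service account and not only as the logged-in user, which is worth checking separately from the user-profile entries.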
Old 01-27-2020, 05:54 AM   #9
Moderator
Security Team
 
 
Join Date: Jul 2008
Location: Yorkshire
Posts: 669
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64



If you haven't already done so, please reboot your computer to complete the removal process of the infections found by ESET.

Next ....

You have used msconfig to disable a number of items from starting at boot up. This is not a good thing to do. MSConfig was designed for troubleshooting boot problems; it was not designed to be used the way you are using it.

So ....
  • Click Start and in the Search window type msconfig and hit return
  • MSConfig window will open.
  • Click on the Services tab, and select Enable all
  • Click on the Startup tab, and click on Open Task Manager .... now enable any items you have disabled.
  • Exit msconfig.

Next ....

Reboot your computer (this is important)

Next ....
  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
Code:
(Microsoft Windows -> ) C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\services1.exe
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\...\MountPoints2: {907b6325-bffc-11e3-8be2-806e6f6e6963} - "D:\start.exe"
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {00FC7519-833A-415B-B0BB-E0A6D8E2F60E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> DefaultScope {425040C6-9BDE-414C-8BF9-1E7E1D880D6C} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US876D20150913&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> {425040C6-9BDE-414C-8BF9-1E7E1D880D6C} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US876D20150913&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> {DD1DA92C-0E5D-4A85-AC19-63D149FC9583} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US0D19700101&p={searchTerms}
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Video Converter Ultimate (Desktop)\Transfer\DriverInstall.exe" [X]
2019-12-31 09:50 - 2020-01-26 21:39 - 000000000 ____D C:\Users\Owner\AppData\Roaming\Batiscaf
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} =>  -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} =>  -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
FirewallRules: [{E8C72FDA-2023-40D8-BE59-720C4DCA7044}] => (Allow) C:\Users\Owner\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{85920B92-627C-4CE4-A73A-28788B291B98}] => (Allow) C:\Users\Owner\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{C7FC0CE8-3F5F-475F-8ADC-ECD546AE1D1E}] => (Allow) C:\Program Files (x86)\McAfee\Supportability\MVT\MvtApp.exe No File
FirewallRules: [{124B0E8C-EF8E-4FF2-9A81-666F9291F88B}] => (Allow) C:\Program Files (x86)\McAfee\Supportability\MVT\MvtApp.exe No File
FirewallRules: [{6B448BC7-E280-401D-8AA4-353D6FA7EF5F}] => (Allow) C:\Users\Owner\Downloads\ProductDetection.exe No File
FirewallRules: [{800B3273-9280-4F07-B7C5-7A9F94B924DB}] => (Allow) C:\Users\Owner\Downloads\ProductDetection.exe No File
FirewallRules: [{6910F3AC-F13B-446E-B17D-E5DFCFF51F3F}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe No File
FirewallRules: [{62E98E6E-31BB-44D0-A3AC-9F334396E500}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe No File
FirewallRules: [{BA51C85B-CFA8-4093-9D66-4078E8BAC6D5}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe No File
FirewallRules: [{953BC8E4-3C15-4190-9BA2-9BAF0DA8023B}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe No File
FirewallRules: [{A94435F7-784C-4A86-8128-95E5A5CF8918}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe No File
FirewallRules: [{B231E9B5-FFFB-462B-8B8D-120672C4F81F}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe No File
FirewallRules: [{A171EC4F-FDE3-4808-86B8-F6F992CDA644}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe No File
FirewallRules: [{AD8A59C8-778E-4C0E-9178-ED88FE877FA0}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe No File
FirewallRules: [{C31E9392-D463-4232-961A-2A1B31AE94D3}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe No File
FirewallRules: [{6CCB11ED-5AEE-46BF-BB78-417710621AE2}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe No File
FirewallRules: [{32468295-E703-4435-B17F-CB2F1E8BFE19}] => (Allow) D:\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{03F62BE6-2959-40D7-8CD4-976E85BE36DC}] => (Allow) D:\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{2195D407-DB69-4F42-98AA-D7A79C3CB508}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe No File
FirewallRules: [{1E8AEF3D-2C01-4E0A-B273-31EB1C4CCFA0}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe No File
VirusTotal:C:\RealTick\log_service32.exe;C:\WINDOWS\system32\drivers\jskyyftn.sys;C:\Windows\system32\vct3216.acm;C:\Windows\system32\scg726.acm;C:\Windows\system32\alf2cd.acm
cmd: ipconfig /flush dns
emptytemp:
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Next ....

Run a new scan with ESET Online Scanner and post me the new log please.
Gary R is offline  
Old 01-27-2020, 11:30 AM   #10
Registered Member
 
Join Date: Oct 2006
Location: Canada
Posts: 32
OS: Windows 10



Fix result of Farbar Recovery Scan Tool (x64) Version: 27-01-2020
Ran by Owner (27-01-2020 09:16:02) Run:2
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner (Available Profiles: Owner & supportaccount & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
(Microsoft Windows -> ) C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\services1.exe
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\...\MountPoints2: {907b6325-bffc-11e3-8be2-806e6f6e6963} - "D:\start.exe"
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {00FC7519-833A-415B-B0BB-E0A6D8E2F60E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> DefaultScope {425040C6-9BDE-414C-8BF9-1E7E1D880D6C} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US876D20150913&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> {425040C6-9BDE-414C-8BF9-1E7E1D880D6C} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US876D20150913&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2941010735-3585041794-3592001094-1000 -> {DD1DA92C-0E5D-4A85-AC19-63D149FC9583} URL = hxxps://search.yahoo.com/search?fr=mcafee&type=C011US0D19700101&p={searchTerms}
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\Video Converter Ultimate (Desktop)\Transfer\DriverInstall.exe" [X]
2019-12-31 09:50 - 2020-01-26 21:39 - 000000000 ____D C:\Users\Owner\AppData\Roaming\Batiscaf
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} => -> No File
FirewallRules: [{E8C72FDA-2023-40D8-BE59-720C4DCA7044}] => (Allow) C:\Users\Owner\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{85920B92-627C-4CE4-A73A-28788B291B98}] => (Allow) C:\Users\Owner\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{C7FC0CE8-3F5F-475F-8ADC-ECD546AE1D1E}] => (Allow) C:\Program Files (x86)\McAfee\Supportability\MVT\MvtApp.exe No File
FirewallRules: [{124B0E8C-EF8E-4FF2-9A81-666F9291F88B}] => (Allow) C:\Program Files (x86)\McAfee\Supportability\MVT\MvtApp.exe No File
FirewallRules: [{6B448BC7-E280-401D-8AA4-353D6FA7EF5F}] => (Allow) C:\Users\Owner\Downloads\ProductDetection.exe No File
FirewallRules: [{800B3273-9280-4F07-B7C5-7A9F94B924DB}] => (Allow) C:\Users\Owner\Downloads\ProductDetection.exe No File
FirewallRules: [{6910F3AC-F13B-446E-B17D-E5DFCFF51F3F}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe No File
FirewallRules: [{62E98E6E-31BB-44D0-A3AC-9F334396E500}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe No File
FirewallRules: [{BA51C85B-CFA8-4093-9D66-4078E8BAC6D5}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe No File
FirewallRules: [{953BC8E4-3C15-4190-9BA2-9BAF0DA8023B}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe No File
FirewallRules: [{A94435F7-784C-4A86-8128-95E5A5CF8918}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe No File
FirewallRules: [{B231E9B5-FFFB-462B-8B8D-120672C4F81F}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe No File
FirewallRules: [{A171EC4F-FDE3-4808-86B8-F6F992CDA644}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe No File
FirewallRules: [{AD8A59C8-778E-4C0E-9178-ED88FE877FA0}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe No File
FirewallRules: [{C31E9392-D463-4232-961A-2A1B31AE94D3}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe No File
FirewallRules: [{6CCB11ED-5AEE-46BF-BB78-417710621AE2}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe No File
FirewallRules: [{32468295-E703-4435-B17F-CB2F1E8BFE19}] => (Allow) D:\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{03F62BE6-2959-40D7-8CD4-976E85BE36DC}] => (Allow) D:\Common\EpsonNet Setup\ENEasyApp.exe No File
FirewallRules: [{2195D407-DB69-4F42-98AA-D7A79C3CB508}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe No File
FirewallRules: [{1E8AEF3D-2C01-4E0A-B273-31EB1C4CCFA0}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe No File
VirusTotal:C:\RealTick\log_service32.exe;C:\WINDOWS\system32\drivers\jskyyftn.sys;C:\Windows\system32\vct3216.acm;C:\Windows\system32\scg726.acm;C:\Windows\system32\alf2cd.acm
cmd: ipconfig /flush dns
emptytemp:
*****************

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\services1.exe => No running process found
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{907b6325-bffc-11e3-8be2-806e6f6e6963} => removed successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{00FC7519-833A-415B-B0BB-E0A6D8E2F60E}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00FC7519-833A-415B-B0BB-E0A6D8E2F60E}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
"HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{425040C6-9BDE-414C-8BF9-1E7E1D880D6C} => removed successfully
HKU\S-1-5-21-2941010735-3585041794-3592001094-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DD1DA92C-0E5D-4A85-AC19-63D149FC9583} => removed successfully
HKLM\System\CurrentControlSet\Services\WsDrvInst => removed successfully
WsDrvInst => service removed successfully
C:\Users\Owner\AppData\Roaming\Batiscaf => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ANotepad++64 => removed successfully
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\Software\Classes\CLSID\{85BBD920-42A0-1069-A2E4-08002B30309D}" => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\{4A7C4306-57E0-4C0C-83A9-78C1528F618C} => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\7-Zip => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\BriefcaseMenu => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E8C72FDA-2023-40D8-BE59-720C4DCA7044}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{85920B92-627C-4CE4-A73A-28788B291B98}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C7FC0CE8-3F5F-475F-8ADC-ECD546AE1D1E}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{124B0E8C-EF8E-4FF2-9A81-666F9291F88B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6B448BC7-E280-401D-8AA4-353D6FA7EF5F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{800B3273-9280-4F07-B7C5-7A9F94B924DB}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6910F3AC-F13B-446E-B17D-E5DFCFF51F3F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{62E98E6E-31BB-44D0-A3AC-9F334396E500}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BA51C85B-CFA8-4093-9D66-4078E8BAC6D5}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{953BC8E4-3C15-4190-9BA2-9BAF0DA8023B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A94435F7-784C-4A86-8128-95E5A5CF8918}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B231E9B5-FFFB-462B-8B8D-120672C4F81F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A171EC4F-FDE3-4808-86B8-F6F992CDA644}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AD8A59C8-778E-4C0E-9178-ED88FE877FA0}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C31E9392-D463-4232-961A-2A1B31AE94D3}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6CCB11ED-5AEE-46BF-BB78-417710621AE2}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{32468295-E703-4435-B17F-CB2F1E8BFE19}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{03F62BE6-2959-40D7-8CD4-976E85BE36DC}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2195D407-DB69-4F42-98AA-D7A79C3CB508}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E8AEF3D-2C01-4E0A-B273-31EB1C4CCFA0}" => removed successfully
VirusTotal: C:\RealTick\log_service32.exe => https://www.virustotal.com/file/2c1b...is/1569871618/
"VirusTotal: C:\WINDOWS\system32\drivers\jskyyftn.sys" => not found
VirusTotal: C:\Windows\system32\vct3216.acm => https://www.virustotal.com/file/fe05...is/1579394013/
VirusTotal: C:\Windows\system32\scg726.acm => https://www.virustotal.com/file/449e...is/1579394009/
VirusTotal: C:\Windows\system32\alf2cd.acm => https://www.virustotal.com/file/3e9b...is/1579394002/

========= ipconfig /flush dns =========


Error: unrecognized or incomplete command line.

USAGE:
ipconfig [/allcompartments] [/? | /all |
/renew [adapter] | /release [adapter] |
/renew6 [adapter] | /release6 [adapter] |
/flushdns | /displaydns | /registerdns |
/showclassid adapter |
/setclassid adapter [classid] |
/showclassid6 adapter |
/setclassid6 adapter [classid] ]

where
adapter Connection name
(wildcard characters * and ? allowed, see examples)

Options:
/? Display this help message
/all Display full configuration information.
/release Release the IPv4 address for the specified adapter.
/release6 Release the IPv6 address for the specified adapter.
/renew Renew the IPv4 address for the specified adapter.
/renew6 Renew the IPv6 address for the specified adapter.
/flushdns Purges the DNS Resolver cache.
/registerdns Refreshes all DHCP leases and re-registers DNS names
/displaydns Display the contents of the DNS Resolver Cache.
/showclassid Displays all the dhcp class IDs allowed for adapter.
/setclassid Modifies the dhcp class id.
/showclassid6 Displays all the IPv6 DHCP class IDs allowed for adapter.
/setclassid6 Modifies the IPv6 DHCP class id.


The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.

Examples:
> ipconfig ... Show information
> ipconfig /all ... Show detailed information
> ipconfig /renew ... renew all adapters
> ipconfig /renew EL* ... renew any connection that has its
name starting with EL
> ipconfig /release *Con* ... release all matching connections,
eg. "Wired Ethernet Connection 1" or
"Wired Ethernet Connection 2"
> ipconfig /allcompartments ... Show information about all
compartments
> ipconfig /allcompartments /all ... Show detailed information about all
compartments

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 10248192 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 242450196 B
Java, Flash, Steam htmlcache => 1351 B
Windows/system/drivers => 4036217 B
Edge => 3537620 B
Chrome => 412711089 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 6656 B
ProgramData => 6656 B
Public => 6656 B
systemprofile => 6656 B
systemprofile32 => 6656 B
LocalService => 21312 B
NetworkService => 11604217 B
Owner => 52405281 B
supportaccount => 52432373 B
DefaultAppPool => 52432373 B

RecycleBin => 217449828 B
EmptyTemp: => 1010.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 09:20:00 ====


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


ESET SCAN

1/27/2020 11:26:17 AM
Files scanned: 375664
Detected files: 0
Cleaned files: 0
Total scan time: 01:47:48
Scan status: Finished
xcell is offline  
Old 01-27-2020, 02:29 PM   #11
Moderator
Security Team
 
Gary R's Avatar
 
Join Date: Jul 2008
Location: Yorkshire
Posts: 669
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
Code:
S1 jskyyftn; C:\WINDOWS\system32\drivers\jskyyftn.sys [72816 2020-01-26] (Microsoft Corporation -> Microsoft Corporation)
C:\WINDOWS\system32\drivers\jskyyftn.sys
AlternateDataStreams: C:\WINDOWS\system32\Drivers\jskyyftn.sys:changelist [310]
cmd: ipconfig /flushdns
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

Also ... please let me know how your computer is behaving now
__________________
Gary R is offline  
Old 01-27-2020, 11:37 PM   #12
Registered Member
 
Join Date: Oct 2006
Location: Canada
Posts: 32
OS: Windows 10



Fix result of Farbar Recovery Scan Tool (x64) Version: 27-01-2020
Ran by Owner (27-01-2020 23:27:30) Run:3
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner (Available Profiles: Owner & supportaccount & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
S1 jskyyftn; C:\WINDOWS\system32\drivers\jskyyftn.sys [72816 2020-01-26] (Microsoft Corporation -> Microsoft Corporation)
C:\WINDOWS\system32\drivers\jskyyftn.sys
AlternateDataStreams: C:\WINDOWS\system32\Drivers\jskyyftn.sys:changelist [310]
cmd: ipconfig /flushdns
*****************

jskyyftn => service not found.
"C:\WINDOWS\system32\drivers\jskyyftn.sys" => not found
"C:\WINDOWS\system32\Drivers\jskyyftn.sys" => ":changelist" ADS not found.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


==== End of Fixlog 23:27:30 ====


Computer seems to be running OK for now; I will watch and let you know.

Thanks for the help, I appreciate it a lot.
xcell is offline  
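The fixlist in post #11 targets three things: the kernel driver service `jskyyftn`, its file under `system32\drivers`, and the `:changelist` alternate data stream attached to that file; the Fixlog above reports all three as not found. The following PowerShell script is an added example, not part of the thread and not an FRST feature, that confirms the same three points independently of FRST from an elevated session, and additionally reports the driver's Authenticode signature status if the file is still present (a random eight-letter driver name claiming a Microsoft publisher is the kind of thing a defender would want to verify rather than trust). The function name `Test-DriverRemediation` and the parameter names are my own; the service name, path and stream name default to the values from the thread.

```powershell
# Added verification script (not from the thread, not an FRST component).
# Assumptions: elevated Windows PowerShell 5.1+ on the cleaned machine; the default
# service name, driver path and stream name are the ones the thread's fixlist targeted.
param(
    [string]$ServiceName = 'jskyyftn',
    [string]$DriverPath  = 'C:\WINDOWS\system32\drivers\jskyyftn.sys',
    [string]$StreamName  = 'changelist'
)

function Test-DriverRemediation {
    param([string]$ServiceName, [string]$DriverPath, [string]$StreamName)

    $result = [ordered]@{}

    # 1. Kernel driver service. FRST's "S1 name;" prefix denotes a stopped service with
    #    start type 1 (System); Win32_SystemDriver lists kernel and file-system drivers.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    $result.ServicePresent = [bool]$svc
    if ($svc) {
        $result.ServiceStartMode = $svc.StartMode
        $result.ServicePath      = $svc.PathName
    }

    # 2. Service registry key (removed together with the service when the "S1" line is fixed).
    $result.RegistryKeyPresent = Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

    # 3. Driver file on disk, its signature, and any alternate data streams.
    $result.FilePresent = Test-Path -LiteralPath $DriverPath -PathType Leaf
    if ($result.FilePresent) {
        # Publisher claim vs. actual signature chain: compare the two before deciding anything.
        $sig = Get-AuthenticodeSignature -FilePath $DriverPath
        $result.SignatureStatus = $sig.Status
        $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Every stream except the main ':$DATA' stream is an alternate data stream.
        $streams = Get-Item -LiteralPath $DriverPath -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        $result.AlternateStreams    = @($streams | ForEach-Object { "$($_.Stream) [$($_.Length)]" })
        $result.TargetStreamPresent = [bool]($streams | Where-Object { $_.Stream -eq $StreamName })
    } else {
        $result.SignatureStatus     = $null
        $result.Signer              = $null
        $result.AlternateStreams    = @()
        $result.TargetStreamPresent = $false
    }

    # Remediated means: no service, no registry key, no file (and therefore no stream).
    $result.Remediated = -not ($result.ServicePresent -or $result.RegistryKeyPresent -or $result.FilePresent)
    return [pscustomobject]$result
}

Test-DriverRemediation -ServiceName $ServiceName -DriverPath $DriverPath -StreamName $StreamName | Format-List
```

On the machine in this thread, after the fix, the expected reading is `ServicePresent`, `RegistryKeyPresent` and `FilePresent` all `False` and `Remediated` `True`, which matches the three "not found" lines in the Fixlog. If `FilePresent` comes back `True`, the `SignatureStatus` and `AlternateStreams` fields are the ones to look at before touching anything; a driver whose signature status is not `Valid` but whose metadata claims Microsoft is a finding to report back in the thread, not something to delete by hand.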
Old 01-28-2020, 03:31 AM   #13
Moderator
Security Team
 
Gary R's Avatar
 
Join Date: Jul 2008
Location: Yorkshire
Posts: 669
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64



You're welcome.

I'll leave this topic open for a couple of days, if you have any problems then let me know.

If I don't hear from you by Friday, I'll post instructions for the safe removal of the tools we've been using to clean your machine, and I'll close this topic.
__________________
Gary R is offline  
Old 01-28-2020, 08:20 AM   #14
Registered Member
 
Join Date: Oct 2006
Location: Canada
Posts: 32
OS: Windows 10



Thank you
xcell is offline  
Old 01-31-2020, 09:34 PM   #15
Moderator
Security Team
 
Gary R's Avatar
 
Join Date: Jul 2008
Location: Yorkshire
Posts: 669
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64



To uninstall FRST and remove all its files, please do the following ...
  • Rename FRST64.exe to Uninstall.exe
  • Double click on Uninstall.exe to launch it.
    • Your computer will reboot, and on reboot will remove FRST and all its files.
__________________
Gary R is offline  