Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help

User Tag List

Scammer took control of laptop

This is a discussion on Scammer took control of laptop within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category. My sister fell victim to a scammer and I'd like to know if she has anything more to be concerned


Closed Thread
 
Thread Tools Search this Thread
Old 01-31-2017, 07:39 AM   #1
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



My sister fell victim to a scammer and I'd like to know if she has anything more to be concerned about.

She is running Windows10 on a Toshiba Satellite L50-C-1XM laptop. She received a pop-up alert that purported to be from Microsoft, telling her to phone a support number, and the laptop gave a very annoying alarm that she couldn't turn off.

She phoned the number and spoke to a guy with a strong Indian accent, who told her to press the Windows key and then the "R" key. She complied.

The guy told her that she had no firewall and offered to sell her a firewall for £300. She told him that she was running Norton Internet Security and he said that it had been breached.

She declined the offer and phoned me. I went over and ran Malwarebytes, but while MB was running, Norton found the infection and eradicated it.

I used my own laptop to change her banking password, and forbade her to access her bank account online until this has been cleared up.

Many thanks for your help.


dds file:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.14393.0
Run by Loulou at 15:19:08 on 2017-01-31
Microsoft Windows 10 Home 10.0.14393.0.1252.44.2057.18.8106.5453 [GMT 0:00]
.
AV: Norton Internet Security *Enabled/Updated* {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Norton Internet Security *Enabled* {6BFC5632-188D-B806-D13E-C607121B42A0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\igfxCUIService.exe
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\WLANExt.exe
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Elantech\ETDService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe -k utcsvc
C:\Windows\system32\CxAudMsg64.exe
C:\WINDOWS\system32\ibtsiva.exe
C:\WINDOWS\SysWow64\IntelCpHeciSvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\22.8.1.14\NIS.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\svchost.exe -k appmodel
C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\RMService.exe
C:\Program Files\TOSHIBA\Teco\TecoService.exe
C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe
C:\WINDOWS\system32\dashost.exe
C:\WINDOWS\System32\dwm.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\WINDOWS\system32\sihost.exe
C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
C:\WINDOWS\system32\taskhostw.exe
C:\Program Files (x86)\Norton Internet Security\Engine\22.8.1.14\NIS.exe
C:\Users\Loulou\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe
C:\WINDOWS\system32\igfxEM.exe
C:\WINDOWS\system32\igfxHK.exe
C:\WINDOWS\system32\igfxTray.exe
C:\WINDOWS\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.152.0_x64__kzf8qxf38zg5c\SkypeHost.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
C:\Program Files\TOSHIBA\Teco\TecoResident.exe
C:\Program Files\TOSHIBA\System Setting\TCrdMain_Win8.exe
C:\Users\Loulou\AppData\Local\Microsoft\OneDrive\OneDrive.exe
C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\WinZip\FAH\FAHWindow64.exe
C:\Program Files\WinZip\WzPreloader.exe
C:\WINDOWS\System32\fontdrvhost.exe
C:\WINDOWS\system32\ApplicationFrameHost.exe
C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\TPHM\TosWififind.exe
C:\WINDOWS\system32\AUDIODG.EXE
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
C:\Program Files\WindowsApps\Microsoft.WindowsStore_11610.1001.25.0_x64__8wekyb3d8bbwe\WinStore.App.exe
C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.37.0_x86__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
C:\WINDOWS\system32\browser_broker.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\smartscreen.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\backgroundTaskHost.exe
svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uLocal Page = %11%\blank.htm
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\22.8.1.14\coIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\22.8.1.14\coIEPlg.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\22.8.1.14\coIEPlg.dll
uRun: [OneDrive] "C:\Users\Loulou\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
uRun: [MyDriveConnect.exe] "C:\Program Files (x86)\MyDrive Connect\TomTom MyDrive Connect.exe" -startwithoutDA
uRun: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
uRunOnce: [Uninstall C:\Users\Loulou\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64] C:\WINDOWS\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Loulou\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_1\amd64"
mRun: [TSVU] "c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\FAH.lnk - C:\Program Files\WinZip\FAH\FAHConsole.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\WINZIP~1.LNK - C:\Program Files\WinZip\WzPreloader.exe
mPolicies-System: DSCAutomationHostEnabled = dword:2
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{6227d309-6267-4286-9276-069d8e766081} : DHCPNameServer = 40.42.1.201 40.42.1.203
TCP: Interfaces\{94ff6e49-5159-40c1-a76c-0435b0d524fa} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{94ff6e49-5159-40c1-a76c-0435b0d524fa}\14E64627F696461405 : DHCPNameServer = 192.168.43.1
Handler: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
Handler: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
SSODL: WebCheck - <orphaned>
LSA: Security Packages = ""
CLSID: {603D3801-BD81-11d0-A3A5-00C04FD706EC} - C:\WINDOWS\System32\windows.storage.dll
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine64\22.8.1.14\coieplg.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\22.8.1.14\coieplg.dll
x64-Run: [ETDCtrl] C:\Program Files (x86)\Elantech\ETDCtrl.exe
x64-Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
x64-Run: [SmartAudio] "C:\Program Files\CONEXANT\SAII\SACpl.exe" /t
x64-Run: [TecoResident] C:\Program Files\TOSHIBA\Teco\TecoResident.exe
x64-Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
x64-Run: [TCrdMain] C:\Program Files\Toshiba\System Setting\TCrdMain_Win8.exe
x64-mPolicies-System: DSCAutomationHostEnabled = dword:2
x64-Handler: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\WINDOWS\System32\tbauth.dll
x64-Handler: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\WINDOWS\System32\tbauth.dll
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - /UserInstall
x64-mASetup: {89820200-ECBD-11cf-8B85-00AA005B4340} - U
x64-CLSID: {603D3801-BD81-11d0-A3A5-00C04FD706EC} - C:\WINDOWS\System32\windows.storage.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\WINDOWS\System32\drivers\iaStorA.sys [2015-6-23 1455552]
R0 intelpep;Intel(R) Power Engine Plug-in Driver;C:\WINDOWS\System32\drivers\intelpep.sys [2016-7-16 48152]
R0 iorate;iorate;C:\WINDOWS\System32\drivers\iorate.sys [2016-11-10 48992]
R0 SymEFASI;Symantec Extended File Attributes (SI);C:\WINDOWS\System32\drivers\NISx64\1608010.00E\symefasi64.sys [2016-11-17 1628888]
R0 volume;Volume driver;C:\WINDOWS\System32\drivers\volume.sys [2016-7-16 16224]
R0 WindowsTrustedRT;Windows Trusted Execution Environment Class Extension;C:\WINDOWS\System32\drivers\WindowsTrustedRT.sys [2016-7-16 107032]
R0 WindowsTrustedRTProxy;Microsoft Windows Trusted Runtime Secure Service;C:\WINDOWS\System32\drivers\WindowsTrustedRTProxy.sys [2016-7-16 17944]
R0 Wof;Windows Overlay File System Filter Driver;C:\WINDOWS\System32\drivers\wof.sys [2016-8-24 199008]
R1 ahcache;Application Compatibility Cache;C:\WINDOWS\System32\drivers\ahcache.sys [2016-10-28 227328]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.4.24\Definitions\BASHDefs\20170125.003\BHDrvx64.sys [2017-1-27 1874136]
R1 ccSet_NIS;NIS Settings Manager;C:\WINDOWS\System32\drivers\NISx64\1608010.00E\ccsetx64.sys [2016-11-17 174328]
R1 FileCrypt;FileCrypt;C:\WINDOWS\System32\drivers\filecrypt.sys [2016-7-16 88576]
R1 GpuEnergyDrv;GPU Energy Driver;C:\WINDOWS\System32\drivers\gpuenergydrv.sys [2016-7-16 8192]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.4.24\Definitions\IPSDefs\20170130.001\IDSviA64.sys [2017-1-31 1038024]
R1 SymIRON;Symantec Iron Driver;C:\WINDOWS\System32\drivers\NISx64\1608010.00E\ironx64.sys [2016-11-17 289520]
R1 SymNetS;Symantec Network Security WFP Driver;C:\WINDOWS\System32\drivers\NISx64\1608010.00E\symnets.sys [2016-11-17 567512]
R2 CDPSvc;Connected Devices Platform Service;C:\WINDOWS\System32\svchost.exe -k LocalService [2016-7-16 44496]
R2 CDPUserSvc_3055f6e;CDPUserSvc_3055f6e;C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup [2016-7-16 44496]
R2 clreg;Virtual Registry for Containers;C:\WINDOWS\System32\drivers\registry.sys [2016-7-16 70144]
R2 CoreMessagingRegistrar;CoreMessaging;C:\WINDOWS\System32\svchost.exe -k LocalServiceNoNetwork [2016-7-16 44496]
R2 CxAudMsg;Conexant Audio Message Service;C:\WINDOWS\System32\CxAudMsg64.exe [2015-10-12 225496]
R2 DiagTrack;Connected User Experiences and Telemetry;C:\WINDOWS\System32\svchost.exe -k utcsvc [2016-7-16 44496]
R2 ETDService;Elan Service;C:\Program Files\Elantech\ETDService.exe [2016-6-2 144608]
R2 ibtsiva;Intel Bluetooth Service;C:\WINDOWS\System32\ibtsiva --> C:\WINDOWS\System32\ibtsiva [?]
R2 igfxCUIService2.0.0.0;Intel(R) HD Graphics Control Panel Service;C:\WINDOWS\System32\igfxCUIService.exe [2016-4-25 373752]
R2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [2015-7-10 223520]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\22.8.1.14\nis.exe [2016-11-17 289080]
R2 OneSyncSvc_3055f6e;Sync Host_3055f6e;C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup [2016-7-16 44496]
R2 storqosflt;Storage QoS Filter Driver;C:\WINDOWS\System32\drivers\storqosflt.sys [2016-7-16 78336]
R2 tiledatamodelsvc;Tile Data model server;C:\WINDOWS\System32\svchost.exe -k appmodel [2016-7-16 44496]
R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2015-7-13 93040]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;C:\Program Files\TOSHIBA\Teco\TecoService.exe [2015-7-6 331056]
R2 TOSRMService;TOSRMService;C:\Program Files (x86)\TOSHIBA\TOSHIBA System Driver\RMService.exe [2015-6-24 326960]
R2 UserManager;User Manager;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
R2 wcifs;Windows Container Isolation;C:\WINDOWS\System32\drivers\wcifs.sys [2016-9-30 119648]
R2 wcnfs;Windows Container Name Virtualization;C:\WINDOWS\System32\drivers\wcnfs.sys [2016-7-16 66560]
R2 WpnService;Windows Push Notifications System Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
R2 ZeroConfigService;Intel(R) PROSet/Wireless Zero Configuration Service;C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2015-6-11 3831200]
R3 ClipSVC;Client License Service (ClipSVC);C:\WINDOWS\System32\svchost.exe -k wsappx [2016-7-16 44496]
R3 DsSvc;Data Sharing Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
R3 dts_apo_service;DTS APO Service;C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe [2015-5-27 19960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2017-1-27 156824]
R3 ETD;ELAN Input Device;C:\WINDOWS\System32\drivers\ETD.sys [2016-6-2 580696]
R3 ETDSMBus;ETDSMBus;C:\WINDOWS\System32\drivers\ETDSMBus.sys [2016-5-4 31832]
R3 ibtusb;Intel(R) Wireless Bluetooth(R);C:\WINDOWS\System32\drivers\ibtusb.sys [2016-7-12 349960]
R3 IntcDAud;Intel(R) Display Audio;C:\WINDOWS\System32\drivers\IntcDAud.sys [2016-5-12 481768]
R3 lfsvc;Geolocation Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
R3 LicenseManager;Windows License Manager Service;C:\WINDOWS\System32\svchost.exe -k LocalService [2016-7-16 44496]
R3 NcbService;Network Connection Broker;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
R3 NdisVirtualBus;Microsoft Virtual Network Adapter Enumerator;C:\WINDOWS\System32\drivers\NdisVirtualBus.sys [2016-7-16 20480]
R3 NETwNb64;___ Intel(R) Wireless Adapter Driver for Windows 8.1 - 64 Bit;C:\WINDOWS\System32\drivers\Netwbw02.sys [2015-6-21 3776792]
R3 NgcCtnrSvc;Microsoft Passport Container;C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted [2016-7-16 44496]
R3 PimIndexMaintenanceSvc_3055f6e;Contact Data_3055f6e;C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup [2016-7-16 44496]
R3 QIOMem;Generic IO & Memory Access;C:\WINDOWS\System32\drivers\QIOMem.sys [2015-5-5 14000]
R3 RSP2STOR;Realtek PCIE CardReader Driver - P2;C:\WINDOWS\System32\drivers\RtsP2Stor.sys [2015-10-12 301784]
R3 rt640x64;Realtek RT640 NT Driver;C:\WINDOWS\System32\drivers\rt640x64.sys [2015-10-12 895256]
R3 StateRepository;State Repository Service;C:\WINDOWS\System32\svchost.exe -k appmodel [2016-7-16 44496]
R3 TemproMonitoringService;TEMPRO Service;C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [2015-11-17 120392]
R3 TimeBrokerSvc;Time Broker;C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted [2016-7-16 44496]
R3 TMachInfo;TMachInfo;C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2014-4-3 53896]
R3 UEFI;Microsoft UEFI Driver;C:\WINDOWS\System32\drivers\uefi.sys [2016-7-16 28512]
R3 UnistoreSvc_3055f6e;User Data Storage_3055f6e;C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup [2016-7-16 44496]
R3 UserDataSvc_3055f6e;User Data Access_3055f6e;C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup [2016-7-16 44496]
S0 SymELAM;Symantec ELAM Driver;C:\WINDOWS\System32\drivers\NISx64\1608010.00E\symelam.sys [2016-11-17 24192]
S2 DoSvc;Delivery Optimization;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S2 MapsBroker;Downloaded Maps Manager;C:\WINDOWS\System32\svchost.exe -k NetworkService [2016-7-16 44496]
S3 AcpiDev;ACPI Devices driver;C:\WINDOWS\System32\drivers\AcpiDev.sys [2016-7-16 18432]
S3 ADP80XX;ADP80XX;C:\WINDOWS\System32\drivers\adp80xx.sys [2016-7-16 1135456]
S3 AJRouter;AllJoyn Router Service;C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted [2016-7-16 44496]
S3 applockerfltr;Smartlocker Filter Driver;C:\WINDOWS\System32\drivers\applockerfltr.sys [2016-7-16 15360]
S3 AppReadiness;App Readiness;C:\WINDOWS\System32\svchost.exe -k AppReadiness [2016-7-16 44496]
S3 AppXSvc;AppX Deployment Service (AppXSVC);C:\WINDOWS\System32\svchost.exe -k wsappx [2016-7-16 44496]
S3 bcmfn;bcmfn Service;C:\WINDOWS\System32\drivers\bcmfn.sys [2016-7-16 9728]
S3 bcmfn2;bcmfn2 Service;C:\WINDOWS\System32\drivers\bcmfn2.sys [2016-7-16 9728]
S3 BthHFSrv;Bluetooth Handsfree Service;C:\WINDOWS\System32\svchost.exe -k LocalServiceAndNoImpersonation [2016-7-16 44496]
S3 buttonconverter;Service for Portable Device Control devices;C:\WINDOWS\System32\drivers\buttonconverter.sys [2016-7-16 38912]
S3 CapImg;HID driver for CapImg touch screen;C:\WINDOWS\System32\drivers\capimg.sys [2016-10-28 118272]
S3 cht4iscsi;cht4iscsi;C:\WINDOWS\System32\drivers\cht4sx64.sys [2016-7-16 346976]
S3 cht4vbd;Chelsio Virtual Bus Driver;C:\WINDOWS\System32\drivers\cht4vx64.sys [2016-7-16 2104160]
S3 DcpSvc;DataCollectionPublishingService;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 DevQueryBroker;DevQuery Background Discovery Broker;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 diagnosticshub.standardcollector.service;Microsoft (R) Diagnostics Hub Standard Collector Service;C:\WINDOWS\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe [2016-7-16 93184]
S3 DmEnrollmentSvc;Device Management Enrollment Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 dmwappushservice;dmwappushsvc;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 embeddedmode;Embedded Mode;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 EntAppSvc;Enterprise App Management Service;C:\WINDOWS\System32\svchost.exe -k appmodel [2016-7-16 44496]
S3 FrameServer;Windows Camera Frame Server;C:\WINDOWS\System32\svchost.exe -k Camera [2016-7-16 44496]
S3 genericusbfn;Generic USB Function Class;C:\WINDOWS\System32\drivers\genericusbfn.sys [2016-7-16 20480]
S3 hidinterrupt;Common Driver for HID Buttons implemented with interrupts;C:\WINDOWS\System32\drivers\hidinterrupt.sys [2016-7-16 50016]
S3 HvHost;HV Host Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 iagpio;Intel Serial IO GPIO Controller Driver;C:\WINDOWS\System32\drivers\iagpio.sys [2016-7-16 33280]
S3 iai2c;Intel(R) Serial IO I2C Host Controller;C:\WINDOWS\System32\drivers\iai2c.sys [2016-7-16 81408]
S3 iaLPSS2i_GPIO2;Intel(R) Serial IO GPIO Driver v2;C:\WINDOWS\System32\drivers\iaLPSS2i_GPIO2.sys [2016-7-16 64512]
S3 iaLPSS2i_I2C;Intel(R) Serial IO I2C Driver v2;C:\WINDOWS\System32\drivers\iaLPSS2i_I2C.sys [2016-7-16 176384]
S3 iaLPSSi_GPIO;Intel(R) Serial IO GPIO Controller Driver;C:\WINDOWS\System32\drivers\iaLPSSi_GPIO.sys [2016-7-16 38128]
S3 iaLPSSi_I2C;Intel(R) Serial IO I2C Controller Driver;C:\WINDOWS\System32\drivers\iaLPSSi_I2C.sys [2016-7-16 113152]
S3 iaStorAV;Intel(R) SATA RAID Controller Windows;C:\WINDOWS\System32\drivers\iaStorAV.sys [2016-7-16 673120]
S3 ibbus;Mellanox InfiniBand Bus/AL (Filter Driver);C:\WINDOWS\System32\drivers\ibbus.sys [2016-7-16 526176]
S3 icssvc;Windows Mobile Hotspot Service;C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted [2016-7-16 44496]
S3 IndirectKmd;Indirect Displays Kernel-Mode Driver;C:\WINDOWS\System32\drivers\IndirectKmd.sys [2016-7-16 35840]
S3 Intel(R) Capability Licensing Service TCP IP Interface;Intel(R) Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [2015-5-21 881152]
S3 LSI_SAS2i;LSI_SAS2i;C:\WINDOWS\System32\drivers\lsi_sas2i.sys [2016-7-16 105824]
S3 LSI_SAS3i;LSI_SAS3i;C:\WINDOWS\System32\drivers\lsi_sas3i.sys [2016-7-16 101216]
S3 megasas2i;megasas2i;C:\WINDOWS\System32\drivers\MegaSas2i.sys [2016-10-12 64352]
S3 MessagingService_3055f6e;MessagingService_3055f6e;C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup [2016-7-16 44496]
S3 mlx4_bus;Mellanox ConnectX Bus Enumerator;C:\WINDOWS\System32\drivers\mlx4_bus.sys [2016-7-16 842584]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2015-6-11 268192]
S3 ndfltr;NetworkDirect Service;C:\WINDOWS\System32\drivers\ndfltr.sys [2016-7-16 108896]
S3 NetAdapterCx;Network Adapter Wdf Class Extension Library;C:\WINDOWS\System32\drivers\NetAdapterCx.sys [2016-7-16 90624]
S3 NetSetupSvc;Network Setup Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 NgcSvc;Microsoft Passport;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 percsas2i;percsas2i;C:\WINDOWS\System32\drivers\percsas2i.sys [2016-7-16 58720]
S3 percsas3i;percsas3i;C:\WINDOWS\System32\drivers\percsas3i.sys [2016-7-16 61792]
S3 PhoneSvc;Phone Service;C:\WINDOWS\System32\svchost.exe -k LocalService [2016-7-16 44496]
S3 ReFSv1;ReFSv1;C:\WINDOWS\System32\drivers\refsv1.sys [2016-7-16 928608]
S3 RetailDemo;Retail Demo Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 ScDeviceEnum;Smart Card Device Enumeration Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 scmbus;Microsoft Storage Class Memory Bus Driver;C:\WINDOWS\System32\drivers\scmbus.sys [2016-7-16 88416]
S3 scmdisk0101;Microsoft NVDIMM-N disk driver;C:\WINDOWS\System32\drivers\scmdisk0101.sys [2016-7-16 123904]
S3 SensorDataService;Sensor Data Service;C:\WINDOWS\System32\SensorDataService.exe [2016-9-14 1312768]
S3 SensorService;Sensor Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 SerCx2;Serial UART Support Library;C:\WINDOWS\System32\drivers\SerCx2.sys [2016-7-16 151904]
S3 smphost;Microsoft Storage Spaces SMP;C:\WINDOWS\System32\svchost.exe -k smphost [2016-7-16 44496]
S3 SmsRouter;Microsoft Windows SMS Router Service.;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 stornvme;Microsoft Standard NVM Express Driver;C:\WINDOWS\System32\drivers\stornvme.sys [2016-9-30 81760]
S3 storufs;Microsoft Universal Flash Storage (UFS) Driver;C:\WINDOWS\System32\drivers\storufs.sys [2016-7-16 32096]
S3 TieringEngineService;Storage Tiers Management;C:\WINDOWS\System32\TieringEngineService.exe [2016-7-16 287744]
S3 TPCHSrv;TPCH Service;C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe [2015-7-21 973104]
S3 UcmCx0101;USB Connector Manager KMDF Class Extension;C:\WINDOWS\System32\drivers\UcmCx.sys [2016-7-16 95744]
S3 UcmTcpciCx0101;UCM-TCPCI KMDF Class Extension;C:\WINDOWS\System32\drivers\UcmTcpciCx.sys [2016-7-16 108544]
S3 UcmUcsi;USB Connector Manager UCSI Client;C:\WINDOWS\System32\drivers\UcmUcsi.sys [2016-7-16 50688]
S3 UdeCx;USB Device Emulation Support Library;C:\WINDOWS\System32\drivers\Udecx.sys [2016-7-16 45568]
S3 Ufx01000;USB Function Class Extension;C:\WINDOWS\System32\drivers\ufx01000.sys [2016-7-16 263008]
S3 UfxChipidea;USB Chipidea Controller;C:\WINDOWS\System32\drivers\UfxChipidea.sys [2016-7-16 96608]
S3 ufxsynopsys;USB Synopsys Controller;C:\WINDOWS\System32\drivers\ufxsynopsys.sys [2016-7-16 137056]
S3 UrsChipidea;Chipidea USB Role-Switch Driver;C:\WINDOWS\System32\drivers\urschipidea.sys [2016-7-16 28512]
S3 UrsCx01000;USB Role-Switch Support Library;C:\WINDOWS\System32\drivers\urscx01000.sys [2016-7-16 57696]
S3 UrsSynopsys;Synopsys USB Role-Switch Driver;C:\WINDOWS\System32\drivers\urssynopsys.sys [2016-7-16 27488]
S3 UsoSvc;Update Orchestrator Service for Windows Update;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 vhf;Virtual HID Framework (VHF) Driver;C:\WINDOWS\System32\drivers\vhf.sys [2016-7-16 32256]
S3 vmgid;Microsoft Hyper-V Guest Infrastructure Driver;C:\WINDOWS\System32\drivers\vmgid.sys [2016-7-16 10240]
S3 vmicguestinterface;Hyper-V Guest Service Interface;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 vmicvmsession;Hyper-V PowerShell Direct Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2016-7-16 44496]
S3 WalletService;WalletService;C:\WINDOWS\System32\svchost.exe -k appmodel [2016-7-16 44496]
S3 wdiwifi;WDI Driver Framework;C:\WINDOWS\System32\drivers\WdiWiFi.sys [2016-9-30 719360]
S3 WdNisDrv;Windows Defender Network Inspection System Driver;C:\WINDOWS\System32\drivers\WdNisDrv.sys [2016-7-16 123232]
S3 WdNisSvc;Windows Defender Network Inspection Service;C:\Program Files\Windows Defender\NisSrv.exe [2016-7-16 347328]
S3 WEPHOSTSVC;Windows Encryption Provider Host Service;C:\WINDOWS\System32\svchost.exe -k WepHostSvcGroup [2016-7-16 44496]
S3 WinMad;WinMad Service;C:\WINDOWS\System32\drivers\winmad.sys [2016-7-16 32096]
S3 WinVerbs;WinVerbs Service;C:\WINDOWS\System32\drivers\winverbs.sys [2016-7-16 64864]
S3 wisvc;Windows Insider Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 workfolderssvc;Work Folders;C:\WINDOWS\System32\svchost.exe -k LocalService [2016-7-16 44496]
S3 WpnUserService_3055f6e;Windows Push Notifications User Service_3055f6e;C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup [2016-7-16 44496]
S3 XblAuthManager;Xbox Live Auth Manager;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 XblGameSave;Xbox Live Game Save;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 xboxgip;Xbox Game Input Protocol Driver;C:\WINDOWS\System32\drivers\xboxgip.sys [2016-12-10 258560]
S3 XboxNetApiSvc;Xbox Live Networking Service;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S3 xinputhid;XINPUT HID Filter Driver;C:\WINDOWS\System32\drivers\xinputhid.sys [2016-9-1 43520]
S4 shpamsvc;Shared PC Account Manager;C:\WINDOWS\System32\svchost.exe -k netsvcs [2016-7-16 44496]
S4 tzautoupdate;Auto Time Zone Updater;C:\WINDOWS\System32\svchost.exe -k LocalService [2016-7-16 44496]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\WINDOWS\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2017-01-27 18:08:00 -------- d-----w- C:\ProgramData\Trusteer
2017-01-27 13:09:41 -------- d-----w- C:\Program Files (x86)\Citrix
2017-01-27 13:09:27 -------- d-----w- C:\Users\Loulou\AppData\Local\Citrix
2017-01-25 08:39:42 142848 ----a-w- C:\WINDOWS\System32\poqexec.exe
2017-01-25 08:39:42 120320 ----a-w- C:\WINDOWS\SysWow64\poqexec.exe
2017-01-11 15:14:59 947712 ----a-w- C:\WINDOWS\System32\MSVP9DEC.dll
.
==================== Find3M ====================
.
2017-01-30 12:31:02 180 ----a-w- C:\WINDOWS\System32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-01-27 15:29:00 192216 ----a-w- C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys
2017-01-14 18:36:17 200 ----a-w- C:\WINDOWS\System32\{EC94D02F-D200-4428-9531-05AF7F9799CB}.bat
2016-12-22 23:13:26 835576 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerApp.exe
2016-12-22 23:13:26 177656 ----a-w- C:\WINDOWS\SysWow64\FlashPlayerCPLApp.cpl
2016-12-21 08:08:31 245600 ----a-w- C:\WINDOWS\System32\offlinesam.dll
2016-12-21 08:08:17 136032 ----a-w- C:\WINDOWS\System32\ImplatSetup.dll
2016-12-21 08:04:10 7816032 ----a-w- C:\WINDOWS\System32\ntoskrnl.exe
2016-12-21 07:49:39 328008 ----a-w- C:\WINDOWS\System32\Windows.Storage.ApplicationData.dll
2016-12-21 07:46:39 624048 ----a-w- C:\WINDOWS\System32\drivers\cng.sys
2016-12-21 07:43:56 92512 ----a-w- C:\WINDOWS\System32\rdpudd.dll
2016-12-21 07:43:06 4130440 ----a-w- C:\WINDOWS\System32\mfcore.dll
2016-12-21 07:43:01 1454504 ----a-w- C:\WINDOWS\System32\mfnetsrc.dll
2016-12-21 07:43:00 1071736 ----a-w- C:\WINDOWS\System32\mfnetcore.dll
2016-12-21 07:42:59 1988560 ----a-w- C:\WINDOWS\System32\mfmp4srcsnk.dll
2016-12-21 07:42:55 1702392 ----a-w- C:\WINDOWS\System32\mfasfsrcsnk.dll
2016-12-21 07:42:54 1300600 ----a-w- C:\WINDOWS\System32\mfmpeg2srcsnk.dll
2016-12-21 07:42:27 241504 ----a-w- C:\WINDOWS\System32\CloudExperienceHost.dll
2016-12-21 07:41:56 1600632 ----a-w- C:\WINDOWS\System32\sppobjs.dll
2016-12-21 07:37:23 455520 ----a-w- C:\WINDOWS\System32\securekernel.exe
2016-12-21 07:15:01 22563840 ----a-w- C:\WINDOWS\System32\edgehtml.dll
2016-12-21 07:14:11 43008 ----a-w- C:\WINDOWS\System32\LaunchWinApp.exe
2016-12-21 07:13:54 119808 ----a-w- C:\WINDOWS\System32\KnobsCsp.dll
2016-12-21 07:12:14 83968 ----a-w- C:\WINDOWS\System32\ProvPluginEng.dll
2016-12-21 07:10:22 175104 ----a-w- C:\WINDOWS\System32\wbem\netswitchteamcim.dll
2016-12-21 07:10:09 234496 ----a-w- C:\WINDOWS\System32\KnobsCore.dll
2016-12-21 07:09:56 363520 ----a-w- C:\WINDOWS\System32\Windows.UI.BioFeedback.dll
2016-12-21 07:09:13 368640 ----a-w- C:\WINDOWS\System32\OneBackupHandler.dll
2016-12-21 07:08:35 211968 ----a-w- C:\WINDOWS\System32\InstallAgent.exe
2016-12-21 07:08:33 261632 ----a-w- C:\WINDOWS\System32\wbem\ndisimplatcim.dll
2016-12-21 07:08:27 360448 ----a-w- C:\WINDOWS\System32\rdpencom.dll
2016-12-21 07:08:23 289792 ----a-w- C:\WINDOWS\System32\DeveloperOptionsSettingsHandlers.dll
2016-12-21 07:08:14 418304 ----a-w- C:\WINDOWS\System32\Windows.UI.BlockedShutdown.dll
2016-12-21 07:08:06 349184 ----a-w- C:\WINDOWS\System32\provengine.dll
2016-12-21 07:08:03 1292288 ----a-w- C:\WINDOWS\System32\MSVPXENC.dll
2016-12-21 07:07:10 748544 ----a-w- C:\WINDOWS\System32\StoreAgent.dll
2016-12-21 0749 260608 ----a-w- C:\WINDOWS\System32\InstallAgentUserBroker.exe
2016-12-21 0749 147456 ----a-w- C:\WINDOWS\System32\winsrv.dll
2016-12-21 0726 310784 ----a-w- C:\WINDOWS\System32\SyncSettings.dll
2016-12-21 0705 6285312 ----a-w- C:\WINDOWS\System32\Windows.Media.dll
2016-12-21 07:05:21 261632 ----a-w- C:\WINDOWS\System32\indexeddbserver.dll
2016-12-21 07:05:01 49152 ----a-w- C:\WINDOWS\System32\Windows.UI.Shell.dll
2016-12-21 07:05:01 425984 ----a-w- C:\WINDOWS\System32\aadcloudap.dll
2016-12-21 07:01:42 9131008 ----a-w- C:\WINDOWS\System32\twinui.dll
2016-12-21 07:00:29 440320 ----a-w- C:\WINDOWS\System32\fhcfg.dll
2016-12-21 06:59:50 883712 ----a-w- C:\WINDOWS\System32\samsrv.dll
2016-12-21 06:59:31 1908224 ----a-w- C:\WINDOWS\System32\AzureSettingSyncProvider.dll
2016-12-21 06:57:48 462336 ----a-w- C:\WINDOWS\System32\fhsettingsprovider.dll
2016-12-21 06:56:56 936960 ----a-w- C:\WINDOWS\System32\MCRecvSrc.dll
2016-12-21 06:55:16 8129536 ----a-w- C:\WINDOWS\System32\Chakra.dll
2016-12-21 06:55:09 4749312 ----a-w- C:\WINDOWS\System32\SettingsHandlers_nt.dll
2016-12-21 06:54:14 5511680 ----a-w- C:\WINDOWS\System32\aclui.dll
2016-12-21 06:53:19 6664192 ----a-w- C:\WINDOWS\System32\mspaint.exe
2016-12-21 06:53:13 4474368 ----a-w- C:\WINDOWS\System32\D3DCompiler_47.dll
2016-12-21 06:53:10 1692672 ----a-w- C:\WINDOWS\System32\AppXDeploymentExtensions.onecore.dll
2016-12-21 06:51:56 5611008 ----a-w- C:\WINDOWS\System32\d2d1.dll
2016-12-21 06:51:53 2275840 ----a-w- C:\WINDOWS\System32\AppXDeploymentServer.dll
2016-12-21 06:51:41 8075776 ----a-w- C:\WINDOWS\System32\mstscax.dll
2016-12-21 06:50:57 1490432 ----a-w- C:\WINDOWS\System32\lsasrv.dll
2016-12-21 06:49:55 2691072 ----a-w- C:\WINDOWS\System32\Windows.UI.Logon.dll
2016-12-21 06:49:43 1062912 ----a-w- C:\WINDOWS\System32\SettingSyncCore.dll
2016-12-21 06:49:25 4149248 ----a-w- C:\WINDOWS\System32\rdpcorets.dll
2016-12-21 06:47:47 1121280 ----a-w- C:\WINDOWS\System32\aadtb.dll
2016-12-21 05:59:21 218976 ----a-w- C:\WINDOWS\SysWow64\offlinesam.dll
2016-12-21 05:09:45 263472 ----a-w- C:\WINDOWS\SysWow64\Windows.Storage.ApplicationData.dll
2016-12-21 05:02:16 1852720 ----a-w- C:\WINDOWS\SysWow64\mfmp4srcsnk.dll
2016-12-21 05:02:12 3892864 ----a-w- C:\WINDOWS\SysWow64\mfcore.dll
2016-12-21 05:02:09 1277344 ----a-w- C:\WINDOWS\SysWow64\mfasfsrcsnk.dll
2016-12-21 05:02:02 1360464 ----a-w- C:\WINDOWS\SysWow64\mfnetsrc.dll
2016-12-21 05:02:01 980832 ----a-w- C:\WINDOWS\SysWow64\mfnetcore.dll
2016-12-21 05:02:00 1201872 ----a-w- C:\WINDOWS\SysWow64\mfmpeg2srcsnk.dll
2016-12-21 04:46:55 34304 ----a-w- C:\WINDOWS\SysWow64\LaunchWinApp.exe
2016-12-21 04:43:09 285184 ----a-w- C:\WINDOWS\SysWow64\Windows.UI.BlockedShutdown.dll
2016-12-21 04:41:59 253952 ----a-w- C:\WINDOWS\SysWow64\Windows.UI.BioFeedback.dll
2016-12-21 04:41:15 231936 ----a-w- C:\WINDOWS\SysWow64\Windows.ApplicationModel.LockScreen.dll
2016-12-21 04:40:57 180224 ----a-w- C:\WINDOWS\SysWow64\InstallAgent.exe
2016-12-21 04:40:43 237056 ----a-w- C:\WINDOWS\SysWow64\SyncSettings.dll
2016-12-21 04:40:39 318976 ----a-w- C:\WINDOWS\SysWow64\rdpencom.dll
2016-12-21 04:40:07 557568 ----a-w- C:\WINDOWS\SysWow64\StoreAgent.dll
2016-12-21 04:39:58 1300480 ----a-w- C:\WINDOWS\SysWow64\MSVPXENC.dll
2016-12-21 04:39:04 223232 ----a-w- C:\WINDOWS\SysWow64\InstallAgentUserBroker.exe
2016-12-21 04:38:54 866816 ----a-w- C:\WINDOWS\SysWow64\Windows.UI.Cred.dll
2016-12-21 04:35:42 198656 ----a-w- C:\WINDOWS\SysWow64\indexeddbserver.dll
2016-12-21 04:35:28 4612608 ----a-w- C:\WINDOWS\SysWow64\Windows.Media.dll
2016-12-21 04:34:53 7626752 ----a-w- C:\WINDOWS\SysWow64\twinui.dll
2016-12-21 04:33:09 19413504 ----a-w- C:\WINDOWS\SysWow64\edgehtml.dll
2016-12-21 04:30:56 5398016 ----a-w- C:\WINDOWS\SysWow64\aclui.dll
2016-12-21 04:30:06 1255936 ----a-w- C:\WINDOWS\SysWow64\AzureSettingSyncProvider.dll
2016-12-21 04:27:12 640000 ----a-w- C:\WINDOWS\SysWow64\MCRecvSrc.dll
2016-12-21 04:26:36 1155072 ----a-w- C:\WINDOWS\SysWow64\MSVP9DEC.dll
2016-12-21 04:25:44 7469056 ----a-w- C:\WINDOWS\SysWow64\mstscax.dll
2016-12-21 04:25:42 6474752 ----a-w- C:\WINDOWS\SysWow64\mspaint.exe
2016-12-21 04:24:58 6044160 ----a-w- C:\WINDOWS\SysWow64\Chakra.dll
2016-12-21 04:24:30 5061120 ----a-w- C:\WINDOWS\SysWow64\d2d1.dll
2016-12-21 04:24:11 886272 ----a-w- C:\WINDOWS\SysWow64\aadtb.dll
2016-12-21 04:24:09 3733504 ----a-w- C:\WINDOWS\SysWow64\D3DCompiler_47.dll
2016-12-21 04:22:44 1883648 ----a-w- C:\WINDOWS\SysWow64\Windows.UI.Logon.dll
2016-12-21 04:22:32 860672 ----a-w- C:\WINDOWS\SysWow64\SettingSyncCore.dll
2016-12-14 05:41:35 1235296 ----a-w- C:\WINDOWS\System32\aeinv.dll
2016-12-14 05:41:32 590960 ----a-w- C:\WINDOWS\System32\AudioSes.dll
.
============= FINISH: 15:19:55.36 ===============
Attached Files
File Type: txt attach.txt (4.1 KB, 45 views)
Andy Kay is offline  
Sponsored Links
Advertisement
 
Old 02-04-2017, 01:52 PM   #2
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



BUMP, please.
Andy Kay is offline  
Old 02-07-2017, 09:53 AM   #3
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



BUMP, please
Andy Kay is offline  
Sponsored Links
Advertisement
 
Old 02-08-2017, 05:45 AM   #4
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Andy Kay,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download to and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My native language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Now, let's get started, shall we?

Please do the below steps.

STEP 1

Please download AdwCleaner from here and save it to your desktop.

Click the green 'Download now @bleepingcomputer' button.
Run AdwCleaner and select Scan
Once the Scan is done, select Clean
Once done it will ask to reboot, please allow the reboot.
On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
Please copy/paste the contents of the log in your next reply.

STEP 2

Please download Farbar Recovery Scan Tool and save it to your desktop.

Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
Make sure the Addition.txt button is ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

=========================================================

Things I need to see in your next post:
  • AdwCleaner[C#].txt
  • Addition.txt
  • FRST.txt
__________________
tekir06 is offline  
Old 02-09-2017, 06:17 AM   #5
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



Thank you for your help Tolga.
Hopefully I have completed all the tasks you set for me, and the required logs are copied/attached here.



# AdwCleaner v6.043 - Logfile created 09/02/2017 at 13:52:32
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-09.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : Loulou - LAPTOP-B2LB2N6H
# Running from : C:\Users\Loulou\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Users\Loulou\AppData\Local\Host App Service
[-] Folder deleted: C:\ProgramData\Booking.com
[#] Folder deleted on reboot: C:\Users\Loulou\AppData\Local\Host App Service
[-] Folder deleted: C:\Users\Default\AppData\Local\Host App Service
[-] Folder deleted: C:\Users\Public\Pokki


***** [ Files ] *****

[-] File deleted: C:\Users\Loulou\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\App Explorer.lnk
[-] File deleted: C:\Users\Loulou\Desktop\eBay.lnk
[-] File deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\App Explorer.lnk


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****

[-] Task deleted: App Explorer


***** [ Registry ] *****

[-] Key deleted: HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\Software\Host App Service
[-] Key deleted: HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[#] Key deleted on reboot: HKCU\Software\Host App Service
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[#] Key deleted on reboot: [x64] HKCU\Software\Host App Service
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
[-] Key deleted: HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ask.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Ask.com - What's Your Question?
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ask.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Ask.com - What's Your Question?
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ask.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Ask.com - What's Your Question?
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ask.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Ask.com - What's Your Question?


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [4025 Bytes] - [09/02/2017 13:52:32]
C:\AdwCleaner\AdwCleaner[S0].txt - [4085 Bytes] - [09/02/2017 13:51:25]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [4171 Bytes] ##########
Attached Files
File Type: txt FRST.txt (41.1 KB, 46 views)
File Type: txt Addition.txt (25.1 KB, 47 views)
Andy Kay is offline  
Old 02-10-2017, 01:52 PM   #6
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Andy Kay,

Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
Task: {127E7245-C62A-4F5B-B50E-145F3E74FF16} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display -> No File <==== ATTENTION
Task: {4AB423B9-A92D-4BD2-9728-214ECDC16348} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot -> No File <==== ATTENTION
Task: {50F38699-58A3-4A2E-8EC3-B6D034EFCC6C} - \Toshiba\CommonNotifier -> No File <==== ATTENTION
Task: {62892DFB-B003-4708-9C90-54B7C4FFC82C} - \Microsoft\Windows\UpdateOrchestrator\Policy Install -> No File <==== ATTENTION
Task: {715B7D74-E0D3-48F7-A959-4EBCE0E43B06} - \dts_apo_service_task -> No File <==== ATTENTION
Task: {721B05DE-F970-4FEB-8552-CAE8D64EA0ED} - \Resolution+ Setting Task -> No File <==== ATTENTION
Task: {8CEEDBB2-F9E4-4792-BC7E-8BCA352BB938} - \DropboxOEM -> No File <==== ATTENTION
Task: {9562F93F-A837-4753-A338-55EC9FB6581A} - \Microsoft\Windows\MUI\Lpksetup -> No File <==== ATTENTION
Task: {9EE37D6F-AF29-457D-B019-8D727EA8B9F9} - \Microsoft\Office\Microsoft Office Touchless Attach Notification -> No File <==== ATTENTION
Task: {A2D6CCCC-ACEC-4321-A88B-1214BEC79C5C} - \Microsoft\Windows\MUI\Mcbuilder -> No File <==== ATTENTION
Task: {B5B3A8C7-3F28-4069-B9D4-83DDCCA5EBCE} - \BTSchedulerTask -> No File <==== ATTENTION
Task: {D63FA765-782F-47FC-A68C-05265DAB3F61} - \Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval -> No File <==== ATTENTION
Task: {E6010D43-6AE7-4B59-8E67-EC78FD8E8E96} - \Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler -> No File <==== ATTENTION
Task: {EB0DE6E5-57AE-4A4B-A159-D78F963CA4BC} - \TOSHIBA\Service Station -> No File <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2762926265-1076335583-2018748949-1001 -> DefaultScope {C1CC6A56-F33D-4ACF-90B7-2E385B91546F} URL = 
SearchScopes: HKU\S-1-5-21-2762926265-1076335583-2018748949-1001 -> {C1CC6A56-F33D-4ACF-90B7-2E385B91546F} URL = 
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
__________________
tekir06 is offline  
Old 02-11-2017, 07:08 AM   #7
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



Fix result of Farbar Recovery Scan Tool (x64) Version: 11-02-2017 01
Ran by Loulou (11-02-2017 14:56:28) Run:1
Running from C:\Users\Loulou\Desktop
Loaded Profiles: Loulou (Available Profiles: Loulou)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Task: {127E7245-C62A-4F5B-B50E-145F3E74FF16} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display -> No File <==== ATTENTION
Task: {4AB423B9-A92D-4BD2-9728-214ECDC16348} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot -> No File <==== ATTENTION
Task: {50F38699-58A3-4A2E-8EC3-B6D034EFCC6C} - \Toshiba\CommonNotifier -> No File <==== ATTENTION
Task: {62892DFB-B003-4708-9C90-54B7C4FFC82C} - \Microsoft\Windows\UpdateOrchestrator\Policy Install -> No File <==== ATTENTION
Task: {715B7D74-E0D3-48F7-A959-4EBCE0E43B06} - \dts_apo_service_task -> No File <==== ATTENTION
Task: {721B05DE-F970-4FEB-8552-CAE8D64EA0ED} - \Resolution+ Setting Task -> No File <==== ATTENTION
Task: {8CEEDBB2-F9E4-4792-BC7E-8BCA352BB938} - \DropboxOEM -> No File <==== ATTENTION
Task: {9562F93F-A837-4753-A338-55EC9FB6581A} - \Microsoft\Windows\MUI\Lpksetup -> No File <==== ATTENTION
Task: {9EE37D6F-AF29-457D-B019-8D727EA8B9F9} - \Microsoft\Office\Microsoft Office Touchless Attach Notification -> No File <==== ATTENTION
Task: {A2D6CCCC-ACEC-4321-A88B-1214BEC79C5C} - \Microsoft\Windows\MUI\Mcbuilder -> No File <==== ATTENTION
Task: {B5B3A8C7-3F28-4069-B9D4-83DDCCA5EBCE} - \BTSchedulerTask -> No File <==== ATTENTION
Task: {D63FA765-782F-47FC-A68C-05265DAB3F61} - \Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval -> No File <==== ATTENTION
Task: {E6010D43-6AE7-4B59-8E67-EC78FD8E8E96} - \Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler -> No File <==== ATTENTION
Task: {EB0DE6E5-57AE-4A4B-A159-D78F963CA4BC} - \TOSHIBA\Service Station -> No File <==== ATTENTION
SearchScopes: HKU\S-1-5-21-2762926265-1076335583-2018748949-1001 -> DefaultScope {C1CC6A56-F33D-4ACF-90B7-2E385B91546F} URL =
SearchScopes: HKU\S-1-5-21-2762926265-1076335583-2018748949-1001 -> {C1CC6A56-F33D-4ACF-90B7-2E385B91546F} URL =
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{127E7245-C62A-4F5B-B50E-145F3E74FF16} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{127E7245-C62A-4F5B-B50E-145F3E74FF16} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4AB423B9-A92D-4BD2-9728-214ECDC16348} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4AB423B9-A92D-4BD2-9728-214ECDC16348} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{50F38699-58A3-4A2E-8EC3-B6D034EFCC6C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50F38699-58A3-4A2E-8EC3-B6D034EFCC6C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Toshiba\CommonNotifier => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{62892DFB-B003-4708-9C90-54B7C4FFC82C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{62892DFB-B003-4708-9C90-54B7C4FFC82C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Policy Install => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{715B7D74-E0D3-48F7-A959-4EBCE0E43B06} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{715B7D74-E0D3-48F7-A959-4EBCE0E43B06} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dts_apo_service_task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{721B05DE-F970-4FEB-8552-CAE8D64EA0ED} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{721B05DE-F970-4FEB-8552-CAE8D64EA0ED} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Resolution+ Setting Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8CEEDBB2-F9E4-4792-BC7E-8BCA352BB938} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CEEDBB2-F9E4-4792-BC7E-8BCA352BB938} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DropboxOEM => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{9562F93F-A837-4753-A338-55EC9FB6581A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9562F93F-A837-4753-A338-55EC9FB6581A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MUI\Lpksetup => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9EE37D6F-AF29-457D-B019-8D727EA8B9F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9EE37D6F-AF29-457D-B019-8D727EA8B9F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Microsoft Office Touchless Attach Notification => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A2D6CCCC-ACEC-4321-A88B-1214BEC79C5C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2D6CCCC-ACEC-4321-A88B-1214BEC79C5C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\MUI\Mcbuilder => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B5B3A8C7-3F28-4069-B9D4-83DDCCA5EBCE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B5B3A8C7-3F28-4069-B9D4-83DDCCA5EBCE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BTSchedulerTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D63FA765-782F-47FC-A68C-05265DAB3F61} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D63FA765-782F-47FC-A68C-05265DAB3F61} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{E6010D43-6AE7-4B59-8E67-EC78FD8E8E96} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6010D43-6AE7-4B59-8E67-EC78FD8E8E96} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{EB0DE6E5-57AE-4A4B-A159-D78F963CA4BC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EB0DE6E5-57AE-4A4B-A159-D78F963CA4BC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TOSHIBA\Service Station => key removed successfully
HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C1CC6A56-F33D-4ACF-90B7-2E385B91546F} => key removed successfully
HKCR\CLSID\{C1CC6A56-F33D-4ACF-90B7-2E385B91546F} => key not found.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 5005297 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 49871500 B
Java, Flash, Steam htmlcache => 20963 B
Windows/system/drivers => 3413285 B
Edge => 116600412 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 30580 B
NetworkService => 6708 B
Loulou => 1457679 B

RecycleBin => 4209 B
EmptyTemp: => 168.2 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:57:34 ====
Andy Kay is offline  
Old 02-13-2017, 03:24 AM   #8
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Andy Kay,

Please do the below steps

STEP 1

Launch Malwarebytes Anti-Malware


On the Settings tab > Detection and Protection subtab, Detection Options section, tick the box Scan for rootkits.
Click on the Scan tab, then click on Start Scan.
A check for database updates will be performed.
After the update check completes, a scan will begin.
With some infections, you may see this message box.
'Could not load DDA driver'
Click Yes to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click 'Remove Selected'.
In most cases, a restart will be required and a prompt will be shown.
Wait for the prompt to restart the computer to appear, then click on Yes.

Posting the Malwarebytes log:

After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export.
Click Text file (*.txt)
In the Save File dialog box which appears, click on Desktop.
In the File name: box type a name for your scan log.
A message box named File Saved should appear stating "Your file has been successfully exported".
Click Ok
Attach that saved log to your next reply.

STEP 2

Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.

You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
Double-click on esetonlinescanner_enu.exe to install and a new window will open. Follow the prompts.
Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
Tick the option Enable detection of potentially unwanted applications
Click on Advanced settings
Make sure that the option Clean threats automatically is unticked.
Ensure these options are ticked:
  • Enable detection of potentially unsafe applications
  • Enable detection of suspicious applications
  • Scan archives
  • Enable Anti-Stealth technology
Click Scan
Wait for the scan to finish.
When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Please copy/paste the contents of the log in your next reply.
To close ESET Online Scanner, select Do not clean then Finish
__________________
tekir06 is offline  
Old 02-14-2017, 09:03 AM   #9
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



C:\Windows\Installer\1c86a.msi a variant of Win32/Systweak.L potentially unwanted application,a variant of Win32/Systweak.N potentially unwanted application
Attached Files
File Type: txt mbam.txt (1.0 KB, 43 views)
Andy Kay is offline  
Old 02-15-2017, 01:18 AM   #10
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Andy Kay,

Please do the following.

Open Notepad (Start > All Programs > Accessories > Notepad).
Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
Save it as fixlist.txt next to FRST64.exe

NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.

Code:
CreateRestorePoint:
C:\Windows\Installer\1c86a.msi
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.


NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

=========================================================

Please re-run FRST tool, attach FRST.txt and Addition.txt logs.
__________________
tekir06 is offline  
Old 02-16-2017, 05:50 AM   #11
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



Fix result of Farbar Recovery Scan Tool (x64) Version: 15-02-2017 02
Ran by Loulou (16-02-2017 13:23:52) Run:2
Running from C:\Users\Loulou\Desktop
Loaded Profiles: Loulou (Available Profiles: Loulou)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
C:\Windows\Installer\1c86a.msi
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
*****************

Restore point was successfully created.
C:\Windows\Installer\1c86a.msi => moved successfully

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2762926265-1076335583-2018748949-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 10522289 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7432418 B
Java, Flash, Steam htmlcache => 2485 B
Windows/system/drivers => 0 B
Edge => 156625040 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 822 B
NetworkService => 0 B
Loulou => 7974728 B

RecycleBin => 0 B
EmptyTemp: => 174.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 13:24:54 ====
Attached Files
File Type: txt Addition.txt (23.6 KB, 39 views)
File Type: txt FRST.txt (21.7 KB, 52 views)
Andy Kay is offline  
Old 02-17-2017, 12:05 AM   #12
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Andy Kay,

Your reports are clear. Let's remove all tools and logs that we use.

CLEAN UP

Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Right-click on delfix.exe and select " Run as administrator " to run it.
  • Ensure Remove disinfection tools is ticked. Also tick: Create registry backup, Purge system restore
  • Click Run
  • delfix will now delete all found traces of our removal process.

Note: The program will run for a few moments and then notepad will open with a log. No need to post this log.

=========================================================

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System. Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Turn on Automatic Updates in Windows 10

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

Backup and Restore - Microsoft Windows

------------------------------------------------------

PREVENTION

Please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 10 here

Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
tekir06 is offline  
Old 02-17-2017, 12:32 AM   #13
Registered Member
 
Join Date: Dec 2015
Posts: 23
OS: Windows 10



Tolga,
thank you so much for you help.
Please let me know how I might show my appreciation by contributing to the upkeep of this website.
Kindest regards,
Andy.
Andy Kay is offline  
Old 02-18-2017, 02:06 PM   #14
Security Team
Analyst
 
tekir06's Avatar
 
Join Date: Oct 2010
Location: Turkiye
Posts: 1,859
OS: Windows 7 (32 Bit)



Hello Andy Kay,

You're welcome. I'm glad to help. Thank you for your patience and cooperation.

Our Service is free.
__________________
tekir06 is offline  
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
Urgent help needed to remove multiple virus :win64/patched.A and Trojan.
Dear tech guru, I got hit by the FBI virus a day and a half ago and later more viruses came in unexpected. Here are the details of my computer and the viruses. I have already backed up my system, and ran the tdsskiller and otl. I would like to completely get rid of the viruses. Your help is...
deesw8 Resolved HJT Threads 52 11-05-2012 09:56 AM
Have a badly infected laptop need help!
Hi I have been having dramas with my laptop and now I really need help to remove the issues causing me major problems. I have AVG anti virus protection installed and when running a scan was being told that I have an infection called Trojan horse hider:MPR The browser I use is firefox and for...
LindsayH Virus/Trojan/Spyware Help 139 06-03-2012 08:01 PM
blue screen, laptop shuts down in safe mode help
Hello, For the last few days my computer shuts down in safe mode every time i wanna do a scan, i disabled reboot and blue screen appeared with message STOP-0x0000008E(0XC0000005,0X8054B0BA,0XEDF2B754,0X00000000) first time then second time this message pxtdrpow.sys , ...
armoni75 Virus/Trojan/Spyware Help 1 01-27-2012 10:44 AM
I can't access Facebook Part II
Ok, I read the instructions and am reposting with the requested information. To recap, I was a victim of the youtube/facebook trojan and while I have finally gotten all malware removed and restored all other functions on my computer, I cannot access Facebook no matter what I try. I have changed the...
manwtalent Virus/Trojan/Spyware Help 8 09-10-2011 05:53 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 05:19 AM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts