Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.
#16
Hi,
I apologize for the late reply.
-----------------------------------
C:\Program Files\HeavenWard
Do you recognise this programme? And MTN Online?
_____________________________________
Uninstall:
C:\Program Files\Plumbytes Software
TeamViewer
==================================================
Code:
Bitdefender Firewall (Disabled) (Windows Firewall is enabled.)
Windows Firewall program seems to be active also !!
===========================================
Please do this;
Next, download ComboFix
Save to the Desktop
#17
Hi Olgun,
It isn't you who should apologize for a late reply, sorry for this. I only get a chance on weekends to attend to this as I'm travelling & often without connectivity.

1) Heavenward is Windetect (a Windows authorized program).
2) Plumbytes is anti-malware, which I'd tried to locate the hacker's backdoor with. It can go.
3) Teamviewer I use to assist my 84yr old mother with correcting her computer. She's in the UK. It is set as a 1-way to see her computer & shouldn't permit access into my machine, but I will uninstall it so as to make your task easier.
4) MTN Online & HSPA (CellC/Vodacom) are both modems, which I alternate between dependent on which network has the cheapest data. We have one of the top 5 highest data rates here, with areas being partly covered by one & partly covered by the other. So I need to swap one for the other every so often.

You had asked me not to make changes until you complete your analysis, but take it that if you are querying #1-4, I must uninstall those I can now (#2 & 3)?

2) Plumbytes was removed (don't know when); it was just an empty folder. Tried Bitdefender File Shredder BUT the hacker's UAC settings blocked me! As Administrator, I didn't have permission to delete this. This is the kind of nonsense he's caused for 18 months & why I need to get rid of him.
3) Teamviewer was successfully uninstalled with Revo Uninstaller on Max setting.

#1 & 4 are left. I can remove (Heavenward's) Windetect if you wish me to.

ComboFix didn't download the Recovery console. Here's the standard installation Scan Log.
If I must manually install the RC - please advise?:

ComboFix 17-09-14.01 - Darryl 2017/09/17 9:47.1.2 - x86
Microsoft Windows 7 Home Basic 6.1.7601.1.1252.27.1033.18.2009.952 [GMT 2:00]
Running from: c:\users\Darryl\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *Disabled/Updated* {3FB17364-4FCC-0FA7-6BBF-973897395371}
FW: Bitdefender Firewall *Disabled* {078AF241-05A3-0EFF-40E0-3E0D69EA140A}
SP: Bitdefender Antispyware *Disabled/Updated* {84D09280-69F6-0029-510F-AC4AECBE19CC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2017-08-17 to 2017-09-17 )))))))))))))))))))))))))))))))
.
.
2017-09-17 07:56 . 2017-09-17 07:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2017-09-09 15:31 . 2017-09-09 15:49 -------- d-----w- C:\FRST
2017-09-06 14:44 . 2017-09-06 14:51 -------- d-----w- c:\users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD}
2017-09-06 14:43 . 2017-09-06 21:55 -------- d-----w- c:\program files\Plumbytes Software
2017-09-04 18:01 . 2017-09-04 18:01 -------- d-----w- c:\program files\HeavenWard
2017-08-30 21:48 . 2017-09-06 18:15 -------- d-----w- c:\users\Darryl\AppData\Local\CrashDumps
2017-08-25 19:13 . 2017-08-25 19:13 -------- d-----w- c:\users\Darryl\Tracing
2017-08-22 19:12 . 2017-08-22 19:12 -------- dc----w- c:\windows\system32\DRVSTORE
2017-08-22 19:12 . 2017-09-03 21:50 -------- d-----w- c:\program files\HSPA USB Modem
2017-08-19 13:32 . 2017-07-07 15:10 973312 ----a-w- c:\windows\system32\DXPTaskRingtone.dll
2017-08-19 13:32 . 2017-08-01 15:16 497664 ----a-w- c:\windows\system32\win32spl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-08-12 13:30 . 2017-08-11 13:29 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2017-08-02 14:25 . 2016-08-10 08:54 773968 ----a-w- c:\windows\system32\msvcr100.dll
2017-07-29 14:50 . 2017-08-12 15:59 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2017-07-21 14:26 . 2017-08-12 15:59 282624 ----a-w- c:\windows\system32\mstext40.dll
2017-07-21 14:26 . 2017-08-12 15:59 518144 ----a-w- c:\windows\system32\msjetoledb40.dll
2017-07-21 14:26 . 2017-08-12 15:59 290816 ----a-w- c:\windows\system32\msjtes40.dll
2017-07-21 14:26 . 2017-08-12 15:59 409600 ----a-w- c:\windows\system32\msexch40.dll
2017-07-15 22:01 . 2017-07-15 22:01 57575 ----a-w- c:\programdata\dm.1500155999.bdinstall.bin
2017-07-15 21:55 . 2017-07-15 21:55 74691 ----a-w- c:\programdata\cl.kit.1500155180.bdinstall.bin
2017-07-15 21:55 . 2017-07-15 21:55 1758436 ----a-w- c:\programdata\cl.1500155237.bdinstall.bin
2017-07-15 20:40 . 2017-07-15 20:40 18534 ----a-w- c:\programdata\agent.1500151240.6004.bin
2017-07-15 20:40 . 2017-07-15 20:40 1509 ----a-w- c:\programdata\agent.1500151240.5952.bin
2017-07-15 20:40 . 2017-07-15 20:40 26269 ----a-w- c:\programdata\agent.1500151240.5692.bin
2017-07-15 20:40 . 2017-07-15 20:40 1146 ----a-w- c:\programdata\agent.1500151240.5696.bin
2017-07-15 09:00 . 2017-07-15 09:00 86016 ----a-w- c:\windows\system32\iesysprep.dll
2017-07-15 09:00 . 2017-07-15 09:00 74240 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2017-07-15 09:00 . 2017-07-15 09:00 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2017-07-15 09:00 . 2017-07-15 09:00 645120 ----a-w- c:\windows\system32\jsIntl.dll
2017-07-15 09:00 . 2017-07-15 09:00 48640 ----a-w- c:\windows\system32\mshtmler.dll
2017-07-15 09:00 . 2017-07-15 09:00 36352 ----a-w- c:\windows\system32\imgutil.dll
2017-07-15 09:00 . 2017-07-15 09:00 24576 ----a-w- c:\windows\system32\licmgr10.dll
2017-07-15 09:00 . 2017-07-15 09:00 194048 ----a-w- c:\windows\system32\elshyph.dll
2017-07-15 09:00 . 2017-07-15 09:00 182272 ----a-w- c:\windows\system32\msls31.dll
2017-07-15 09:00 . 2017-07-15 09:00 151552 ----a-w- c:\windows\system32\iexpress.exe
2017-07-15 09:00 . 2017-07-15 09:00 139264 ----a-w- c:\windows\system32\wextract.exe
2017-07-15 09:00 . 2017-07-15 09:00 13312 ----a-w- c:\windows\system32\mshta.exe
2017-07-15 09:00 . 2017-07-15 09:00 111616 ----a-w- c:\windows\system32\IEAdvpack.dll
2017-07-15 08:57 . 2017-07-15 08:57 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2017-07-15 08:57 . 2017-07-15 08:57 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 293376 ----a-w- c:\windows\system32\dxgi.dll
2017-07-15 08:57 . 2017-07-15 08:57 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2017-07-15 08:57 . 2017-07-15 08:57 220160 ----a-w- c:\windows\system32\d3d10core.dll
2017-07-15 08:57 . 2017-07-15 08:57 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2017-07-15 08:57 . 2017-07-15 08:57 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2017-07-15 08:57 . 2017-07-15 08:57 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2017-07-15 08:57 . 2017-07-15 08:57 1080832 ----a-w- c:\windows\system32\d3d10.dll
2017-07-15 08:57 . 2017-07-15 08:57 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2017-07-15 05:07 . 2017-07-15 05:07 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD2B5F49-3985-4439-8ABF-29C286E91779}\offreg.1392.dll
2017-07-15 01:17 . 2017-07-15 01:17 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD2B5F49-3985-4439-8ABF-29C286E91779}\offreg.3044.dll
2017-07-14 15:10 . 2017-08-12 15:59 382976 ----a-w- c:\windows\system32\wer.dll
2017-07-14 15:10 . 2017-08-12 15:59 1549824 ----a-w- c:\windows\system32\tquery.dll
2017-07-14 15:10 . 2017-08-12 15:59 1363968 ----a-w- c:\windows\system32\Query.dll
2017-07-14 15:10 . 2017-08-12 15:59 666624 ----a-w- c:\windows\system32\mssvp.dll
2017-07-14 15:10 . 2017-08-12 15:59 1400320 ----a-w- c:\windows\system32\mssrch.dll
2017-07-14 15:10 . 2017-08-12 15:59 34816 ----a-w- c:\windows\system32\mssprxy.dll
2017-07-14 15:10 . 2017-08-12 15:59 337408 ----a-w- c:\windows\system32\mssph.dll
2017-07-14 15:10 . 2017-08-12 15:59 197120 ----a-w- c:\windows\system32\mssphtb.dll
2017-07-14 15:10 . 2017-08-12 15:59 104448 ----a-w- c:\windows\system32\mssitlb.dll
2017-07-14 15:10 . 2017-08-12 15:59 59392 ----a-w- c:\windows\system32\msscntrs.dll
2017-07-14 15:00 . 2017-08-12 15:59 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2017-07-14 15:00 . 2017-08-12 15:59 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2017-07-14 14:59 . 2017-08-12 15:59 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2017-07-14 14:59 . 2017-08-12 15:59 9728 ----a-w- c:\windows\system32\msshooks.dll
2017-07-14 14:50 . 2017-08-12 15:59 54272 ----a-w- c:\windows\system32\wermgr.exe
2017-07-14 14:50 . 2017-08-12 15:59 28672 ----a-w- c:\windows\system32\werdiagcontroller.dll
2017-07-14 10:57 . 2017-07-14 10:57 49152 ----a-w- c:\windows\system32\taskhost.exe
2017-07-14 10:53 . 2017-07-14 10:53 1505280 ----a-w- c:\windows\system32\d3d11.dll
2017-07-14 09:55 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2017-07-14 08:43 . 2017-07-14 08:43 10685920 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD2B5F49-3985-4439-8ABF-29C286E91779}\mpengine.dll
2017-07-14 03:01 . 2017-08-12 15:59 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2017-07-14 03:00 . 2017-08-12 15:59 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2017-07-14 02:48 . 2017-08-12 15:59 62464 ----a-w- c:\windows\system32\iesetup.dll
2017-07-14 02:48 . 2017-08-12 15:59 499200 ----a-w- c:\windows\system32\vbscript.dll
2017-07-14 02:48 . 2017-08-12 15:59 47616 ----a-w- c:\windows\system32\ieetwproxystub.dll
2017-07-14 02:48 . 2017-08-12 15:59 341504 ----a-w- c:\windows\system32\html.iec
2017-07-14 02:47 . 2017-08-12 15:59 64000 ----a-w- c:\windows\system32\MshtmlDac.dll
2017-07-14 02:38 . 2017-08-12 15:59 104960 ----a-w- c:\windows\system32\ieetwcollector.exe
2017-07-14 02:38 . 2017-08-12 15:59 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2017-07-14 02:38 . 2017-08-12 15:59 620032 ----a-w- c:\windows\system32\jscript9diag.dll
2017-07-14 02:33 . 2017-08-12 15:59 667648 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2017-07-14 02:26 . 2017-08-12 15:59 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2017-07-14 02:25 . 2017-08-12 15:59 73216 ----a-w- c:\windows\system32\tdc.ocx
2017-07-14 02:17 . 2017-08-12 15:59 4546048 ----a-w- c:\windows\system32\jscript9.dll
2017-07-14 02:11 . 2017-08-12 15:59 2057216 ----a-w- c:\windows\system32\inetcpl.cpl
2017-07-14 02:11 . 2017-08-12 15:59 1155072 ----a-w- c:\windows\system32\mshtmlmedia.dll
2017-07-14 01:53 . 2017-08-12 15:59 2767872 ----a-w- c:\windows\system32\wininet.dll
2017-07-08 15:19 . 2017-08-12 15:59 250600 ----a-w- c:\windows\system32\clfs.sys
2017-07-08 14:51 . 2017-08-12 15:59 2402816 ----a-w- c:\windows\system32\win32k.sys
2017-07-07 15:15 . 2017-08-12 15:59 4001000 ----a-w- c:\windows\system32\ntkrnlpa.exe
2017-07-07 15:15 . 2017-08-12 15:59 3945192 ----a-w- c:\windows\system32\ntoskrnl.exe
2017-07-07 15:15 . 2017-08-12 15:59 296680 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2017-07-07 15:15 . 2017-08-12 15:59 67304 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2017-07-07 15:15 . 2017-08-12 15:59 137960 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2017-07-07 15:13 . 2017-08-12 15:59 1310528 ----a-w- c:\windows\system32\ntdll.dll
2017-07-07 15:11 . 2017-08-12 15:59 65536 ----a-w- c:\windows\system32\TSpkg.dll
2017-07-07 15:11 . 2017-08-12 15:59 172032 ----a-w- c:\windows\system32\wdigest.dll
2017-07-07 15:11 . 2017-08-12 15:59 109568 ----a-w- c:\windows\system32\t2embed.dll
2017-07-07 15:11 . 2017-08-12 15:59 99840 ----a-w- c:\windows\system32\sspicli.dll
2017-07-07 15:11 . 2017-08-12 15:59 400896 ----a-w- c:\windows\system32\srcore.dll
2017-07-07 15:11 . 2017-08-12 15:59 43008 ----a-w- c:\windows\system32\srclient.dll
2017-07-07 15:11 . 2017-08-12 15:59 50176 ----a-w- c:\windows\system32\setbcdlocale.dll
2017-07-07 15:11 . 2017-08-12 15:59 655360 ----a-w- c:\windows\system32\rpcrt4.dll
2017-07-07 15:11 . 2017-08-12 15:59 254464 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bdagent"="c:\program files\Bitdefender\Bitdefender Security\bdagent.exe" [2017-08-31 304608]
"DevMon"="c:\progra~1\HSPAUS~1\Driver\DevMon.exe" [2013-12-06 45056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2017-07-14 280576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BdBkpFolder\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-21 836896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
R2 FLAME II MTN MODEM Service;FLAME II MTN MODEM Service;c:\program files\MTN Online\ApplicationController.exe [2015-12-15 574464]
R2 Mobile Broadband HL Service;Mobile Broadband HL Service;c:\programdata\MobileBrServ\mbbservice.exe [2014-02-15 239184]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2017-06-01 317400]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2017-07-14 104960]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-08-09 131888]
R3 SCDModem;SCDModem;c:\windows\system32\DRIVERS\SCDModem.sys [2016-02-01 22528]
R3 SCDSerials;SCDSerials;c:\windows\system32\DRIVERS\SCDSerials.sys [2016-02-01 22528]
R3 SCDUsbHub;SCDUsbHub;c:\windows\system32\DRIVERS\SCDUsbHub.sys [2016-02-01 15272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
S0 atc;atc;c:\windows\system32\DRIVERS\atc.sys [2017-06-07 740824]
S0 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [2017-04-19 1290472]
S0 bdprivmon;bdprivmon;c:\windows\system32\DRIVERS\bdprivmon.sys [2017-05-11 43064]
S0 gzflt;gzflt;c:\windows\system32\DRIVERS\gzflt.sys [2017-05-11 152784]
S0 Ignis;Ignis Service;c:\windows\system32\DRIVERS\ignis.sys [2017-06-08 282712]
S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [2017-05-31 107168]
S1 BDVEDISK;BDVEDISK;c:\windows\system32\DRIVERS\bdvedisk.sys [2015-12-04 83824]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 WinDetect;WinDetect driver;c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]
S2 bdredline;Bitdefender RedLine Service;c:\program files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe [2017-08-30 1847960]
S2 DevMgmtService;Bitdefender Device Management Service;c:\program files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [2017-06-27 87472]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ProductAgentService;Bitdefender Product Agent Service;c:\program files\Bitdefender Agent\ProductAgentService.exe [2017-06-21 1269824]
S2 UPDATESRV;Bitdefender Desktop Update Service;c:\program files\Bitdefender\Bitdefender Security\updatesrv.exe [2017-08-31 175768]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-13 297000]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 33320]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-08-10 94208]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2017-04-20 25088]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-07-08 322336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
utcsvc REG_MULTI_SZ DiagTrack
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2017-09-04 13:58 1429848 ----a-w- c:\program files\Google\Chrome\Application\60.0.3112.113\Installer\chrmstp.exe
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.loveme.com/pickoftheday.shtml
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 168.210.2.2 196.14.239.2 168.210.2.2 196.14.239.2
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2384)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
.
Completion time: 2017-09-17 09:59:11
ComboFix-quarantined-files.txt 2017-09-17 07:59
.
Pre-Run: 87*531*749*376 bytes free
Post-Run: 87*500*939*264 bytes free
.
- - End Of File - - 7EC4294115713C906E7861A3EBF02A51 2E5DEBB2116B3417023E0D6562D7ED07

My continued thanks for your efforts to help remove this Pakistani & his access.
#18
Hello,
Code:
I can remove (Heavenward's) Windetect if you wish me to.
=============================================
ComboFix didn't download the Recovery console. Here's the standard installation Scan Log. If I must manually install the RC - please advise?:
OK. No problem.
================================================
Code:
My continued thanks for your efforts to help remove this Pakistani & his access.
========================================
Run FRST fixlist:
Note: Run the tool (FRST) from your Desktop based on the instructions given. Farbar Recovery Scan Tool and the Fixlist file should be on the desktop.
Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt
Code:
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} - G:\autorun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfb10-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfc34-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {77038b86-6a48-11e7-bf5e-90a4de6a0dc0} - G:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {8360031e-7f78-11e7-9ad5-90a4de6a0dc0} - F:\AutoRun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {afdbea82-90f2-11e7-96d7-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.loveme.com/pickoftheday.shtml
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-917511795-3256536166-560280740-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKLM\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx
2017-07-17 23:38 - 2017-07-17 23:38 - 000000000 ____D C:\Users\Darryl\AppData\Local\TeamViewer
2017-07-16 21:55 - 2017-09-07 23:48 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\vlc
2017-07-16 13:13 - 2017-09-05 00:04 - 000000000 ____D C:\Program Files\TeamViewer
2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys
FirewallRules: [{65064C98-EE7E-4BAA-94E0-09E071C61E2A}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{48AB47C9-A327-4CE2-9B48-BF5C1A7AE14B}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{ED15DF0A-1C3D-498B-9990-ED691B1582BB}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{1F3C1B82-E6D1-4FAE-99B8-9934565F7034}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{0FC94F48-919C-4F44-B5CE-4FAEDE068F63}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{55580A67-06D4-477A-8E78-E14641BAC04D}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{36455591-EF8F-4136-80BA-CB9A3A692E4C}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{19E4B086-339C-441B-AFB1-F8E7195ADCED}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [10803440 2017-07-26] (TeamViewer GmbH)
R3 teamviewervpn; C:\windows\System32\DRIVERS\teamviewervpn.sys [25088 2017-04-20] (TeamViewer GmbH)
R1 WinDetect; C:\windows\system32\Drivers\windetect.sys [16720 2017-02-26] (HeavenWard)
2017-09-06 16:44 - 2017-09-06 16:51 - 000000000 ____D C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD}
2017-09-06 16:43 - 2017-09-06 23:55 - 000000000 ____D C:\Program Files\Plumbytes Software
2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard
2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\Program Files\HeavenWard
C:\Users\Darryl\AppData\Local\TeamViewer
2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys
C:\Users\Darryl\AppData\Local\Temp\runsetup.exe
C:\Program Files\TeamViewer\TeamViewer_Service.exe
C:\Users\Darryl\AppData\Local\Temp
C:\windows\wininit.ini
c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]
c:\windows\system32\DRIVERS\teamviewervpn.sys [2017-04-20 25088]
cmd: ipconfig /flushdns
Hosts:
EmptyTemp:

Running this on another computer may cause damage to the Operating System.
Now, please run FRST, and press the Fix button, just once, and wait.
When done, the tool creates a report on the Desktop called: Fixlog.txt
>> Please post the Fixlog.txt in your reply.
-----------------------------------------------------------------------------------
Download RogueKiller: http://tigzy.geekstogo.com/roguekiller.php
Select the version that applies to the system. Save to the Desktop.
After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator
At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN
When done, a report opens on the drive: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.
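As an added example (not code from the thread, from FRST or from its author), here is a small Python triage helper that reads FRST log lines in the format quoted above and pulls out the entries a helper reads first: MountPoints2 autorun leftovers, Run/RunOnce autostarts whose signer field is empty, and firewall Allow rules for binaries outside the usual program directories; `suggest_fixlist` then lays those MountPoints2 lines out the way the fixlist in this post does. The sample lines, the SID and the GUIDs are constructed, and the "trusted directory" prefix list is a heuristic of this example, not FRST logic.

```python
import re
from typing import Dict, List

# Constructed sample in FRST's own line format, modelled on the entries quoted
# in the thread; the SID and the GUIDs are placeholders, not from a real scan.
SAMPLE_LOG = r"""
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe [304608 2017-08-31] (Bitdefender)
HKLM\...\Run: [DevMon] => C:\Program Files\HSPA USB Modem\Driver\DevMon.exe [45056 2013-12-06] ()
HKU\S-1-5-21-111-222-333-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-111-222-333-1000\...\MountPoints2: {607f1b2b-0000-0000-0000-000000000000} - G:\autorun.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\windows\System32\SPReview\SPReview.exe [280576 2017-07-14] (Microsoft Corporation)
FirewallRules: [{00000000-0000-0000-0000-000000000001}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{00000000-0000-0000-0000-000000000002}] => (Allow) C:\Users\someone\AppData\Local\Temp\runsetup.exe
"""

# One regex per FRST line type this example looks at.
MOUNTPOINT_RE = re.compile(
    r"^HKU\\(?P<sid>S-[\d-]+)\\\.\.\.\\MountPoints2: "
    r"(?P<key>\S+) - (?P<target>[A-Za-z]:\\.+)$"
)
AUTOSTART_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\S-[\d-]+)\\\.\.\.\\(?P<kind>Run|RunOnce): "
    r"\[(?P<name>[^\]]+)\] => (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\] "
    r"\((?P<signer>[^)]*)\)$"
)
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[\{(?P<guid>[0-9A-Fa-f-]+)\}\] => "
    r"\((?P<action>Allow|Block)\) (?P<path>.+)$"
)

# Heuristic only (an assumption of this example): Allow rules for binaries
# outside these trees (Temp, AppData, removable drives) are worth a look,
# which is not the same as proof of anything.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return the entries worth a second look, grouped by category."""
    findings: Dict[str, List[str]] = {
        "autorun_mountpoints": [],      # removable-media autorun leftovers
        "unsigned_autostarts": [],      # Run/RunOnce with an empty "()" signer field
        "firewall_allow_untrusted": [], # Allow rules for binaries outside program dirs
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MOUNTPOINT_RE.match(line):
            findings["autorun_mountpoints"].append(f"{m['key']} -> {m['target']}")
        elif m := AUTOSTART_RE.match(line):
            if not m["signer"]:
                findings["unsigned_autostarts"].append(f"{m['kind']} [{m['name']}] {m['path']}")
        elif m := FIREWALL_RE.match(line):
            if m["action"] == "Allow" and not in_trusted_dir(m["path"]):
                findings["firewall_allow_untrusted"].append(m["path"])
    return findings


def suggest_fixlist(log_text: str) -> List[str]:
    """Lay out fixlist.txt lines the way the helper's post does: the scan lines
    to act on are pasted back verbatim between FRST's directives."""
    lines = ["CreateRestorePoint:", "CloseProcesses:"]
    lines += [l.strip() for l in log_text.splitlines() if MOUNTPOINT_RE.match(l.strip())]
    lines.append("EmptyTemp:")
    return lines


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
    print("\n".join(suggest_fixlist(SAMPLE_LOG)))
```

The DevMon entry is flagged only because its signer field is empty; in this thread it turned out to be a modem driver, which is why a flag from a script like this is a prompt to check, not a verdict.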
#19
Received
Hello Olgun,
I have your mail. Thanks, will comply & post as requested in due course. Not tonight as I prepare work for tomorrow. Windetect will be removed. His iPhone has been used & password 'Pakistan' saved in Bitdefender Wallet. Also have coordinates of residences where the Macbook & Motorola were used, with other details. Many thanks.
#20
Do not use Bitdefender Wallet for a while and test it.
I do not see any clues in your reports. Have you applied the instructions I have given?
#21
Hi Olgun,
Thanks for your patience. It was a long weekend; I couldn't do what was needed whilst with guests. Sorry.
1st of all a fool's admission: one of the things that had startled me before contacting you is that I had received a Gmail logon code via text to my mobile when I hadn't been trying to log on. I suspected it was the hacker again. But when this was repeated last week, I finally realised that when I'd been using Teamviewer to help my old mother, I had used 2-factor text verification to my number. I'm an idiot, the text was because she had been logging on & not selecting a voice call for 2x identification.

Ok, so I tried uninstalling WinDetect. No installation package found. So I killed it with Bitdefender, used Windetect's uninstaller, then Regedit & deleted the keys for Heavenward & WinDetect. Only 2 legacy keys would not be deleted. I then went into restore & was doing a restore when I got a bluescreen. I rebooted in safe mode & did the restore. It didn't complete for whatever reason & nothing was changed. I rebooted in normal mode & followed your instructions...

FRST:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2017 01
Ran by Darryl (administrator) on WIZARDS-PC (26-09-2017 21:44:11)
Running from C:\Users\Darryl\Desktop
Loaded Profiles: Darryl (Available Profiles: Darryl)
Platform: Microsoft Windows 7 Home Basic Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
() C:\Program Files\MTN Online\ApplicationController.exe
(Bitdefender) C:\Program Files\Bitdefender Agent\ProductAgentService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe
() C:\Program Files\HSPA USB Modem\Driver\DevMon.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\bdwtxag.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
(SEC) C:\Program Files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(SAMSUNG Electronics) C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
(Samsung Electronics) C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
() C:\Windows\Samsung\PanelMgr\SSMMgr.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
() C:\Program Files\HSPA USB Modem\HSPA USB Modem.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\seccenter.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Device Management\dmiface.exe
(Bitdefender) C:\Program Files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe [304608 2017-08-31] (Bitdefender)
HKLM\...\Run: [DevMon] => C:\Program Files\HSPA USB Modem\Driver\DevMon.exe [45056 2013-12-06] ()
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} - G:\autorun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfb10-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfc34-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {77038b86-6a48-11e7-bf5e-90a4de6a0dc0} - G:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {8360031e-7f78-11e7-9ad5-90a4de6a0dc0} - F:\AutoRun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {afdbea82-90f2-11e7-96d7-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\windows\System32\SPReview\SPReview.exe [280576 2017-07-14] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BdBkpFolder [2017-08-02] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{61B8ADB1-26E9-4985-80C8-84B326C30146}: [NameServer] 41.50.20.61 41.50.20.29
Tcpip\..\Interfaces\{DD0E4987-FE7E-4B4E-BD96-BA9F8683CC36}: [DhcpNameServer] 192.168.8.1 192.168.8.1
Tcpip\..\Interfaces\{F481106B-D2B0-446C-818C-5B39B3DF0A40}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.loveme.com/pickoftheday.shtml
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-917511795-3256536166-560280740-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender Security\pmbxie.dll [2017-08-31] (Bitdefender)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_144\bin\ssv.dll [2017-08-12] (Oracle Corporation)
BHO: W2PBrowser Class -> {AA609D72-8482-4076-8991-8CDAE5B93BCB} -> C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll [2010-08-23] ()
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-12] (Oracle Corporation)
Toolbar: HKLM - Bitdefender Wallet - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender Security\pmbxie.dll [2017-08-31] (Bitdefender)

FireFox:
========
FF HKLM\...\Firefox\Extensions: [bdwtwe@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdwteff
FF Extension: (Bitdefender Wallet) - C:\Program Files\Bitdefender\Bitdefender Security\bdwteff [2017-07-14]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdtbext
FF Extension: (Bitdefender Antispam Toolbar) - C:\Program Files\Bitdefender\Bitdefender Security\bdtbext [2017-07-14] [not signed]
FF Plugin: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-12] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-12] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-03-31] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-14] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-14] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN) Chrome: ======= CHR DefaultProfile: Default CHR StartupUrls: Default -> "hxxp://www.loveme.com/mp/PickOfTheDay.shtml" CHR DefaultSearchURL: Default -> hxxp://www.google.com/search?q={searchTerms} CHR DefaultSearchKeyword: Default -> global CHR Profile: C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default [2017-09-26] CHR Extension: (Google Slides) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhon fmgoek [2017-07-14] CHR Extension: (Kindle Cloud Reader) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\aicjkkmjijnlncpkailhjcdfke chjbpl [2017-07-18] CHR Extension: (Google Docs) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfi lokake [2017-07-14] CHR Extension: (Google Drive) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigk jlhalf [2017-07-14] CHR Extension: (Authenticator) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhghoamapcdpbohphigoooaddi npkbai [2017-09-18] CHR Extension: (YouTube) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldk acnbeo [2017-07-14] CHR Extension: (Adblock Plus) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddi lifddb [2017-07-18] CHR Extension: (Google Sheets) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpeb giejap [2017-07-14] CHR Extension: (Bitdefender Wallet) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\gannpgaobkkhmpomoijebaigca poeebl [2017-07-16] CHR Extension: (Google Docs Offline) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdl olhkhi [2017-07-15] CHR Extension: 
(Windscribe - Free VPN and Ad Block) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcna nddlhb [2017-08-04] CHR Extension: (Ubuntu light-themes scrollbars) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\mikdfeaeaecoffpjoodiihgejn bfigln [2017-07-18] CHR Extension: (Webutation) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfclfmabiojpommfcalfdgjjea ahnjbj [2017-09-26] CHR Extension: (Chrome Web Store Payments) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccm gmieda [2017-08-22] CHR Extension: (Gmail) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoe jaedia [2017-07-14] CHR Extension: (Chrome Media Router) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcj beemfm [2017-08-11] CHR Profile: C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-09-26] CHR Extension: (Google Slides) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-09-08] CHR Extension: (Google Docs) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2017-09-08] CHR Extension: (Google Drive) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-09-08] CHR Extension: (YouTube) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-09-08] CHR Extension: (Google Sheets) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-09-08] CHR Extension: (Bitdefender Wallet) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gannpgaobkkhmpomoijebaigcapoeebl [2017-09-08] CHR Extension: (Google Docs Offline) - 
C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-09-08] CHR Extension: (Chrome Web Store Payments) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-08] CHR Extension: (Gmail) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-09-08] CHR Extension: (Chrome Media Router) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-09-08] CHR Profile: C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\System Profile [2017-09-26] CHR HKLM\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx ==================== Services (Whitelisted) ==================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 bdredline; C:\Program Files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe [1847960 2017-08-30] (Bitdefender) R2 DevMgmtService; C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [87472 2017-06-27] (Bitdefender) R2 FLAME II MTN MODEM Service; C:\Program Files\MTN Online\ApplicationController.exe [574464 2015-12-15] () [File not signed] S2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [239184 2014-02-15] () R2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [1269824 2017-06-21] (Bitdefender) S3 Samsung UPD Service; C:\windows\System32\SUPDSvc.exe [131888 2010-08-09] (Samsung Electronics CO., LTD.) 
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe [175768 2017-08-31] (Bitdefender) R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe [1229856 2017-08-31] (Bitdefender) S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation) ===================== Drivers (Whitelisted) ====================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R0 atc; C:\windows\System32\DRIVERS\atc.sys [740824 2017-06-07] (BitDefender S.R.L. Bucharest, ROMANIA) R0 avc3; C:\windows\System32\DRIVERS\avc3.sys [1290472 2017-04-19] (BitDefender) R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [107168 2017-05-31] (BitDefender LLC) R0 bdprivmon; C:\windows\System32\DRIVERS\bdprivmon.sys [43064 2017-05-11] (© Bitdefender SRL) R1 BDVEDISK; C:\windows\System32\DRIVERS\bdvedisk.sys [83824 2015-12-04] (BitDefender) R3 btwampfl; C:\windows\System32\drivers\btwampfl.sys [297000 2010-07-14] (Broadcom Corporation.) R3 ETD; C:\windows\System32\DRIVERS\ETD.sys [94208 2010-08-10] (ELAN Microelectronics Corp.) R0 gzflt; C:\windows\System32\DRIVERS\gzflt.sys [152784 2017-05-11] (BitDefender LLC) R3 hwdatacard; C:\windows\System32\DRIVERS\ZDDriver.sys [106496 2010-01-14] (ZD Secret Incorporated) R0 Ignis; C:\windows\System32\DRIVERS\ignis.sys [282712 2017-06-08] (Bitdefender) S3 SCDModem; C:\windows\System32\DRIVERS\SCDModem.sys [22528 2016-02-01] (SCD-MBB Device) S3 SCDSerials; C:\windows\System32\DRIVERS\SCDSerials.sys [22528 2016-02-01] (SCD-MBB Device) S3 SCDUsbHub; C:\windows\System32\DRIVERS\SCDUsbHub.sys [15272 2016-02-01] (DriverCoding Incorporated.) S3 teamviewervpn; C:\windows\System32\DRIVERS\teamviewervpn.sys [25088 2017-04-20] (TeamViewer GmbH) R0 trufos; C:\windows\System32\DRIVERS\trufos.sys [376664 2017-04-11] (BitDefender S.R.L.) 
==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2017-09-26 21:44 - 2017-09-26 21:45 - 000016171 _____ C:\Users\Darryl\Desktop\FRST.txt 2017-09-26 21:42 - 2017-09-26 21:42 - 000000000 ____D C:\Users\Darryl\Desktop\FRST-OlderVersion 2017-09-26 20:56 - 2017-09-26 20:56 - 000004974 _____ C:\Users\Darryl\Desktop\Fixlist.txt 2017-09-26 20:53 - 2017-09-26 20:53 - 000000114 ____H C:\Users\Darryl\Desktop\.~lock.RK.odt# 2017-09-26 19:49 - 2017-09-26 19:50 - 000023525 _____ C:\Users\Darryl\Desktop\RK.odt 2017-09-23 11:49 - 2017-08-14 19:35 - 001062912 ____N (Microsoft Corporation) C:\windows\system32\lsasrv.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000655360 ____N (Microsoft Corporation) C:\windows\system32\rpcrt4.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000554496 ____N (Microsoft Corporation) C:\windows\system32\kerberos.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000261120 ____N (Microsoft Corporation) C:\windows\system32\msv1_0.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000254464 ____N (Microsoft Corporation) C:\windows\system32\schannel.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000223232 ____N (Microsoft Corporation) C:\windows\system32\ncrypt.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000172032 ____N (Microsoft Corporation) C:\windows\system32\wdigest.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000099840 ____N (Microsoft Corporation) C:\windows\system32\sspicli.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000082432 ____N (Microsoft Corporation) C:\windows\system32\bcrypt.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000065536 ____N (Microsoft Corporation) C:\windows\system32\TSpkg.dll 2017-09-23 11:49 - 2017-08-14 19:35 - 000022016 ____N (Microsoft Corporation) C:\windows\system32\secur32.dll 
2017-09-23 11:49 - 2017-08-14 19:35 - 000017408 ____N (Microsoft Corporation) C:\windows\system32\credssp.dll 2017-09-23 11:49 - 2017-08-13 23:26 - 000036352 ____N (Microsoft Corporation) C:\windows\system32\cryptbase.dll 2017-09-23 11:49 - 2017-08-13 23:26 - 000022016 ____N (Microsoft Corporation) C:\windows\system32\lsass.exe 2017-09-23 11:49 - 2017-08-13 23:26 - 000015872 ____N (Microsoft Corporation) C:\windows\system32\sspisrv.dll 2017-09-19 21:07 - 2017-09-20 10:34 - 000023829 _____ C:\Users\Darryl\Desktop\Cybertech.odt 2017-09-18 13:38 - 2017-09-18 13:46 - 000027024 _____ C:\Users\Darryl\Documents\Begginers Guide.odt 2017-09-18 12:44 - 2017-09-18 15:11 - 000000772 _____ C:\Users\Darryl\Desktop\almooJTMD.txt 2017-09-18 11:15 - 2017-09-18 11:18 - 000000000 ____D C:\Users\Darryl\Desktop\Retard 2017-09-17 11:17 - 2017-09-17 11:17 - 000000000 ____D C:\Users\Darryl\AppData\Local\bdch 2017-09-17 11:17 - 2017-09-17 11:17 - 000000000 ____D C:\ProgramData\bdch 2017-09-17 09:59 - 2017-09-17 09:59 - 000017774 _____ C:\ComboFix.txt 2017-09-17 09:32 - 2017-09-17 09:59 - 000000000 ____D C:\Qoobox 2017-09-17 09:31 - 2017-09-17 09:57 - 000000000 ____D C:\windows\erdnt 2017-09-14 15:42 - 2017-08-16 17:10 - 000629760 ____N (Microsoft Corporation) C:\windows\system32\usp10.dll 2017-09-14 15:42 - 2017-08-15 17:10 - 012880896 ____N (Microsoft Corporation) C:\windows\system32\shell32.dll 2017-09-14 15:42 - 2017-08-13 18:24 - 002291200 ____N (Microsoft Corporation) C:\windows\system32\iertutil.dll 2017-09-14 15:42 - 2017-08-13 17:17 - 002767872 ____N (Microsoft Corporation) C:\windows\system32\wininet.dll 2017-09-14 15:42 - 2017-08-13 17:13 - 001314816 ____N (Microsoft Corporation) C:\windows\system32\urlmon.dll 2017-09-14 15:42 - 2017-08-11 08:21 - 001310528 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 001417728 ____N (Microsoft Corporation) C:\windows\system32\ole32.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000872448 ____N 
(Microsoft Corporation) C:\windows\system32\kernel32.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000644096 ____N (Microsoft Corporation) C:\windows\system32\advapi32.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000400896 ____N (Microsoft Corporation) C:\windows\system32\srcore.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000377344 ____N (Microsoft Corporation) C:\windows\system32\rpcss.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000294400 ____N (Microsoft Corporation) C:\windows\system32\KernelBase.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000271360 ____N (Microsoft Corporation) C:\windows\system32\Wldap32.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000171008 ____N (Microsoft Corporation) C:\windows\system32\winsrv.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000038912 ____N (Microsoft Corporation) C:\windows\system32\csrsrv.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000016384 ____N (Microsoft Corporation) C:\windows\system32\winnsi.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000008704 ____N (Microsoft Corporation) C:\windows\system32\nsi.dll 2017-09-14 15:42 - 2017-08-11 08:19 - 000006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll 2017-09-14 15:42 - 2017-08-11 07:55 - 000069632 _____ (Microsoft Corporation) C:\windows\system32\smss.exe 2017-09-10 14:58 - 2017-09-10 14:59 - 000287454 _____ C:\Users\Darryl\Desktop\RENASA COMMERCIAL POLICY WORDING Motor Section (1) (1).pdf 2017-09-09 17:49 - 2017-09-09 17:49 - 000194254 _____ C:\Users\Darryl\Desktop\FRST 2.txt 2017-09-09 17:49 - 2017-09-09 17:49 - 000039079 _____ C:\Users\Darryl\Desktop\Shortcut 2.txt 2017-09-09 17:49 - 2017-09-09 17:49 - 000028641 _____ C:\Users\Darryl\Desktop\Addition 2.txt 2017-09-09 17:47 - 2017-09-09 17:47 - 000039079 _____ C:\Users\Darryl\Desktop\Shortcut 1.txt 2017-09-09 17:46 - 2017-09-09 17:47 - 000193976 _____ C:\Users\Darryl\Desktop\FRST 1.txt 2017-09-09 17:46 - 2017-09-09 17:47 - 000028381 _____ C:\Users\Darryl\Desktop\Addition 1.txt 2017-09-09 17:31 - 2017-09-26 21:44 - 000000000 
____D C:\FRST 2017-09-09 17:28 - 2017-09-26 21:42 - 001795584 _____ (Farbar) C:\Users\Darryl\Desktop\FRST.exe 2017-09-08 22:21 - 2017-09-08 22:21 - 000000000 ____D C:\Users\Darryl\Downloads\hero Glow In Dark Font 2017-09-08 21:37 - 2017-09-08 21:37 - 000000000 ____D C:\Users\Darryl\Downloads\My_Fontspring_Fonts 2017-09-08 14:47 - 2017-09-08 14:47 - 000074827 _____ C:\Users\Darryl\Downloads\hero Glow In Dark Font.zip 2017-09-08 14:41 - 2017-09-08 14:41 - 000512864 _____ C:\Users\Darryl\Downloads\My_Fontspring_Fonts.zip 2017-09-08 12:45 - 2017-09-08 12:53 - 000000000 ____D C:\Users\Darryl\Desktop\Yulia 172970 2017-09-06 16:44 - 2017-09-06 16:51 - 000000000 ____D C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD} 2017-09-06 16:43 - 2017-09-06 23:55 - 000000000 ____D C:\Program Files\Plumbytes Software 2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard 2017-09-04 19:53 - 2017-09-04 19:53 - 001046776 _____ (HeavenWard) C:\Users\Darryl\Downloads\windetectsetup.exe 2017-09-03 01:35 - 2017-09-03 01:35 - 000000000 ____H C:\windows\system32\Drivers\Msft_User_WpdMtpDr_01_ 09_00.Wdf 2017-09-01 21:26 - 2017-09-01 21:26 - 000073866 _____ C:\Users\Darryl\Downloads\Gloria Payment.pdf 2017-08-30 23:48 - 2017-09-06 20:15 - 000000000 ____D C:\Users\Darryl\AppData\Local\CrashDumps ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2017-09-26 21:40 - 2017-07-15 22:40 - 000000000 ____D C:\Program Files\Bitdefender Agent 2017-09-26 21:39 - 2009-07-26 22:06 - 000781790 _____ C:\windows\system32\PerfStringBackup.INI 2017-09-26 21:39 - 2009-07-14 04:37 - 000000000 ____D C:\windows\inf 2017-09-26 21:38 - 2009-07-14 06:34 - 000014512 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2017-09-26 21:38 - 2009-07-14 06:34 - 000014512 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2017-09-26 21:30 - 2009-07-14 06:53 - 000000006 ____H C:\windows\Tasks\SA.DAT 2017-09-26 21:30 - 2009-07-14 06:33 - 000298384 _____ C:\windows\system32\FNTCACHE.DAT 2017-09-26 21:29 - 2017-07-16 00:36 - 000048967 _____ C:\bdlog.txt 2017-09-26 21:25 - 2017-07-14 10:22 - 000064824 _____ C:\Users\Darryl\AppData\Local\GDIPFONTCACHEV1.DAT 2017-09-26 21:22 - 2017-07-16 13:13 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer 2017-09-26 21:10 - 2017-07-14 10:09 - 000000000 ____D C:\Users\Darryl 2017-09-26 21:07 - 2017-07-26 15:53 - 000000000 ____D C:\Users\Darryl\Desktop\OpenOffice 4.1.3 (en-US) Installation Files 2017-09-26 21:07 - 2017-07-16 21:55 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\vlc 2017-09-26 21:07 - 2017-07-16 19:28 - 000000000 ___RD C:\Program Files\Skype 2017-09-26 21:07 - 2017-07-16 19:28 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\Skype 2017-09-26 21:07 - 2017-07-16 19:28 - 000000000 ____D C:\Program Files\Common Files\Skype 2017-09-26 21:07 - 2011-04-06 04:33 - 000000000 ____D C:\ProgramData\WinClon 2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\windows\system32\NDF 2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\windows\rescache 2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\windows\PolicyDefinitions 2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\Program Files\Common Files\microsoft shared 2017-09-26 21:06 - 2017-07-26 15:53 - 000000000 ____D 
C:\Users\Darryl\Downloads\OpenOffice 4.1.3 (en-US) Installation Files 2017-09-26 21:06 - 2009-07-14 04:37 - 000000000 ____D C:\windows\registration 2017-09-26 21:02 - 2017-07-14 10:13 - 000000000 ____D C:\ProgramData\Temp 2017-09-26 21:02 - 2011-04-06 04:27 - 000000000 ____D C:\ProgramData\Skype 2017-09-17 10:21 - 2017-07-17 23:38 - 000000000 ____D C:\Users\Darryl\AppData\Local\TeamViewer 2017-09-14 15:52 - 2017-07-14 10:41 - 000000000 ____D C:\windows\system32\MRT 2017-09-12 09:34 - 2017-08-05 16:25 - 000000000 ____D C:\Users\Darryl\AppData\Local\paint.net 2017-09-04 17:38 - 2017-07-20 23:09 - 001974226 _____ C:\windows\ntbtlog.txt 2017-09-04 16:01 - 2017-07-14 10:53 - 000002101 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2017-09-04 16:01 - 2017-07-14 10:53 - 000002089 _____ C:\Users\Public\Desktop\Google Chrome.lnk 2017-09-04 00:02 - 2009-07-14 04:37 - 000000000 ____D C:\windows\ModemLogs 2017-09-03 23:50 - 2017-08-22 21:12 - 000000000 ____D C:\Program Files\HSPA USB Modem 2017-08-31 11:03 - 2017-07-15 23:51 - 000000000 ____D C:\ProgramData\Bitdefender ==================== Files in the root of some directories ======= 2017-07-15 22:40 - 2017-07-15 22:40 - 000026269 _____ () C:\ProgramData\agent.1500151240.5692.bin 2017-07-15 22:40 - 2017-07-15 22:40 - 000001146 _____ () C:\ProgramData\agent.1500151240.5696.bin 2017-07-15 22:40 - 2017-07-15 22:40 - 000001509 _____ () C:\ProgramData\agent.1500151240.5952.bin 2017-07-15 22:40 - 2017-07-15 22:40 - 000018534 _____ () C:\ProgramData\agent.1500151240.6004.bin 2017-07-15 23:55 - 2017-07-15 23:55 - 001758436 _____ () C:\ProgramData\cl.1500155237.bdinstall.bin 2017-07-15 23:55 - 2017-07-15 23:55 - 000074691 _____ () C:\ProgramData\cl.kit.1500155180.bdinstall.bin 2017-07-16 00:01 - 2017-07-16 00:01 - 000057575 _____ () C:\ProgramData\dm.1500155999.bdinstall.bin Some files in TEMP: ==================== 2017-07-16 19:10 - 2012-11-09 13:50 - 000023040 _____ (Windows (R) 2000 DDK provider) 
C:\Users\Darryl\AppData\Local\Temp\DeviceSetup.exe 2017-08-19 14:08 - 2017-08-22 21:12 - 000023040 _____ (Windows (R) 2000 DDK provider) C:\Users\Darryl\AppData\Local\Temp\DeviceSetup32.e xe 2017-08-12 14:20 - 2017-08-12 14:20 - 000740416 _____ (Oracle Corporation) C:\Users\Darryl\AppData\Local\Temp\jre-8u144-windows-au.exe 2017-08-19 14:07 - 2017-08-22 21:12 - 003118041 _____ () C:\Users\Darryl\AppData\Local\Temp\runsetup.exe 2017-07-16 13:25 - 2017-07-16 13:26 - 014456872 _____ (Microsoft Corporation) C:\Users\Darryl\AppData\Local\Temp\vc_redist.x86.e xe 2017-09-26 21:44 - 2017-09-26 21:44 - 001594197 _____ () C:\Users\Darryl\AppData\Local\Temp\{319D0EF5-EAD7-4C70-B16C-C29FE8759610}-61.0.3163.100_60.0.3112.113_chrome_updater.exe ==================== Bamital & volsnap ====================== (There is no automatic fix for files that do not pass verification.) C:\windows\explorer.exe => File is digitally signed C:\windows\system32\winlogon.exe => File is digitally signed C:\windows\system32\wininit.exe => File is digitally signed C:\windows\system32\svchost.exe => File is digitally signed C:\windows\system32\services.exe => File is digitally signed C:\windows\system32\User32.dll => File is digitally signed C:\windows\system32\userinit.exe => File is digitally signed C:\windows\system32\rpcss.dll => File is digitally signed C:\windows\system32\dnsapi.dll => File is digitally signed C:\windows\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2017-09-22 21:39 ==================== End of FRST.txt ============================ Then: Fix result of Farbar Recovery Scan Tool (x86) Version: 25-09-2017 01 Ran by Darryl (26-09-2017 21:48:14) Run:1 Running from C:\Users\Darryl\Desktop Loaded Profiles: Darryl (Available Profiles: Darryl) Boot Mode: Normal ============================================== fixlist content: ***************** CreateRestorePoint: CloseProcesses: HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: F - F:\setup.exe 
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} - G:\autorun.exe HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfb10-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfc34-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {77038b86-6a48-11e7-bf5e-90a4de6a0dc0} - G:\setup.exe HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {8360031e-7f78-11e7-9ad5-90a4de6a0dc0} - F:\AutoRun.exe HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {afdbea82-90f2-11e7-96d7-90a4de6a0dc0} - F:\setup.exe HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} - F:\setup.exe HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.loveme.com/pickoftheday.shtml HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox SearchScopes: HKU\S-1-5-21-917511795-3256536166-560280740-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = CHR HKLM\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx 2017-07-17 23:38 - 2017-07-17 23:38 - 000000000 ____D C:\Users\Darryl\AppData\Local\TeamViewer 2017-07-16 21:55 - 2017-09-07 23:48 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\vlc 2017-07-16 13:13 - 2017-09-05 00:04 - 000000000 ____D C:\Program Files\TeamViewer 2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk 2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk 2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer 2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys FirewallRules: [{65064C98-EE7E-4BAA-94E0-09E071C61E2A}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe FirewallRules: [{48AB47C9-A327-4CE2-9B48-BF5C1A7AE14B}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe FirewallRules: [{ED15DF0A-1C3D-498B-9990-ED691B1582BB}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe FirewallRules: [{1F3C1B82-E6D1-4FAE-99B8-9934565F7034}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe FirewallRules: [{0FC94F48-919C-4F44-B5CE-4FAEDE068F63}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe FirewallRules: [{55580A67-06D4-477A-8E78-E14641BAC04D}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe FirewallRules: [{36455591-EF8F-4136-80BA-CB9A3A692E4C}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe FirewallRules: [{19E4B086-339C-441B-AFB1-F8E7195ADCED}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [10803440 2017-07-26] (TeamViewer GmbH) R3 teamviewervpn; C:\windows\System32\DRIVERS\teamviewervpn.sys [25088 2017-04-20] (TeamViewer GmbH) R1 WinDetect; C:\windows\system32\Drivers\windetect.sys [16720 2017-02-26] (HeavenWard) 2017-09-06 16:44 - 2017-09-06 16:51 - 000000000 ____D C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD} 2017-09-06 16:43 - 2017-09-06 23:55 - 000000000 ____D C:\Program Files\Plumbytes Software 2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard 2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\Program 
Files\HeavenWard
C:\Users\Darryl\AppData\Local\TeamViewer
2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys
C:\Users\Darryl\AppData\Local\Temp\runsetup.exe
C:\Program Files\TeamViewer\TeamViewer_Service.exe
C:\Users\Darryl\AppData\Local\Temp
C:\windows\wininit.ini
c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]
c:\windows\system32\DRIVERS\teamviewervpn. sys [2017-04-20 25088]
cmd: ipconfig /flushdns
Hosts:
EmptyTemp:
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => key removed successfully.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6becfb10-876c-11e7-9b5a-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{6becfb10-876c-11e7-9b5a-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6becfc34-876c-11e7-9b5a-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{6becfc34-876c-11e7-9b5a-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77038b86-6a48-11e7-bf5e-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{77038b86-6a48-11e7-bf5e-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8360031e-7f78-11e7-9ad5-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{8360031e-7f78-11e7-9ad5-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afdbea82-90f2-11e7-96d7-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{afdbea82-90f2-11e7-96d7-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully.
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\gannpgaobkkhmpomoijebaigcapoeebl => key removed successfully.
C:\Users\Darryl\AppData\Local\TeamViewer => moved successfully
C:\Users\Darryl\AppData\Roaming\vlc => moved successfully
"C:\Program Files\TeamViewer" => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk" => not found.
"C:\Users\Public\Desktop\TeamViewer 12.lnk" => not found.
C:\Users\Darryl\AppData\Roaming\TeamViewer => moved successfully
C:\windows\system32\Drivers\teamviewervpn.sys => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{65064C98-EE7E-4BAA-94E0-09E071C61E2A} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{48AB47C9-A327-4CE2-9B48-BF5C1A7AE14B} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ED15DF0A-1C3D-498B-9990-ED691B1582BB} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1F3C1B82-E6D1-4FAE-99B8-9934565F7034} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0FC94F48-919C-4F44-B5CE-4FAEDE068F63} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{55580A67-06D4-477A-8E78-E14641BAC04D} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{36455591-EF8F-4136-80BA-CB9A3A692E4C} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{19E4B086-339C-441B-AFB1-F8E7195ADCED} => value not found.
TeamViewer => service not found.
HKLM\System\CurrentControlSet\Services\teamviewervpn => key removed successfully.
teamviewervpn => service removed successfully.
WinDetect => service not found.
C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD} => moved successfully
C:\Program Files\Plumbytes Software => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard => moved successfully
"C:\Program Files\HeavenWard" => not found.
"C:\Users\Darryl\AppData\Local\TeamViewer" => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk" => not found.
"C:\Users\Public\Desktop\TeamViewer 12.lnk" => not found.
"C:\Users\Darryl\AppData\Roaming\TeamViewer" => not found.
"C:\windows\system32\Drivers\teamviewervpn.sys " => not found.
C:\Users\Darryl\AppData\Local\Temp\runsetup.exe => moved successfully
"C:\Program Files\TeamViewer\TeamViewer_Service.exe" => not found.
"C:\Users\Darryl\AppData\Local\Temp" folder move:
Could not move "C:\Users\Darryl\AppData\Local\Temp" => Scheduled to move on reboot.
C:\windows\wininit.ini => moved successfully
"c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]" => not found.
"c:\windows\system32\DRIVERS\teamviewervpn. sys [2017-04-20 25088]" => not found.

continued .... IP Config....
#22
Continued from previous post...
========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 62164795 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 5074762 B
Edge => 0 B
Chrome => 436095307 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33460 B
Public => 0 B
ProgramData => 0 B
systemprofile => 29585179 B
LocalService => 6595956 B
NetworkService => 70634 B
Darryl => 87415813 B

RecycleBin => 14917527 B
EmptyTemp: => 620.2 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 26-09-2017 21:52:23)

C:\Users\Darryl\AppData\Local\Temp => moved successfully

==== End of Fixlog 21:52:23 ====

Addition Log:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-09-2017 01
Ran by Darryl (26-09-2017 21:45:56)
Running from C:\Users\Darryl\Desktop
Microsoft Windows 7 Home Basic Service Pack 1 (X86) (2017-07-14 08:09:26)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-917511795-3256536166-560280740-500 - Administrator - Disabled)
Darryl (S-1-5-21-917511795-3256536166-560280740-1000 - Administrator - Enabled) => C:\Users\Darryl
Guest (S-1-5-21-917511795-3256536166-560280740-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus (Disabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antispyware (Disabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Disabled) {078AF241-05A3-0EFF-40E0-3E0D69EA140A}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 10 ActiveX (HKLM\...\{FFB768E4-E427-4553-BC36-A11F5E62A94D}) (Version: 10.1.53.64 - Adobe Systems Incorporated)
Adobe Reader 9.1 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Atheros Client Installation Program (HKLM\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Atheros)
BatteryLifeExtender (HKLM\...\{E308B555-8434-4AF8-B66F-729897C75F93}) (Version: 1.0.6 - Samsung)
Bitdefender Agent (HKLM\...\Bitdefender Agent) (Version: 21.0.25.59 - Bitdefender)
Bitdefender Device Management (HKLM\...\Bitdefender Device Management) (Version: 22.0.8.114 - Bitdefender)
Bitdefender Total Security (HKLM\...\Bitdefender) (Version: 22.0.8.118 - Bitdefender)
Broadcom 802.11 Network Adapter (HKLM\...\Broadcom 802.11 Network Adapter) (Version: 5.60.48.55 - Broadcom Corporation)
CyberLink YouCam (HKLM\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 2.0.3911 - CyberLink Corp.)
Easy Display Manager (HKLM\...\{17283B95-21A8-4996-97DA-547A48DB266F}) (Version: 3.2 - Samsung Electronics Co., Ltd.)
Easy Network Manager (HKLM\...\{8732818E-CA78-4ACB-B077-22311BF4C0E4}) (Version: 4.4.7 - Samsung)
Easy SpeedUp Manager (HKLM\...\{EF367AA4-070B-493C-9575-85BE59D789C9}) (Version: 2.1.0.15 - Samsung Electronics Co.,Ltd.)
EasyBatteryManager (HKLM\...\{607DA1C8-34EC-4D7A-AD83-F8E5C70736DF}) (Version: 4.0.0.4 - Samsung)
ETDWare PS/2-X86 8.0.7.0_WHQL (HKLM\...\Elantech) (Version: 8.0.7.0 - ELAN Microelectronic Corp.)
Google Chrome (HKLM\...\Google Chrome) (Version: 60.0.3112.113 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
HSPA USB Modem (HKLM\...\HSPA USB Modem) (Version: 1.0.0.1 - HSPA USB Modem)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.2302 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.3.1001 - Intel Corporation)
Java 8 Update 144 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180144F0}) (Version: 8.0.1440.1 - Oracle Corporation)
K-Lite Codec Pack 12.2.5 Full (HKLM\...\KLiteCodecPack_is1) (Version: 12.2.5 - KLCP)
Marvell Miniport Driver (HKLM\...\Marvell Miniport Driver) (Version: 11.24.27.3 - Marvell)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Mobile Broadband HL Service (HKLM\...\Mobile Broadband HL Service) (Version: 22.001.25.00.03 - Huawei Technologies Co.,Ltd)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MTN Online (HKLM\...\MTN Online_is1) (Version:  - TCT Mobile Limited)
OpenOffice 4.1.3 (HKLM\...\{EEA30AEB-8BA7-465B-85D4-098BB99733E7}) (Version: 4.13.9783 - Apache Software Foundation)
paint.net (HKLM\...\{02D89175-E08F-401B-BA30-8B7512B57723}) (Version: 4.0.17 - dotPDN LLC)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6176 - Realtek Semiconductor Corp.)
Samsung AnyWeb Print (HKLM\...\{1DF9729D-2A51-4CA1-B4CE-2B432D7ABA7C}) (Version: 1.0 - Samsung Electronics Co., Ltd.) Hidden
Samsung AnyWeb Print (HKLM\...\{318DBE01-1E6B-4243-84B0-210391FE789A}) (Version: 1.1.19.0 - Samsung Electronics Co., Ltd.)
Samsung Recovery Solution 5 (HKLM\...\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}) (Version: 5.0.0.6 - Samsung)
Samsung Support Center (HKLM\...\{F687E657-F636-44DF-8125-9FEEA2C362F5}) (Version: 1.1.24 - Samsung)
Samsung Universal Print Driver (HKLM\...\Samsung Universal Print Driver) (Version: 2.01.06.00:16 - Samsung Electronics Co., Ltd.)
Samsung Update Plus (HKLM\...\{142D8CA7-2C6F-45A7-83E3-099AAFD99133}) (Version: 3.0.0.17 - Samsung Electronics Co., Ltd.)
Skype™ 7.39 (HKLM\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.39.102 - Skype Technologies S.A.)
User Guide (HKLM\...\{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}) (Version: 1.0 - )
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WIDCOMM Bluetooth Software (HKLM\...\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.6200 - Broadcom Corporation)
Xvid Plus Codec Pack (HKLM\...\Xvid Plus Codec Pack) (Version: 1.00 - Xvid Plus Codec Pack)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{087B3AE3-E237-4467-B8DB-5A38AB959AC9}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{30A2652A-DDF7-45e7-ACA6-3EAB26FC8A4E}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{3B092F0C-7696-40E3-A80F-68D74DA84210}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{41662FC2-0D57-4aff-AB27-AD2E12E7C273}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{448BB771-CFE2-47C4-BCDF-1FBF378E202C}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{63542C48-9552-494A-84F7-73AA6A7C99C1}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{7B342DC4-139A-4a46-8A93-DB0827CCEE9C}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{7BC0E710-5703-45BE-A29D-5D46D8B39262}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\ooofilt.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{7FA8AE11-B3E3-4D88-AABF-255526CD1CE8}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{82154420-0FBF-11d4-8313-005004526AB4}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{AE424E85-F6DF-4910-A6A9-438797986431}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\propertyhdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{D0484DE6-AAEE-468a-991F-8D4B0737B57A}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{D2D59CD1-0A6A-4D36-AE20-47817077D57C}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{E5A0B632-DFBA-4549-9346-E414DA06E6F8}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{EE5D1EA4-D445-4289-B2FC-55FC93693917}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{F616B81F-7BB8-4F22-B8A5-47428D59F8AD}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
ContextMenuHandlers1: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)
ContextMenuHandlers4: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)
ContextMenuHandlers5: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\windows\system32\igfxpph.dll [2011-02-11] (Intel Corporation)
ContextMenuHandlers6: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {02626086-B4DC-4B5F-A57A-E67C95226B3B} - C:\Windows\System32\Tasks\EasySpeedUpManager => Command(1): "%programfiles%\Samsung\EasySpeedUpManager\EasySpeedUpManager2.exe" -> /s
Task: {02626086-B4DC-4B5F-A57A-E67C95226B3B} - C:\Windows\System32\Tasks\EasySpeedUpManager => Command(2): C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe [2010-02-10] (Samsung Electronics Co., Ltd.)
Task: {0506265F-CCE6-4722-86A0-3EB2217B40C3} - System32\Tasks\SamsungSupportCenter => C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe [2011-02-07] (SAMSUNG Electronics)
Task: {3276D76B-0957-4260-B5FA-981D96F9B17B} - System32\Tasks\EasyDisplayMgr => C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe [2010-08-09] (Samsung Electronics Co., Ltd.)
Task: {6B2B613C-02AF-49C9-B3CF-13C98432B417} - System32\Tasks\SUPBackground => C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe [2010-08-27] (Samsung Electronics)
Task: {6EC0F541-9061-4D48-BC4E-B7CE6F94EFBF} - System32\Tasks\BatteryLifeExtender => C:\Program Files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe [2010-08-12] (Samsung Electronics. Co. Ltd.)
Task: {7DB02692-2037-4B2C-9220-05A7B1448AB8} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\WatchDog.exe [2017-06-21] (Bitdefender)
Task: {AE2EF44D-5E1A-445C-BE28-EE49DD6B727F} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => C:\windows\system32\EOSNotify.exe [2016-06-25] (Microsoft Corporation)
Task: {B30CFFD6-C26F-494D-BD5E-1B88135D6667} - System32\Tasks\EasyBatteryManager => C:\Program Files\Samsung\EasyBatteryManager\EasyBatteryMgr4.exe [2010-07-20] (SAMSUNG Electronics co., LTD.)
Task: {B5CB4607-8B4C-4A45-8D4A-475764C3454F} - System32\Tasks\{429FD52C-A832-4207-8A7E-20E682FD8515} => C:\windows\system32\pcalua.exe -a G:\setup.exe -d G:\
Task: {CFCFCB43-8880-49B7-9683-4DD6AE0F8056} - System32\Tasks\advSRS5 => C:\Program Files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe [2010-07-27] (SEC)
Task: {DB0B9A2A-1D5A-4BFD-8EA1-703BEB197FD5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-07-14] (Google Inc.)
Task: {DF6907F2-A9D6-4E5B-837A-1829D5A652CF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-07-14] (Google Inc.)
Task: {E1808027-8070-4E55-99F2-128F1F02B1D1} - System32\Tasks\{CC1C8BBB-550A-4CA1-953C-5D21EA5C48EF} => "c:\program files\google\chrome\application\chrome.exe" hxxps://ui.skype.com/ui/0/7.38.0.101/en/abandoninstall?source=lightinstaller&page=tsInstall

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============

2017-07-15 23:53 - 2013-09-03 14:29 - 000105448 _____ () C:\Program Files\Bitdefender\Bitdefender Security\bdmetrics.dll
2017-07-15 23:54 - 2017-02-07 12:42 - 000859344 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpbr.mdl
2017-07-15 23:54 - 2017-02-07 12:42 - 000466568 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpdsp.mdl
2017-07-15 23:54 - 2017-02-07 12:42 - 002660936 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpph.mdl
2017-07-15 23:54 - 2017-02-07 12:42 - 001303008 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttprbl.mdl
2011-04-06 04:32 - 2008-06-05 01:53 - 000026624 _____ () C:\windows\System32\spd__l.dll
2017-07-31 19:40 - 2015-12-15 15:02 - 000574464 _____ () C:\Program Files\MTN Online\ApplicationController.exe
2017-07-31 19:40 - 2016-02-01 11:11 - 000011362 _____ () C:\Program Files\MTN Online\mingwm10.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 000043008 _____ () C:\Program Files\MTN Online\libgcc_s_dw2-1.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 002537472 _____ () C:\Program Files\MTN Online\QtCore4.dll
2017-07-31 19:40 - 2015-12-15 14:58 - 001054208 _____ () C:\Program Files\MTN Online\Common.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 009814016 _____ () C:\Program Files\MTN Online\QtGui4.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 001140224 _____ () C:\Program Files\MTN Online\QtNetwork4.dll
2017-08-22 21:12 - 2013-12-06 11:01 - 000045056 _____ () C:\Program Files\HSPA USB Modem\Driver\DevMon.exe
2011-04-06 04:30 - 2006-08-12 05:48 - 000049152 _____ () C:\Program Files\Samsung\Easy Display Manager\HookDllPS2.dll
2011-04-06 04:33 - 2010-05-07 16:22 - 001636864 _____ () C:\Program Files\Samsung\Samsung Recovery Solution 5\Resdll.dll
2011-04-06 04:33 - 2010-06-08 05:15 - 000618496 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe
2017-08-22 21:12 - 2014-03-10 10:16 - 002088960 _____ () C:\Program Files\HSPA USB Modem\HSPA USB Modem.exe
2017-08-22 21:12 - 2014-01-13 11:45 - 004620288 _____ () C:\Program Files\HSPA USB Modem\lang\Common_DataCrad.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:04 - 2017-09-26 21:31 - 000000824 _____ C:\windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-917511795-3256536166-560280740-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Darryl\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 41.50.20.61 - 41.50.20.29
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{B807B4BA-1DC9-44A5-8946-253559FA7C16}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{1A7B83C8-FAA8-4462-BB18-27F84A9956A0}] => (Allow) C:\Windows\System32\SUPDSvc.exe
FirewallRules: [{A65094D5-6822-498D-A50A-62CDE3A085D2}] => (Allow) C:\Windows\System32\SUPDSvc.exe
FirewallRules: [{FB4CB921-5CB8-40F4-8A39-49E0FD3E0431}] => (Allow) C:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{16F6BCFE-B6EF-40F0-993A-6703936D0B21}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

06-09-2017 23:48:04 Revo Uninstaller's restore point - Plumbytes Anti-Malware 2017
14-09-2017 15:43:38 Windows Update
17-09-2017 09:44:11 ComboFix created restore point
17-09-2017 10:19:10 Revo Uninstaller's restore point - TeamViewer 12
18-09-2017 11:12:53 Windows Update
23-09-2017 11:49:34 Windows Update
26-09-2017 21:17:23 Revo Uninstaller's restore point - TeamViewer 12
26-09-2017 21:20:39 Revo Uninstaller's restore point - TeamViewer 12
26-09-2017 21:22:20 Windows Backup

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (09/26/2017 09:39:04 PM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={4396A617-B9F5-48A0-9966-BDC261D0CE9D}: The user WIZARDS-PC\Darryl dialed a connection named Cell-C which has failed. The error code returned on failure is 0.

Error: (09/26/2017 09:31:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Faulting module name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Exception code: 0xc0000005
Fault offset: 0x00017a12
Faulting process id: 0x714
Faulting application start time: 0x01d336fdf5287a48
Faulting application path: C:\ProgramData\MobileBrServ\mbbservice.exe
Faulting module path: C:\ProgramData\MobileBrServ\mbbservice.exe
Report Id: 3bd73ce5-a2f1-11e7-a949-90a4de6a0dc0

Error: (09/26/2017 09:28:09 PM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. The error is: The filename, directory name, or volume label syntax is incorrect. (0x8007007B).

Error: (09/26/2017 09:17:22 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {e9582167-e0d8-4ea9-bde3-e821d3da9853}

Error: (09/26/2017 09:11:49 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Windetect d/l). Additional information: 0xc0000022.

Error: (09/26/2017 09:11:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Faulting module name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Exception code: 0xc0000005
Fault offset: 0x00017a12
Faulting process id: 0x294
Faulting application start time: 0x01d336fb2b845a08
Faulting application path: C:\ProgramData\MobileBrServ\mbbservice.exe
Faulting module path: C:\ProgramData\MobileBrServ\mbbservice.exe
Report Id: 723118f1-a2ee-11e7-81ef-90a4de6a0dc0

Error: (09/26/2017 08:35:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Faulting module name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Exception code: 0xc0000005
Fault offset: 0x00017a12
Faulting process id: 0x8a4
Faulting application start time: 0x01d336f63fab2187
Faulting application path: C:\ProgramData\MobileBrServ\mbbservice.exe
Faulting module path: C:\ProgramData\MobileBrServ\mbbservice.exe
Report Id: 8654d342-a2e9-11e7-8a33-90a4de880e61

Error: (09/26/2017 05:35:17 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Samsung\BatteryLifeExtender\Drv\SABI2x64\KStartMem.exe.Manifest". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error: (09/26/2017 05:35:09 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Samsung\Samsung Support Center\Drv\drv2x64\KStartMem.exe.Manifest". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

Error: (09/26/2017 05:34:14 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\samsung\easy display manager\RunGfxUI64.exe". Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

System errors:
=============
Error: (09/26/2017 09:34:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 600000 milliseconds: Restart the service.

Error: (09/26/2017 09:33:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (09/26/2017 09:31:05 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: atc

Error: (09/26/2017 09:31:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Mobile Broadband HL Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Error: (09/26/2017 09:31:04 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Mobile Broadband HL Service service to connect.

Error: (09/26/2017 09:30:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Diagnostics Tracking Service service terminated with the following error: General access denied error

Error: (09/26/2017 09:24:16 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 600000 milliseconds: Restart the service.

Error: (09/26/2017 09:14:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 600000 milliseconds: Restart the service.

Error: (09/26/2017 09:13:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (09/26/2017 09:11:17 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Background Intelligent Transfer Service service terminated with service-specific error General access denied error .
==================== Memory info ===========================

Processor: Celeron(R) Dual-Core CPU T3500 @ 2.10GHz
Percentage of memory in use: 66%
Total physical RAM: 2008.61 MB
Available physical RAM: 669.7 MB
Total Virtual: 2308.61 MB
Available Virtual: 982.3 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:114 GB) (Free:80.4 GB) NTFS
Drive d: () (Fixed) (Total:168.77 GB) (Free:124.37 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 29AB717C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=114 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=168.8 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15.2 GB) - (Type=27)

==================== End of Addition.txt ============================

RogueKiller:

RogueKiller V12.11.17.0 [Sep 25 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Darryl [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 09/26/2017 22:39:43 (Duration : 00:27:23)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61B8ADB1-26E9-4985-80C8-84B326C30146} | NameServer : 41.50.20.61 41.50.20.29 ([South Africa][-]) -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Hj.Shortcut] \{CC1C8BBB-550A-4CA1-953C-5D21EA5C48EF} -- "c:\program files\google\chrome\application\chrome.exe" (https://ui.skype.com/ui/0/7.38.0.101...page=tsInstall) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.loveme.com/mp/PickOfTheDay.shtml] -> Found
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [global] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BPVT-35ZEST0 +++++
--- User ---
[MBR] 5130ed095ebe77edeba5e0aa3712f416
[BSP] 622503cd16bda2641ea5679500556658 : Kiwi|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 116736 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 239282176 | Size: 172824 MB
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 593225728 | Size: 15582 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: 3G USB MMC Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

I hope that the 4 Malware occurrences are there, if not please ask me to find & post them & I'll do it.

Many thanks Olgun.
#23
Hi Sonic Feathers,
Okay.
===========
Please post a fresh FRST logfile for my check. (Frst.txt and Additional.txt)
#24
How to stop hacker (using UAC)

Hello, No sweat Olgun. RK found 4 Malware entries.

Code:
RogueKiller V12.11.17.0 [Sep 25 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Darryl [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 09/26/2017 22:39:43 (Duration : 00:27:23)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61B8ADB1-26E9-4985-80C8-84B326C30146} | NameServer : 41.50.20.61 41.50.20.29 ([South Africa][-]) -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Hj.Shortcut] \{CC1C8BBB-550A-4CA1-953C-5D21EA5C48EF} -- "c:\program files\google\chrome\application\chrome.exe" (https://ui.skype.com/ui/0/7.38.0.101...page=tsInstall) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.loveme.com/mp/PickOfTheDay.shtml] -> Found
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [global] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BPVT-35ZEST0 +++++
--- User ---
[MBR] 5130ed095ebe77edeba5e0aa3712f416
[BSP] 622503cd16bda2641ea5679500556658 : Kiwi|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 116736 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 239282176 | Size: 172824 MB
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 593225728 | Size: 15582 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: 3G USB MMC Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

As a .Jpg: https://imgur.com/a/vS4Fc

Hope that is a help. 03:30, I'll check back when next I can for your instruction. Thanks.
#25
Delete your cache, history, and other browser data
https://support.google.com/chrome/answer/95582?hl=en

Next >>

Reset Chrome browser settings
https://support.google.com/chrome/answer/3296214?hl=en

If HomePage and SearchPage do not fix problems, please do the following;

Make Google my default search engine
https://support.google.com/websearch/answer/464?hl=en

or;

Change your Google Search browser settings
https://support.google.com/websearch..._topic=3036131

Make Google your homepage
https://support.google.com/websearch..._topic=3036131
=======================================================
#26
Two firewalls can render the system unstable.
#27
Hi Olgun,

All done as you'd suggested. I'll use Revo Uninstaller & BD to check that all records are cleaned.

Tell me, is it time that we can look at correcting the UAC & getting rid of the illicit Users and Groups? The hacker as well ('Administrators', because he has me locked out of many Admin tasks). I am sure he has something buried on the HDD that notifies him of changes automatically, which then runs some script that resets UAC as he wants for easy access.

I have taken some screen shots of some of the Properties so that you can see what he's been up to. Please remember that I am the sole user of the machine, so Groups should not exist. The original Administrator account was WIZARDS-PC\Darryl Administrator. Even that has been changed to Wizards-PC Administrator, which is a previous form from before the Factory Reset, in some instances. Often I get, 'you do not have permission to alter XXX (e.g. ... this value)'.

Can the UAC be locked somehow to stop any changes without 2-factor authentication, please? At least then I would be aware he has again changed UAC.

Sorry the pics have got mixed up a bit.
https://i.imgur.com/bI1ycts.jpg
https://i.imgur.com/B4UfLMs.jpg
https://i.imgur.com/xZXbNyH.jpg
https://i.imgur.com/wehRS20.jpg

Ok? I'll try to get back to your reply as soon as possible; it's going to be a heavy week.
Many thanks Olgun.
#28
I cannot reach the links you sent.
=============
-------------------
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2017 01
Ran by Darryl (administrator) on WIZARDS-PC (26-09-2017 21:44:11)
Running from C:\Users\Darryl\Desktop
Loaded Profiles: Darryl (Available Profiles: Darryl)
Platform: Microsoft Windows 7 Home Basic Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
-------------------------
Addition Log:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-09-2017 01
Ran by Darryl (26-09-2017 21:45:56)
Running from C:\Users\Darryl\Desktop
Microsoft Windows 7 Home Basic Service Pack 1 (X86) (2017-07-14 08:09:26)
Boot Mode: Normal
--------------------------------
I cannot see the problem. ??
#29
Hey,

Yes, I see from your pics it looks as it should be, yet when you look at the pics there are multiple invader Users & Groups (especially 'AdministratorS'). Perhaps they are hidden in the registry & aren't visible to you? I changed the settings on Imgur to Public, so now anyone can see them (the first 4). But here are the BB code links:

I'd not answered you on the IPs. Those IPs are suspicious. They are not the normal SA format. The Wifi IP I'm using for the past few days is 196.210... & my modem is 195 something. Using VPN it is 185.189... Must those 2 IPs be removed? How?

Please don't get mad with me? As my Bitdefender had expired & I can't afford a new Subscription, I needed to remove it, install Windscribe VPN to get a free trial again, and re-install Bitdefender. As soon as that's done, I'll use Revo Uninstaller to remove Windscribe.

Thanks Olgun, I must go & work if I am to eat tonight.
#30
Hi Sonic Feathers,

I got the pictures from another channel and I saw them. They do not appear in the reports.
---------
Uninstall the VPN software. It creates confusion for me.
--------------
UAC:
Please check UAC ===>> re-enable that feature.
Click Start > Control Panel > User Accounts > Change User Account Control settings and set it back to Always Notify.
Please send me the picture.
============================================
Run a cmd prompt as an admin by going Start - type cmd, then right click on cmd and select Run as administrator.

Enable the administrator account - it is not the same as the UAC one. From the admin command prompt:
Code:
net user administrator /active:yes

Now log out of your current account and you will see an administrator login. Click it and you should be able to load the desktop without a bunch of errors.
========================================
PC restart.

SecurityCheck
Please download SecurityCheck: LINK1 LINK2

Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.
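A read-only audit of the three things this thread keeps returning to (the UAC level Olgun asks to be set back to Always Notify, who is actually in the local Administrators group, and the per-interface DNS servers that RogueKiller reported as PUM.Dns), as an added example that is not part of the thread and not one of the tools the helper prescribes. It assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0), so it reads the standard registry keys and uses ADSI instead of Get-LocalGroupMember, which does not exist there; the "Always notify" value mapping is the documented one for the UAC slider.

```powershell
# Added example (not from the thread): read-only audit of UAC level, local
# Administrators membership, and per-interface DNS servers. Run elevated.

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    # "Always notify" on the UAC slider corresponds to EnableLUA=1,
    # ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1.
    $always = ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorAdmin -eq 2) -and
              ($p.PromptOnSecureDesktop -eq 1)
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        AlwaysNotify               = $always
    }
}

function Get-LocalAdministrators {
    # Enumerate the local Administrators group through the WinNT ADSI provider,
    # which is available on Windows 7 (Get-LocalGroupMember needs Windows 10).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Members come back as COM objects; ADsPath shows whether each is a
        # local account, a domain account, or a nested group.
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Get-InterfaceNameServers {
    # Statically configured DNS servers are stored per interface GUID in the
    # NameServer value; DHCP-assigned ones live in DhcpNameServer instead.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $base | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.NameServer) {
            New-Object PSObject -Property @{ Interface = $_.PSChildName; NameServer = $p.NameServer }
        }
    }
}

Write-Output '== UAC =='
Get-UacState | Format-List
Write-Output '== Local Administrators =='
Get-LocalAdministrators
Write-Output '== Static NameServer values (compare with the DNS your ISP/modem hands out) =='
Get-InterfaceNameServers | Format-Table -AutoSize
```

Re-running this after each step in the thread shows whether the UAC level or the Administrators membership changed behind the user's back, which is the kind of check the user asked for when he wanted to be "aware he has again changed UAC".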