#16
September 11th, 2017, 01:05 AM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
Hi,

I apologize for the late reply
-----------------------------------
C:\Program Files\HeavenWard

Do you recognise this programme?
And MTN Online?

_____________________________________

Uninstall:
C:\Program Files\Plumbytes Software
TeamViewer

==================================================
Code:
 Bitdefender Firewall (Disabled)
Do you use this program actively?
(Windows Firewall is enabled.) The Windows Firewall program seems to be active also!!
===========================================

Please do this;

Next, download ComboFix and save it to the Desktop.
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.
Please provide the contents of the ComboFix report in your reply.


#17
September 17th, 2017, 09:57 AM
Sonic Feathers
Member
 
Join Date: Sep 2017
Posts: 53
Hi Olgun,
It isn't you who should apologize for a late reply; sorry for this. I only get a chance on weekends to attend to this as I'm travelling & often without connectivity.
1) Heavenward is WinDetect (a Windows authorized program).
2) Plumbytes is anti-malware, which I'd tried to locate the hacker's backdoor with. It can go.
3) TeamViewer I use to assist my 84-year-old mother with correcting her computer. She's in the UK. It is set up one-way to see her computer & shouldn't permit access into my machine, but I will uninstall it so as to make your task easier.
4) MTN Online & HSPA (CellC/Vodacom) are both modems, which I alternate between depending on which network has the cheapest data. We have one of the top 5 highest data rates here, with areas being partly covered by one & partly covered by the other. So I need to swap from one to the other every so often.
You had asked me not to make changes until you complete your analysis, but I take it that if you are querying #1-4, I must uninstall those I can now (#2 & 3)?
2) Plumbytes was removed (don't know when); it was just an empty folder. Tried Bitdefender File Shredder BUT the hacker's UAC settings blocked me! As Administrator, I didn't have permission to delete this. This is the kind of nonsense he's caused for 18 months & why I need to get rid of him.
3) TeamViewer was successfully uninstalled with Revo Uninstaller on the Max setting.
#1 & 4 are left. I can remove (Heavenward's) WinDetect if you wish me to.

ComboFix didn't download the Recovery Console. Here's the standard installation scan log. If I must manually install the RC, please advise:

ComboFix 17-09-14.01 - Darryl 2017/09/17 9:47.1.2 - x86
Microsoft Windows 7 Home Basic 6.1.7601.1.1252.27.1033.18.2009.952 [GMT 2:00]
Running from: c:\users\Darryl\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *Disabled/Updated* {3FB17364-4FCC-0FA7-6BBF-973897395371}
FW: Bitdefender Firewall *Disabled* {078AF241-05A3-0EFF-40E0-3E0D69EA140A}
SP: Bitdefender Antispyware *Disabled/Updated* {84D09280-69F6-0029-510F-AC4AECBE19CC}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2017-08-17 to 2017-09-17 )))))))))))))))))))))))))))))))
.
.
2017-09-17 07:56 . 2017-09-17 07:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2017-09-09 15:31 . 2017-09-09 15:49 -------- d-----w- C:\FRST
2017-09-06 14:44 . 2017-09-06 14:51 -------- d-----w- c:\users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD}
2017-09-06 14:43 . 2017-09-06 21:55 -------- d-----w- c:\program files\Plumbytes Software
2017-09-04 18:01 . 2017-09-04 18:01 -------- d-----w- c:\program files\HeavenWard
2017-08-30 21:48 . 2017-09-06 18:15 -------- d-----w- c:\users\Darryl\AppData\Local\CrashDumps
2017-08-25 19:13 . 2017-08-25 19:13 -------- d-----w- c:\users\Darryl\Tracing
2017-08-22 19:12 . 2017-08-22 19:12 -------- dc----w- c:\windows\system32\DRVSTORE
2017-08-22 19:12 . 2017-09-03 21:50 -------- d-----w- c:\program files\HSPA USB Modem
2017-08-19 13:32 . 2017-07-07 15:10 973312 ----a-w- c:\windows\system32\DXPTaskRingtone.dll
2017-08-19 13:32 . 2017-08-01 15:16 497664 ----a-w- c:\windows\system32\win32spl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-08-12 13:30 . 2017-08-11 13:29 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2017-08-02 14:25 . 2016-08-10 08:54 773968 ----a-w- c:\windows\system32\msvcr100.dll
2017-07-29 14:50 . 2017-08-12 15:59 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2017-07-21 14:26 . 2017-08-12 15:59 282624 ----a-w- c:\windows\system32\mstext40.dll
2017-07-21 14:26 . 2017-08-12 15:59 518144 ----a-w- c:\windows\system32\msjetoledb40.dll
2017-07-21 14:26 . 2017-08-12 15:59 290816 ----a-w- c:\windows\system32\msjtes40.dll
2017-07-21 14:26 . 2017-08-12 15:59 409600 ----a-w- c:\windows\system32\msexch40.dll
2017-07-15 22:01 . 2017-07-15 22:01 57575 ----a-w- c:\programdata\dm.1500155999.bdinstall.bin
2017-07-15 21:55 . 2017-07-15 21:55 74691 ----a-w- c:\programdata\cl.kit.1500155180.bdinstall.bin
2017-07-15 21:55 . 2017-07-15 21:55 1758436 ----a-w- c:\programdata\cl.1500155237.bdinstall.bin
2017-07-15 20:40 . 2017-07-15 20:40 18534 ----a-w- c:\programdata\agent.1500151240.6004.bin
2017-07-15 20:40 . 2017-07-15 20:40 1509 ----a-w- c:\programdata\agent.1500151240.5952.bin
2017-07-15 20:40 . 2017-07-15 20:40 26269 ----a-w- c:\programdata\agent.1500151240.5692.bin
2017-07-15 20:40 . 2017-07-15 20:40 1146 ----a-w- c:\programdata\agent.1500151240.5696.bin
2017-07-15 09:00 . 2017-07-15 09:00 86016 ----a-w- c:\windows\system32\iesysprep.dll
2017-07-15 09:00 . 2017-07-15 09:00 74240 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2017-07-15 09:00 . 2017-07-15 09:00 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2017-07-15 09:00 . 2017-07-15 09:00 645120 ----a-w- c:\windows\system32\jsIntl.dll
2017-07-15 09:00 . 2017-07-15 09:00 48640 ----a-w- c:\windows\system32\mshtmler.dll
2017-07-15 09:00 . 2017-07-15 09:00 36352 ----a-w- c:\windows\system32\imgutil.dll
2017-07-15 09:00 . 2017-07-15 09:00 24576 ----a-w- c:\windows\system32\licmgr10.dll
2017-07-15 09:00 . 2017-07-15 09:00 194048 ----a-w- c:\windows\system32\elshyph.dll
2017-07-15 09:00 . 2017-07-15 09:00 182272 ----a-w- c:\windows\system32\msls31.dll
2017-07-15 09:00 . 2017-07-15 09:00 151552 ----a-w- c:\windows\system32\iexpress.exe
2017-07-15 09:00 . 2017-07-15 09:00 139264 ----a-w- c:\windows\system32\wextract.exe
2017-07-15 09:00 . 2017-07-15 09:00 13312 ----a-w- c:\windows\system32\mshta.exe
2017-07-15 09:00 . 2017-07-15 09:00 111616 ----a-w- c:\windows\system32\IEAdvpack.dll
2017-07-15 08:57 . 2017-07-15 08:57 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2017-07-15 08:57 . 2017-07-15 08:57 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 293376 ----a-w- c:\windows\system32\dxgi.dll
2017-07-15 08:57 . 2017-07-15 08:57 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2017-07-15 08:57 . 2017-07-15 08:57 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2017-07-15 08:57 . 2017-07-15 08:57 220160 ----a-w- c:\windows\system32\d3d10core.dll
2017-07-15 08:57 . 2017-07-15 08:57 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2017-07-15 08:57 . 2017-07-15 08:57 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2017-07-15 08:57 . 2017-07-15 08:57 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2017-07-15 08:57 . 2017-07-15 08:57 1080832 ----a-w- c:\windows\system32\d3d10.dll
2017-07-15 08:57 . 2017-07-15 08:57 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2017-07-15 05:07 . 2017-07-15 05:07 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD2B5F49-3985-4439-8ABF-29C286E91779}\offreg.1392.dll
2017-07-15 01:17 . 2017-07-15 01:17 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD2B5F49-3985-4439-8ABF-29C286E91779}\offreg.3044.dll
2017-07-14 15:10 . 2017-08-12 15:59 382976 ----a-w- c:\windows\system32\wer.dll
2017-07-14 15:10 . 2017-08-12 15:59 1549824 ----a-w- c:\windows\system32\tquery.dll
2017-07-14 15:10 . 2017-08-12 15:59 1363968 ----a-w- c:\windows\system32\Query.dll
2017-07-14 15:10 . 2017-08-12 15:59 666624 ----a-w- c:\windows\system32\mssvp.dll
2017-07-14 15:10 . 2017-08-12 15:59 1400320 ----a-w- c:\windows\system32\mssrch.dll
2017-07-14 15:10 . 2017-08-12 15:59 34816 ----a-w- c:\windows\system32\mssprxy.dll
2017-07-14 15:10 . 2017-08-12 15:59 337408 ----a-w- c:\windows\system32\mssph.dll
2017-07-14 15:10 . 2017-08-12 15:59 197120 ----a-w- c:\windows\system32\mssphtb.dll
2017-07-14 15:10 . 2017-08-12 15:59 104448 ----a-w- c:\windows\system32\mssitlb.dll
2017-07-14 15:10 . 2017-08-12 15:59 59392 ----a-w- c:\windows\system32\msscntrs.dll
2017-07-14 15:00 . 2017-08-12 15:59 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2017-07-14 15:00 . 2017-08-12 15:59 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2017-07-14 14:59 . 2017-08-12 15:59 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2017-07-14 14:59 . 2017-08-12 15:59 9728 ----a-w- c:\windows\system32\msshooks.dll
2017-07-14 14:50 . 2017-08-12 15:59 54272 ----a-w- c:\windows\system32\wermgr.exe
2017-07-14 14:50 . 2017-08-12 15:59 28672 ----a-w- c:\windows\system32\werdiagcontroller.dll
2017-07-14 10:57 . 2017-07-14 10:57 49152 ----a-w- c:\windows\system32\taskhost.exe
2017-07-14 10:53 . 2017-07-14 10:53 1505280 ----a-w- c:\windows\system32\d3d11.dll
2017-07-14 09:55 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2017-07-14 08:43 . 2017-07-14 08:43 10685920 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BD2B5F49-3985-4439-8ABF-29C286E91779}\mpengine.dll
2017-07-14 03:01 . 2017-08-12 15:59 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2017-07-14 03:00 . 2017-08-12 15:59 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2017-07-14 02:48 . 2017-08-12 15:59 62464 ----a-w- c:\windows\system32\iesetup.dll
2017-07-14 02:48 . 2017-08-12 15:59 499200 ----a-w- c:\windows\system32\vbscript.dll
2017-07-14 02:48 . 2017-08-12 15:59 47616 ----a-w- c:\windows\system32\ieetwproxystub.dll
2017-07-14 02:48 . 2017-08-12 15:59 341504 ----a-w- c:\windows\system32\html.iec
2017-07-14 02:47 . 2017-08-12 15:59 64000 ----a-w- c:\windows\system32\MshtmlDac.dll
2017-07-14 02:38 . 2017-08-12 15:59 104960 ----a-w- c:\windows\system32\ieetwcollector.exe
2017-07-14 02:38 . 2017-08-12 15:59 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2017-07-14 02:38 . 2017-08-12 15:59 620032 ----a-w- c:\windows\system32\jscript9diag.dll
2017-07-14 02:33 . 2017-08-12 15:59 667648 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2017-07-14 02:26 . 2017-08-12 15:59 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2017-07-14 02:25 . 2017-08-12 15:59 73216 ----a-w- c:\windows\system32\tdc.ocx
2017-07-14 02:17 . 2017-08-12 15:59 4546048 ----a-w- c:\windows\system32\jscript9.dll
2017-07-14 02:11 . 2017-08-12 15:59 2057216 ----a-w- c:\windows\system32\inetcpl.cpl
2017-07-14 02:11 . 2017-08-12 15:59 1155072 ----a-w- c:\windows\system32\mshtmlmedia.dll
2017-07-14 01:53 . 2017-08-12 15:59 2767872 ----a-w- c:\windows\system32\wininet.dll
2017-07-08 15:19 . 2017-08-12 15:59 250600 ----a-w- c:\windows\system32\clfs.sys
2017-07-08 14:51 . 2017-08-12 15:59 2402816 ----a-w- c:\windows\system32\win32k.sys
2017-07-07 15:15 . 2017-08-12 15:59 4001000 ----a-w- c:\windows\system32\ntkrnlpa.exe
2017-07-07 15:15 . 2017-08-12 15:59 3945192 ----a-w- c:\windows\system32\ntoskrnl.exe
2017-07-07 15:15 . 2017-08-12 15:59 296680 ----a-w- c:\windows\system32\drivers\volmgrx.sys
2017-07-07 15:15 . 2017-08-12 15:59 67304 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2017-07-07 15:15 . 2017-08-12 15:59 137960 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2017-07-07 15:13 . 2017-08-12 15:59 1310528 ----a-w- c:\windows\system32\ntdll.dll
2017-07-07 15:11 . 2017-08-12 15:59 65536 ----a-w- c:\windows\system32\TSpkg.dll
2017-07-07 15:11 . 2017-08-12 15:59 172032 ----a-w- c:\windows\system32\wdigest.dll
2017-07-07 15:11 . 2017-08-12 15:59 109568 ----a-w- c:\windows\system32\t2embed.dll
2017-07-07 15:11 . 2017-08-12 15:59 99840 ----a-w- c:\windows\system32\sspicli.dll
2017-07-07 15:11 . 2017-08-12 15:59 400896 ----a-w- c:\windows\system32\srcore.dll
2017-07-07 15:11 . 2017-08-12 15:59 43008 ----a-w- c:\windows\system32\srclient.dll
2017-07-07 15:11 . 2017-08-12 15:59 50176 ----a-w- c:\windows\system32\setbcdlocale.dll
2017-07-07 15:11 . 2017-08-12 15:59 655360 ----a-w- c:\windows\system32\rpcrt4.dll
2017-07-07 15:11 . 2017-08-12 15:59 254464 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bdagent"="c:\program files\Bitdefender\Bitdefender Security\bdagent.exe" [2017-08-31 304608]
"DevMon"="c:\progra~1\HSPAUS~1\Driver\DevMon.exe" [2013-12-06 45056]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2017-07-14 280576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BdBkpFolder\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-21 836896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
R2 FLAME II MTN MODEM Service;FLAME II MTN MODEM Service;c:\program files\MTN Online\ApplicationController.exe [2015-12-15 574464]
R2 Mobile Broadband HL Service;Mobile Broadband HL Service;c:\programdata\MobileBrServ\mbbservice.exe [2014-02-15 239184]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2017-06-01 317400]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2017-07-14 104960]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 Samsung UPD Service;Samsung UPD Service;c:\windows\System32\SUPDSvc.exe [2010-08-09 131888]
R3 SCDModem;SCDModem;c:\windows\system32\DRIVERS\SCDModem.sys [2016-02-01 22528]
R3 SCDSerials;SCDSerials;c:\windows\system32\DRIVERS\SCDSerials.sys [2016-02-01 22528]
R3 SCDUsbHub;SCDUsbHub;c:\windows\system32\DRIVERS\SCDUsbHub.sys [2016-02-01 15272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
S0 atc;atc;c:\windows\system32\DRIVERS\atc.sys [2017-06-07 740824]
S0 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [2017-04-19 1290472]
S0 bdprivmon;bdprivmon;c:\windows\system32\DRIVERS\bdprivmon.sys [2017-05-11 43064]
S0 gzflt;gzflt;c:\windows\system32\DRIVERS\gzflt.sys [2017-05-11 152784]
S0 Ignis;Ignis Service;c:\windows\system32\DRIVERS\ignis.sys [2017-06-08 282712]
S1 bdfwfpf;bdfwfpf;c:\program files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [2017-05-31 107168]
S1 BDVEDISK;BDVEDISK;c:\windows\system32\DRIVERS\bdvedisk.sys [2015-12-04 83824]
S1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\Drivers\SABI.sys [2009-05-28 10752]
S1 WinDetect;WinDetect driver;c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]
S2 bdredline;Bitdefender RedLine Service;c:\program files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe [2017-08-30 1847960]
S2 DevMgmtService;Bitdefender Device Management Service;c:\program files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [2017-06-27 87472]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 ProductAgentService;Bitdefender Product Agent Service;c:\program files\Bitdefender Agent\ProductAgentService.exe [2017-06-21 1269824]
S2 UPDATESRV;Bitdefender Desktop Update Service;c:\program files\Bitdefender\Bitdefender Security\updatesrv.exe [2017-08-31 175768]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2010-07-13 297000]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-02 33320]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2010-08-10 94208]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2017-04-20 25088]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-07-08 322336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
utcsvc REG_MULTI_SZ DiagTrack
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2017-09-04 13:58 1429848 ----a-w- c:\program files\Google\Chrome\Application\60.0.3112.113\Installer\chrmstp.exe
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.loveme.com/pickoftheday.shtml
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 168.210.2.2 196.14.239.2 168.210.2.2 196.14.239.2
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2384)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
.
Completion time: 2017-09-17 09:59:11
ComboFix-quarantined-files.txt 2017-09-17 07:59
.
Pre-Run: 87*531*749*376 bytes free
Post-Run: 87*500*939*264 bytes free
.
- - End Of File - - 7EC4294115713C906E7861A3EBF02A51
2E5DEBB2116B3417023E0D6562D7ED07

My continued thanks for your efforts to help remove this Pakistani & his access.
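Reading a ComboFix log by eye, as the helper does above, means scanning hundreds of near-identical lines for the few that merit a second look. The following script is an added example, not part of the thread, of ComboFix or of FRST: it parses the three record shapes that appear in the log posted above (file-creation lines, Run-key values and service/driver lines) into structured records and attaches review flags. The record formats, the flag heuristics and the TRUSTED_ROOTS list are this example's own assumptions, and the sample lines are copied from the log above as constructed input.

```python
"""Triage helper for ComboFix-style log lines.

Added example for the thread above; it is not part of ComboFix, FRST or the
forum's own material.  The record formats and the "review this" heuristics
are this script's own assumptions, modelled on the log posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "Files Created" / "Find3M" record:
#   <created> . <modified> <size|--------> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$"
)
# Run-key value under "Reg Loading Points":  "Name"="path" [date size]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)
# Service/driver record:  R2 name;display name;path [date size]
SVC_RE = re.compile(
    r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
# A {GUID}-named directory component, e.g. ...\AppData\Local\{12A8CCFE-...}
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}(\\|$)", re.I)
# Roots from which autostart entries are normally expected (assumption)
TRUSTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")


@dataclass
class Record:
    kind: str                 # "file", "run" or "service"
    path: str
    size: Optional[int]       # None for directory entries
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Record]:
    """Turn one log line into a Record, or None for headers, dots and other noise."""
    line = line.rstrip()
    m = FILE_RE.match(line)
    if m:
        size = None if m["size"].startswith("-") else int(m["size"])
        return Record("file", m["path"], size)
    m = RUN_RE.match(line)
    if m:
        return Record("run", m["path"], int(m["size"]))
    m = SVC_RE.match(line)
    if m:
        return Record("service", m["path"], int(m["size"]))
    return None


def flag_record(rec: Record) -> Record:
    """Attach review flags.  A flag means 'look at this', not 'this is malicious':
    the modem service in the sample is legitimate but still lives outside the
    usual roots, which is exactly why a human should confirm it."""
    p = rec.path.lower()
    if "\\appdata\\" in p and GUID_DIR.search(p):
        rec.flags.append("guid-named folder under AppData")
    if "\\temp\\" in p or p.endswith("\\temp"):
        rec.flags.append("temp location")
    if rec.kind in ("run", "service") and not p.startswith(TRUSTED_ROOTS):
        rec.flags.append("autostart outside Program Files/Windows")
    return rec


def triage(lines: List[str]) -> List[Record]:
    """Parse every recognisable line and flag it; unknown lines are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            out.append(flag_record(rec))
    return out


# Constructed input: lines copied from the ComboFix log posted in the thread.
SAMPLE_LINES = [
    "(((((( Files Created from 2017-08-17 to 2017-09-17 ))))))",
    ".",
    r"2017-09-17 07:56 . 2017-09-17 07:56 -------- d-----w- c:\users\Default\AppData\Local\temp",
    r"2017-09-06 14:44 . 2017-09-06 14:51 -------- d-----w- c:\users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD}",
    r"2017-08-19 13:32 . 2017-08-01 15:16 497664 ----a-w- c:\windows\system32\win32spl.dll",
    r'"Bdagent"="c:\program files\Bitdefender\Bitdefender Security\bdagent.exe" [2017-08-31 304608]',
    r'"DevMon"="c:\progra~1\HSPAUS~1\Driver\DevMon.exe" [2013-12-06 45056]',
    r"R2 Mobile Broadband HL Service;Mobile Broadband HL Service;c:\programdata\MobileBrServ\mbbservice.exe [2014-02-15 239184]",
    r"S1 WinDetect;WinDetect driver;c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        mark = "REVIEW" if rec.flags else "  ok  "
        print(f"{mark} {rec.kind:7} {rec.path}  {'; '.join(rec.flags)}")
```

Run it on a saved ComboFix.txt by reading the file into a list and passing it to triage(). On the sample, the GUID-named AppData folder, the Default profile's temp directory and the mobile-broadband service are flagged for review, while the Bitdefender agent, the DevMon Run entry (under the short-name root c:\progra~1) and the WinDetect driver are not; the flags are a reading aid for the log, not a verdict, which is why the poster's own explanation of each program still matters.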
#18
September 18th, 2017, 03:57 PM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
Hello,

Code:
I can remove (Heavenward's) Windetect if you wish me to.
Please uninstall with RevoUninstaller.
=============================================

ComboFix didn't download the Recovery console. Here's the standard installation Scan Log. If I must manually install the RC - please advise?:
OK. No problem.
================================================
Code:
My continued thanks for your efforts to help remove this Pakistani & his access.
How do you know it's Pakistani?

========================================

Run FRST fixlist:
Note: Run the tool (FRST) from your Desktop based on the instructions given. Farbar Recovery Scan Tool and the fixlist file should both be on the Desktop.

Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt
Code:
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} - G:\autorun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfb10-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfc34-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {77038b86-6a48-11e7-bf5e-90a4de6a0dc0} - G:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {8360031e-7f78-11e7-9ad5-90a4de6a0dc0} - F:\AutoRun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {afdbea82-90f2-11e7-96d7-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.loveme.com/pickoftheday.shtml
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-917511795-3256536166-560280740-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
CHR HKLM\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx
2017-07-17 23:38 - 2017-07-17 23:38 - 000000000 ____D C:\Users\Darryl\AppData\Local\TeamViewer
2017-07-16 21:55 - 2017-09-07 23:48 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\vlc
2017-07-16 13:13 - 2017-09-05 00:04 - 000000000 ____D C:\Program Files\TeamViewer
2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys
FirewallRules: [{65064C98-EE7E-4BAA-94E0-09E071C61E2A}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{48AB47C9-A327-4CE2-9B48-BF5C1A7AE14B}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{ED15DF0A-1C3D-498B-9990-ED691B1582BB}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{1F3C1B82-E6D1-4FAE-99B8-9934565F7034}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{0FC94F48-919C-4F44-B5CE-4FAEDE068F63}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{55580A67-06D4-477A-8E78-E14641BAC04D}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{36455591-EF8F-4136-80BA-CB9A3A692E4C}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{19E4B086-339C-441B-AFB1-F8E7195ADCED}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [10803440 2017-07-26] (TeamViewer GmbH)
R3 teamviewervpn; C:\windows\System32\DRIVERS\teamviewervpn.sys [25088 2017-04-20] (TeamViewer GmbH)
R1 WinDetect; C:\windows\system32\Drivers\windetect.sys [16720 2017-02-26] (HeavenWard)
2017-09-06 16:44 - 2017-09-06 16:51 - 000000000 ____D C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD}
2017-09-06 16:43 - 2017-09-06 23:55 - 000000000 ____D C:\Program Files\Plumbytes Software
2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard
2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\Program Files\HeavenWard
C:\Users\Darryl\AppData\Local\TeamViewer
2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys
C:\Users\Darryl\AppData\Local\Temp\runsetup.exe
C:\Program Files\TeamViewer\TeamViewer_Service.exe
C:\Users\Darryl\AppData\Local\Temp
C:\windows\wininit.ini
c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]
c:\windows\system32\DRIVERS\teamviewervpn.sys [2017-04-20 25088]
cmd: ipconfig /flushdns
Hosts:
EmptyTemp:
NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST, press the Fix button just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

-----------------------------------------------------------------------------------
Download RogueKiller:
http://tigzy.geekstogo.com/roguekiller.php

Select the version that applies to the system.
Save to the Desktop.

After closing all windows and browsers, right-click the downloaded RogueKiller file and select: Run as Administrator

At the program console, wait for the Prescan to finish. (Under Status, it says: Prescan finished.)

Press: SCAN

When done, a report opens on the drive: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
#19
September 19th, 2017, 08:04 PM
Sonic Feathers
Member
 
Join Date: Sep 2017
Posts: 53
Received

Hello Olgun,
I have your mail. Thanks, will comply & post as requested in due course. Not tonight as I prepare work for tomorrow.
Windetect will be removed.
His iPhone has been used & the password 'Pakistan' saved in Bitdefender Wallet. Also have coordinates of residences where the MacBook & Motorola were used, with other details.
Many thanks.
#20
September 20th, 2017, 11:30 AM
olgun52
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
Do not use Bitdefender Wallet for a while and test it.
I do not see any clues in your reports. Have you applied the instructions I have given?
#21
September 26th, 2017, 10:51 PM
Sonic Feathers
Member
 
Join Date: Sep 2017
Posts: 53
Hi Olgun, thanks for your patience. It was a long weekend; I couldn't do what was needed whilst with guests. Sorry.
First of all, a fool's admission: one of the things that had startled me before contacting you is that I had received a Gmail logon code via text to my mobile when I hadn't been trying to log on. I suspected it was the hacker again. But when this was repeated last week, I finally realised that when I'd been using TeamViewer to help my old mother, I had used 2-factor text verification to my number. I'm an idiot; the text was because she had been logging on & not selecting a voice call for 2x identification.

Ok, so I tried uninstalling WinDetect. No installation package found. So I killed it with Bitdefender, used WinDetect's uninstaller, then Regedit & deleted the keys for Heavenward & WinDetect. Only 2 legacy keys would not be deleted. I then went into Restore & was doing a restore when I got a bluescreen. I rebooted in safe mode & did the restore. It didn't complete for whatever reason & nothing was changed. I rebooted in normal mode & followed your instructions...

FRST:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2017 01
Ran by Darryl (administrator) on WIZARDS-PC (26-09-2017 21:44:11)
Running from C:\Users\Darryl\Desktop
Loaded Profiles: Darryl (Available Profiles: Darryl)
Platform: Microsoft Windows 7 Home Basic Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
() C:\Program Files\MTN Online\ApplicationController.exe
(Bitdefender) C:\Program Files\Bitdefender Agent\ProductAgentService.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe
() C:\Program Files\HSPA USB Modem\Driver\DevMon.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\bdwtxag.exe
(Samsung Electronics Co., Ltd.) C:\Program Files\Samsung\EasySpeedUpManager\EasySpeedUpManager.exe
(SEC) C:\Program Files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(SAMSUNG Electronics) C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
(Samsung Electronics) C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
() C:\Windows\Samsung\PanelMgr\SSMMgr.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
() C:\Program Files\HSPA USB Modem\HSPA USB Modem.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Security\seccenter.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Device Management\dmiface.exe
(Bitdefender) C:\Program Files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe [304608 2017-08-31] (Bitdefender)
HKLM\...\Run: [DevMon] => C:\Program Files\HSPA USB Modem\Driver\DevMon.exe [45056 2013-12-06] ()
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} - G:\autorun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfb10-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfc34-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {77038b86-6a48-11e7-bf5e-90a4de6a0dc0} - G:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {8360031e-7f78-11e7-9ad5-90a4de6a0dc0} - F:\AutoRun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {afdbea82-90f2-11e7-96d7-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\windows\System32\SPReview\SPReview.exe [280576 2017-07-14] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\BdBkpFolder [2017-08-02] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{61B8ADB1-26E9-4985-80C8-84B326C30146}: [NameServer] 41.50.20.61 41.50.20.29
Tcpip\..\Interfaces\{DD0E4987-FE7E-4B4E-BD96-BA9F8683CC36}: [DhcpNameServer] 192.168.8.1 192.168.8.1
Tcpip\..\Interfaces\{F481106B-D2B0-446C-818C-5B39B3DF0A40}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.loveme.com/pickoftheday.shtml
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-917511795-3256536166-560280740-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender Security\pmbxie.dll [2017-08-31] (Bitdefender)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_144\bin\ssv.dll [2017-08-12] (Oracle Corporation)
BHO: W2PBrowser Class -> {AA609D72-8482-4076-8991-8CDAE5B93BCB} -> C:\Program Files\Samsung AnyWeb Print\W2PBrowser.dll [2010-08-23] ()
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_144\bin\jp2ssv.dll [2017-08-12] (Oracle Corporation)
Toolbar: HKLM - Bitdefender Wallet - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - C:\Program Files\Bitdefender\Bitdefender Security\pmbxie.dll [2017-08-31] (Bitdefender)

FireFox:
========
FF HKLM\...\Firefox\Extensions: [bdwtwe@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdwteff
FF Extension: (Bitdefender Wallet) - C:\Program Files\Bitdefender\Bitdefender Security\bdwteff [2017-07-14]
FF HKLM\...\Thunderbird\Extensions: [bdThunderbird@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender Security\bdtbext
FF Extension: (Bitdefender Antispam Toolbar) - C:\Program Files\Bitdefender\Bitdefender Security\bdtbext [2017-07-14] [not signed]
FF Plugin: @java.com/DTPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\dtplugin\npDeployJava1.dll [2017-08-12] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.144.2 -> C:\Program Files\Java\jre1.8.0_144\bin\plugin2\npjp2.dll [2017-08-12] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-03-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-14] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-14] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)

Chrome:
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxp://www.loveme.com/mp/PickOfTheDay.shtml"
CHR DefaultSearchURL: Default -> hxxp://www.google.com/search?q={searchTerms}
CHR DefaultSearchKeyword: Default -> global
CHR Profile: C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default [2017-09-26]
CHR Extension: (Google Slides) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-07-14]
CHR Extension: (Kindle Cloud Reader) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\aicjkkmjijnlncpkailhjcdfkechjbpl [2017-07-18]
CHR Extension: (Google Docs) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-07-14]
CHR Extension: (Google Drive) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-14]
CHR Extension: (Authenticator) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhghoamapcdpbohphigoooaddinpkbai [2017-09-18]
CHR Extension: (YouTube) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-14]
CHR Extension: (Adblock Plus) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2017-07-18]
CHR Extension: (Google Sheets) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-07-14]
CHR Extension: (Bitdefender Wallet) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\gannpgaobkkhmpomoijebaigcapoeebl [2017-07-16]
CHR Extension: (Google Docs Offline) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-15]
CHR Extension: (Windscribe - Free VPN and Ad Block) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmpcagpplmpfojmgmnngilcnanddlhb [2017-08-04]
CHR Extension: (Ubuntu light-themes scrollbars) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\mikdfeaeaecoffpjoodiihgejnbfigln [2017-07-18]
CHR Extension: (Webutation) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfclfmabiojpommfcalfdgjjeaahnjbj [2017-09-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (Gmail) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-14]
CHR Extension: (Chrome Media Router) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-11]
CHR Profile: C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1 [2017-09-26]
CHR Extension: (Google Slides) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-09-08]
CHR Extension: (Google Docs) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2017-09-08]
CHR Extension: (Google Drive) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-09-08]
CHR Extension: (YouTube) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-09-08]
CHR Extension: (Google Sheets) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-09-08]
CHR Extension: (Bitdefender Wallet) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gannpgaobkkhmpomoijebaigcapoeebl [2017-09-08]
CHR Extension: (Google Docs Offline) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-09-08]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-08]
CHR Extension: (Gmail) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-09-08]
CHR Extension: (Chrome Media Router) - C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-09-08]
CHR Profile: C:\Users\Darryl\AppData\Local\Google\Chrome\User Data\System Profile [2017-09-26]
CHR HKLM\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 bdredline; C:\Program Files\Common Files\Bitdefender\SetupInformation\Bitdefender RedLine\bdredline.exe [1847960 2017-08-30] (Bitdefender)
R2 DevMgmtService; C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [87472 2017-06-27] (Bitdefender)
R2 FLAME II MTN MODEM Service; C:\Program Files\MTN Online\ApplicationController.exe [574464 2015-12-15] () [File not signed]
S2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [239184 2014-02-15] ()
R2 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [1269824 2017-06-21] (Bitdefender)
S3 Samsung UPD Service; C:\windows\System32\SUPDSvc.exe [131888 2010-08-09] (Samsung Electronics CO., LTD.)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe [175768 2017-08-31] (Bitdefender)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe [1229856 2017-08-31] (Bitdefender)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 atc; C:\windows\System32\DRIVERS\atc.sys [740824 2017-06-07] (BitDefender S.R.L. Bucharest, ROMANIA)
R0 avc3; C:\windows\System32\DRIVERS\avc3.sys [1290472 2017-04-19] (BitDefender)
R1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [107168 2017-05-31] (BitDefender LLC)
R0 bdprivmon; C:\windows\System32\DRIVERS\bdprivmon.sys [43064 2017-05-11] ( Bitdefender SRL)
R1 BDVEDISK; C:\windows\System32\DRIVERS\bdvedisk.sys [83824 2015-12-04] (BitDefender)
R3 btwampfl; C:\windows\System32\drivers\btwampfl.sys [297000 2010-07-14] (Broadcom Corporation.)
R3 ETD; C:\windows\System32\DRIVERS\ETD.sys [94208 2010-08-10] (ELAN Microelectronics Corp.)
R0 gzflt; C:\windows\System32\DRIVERS\gzflt.sys [152784 2017-05-11] (BitDefender LLC)
R3 hwdatacard; C:\windows\System32\DRIVERS\ZDDriver.sys [106496 2010-01-14] (ZD Secret Incorporated)
R0 Ignis; C:\windows\System32\DRIVERS\ignis.sys [282712 2017-06-08] (Bitdefender)
S3 SCDModem; C:\windows\System32\DRIVERS\SCDModem.sys [22528 2016-02-01] (SCD-MBB Device)
S3 SCDSerials; C:\windows\System32\DRIVERS\SCDSerials.sys [22528 2016-02-01] (SCD-MBB Device)
S3 SCDUsbHub; C:\windows\System32\DRIVERS\SCDUsbHub.sys [15272 2016-02-01] (DriverCoding Incorporated.)
S3 teamviewervpn; C:\windows\System32\DRIVERS\teamviewervpn.sys [25088 2017-04-20] (TeamViewer GmbH)
R0 trufos; C:\windows\System32\DRIVERS\trufos.sys [376664 2017-04-11] (BitDefender S.R.L.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-26 21:44 - 2017-09-26 21:45 - 000016171 _____ C:\Users\Darryl\Desktop\FRST.txt
2017-09-26 21:42 - 2017-09-26 21:42 - 000000000 ____D C:\Users\Darryl\Desktop\FRST-OlderVersion
2017-09-26 20:56 - 2017-09-26 20:56 - 000004974 _____ C:\Users\Darryl\Desktop\Fixlist.txt
2017-09-26 20:53 - 2017-09-26 20:53 - 000000114 ____H C:\Users\Darryl\Desktop\.~lock.RK.odt#
2017-09-26 19:49 - 2017-09-26 19:50 - 000023525 _____ C:\Users\Darryl\Desktop\RK.odt
2017-09-23 11:49 - 2017-08-14 19:35 - 001062912 ____N (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000655360 ____N (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000554496 ____N (Microsoft Corporation) C:\windows\system32\kerberos.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000261120 ____N (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000254464 ____N (Microsoft Corporation) C:\windows\system32\schannel.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000223232 ____N (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000172032 ____N (Microsoft Corporation) C:\windows\system32\wdigest.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000099840 ____N (Microsoft Corporation) C:\windows\system32\sspicli.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000082432 ____N (Microsoft Corporation) C:\windows\system32\bcrypt.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000065536 ____N (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000022016 ____N (Microsoft Corporation) C:\windows\system32\secur32.dll
2017-09-23 11:49 - 2017-08-14 19:35 - 000017408 ____N (Microsoft Corporation) C:\windows\system32\credssp.dll
2017-09-23 11:49 - 2017-08-13 23:26 - 000036352 ____N (Microsoft Corporation) C:\windows\system32\cryptbase.dll
2017-09-23 11:49 - 2017-08-13 23:26 - 000022016 ____N (Microsoft Corporation) C:\windows\system32\lsass.exe
2017-09-23 11:49 - 2017-08-13 23:26 - 000015872 ____N (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2017-09-19 21:07 - 2017-09-20 10:34 - 000023829 _____ C:\Users\Darryl\Desktop\Cybertech.odt
2017-09-18 13:38 - 2017-09-18 13:46 - 000027024 _____ C:\Users\Darryl\Documents\Begginers Guide.odt
2017-09-18 12:44 - 2017-09-18 15:11 - 000000772 _____ C:\Users\Darryl\Desktop\almooJTMD.txt
2017-09-18 11:15 - 2017-09-18 11:18 - 000000000 ____D C:\Users\Darryl\Desktop\Retard
2017-09-17 11:17 - 2017-09-17 11:17 - 000000000 ____D C:\Users\Darryl\AppData\Local\bdch
2017-09-17 11:17 - 2017-09-17 11:17 - 000000000 ____D C:\ProgramData\bdch
2017-09-17 09:59 - 2017-09-17 09:59 - 000017774 _____ C:\ComboFix.txt
2017-09-17 09:32 - 2017-09-17 09:59 - 000000000 ____D C:\Qoobox
2017-09-17 09:31 - 2017-09-17 09:57 - 000000000 ____D C:\windows\erdnt
2017-09-14 15:42 - 2017-08-16 17:10 - 000629760 ____N (Microsoft Corporation) C:\windows\system32\usp10.dll
2017-09-14 15:42 - 2017-08-15 17:10 - 012880896 ____N (Microsoft Corporation) C:\windows\system32\shell32.dll
2017-09-14 15:42 - 2017-08-13 18:24 - 002291200 ____N (Microsoft Corporation) C:\windows\system32\iertutil.dll
2017-09-14 15:42 - 2017-08-13 17:17 - 002767872 ____N (Microsoft Corporation) C:\windows\system32\wininet.dll
2017-09-14 15:42 - 2017-08-13 17:13 - 001314816 ____N (Microsoft Corporation) C:\windows\system32\urlmon.dll
2017-09-14 15:42 - 2017-08-11 08:21 - 001310528 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 001417728 ____N (Microsoft Corporation) C:\windows\system32\ole32.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000872448 ____N (Microsoft Corporation) C:\windows\system32\kernel32.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000644096 ____N (Microsoft Corporation) C:\windows\system32\advapi32.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000400896 ____N (Microsoft Corporation) C:\windows\system32\srcore.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000377344 ____N (Microsoft Corporation) C:\windows\system32\rpcss.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000294400 ____N (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000271360 ____N (Microsoft Corporation) C:\windows\system32\Wldap32.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000171008 ____N (Microsoft Corporation) C:\windows\system32\winsrv.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000038912 ____N (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000016384 ____N (Microsoft Corporation) C:\windows\system32\winnsi.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000008704 ____N (Microsoft Corporation) C:\windows\system32\nsi.dll
2017-09-14 15:42 - 2017-08-11 08:19 - 000006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2017-09-14 15:42 - 2017-08-11 07:55 - 000069632 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2017-09-10 14:58 - 2017-09-10 14:59 - 000287454 _____ C:\Users\Darryl\Desktop\RENASA COMMERCIAL POLICY WORDING Motor Section (1) (1).pdf
2017-09-09 17:49 - 2017-09-09 17:49 - 000194254 _____ C:\Users\Darryl\Desktop\FRST 2.txt
2017-09-09 17:49 - 2017-09-09 17:49 - 000039079 _____ C:\Users\Darryl\Desktop\Shortcut 2.txt
2017-09-09 17:49 - 2017-09-09 17:49 - 000028641 _____ C:\Users\Darryl\Desktop\Addition 2.txt
2017-09-09 17:47 - 2017-09-09 17:47 - 000039079 _____ C:\Users\Darryl\Desktop\Shortcut 1.txt
2017-09-09 17:46 - 2017-09-09 17:47 - 000193976 _____ C:\Users\Darryl\Desktop\FRST 1.txt
2017-09-09 17:46 - 2017-09-09 17:47 - 000028381 _____ C:\Users\Darryl\Desktop\Addition 1.txt
2017-09-09 17:31 - 2017-09-26 21:44 - 000000000 ____D C:\FRST
2017-09-09 17:28 - 2017-09-26 21:42 - 001795584 _____ (Farbar) C:\Users\Darryl\Desktop\FRST.exe
2017-09-08 22:21 - 2017-09-08 22:21 - 000000000 ____D C:\Users\Darryl\Downloads\hero Glow In Dark Font
2017-09-08 21:37 - 2017-09-08 21:37 - 000000000 ____D C:\Users\Darryl\Downloads\My_Fontspring_Fonts
2017-09-08 14:47 - 2017-09-08 14:47 - 000074827 _____ C:\Users\Darryl\Downloads\hero Glow In Dark Font.zip
2017-09-08 14:41 - 2017-09-08 14:41 - 000512864 _____ C:\Users\Darryl\Downloads\My_Fontspring_Fonts.zip
2017-09-08 12:45 - 2017-09-08 12:53 - 000000000 ____D C:\Users\Darryl\Desktop\Yulia 172970
2017-09-06 16:44 - 2017-09-06 16:51 - 000000000 ____D C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD}
2017-09-06 16:43 - 2017-09-06 23:55 - 000000000 ____D C:\Program Files\Plumbytes Software
2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard
2017-09-04 19:53 - 2017-09-04 19:53 - 001046776 _____ (HeavenWard) C:\Users\Darryl\Downloads\windetectsetup.exe
2017-09-03 01:35 - 2017-09-03 01:35 - 000000000 ____H C:\windows\system32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2017-09-01 21:26 - 2017-09-01 21:26 - 000073866 _____ C:\Users\Darryl\Downloads\Gloria Payment.pdf
2017-08-30 23:48 - 2017-09-06 20:15 - 000000000 ____D C:\Users\Darryl\AppData\Local\CrashDumps

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-26 21:40 - 2017-07-15 22:40 - 000000000 ____D C:\Program Files\Bitdefender Agent
2017-09-26 21:39 - 2009-07-26 22:06 - 000781790 _____ C:\windows\system32\PerfStringBackup.INI
2017-09-26 21:39 - 2009-07-14 04:37 - 000000000 ____D C:\windows\inf
2017-09-26 21:38 - 2009-07-14 06:34 - 000014512 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-09-26 21:38 - 2009-07-14 06:34 - 000014512 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-09-26 21:30 - 2009-07-14 06:53 - 000000006 ____H C:\windows\Tasks\SA.DAT
2017-09-26 21:30 - 2009-07-14 06:33 - 000298384 _____ C:\windows\system32\FNTCACHE.DAT
2017-09-26 21:29 - 2017-07-16 00:36 - 000048967 _____ C:\bdlog.txt
2017-09-26 21:25 - 2017-07-14 10:22 - 000064824 _____ C:\Users\Darryl\AppData\Local\GDIPFONTCACHEV1.DAT
2017-09-26 21:22 - 2017-07-16 13:13 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-09-26 21:10 - 2017-07-14 10:09 - 000000000 ____D C:\Users\Darryl
2017-09-26 21:07 - 2017-07-26 15:53 - 000000000 ____D C:\Users\Darryl\Desktop\OpenOffice 4.1.3 (en-US) Installation Files
2017-09-26 21:07 - 2017-07-16 21:55 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\vlc
2017-09-26 21:07 - 2017-07-16 19:28 - 000000000 ___RD C:\Program Files\Skype
2017-09-26 21:07 - 2017-07-16 19:28 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\Skype
2017-09-26 21:07 - 2017-07-16 19:28 - 000000000 ____D C:\Program Files\Common Files\Skype
2017-09-26 21:07 - 2011-04-06 04:33 - 000000000 ____D C:\ProgramData\WinClon
2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\windows\system32\NDF
2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\windows\rescache
2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\windows\PolicyDefinitions
2017-09-26 21:07 - 2009-07-14 04:37 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2017-09-26 21:06 - 2017-07-26 15:53 - 000000000 ____D C:\Users\Darryl\Downloads\OpenOffice 4.1.3 (en-US) Installation Files
2017-09-26 21:06 - 2009-07-14 04:37 - 000000000 ____D C:\windows\registration
2017-09-26 21:02 - 2017-07-14 10:13 - 000000000 ____D C:\ProgramData\Temp
2017-09-26 21:02 - 2011-04-06 04:27 - 000000000 ____D C:\ProgramData\Skype
2017-09-17 10:21 - 2017-07-17 23:38 - 000000000 ____D C:\Users\Darryl\AppData\Local\TeamViewer
2017-09-14 15:52 - 2017-07-14 10:41 - 000000000 ____D C:\windows\system32\MRT
2017-09-12 09:34 - 2017-08-05 16:25 - 000000000 ____D C:\Users\Darryl\AppData\Local\paint.net
2017-09-04 17:38 - 2017-07-20 23:09 - 001974226 _____ C:\windows\ntbtlog.txt
2017-09-04 16:01 - 2017-07-14 10:53 - 000002101 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-09-04 16:01 - 2017-07-14 10:53 - 000002089 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-09-04 00:02 - 2009-07-14 04:37 - 000000000 ____D C:\windows\ModemLogs
2017-09-03 23:50 - 2017-08-22 21:12 - 000000000 ____D C:\Program Files\HSPA USB Modem
2017-08-31 11:03 - 2017-07-15 23:51 - 000000000 ____D C:\ProgramData\Bitdefender

==================== Files in the root of some directories =======

2017-07-15 22:40 - 2017-07-15 22:40 - 000026269 _____ () C:\ProgramData\agent.1500151240.5692.bin
2017-07-15 22:40 - 2017-07-15 22:40 - 000001146 _____ () C:\ProgramData\agent.1500151240.5696.bin
2017-07-15 22:40 - 2017-07-15 22:40 - 000001509 _____ () C:\ProgramData\agent.1500151240.5952.bin
2017-07-15 22:40 - 2017-07-15 22:40 - 000018534 _____ () C:\ProgramData\agent.1500151240.6004.bin
2017-07-15 23:55 - 2017-07-15 23:55 - 001758436 _____ () C:\ProgramData\cl.1500155237.bdinstall.bin
2017-07-15 23:55 - 2017-07-15 23:55 - 000074691 _____ () C:\ProgramData\cl.kit.1500155180.bdinstall.bin
2017-07-16 00:01 - 2017-07-16 00:01 - 000057575 _____ () C:\ProgramData\dm.1500155999.bdinstall.bin

Some files in TEMP:
====================
2017-07-16 19:10 - 2012-11-09 13:50 - 000023040 _____ (Windows (R) 2000 DDK provider) C:\Users\Darryl\AppData\Local\Temp\DeviceSetup.exe
2017-08-19 14:08 - 2017-08-22 21:12 - 000023040 _____ (Windows (R) 2000 DDK provider) C:\Users\Darryl\AppData\Local\Temp\DeviceSetup32.exe
2017-08-12 14:20 - 2017-08-12 14:20 - 000740416 _____ (Oracle Corporation) C:\Users\Darryl\AppData\Local\Temp\jre-8u144-windows-au.exe
2017-08-19 14:07 - 2017-08-22 21:12 - 003118041 _____ () C:\Users\Darryl\AppData\Local\Temp\runsetup.exe
2017-07-16 13:25 - 2017-07-16 13:26 - 014456872 _____ (Microsoft Corporation) C:\Users\Darryl\AppData\Local\Temp\vc_redist.x86.exe
2017-09-26 21:44 - 2017-09-26 21:44 - 001594197 _____ () C:\Users\Darryl\AppData\Local\Temp\{319D0EF5-EAD7-4C70-B16C-C29FE8759610}-61.0.3163.100_60.0.3112.113_chrome_updater.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\explorer.exe => File is digitally signed
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-09-22 21:39

==================== End of FRST.txt ============================

Then:
Fix result of Farbar Recovery Scan Tool (x86) Version: 25-09-2017 01
Ran by Darryl (26-09-2017 21:48:14) Run:1
Running from C:\Users\Darryl\Desktop
Loaded Profiles: Darryl (Available Profiles: Darryl)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: F - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} - G:\autorun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfb10-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {6becfc34-876c-11e7-9b5a-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {77038b86-6a48-11e7-bf5e-90a4de6a0dc0} - G:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {8360031e-7f78-11e7-9ad5-90a4de6a0dc0} - F:\AutoRun.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {afdbea82-90f2-11e7-96d7-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\...\MountPoints2: {e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} - F:\setup.exe
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.loveme.com/pickoftheday.shtml
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-917511795-3256536166-560280740-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKLM\...\Chrome\Extension: [gannpgaobkkhmpomoijebaigcapoeebl] - hxxps://clients2.google.com/service/update2/crx
2017-07-17 23:38 - 2017-07-17 23:38 - 000000000 ____D C:\Users\Darryl\AppData\Local\TeamViewer
2017-07-16 21:55 - 2017-09-07 23:48 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\vlc
2017-07-16 13:13 - 2017-09-05 00:04 - 000000000 ____D C:\Program Files\TeamViewer
2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys
FirewallRules: [{65064C98-EE7E-4BAA-94E0-09E071C61E2A}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{48AB47C9-A327-4CE2-9B48-BF5C1A7AE14B}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{ED15DF0A-1C3D-498B-9990-ED691B1582BB}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{1F3C1B82-E6D1-4FAE-99B8-9934565F7034}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{0FC94F48-919C-4F44-B5CE-4FAEDE068F63}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{55580A67-06D4-477A-8E78-E14641BAC04D}] => (Allow) C:\Program Files\TeamViewer\TeamViewer.exe
FirewallRules: [{36455591-EF8F-4136-80BA-CB9A3A692E4C}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{19E4B086-339C-441B-AFB1-F8E7195ADCED}] => (Allow) C:\Program Files\TeamViewer\TeamViewer_Service.exe
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [10803440 2017-07-26] (TeamViewer GmbH)
R3 teamviewervpn; C:\windows\System32\DRIVERS\teamviewervpn.sys [25088 2017-04-20] (TeamViewer GmbH)
R1 WinDetect; C:\windows\system32\Drivers\windetect.sys [16720 2017-02-26] (HeavenWard)
2017-09-06 16:44 - 2017-09-06 16:51 - 000000000 ____D C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD}
2017-09-06 16:43 - 2017-09-06 23:55 - 000000000 ____D C:\Program Files\Plumbytes Software
2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard
2017-09-04 20:01 - 2017-09-04 20:01 - 000000000 ____D C:\Program Files\HeavenWard
C:\Users\Darryl\AppData\Local\TeamViewer
2017-07-16 13:13 - 2017-07-30 23:16 - 000000889 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-30 23:16 - 000000877 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-07-16 13:13 - 2017-07-18 00:58 - 000000000 ____D C:\Users\Darryl\AppData\Roaming\TeamViewer
2017-07-16 13:13 - 2017-04-20 09:27 - 000025088 _____ (TeamViewer GmbH) C:\windows\system32\Drivers\teamviewervpn.sys
C:\Users\Darryl\AppData\Local\Temp\runsetup.exe
C:\Program Files\TeamViewer\TeamViewer_Service.exe
C:\Users\Darryl\AppData\Local\Temp
C:\windows\wininit.ini
c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]
c:\windows\system32\DRIVERS\teamviewervpn.sys [2017-04-20 25088]
cmd: ipconfig /flushdns
Hosts:
EmptyTemp:
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F => key removed successfully.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{607f1b2b-74b3-11e7-97a5-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6becfb10-876c-11e7-9b5a-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{6becfb10-876c-11e7-9b5a-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6becfc34-876c-11e7-9b5a-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{6becfc34-876c-11e7-9b5a-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77038b86-6a48-11e7-bf5e-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{77038b86-6a48-11e7-bf5e-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8360031e-7f78-11e7-9ad5-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{8360031e-7f78-11e7-9ad5-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afdbea82-90f2-11e7-96d7-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{afdbea82-90f2-11e7-96d7-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} => key removed successfully.
HKLM\Software\Classes\CLSID\{e0d0c9a4-6990-11e7-9fa4-90a4de6a0dc0} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-917511795-3256536166-560280740-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully.
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-917511795-3256536166-560280740-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\gannpgaobkkhmpomoijebaigcapoeebl => key removed successfully.
C:\Users\Darryl\AppData\Local\TeamViewer => moved successfully
C:\Users\Darryl\AppData\Roaming\vlc => moved successfully
"C:\Program Files\TeamViewer" => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk" => not found.
"C:\Users\Public\Desktop\TeamViewer 12.lnk" => not found.
C:\Users\Darryl\AppData\Roaming\TeamViewer => moved successfully
C:\windows\system32\Drivers\teamviewervpn.sys => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{65064C98-EE7E-4BAA-94E0-09E071C61E2A} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{48AB47C9-A327-4CE2-9B48-BF5C1A7AE14B} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ED15DF0A-1C3D-498B-9990-ED691B1582BB} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1F3C1B82-E6D1-4FAE-99B8-9934565F7034} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0FC94F48-919C-4F44-B5CE-4FAEDE068F63} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{55580A67-06D4-477A-8E78-E14641BAC04D} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{36455591-EF8F-4136-80BA-CB9A3A692E4C} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{19E4B086-339C-441B-AFB1-F8E7195ADCED} => value not found.
TeamViewer => service not found.
HKLM\System\CurrentControlSet\Services\teamviewervpn => key removed successfully.
teamviewervpn => service removed successfully.
WinDetect => service not found.
C:\Users\Darryl\AppData\Local\{12A8CCFE-3C33-4995-BAD8-074E4C5B22FD} => moved successfully
C:\Program Files\Plumbytes Software => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HeavenWard => moved successfully
"C:\Program Files\HeavenWard" => not found.
"C:\Users\Darryl\AppData\Local\TeamViewer" => not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk" => not found.
"C:\Users\Public\Desktop\TeamViewer 12.lnk" => not found.
"C:\Users\Darryl\AppData\Roaming\TeamViewer" => not found.
"C:\windows\system32\Drivers\teamviewervpn.sys " => not found.
C:\Users\Darryl\AppData\Local\Temp\runsetup.exe => moved successfully
"C:\Program Files\TeamViewer\TeamViewer_Service.exe" => not found.

"C:\Users\Darryl\AppData\Local\Temp" folder move:

Could not move "C:\Users\Darryl\AppData\Local\Temp" => Scheduled to move on reboot.

C:\windows\wininit.ini => moved successfully
"c:\windows\system32\Drivers\windetect.sys [2017-02-26 16720]" => not found.
"c:\windows\system32\DRIVERS\teamviewervpn. sys [2017-04-20 25088]" => not found.

continued ....
IP Config....
  #22  
Old September 26th, 2017, 10:52 PM
Sonic Feathers Sonic Feathers is offline
Member
 
Join Date: Sep 2017
Posts: 53
Continued from previous post...

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 62164795 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 5074762 B
Edge => 0 B
Chrome => 436095307 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33460 B
Public => 0 B
ProgramData => 0 B
systemprofile => 29585179 B
LocalService => 6595956 B
NetworkService => 70634 B
Darryl => 87415813 B

RecycleBin => 14917527 B
EmptyTemp: => 620.2 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 26-09-2017 21:52:23)

C:\Users\Darryl\AppData\Local\Temp => moved successfully

==== End of Fixlog 21:52:23 ====


Addition Log:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-09-2017 01
Ran by Darryl (26-09-2017 21:45:56)
Running from C:\Users\Darryl\Desktop
Microsoft Windows 7 Home Basic Service Pack 1 (X86) (2017-07-14 08:09:26)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-917511795-3256536166-560280740-500 - Administrator - Disabled)
Darryl (S-1-5-21-917511795-3256536166-560280740-1000 - Administrator - Enabled) => C:\Users\Darryl
Guest (S-1-5-21-917511795-3256536166-560280740-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus (Disabled - Up to date) {3FB17364-4FCC-0FA7-6BBF-973897395371}
AS: Bitdefender Antispyware (Disabled - Up to date) {84D09280-69F6-0029-510F-AC4AECBE19CC}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bitdefender Firewall (Disabled) {078AF241-05A3-0EFF-40E0-3E0D69EA140A}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 10 ActiveX (HKLM\...\{FFB768E4-E427-4553-BC36-A11F5E62A94D}) (Version: 10.1.53.64 - Adobe Systems Incorporated)
Adobe Reader 9.1 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Atheros Client Installation Program (HKLM\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 9.0 - Atheros)
BatteryLifeExtender (HKLM\...\{E308B555-8434-4AF8-B66F-729897C75F93}) (Version: 1.0.6 - Samsung)
Bitdefender Agent (HKLM\...\Bitdefender Agent) (Version: 21.0.25.59 - Bitdefender)
Bitdefender Device Management (HKLM\...\Bitdefender Device Management) (Version: 22.0.8.114 - Bitdefender)
Bitdefender Total Security (HKLM\...\Bitdefender) (Version: 22.0.8.118 - Bitdefender)
Broadcom 802.11 Network Adapter (HKLM\...\Broadcom 802.11 Network Adapter) (Version: 5.60.48.55 - Broadcom Corporation)
CyberLink YouCam (HKLM\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 2.0.3911 - CyberLink Corp.)
Easy Display Manager (HKLM\...\{17283B95-21A8-4996-97DA-547A48DB266F}) (Version: 3.2 - Samsung Electronics Co., Ltd.)
Easy Network Manager (HKLM\...\{8732818E-CA78-4ACB-B077-22311BF4C0E4}) (Version: 4.4.7 - Samsung)
Easy SpeedUp Manager (HKLM\...\{EF367AA4-070B-493C-9575-85BE59D789C9}) (Version: 2.1.0.15 - Samsung Electronics Co.,Ltd.)
EasyBatteryManager (HKLM\...\{607DA1C8-34EC-4D7A-AD83-F8E5C70736DF}) (Version: 4.0.0.4 - Samsung)
ETDWare PS/2-X86 8.0.7.0_WHQL (HKLM\...\Elantech) (Version: 8.0.7.0 - ELAN Microelectronic Corp.)
Google Chrome (HKLM\...\Google Chrome) (Version: 60.0.3112.113 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
HSPA USB Modem (HKLM\...\HSPA USB Modem) (Version: 1.0.0.1 - HSPA USB Modem)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.2302 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.3.1001 - Intel Corporation)
Java 8 Update 144 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180144F0}) (Version: 8.0.1440.1 - Oracle Corporation)
K-Lite Codec Pack 12.2.5 Full (HKLM\...\KLiteCodecPack_is1) (Version: 12.2.5 - KLCP)
Marvell Miniport Driver (HKLM\...\Marvell Miniport Driver) (Version: 11.24.27.3 - Marvell)
Microsoft .NET Framework 4.7 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.02053 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Mobile Broadband HL Service (HKLM\...\Mobile Broadband HL Service) (Version: 22.001.25.00.03 - Huawei Technologies Co.,Ltd)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MTN Online (HKLM\...\MTN Online_is1) (Version: - TCT Mobile Limited)
OpenOffice 4.1.3 (HKLM\...\{EEA30AEB-8BA7-465B-85D4-098BB99733E7}) (Version: 4.13.9783 - Apache Software Foundation)
paint.net (HKLM\...\{02D89175-E08F-401B-BA30-8B7512B57723}) (Version: 4.0.17 - dotPDN LLC)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6176 - Realtek Semiconductor Corp.)
Samsung AnyWeb Print (HKLM\...\{1DF9729D-2A51-4CA1-B4CE-2B432D7ABA7C}) (Version: 1.0 - Samsung Electronics Co., Ltd.) Hidden
Samsung AnyWeb Print (HKLM\...\{318DBE01-1E6B-4243-84B0-210391FE789A}) (Version: 1.1.19.0 - Samsung Electronics Co., Ltd.)
Samsung Recovery Solution 5 (HKLM\...\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}) (Version: 5.0.0.6 - Samsung)
Samsung Support Center (HKLM\...\{F687E657-F636-44DF-8125-9FEEA2C362F5}) (Version: 1.1.24 - Samsung)
Samsung Universal Print Driver (HKLM\...\Samsung Universal Print Driver) (Version: 2.01.06.00:16 - Samsung Electronics Co., Ltd.)
Samsung Update Plus (HKLM\...\{142D8CA7-2C6F-45A7-83E3-099AAFD99133}) (Version: 3.0.0.17 - Samsung Electronics Co., Ltd.)
Skype™ 7.39 (HKLM\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.39.102 - Skype Technologies S.A.)
User Guide (HKLM\...\{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}) (Version: 1.0 - )
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WIDCOMM Bluetooth Software (HKLM\...\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.6200 - Broadcom Corporation)
Xvid Plus Codec Pack (HKLM\...\Xvid Plus Codec Pack) (Version: 1.00 - Xvid Plus Codec Pack)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{087B3AE3-E237-4467-B8DB-5A38AB959AC9}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{30A2652A-DDF7-45e7-ACA6-3EAB26FC8A4E}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{3B092F0C-7696-40E3-A80F-68D74DA84210}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{41662FC2-0D57-4aff-AB27-AD2E12E7C273}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{448BB771-CFE2-47C4-BCDF-1FBF378E202C}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{63542C48-9552-494A-84F7-73AA6A7C99C1}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{7B342DC4-139A-4a46-8A93-DB0827CCEE9C}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{7BC0E710-5703-45BE-A29D-5D46D8B39262}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\ooofilt.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{7FA8AE11-B3E3-4D88-AABF-255526CD1CE8}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{82154420-0FBF-11d4-8313-005004526AB4}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{AE424E85-F6DF-4910-A6A9-438797986431}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\propertyhdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\InprocServer32 -> C:\Program Files\OpenOffice 4\program\shlxthdl\shlxthdl.dll (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{D0484DE6-AAEE-468a-991F-8D4B0737B57A}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{D2D59CD1-0A6A-4D36-AE20-47817077D57C}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{E5A0B632-DFBA-4549-9346-E414DA06E6F8}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{EE5D1EA4-D445-4289-B2FC-55FC93693917}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
CustomCLSID: HKU\S-1-5-21-917511795-3256536166-560280740-1000_Classes\CLSID\{F616B81F-7BB8-4F22-B8A5-47428D59F8AD}\localserver32 -> C:\Program Files\OpenOffice 4\program\soffice.exe (Apache Software Foundation)
ContextMenuHandlers1: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)
ContextMenuHandlers4: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)
ContextMenuHandlers5: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\windows\system32\igfxpph.dll [2011-02-11] (Intel Corporation)
ContextMenuHandlers6: [BDFVCtxMenuExt] -> {9E96C1F5-0EFA-4348-9460-15D6802C70AA} => C:\Program Files\Bitdefender\Bitdefender Security\bdfvsctx.dll [2017-08-30] (Bitdefender)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {02626086-B4DC-4B5F-A57A-E67C95226B3B} - C:\Windows\System32\Tasks\EasySpeedUpManager => Command(1): "%programfiles%\Samsung\EasySpeedUpManager\EasySpeedUpManager2.exe" -> /s
Task: {02626086-B4DC-4B5F-A57A-E67C95226B3B} - C:\Windows\System32\Tasks\EasySpeedUpManager => Command(2): C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe [2010-02-10] (Samsung Electronics Co., Ltd.)
Task: {0506265F-CCE6-4722-86A0-3EB2217B40C3} - System32\Tasks\SamsungSupportCenter => C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe [2011-02-07] (SAMSUNG Electronics)
Task: {3276D76B-0957-4260-B5FA-981D96F9B17B} - System32\Tasks\EasyDisplayMgr => C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe [2010-08-09] (Samsung Electronics Co., Ltd.)
Task: {6B2B613C-02AF-49C9-B3CF-13C98432B417} - System32\Tasks\SUPBackground => C:\Program Files\Samsung\Samsung Update Plus\SUPBackground.exe [2010-08-27] (Samsung Electronics)
Task: {6EC0F541-9061-4D48-BC4E-B7CE6F94EFBF} - System32\Tasks\BatteryLifeExtender => C:\Program Files\Samsung\BatteryLifeExtender\BatteryLifeExtender.exe [2010-08-12] (Samsung Electronics. Co. Ltd.)
Task: {7DB02692-2037-4B2C-9220-05A7B1448AB8} - System32\Tasks\Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864 => C:\Program Files\Bitdefender Agent\WatchDog.exe [2017-06-21] (Bitdefender)
Task: {AE2EF44D-5E1A-445C-BE28-EE49DD6B727F} - System32\Tasks\Microsoft\Windows\Setup\EOSNotify => C:\windows\system32\EOSNotify.exe [2016-06-25] (Microsoft Corporation)
Task: {B30CFFD6-C26F-494D-BD5E-1B88135D6667} - System32\Tasks\EasyBatteryManager => C:\Program Files\Samsung\EasyBatteryManager\EasyBatteryMgr4.exe [2010-07-20] (SAMSUNG Electronics co., LTD.)
Task: {B5CB4607-8B4C-4A45-8D4A-475764C3454F} - System32\Tasks\{429FD52C-A832-4207-8A7E-20E682FD8515} => C:\windows\system32\pcalua.exe -a G:\setup.exe -d G:\
Task: {CFCFCB43-8880-49B7-9683-4DD6AE0F8056} - System32\Tasks\advSRS5 => C:\Program Files\Samsung\Samsung Recovery Solution 5\WCScheduler.exe [2010-07-27] (SEC)
Task: {DB0B9A2A-1D5A-4BFD-8EA1-703BEB197FD5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-07-14] (Google Inc.)
Task: {DF6907F2-A9D6-4E5B-837A-1829D5A652CF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2017-07-14] (Google Inc.)
Task: {E1808027-8070-4E55-99F2-128F1F02B1D1} - System32\Tasks\{CC1C8BBB-550A-4CA1-953C-5D21EA5C48EF} => "c:\program files\google\chrome\application\chrome.exe" hxxps://ui.skype.com/ui/0/7.38.0.101/en/abandoninstall?source=lightinstaller&page=tsInstall

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2017-07-15 23:53 - 2013-09-03 14:29 - 000105448 _____ () C:\Program Files\Bitdefender\Bitdefender Security\bdmetrics.dll
2017-07-15 23:54 - 2017-02-07 12:42 - 000859344 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpbr.mdl
2017-07-15 23:54 - 2017-02-07 12:42 - 000466568 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpdsp.mdl
2017-07-15 23:54 - 2017-02-07 12:42 - 002660936 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttpph.mdl
2017-07-15 23:54 - 2017-02-07 12:42 - 001303008 _____ () C:\Program Files\Bitdefender\Bitdefender Security\otengines_001_001\ashttprbl.mdl
2011-04-06 04:32 - 2008-06-05 01:53 - 000026624 _____ () C:\windows\System32\spd__l.dll
2017-07-31 19:40 - 2015-12-15 15:02 - 000574464 _____ () C:\Program Files\MTN Online\ApplicationController.exe
2017-07-31 19:40 - 2016-02-01 11:11 - 000011362 _____ () C:\Program Files\MTN Online\mingwm10.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 000043008 _____ () C:\Program Files\MTN Online\libgcc_s_dw2-1.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 002537472 _____ () C:\Program Files\MTN Online\QtCore4.dll
2017-07-31 19:40 - 2015-12-15 14:58 - 001054208 _____ () C:\Program Files\MTN Online\Common.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 009814016 _____ () C:\Program Files\MTN Online\QtGui4.dll
2017-07-31 19:40 - 2016-02-01 11:11 - 001140224 _____ () C:\Program Files\MTN Online\QtNetwork4.dll
2017-08-22 21:12 - 2013-12-06 11:01 - 000045056 _____ () C:\Program Files\HSPA USB Modem\Driver\DevMon.exe
2011-04-06 04:30 - 2006-08-12 05:48 - 000049152 _____ () C:\Program Files\Samsung\Easy Display Manager\HookDllPS2.dll
2011-04-06 04:33 - 2010-05-07 16:22 - 001636864 _____ () C:\Program Files\Samsung\Samsung Recovery Solution 5\Resdll.dll
2011-04-06 04:33 - 2010-06-08 05:15 - 000618496 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe
2017-08-22 21:12 - 2014-03-10 10:16 - 002088960 _____ () C:\Program Files\HSPA USB Modem\HSPA USB Modem.exe
2017-08-22 21:12 - 2014-01-13 11:45 - 004620288 _____ () C:\Program Files\HSPA USB Modem\lang\Common_DataCrad.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:04 - 2017-09-26 21:31 - 000000824 _____ C:\windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-917511795-3256536166-560280740-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Darryl\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 41.50.20.61 - 41.50.20.29
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{B807B4BA-1DC9-44A5-8946-253559FA7C16}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{1A7B83C8-FAA8-4462-BB18-27F84A9956A0}] => (Allow) C:\Windows\System32\SUPDSvc.exe
FirewallRules: [{A65094D5-6822-498D-A50A-62CDE3A085D2}] => (Allow) C:\Windows\System32\SUPDSvc.exe
FirewallRules: [{FB4CB921-5CB8-40F4-8A39-49E0FD3E0431}] => (Allow) C:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{16F6BCFE-B6EF-40F0-993A-6703936D0B21}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

06-09-2017 23:48:04 Revo Uninstaller's restore point - Plumbytes Anti-Malware 2017
14-09-2017 15:43:38 Windows Update
17-09-2017 09:44:11 ComboFix created restore point
17-09-2017 10:19:10 Revo Uninstaller's restore point - TeamViewer 12
18-09-2017 11:12:53 Windows Update
23-09-2017 11:49:34 Windows Update
26-09-2017 21:17:23 Revo Uninstaller's restore point - TeamViewer 12
26-09-2017 21:20:39 Revo Uninstaller's restore point - TeamViewer 12
26-09-2017 21:22:20 Windows Backup

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/26/2017 09:39:04 PM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={4396A617-B9F5-48A0-9966-BDC261D0CE9D}: The user WIZARDS-PC\Darryl dialed a connection named Cell-C which has failed. The error code returned on failure is 0.

Error: (09/26/2017 09:31:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Faulting module name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Exception code: 0xc0000005
Fault offset: 0x00017a12
Faulting process id: 0x714
Faulting application start time: 0x01d336fdf5287a48
Faulting application path: C:\ProgramData\MobileBrServ\mbbservice.exe
Faulting module path: C:\ProgramData\MobileBrServ\mbbservice.exe
Report Id: 3bd73ce5-a2f1-11e7-a949-90a4de6a0dc0

Error: (09/26/2017 09:28:09 PM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. The error is: The filename, directory name, or volume label syntax is incorrect. (0x8007007B).

Error: (09/26/2017 09:17:22 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {e9582167-e0d8-4ea9-bde3-e821d3da9853}

Error: (09/26/2017 09:11:49 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Windetect d/l). Additional information: 0xc0000022.

Error: (09/26/2017 09:11:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Faulting module name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Exception code: 0xc0000005
Fault offset: 0x00017a12
Faulting process id: 0x294
Faulting application start time: 0x01d336fb2b845a08
Faulting application path: C:\ProgramData\MobileBrServ\mbbservice.exe
Faulting module path: C:\ProgramData\MobileBrServ\mbbservice.exe
Report Id: 723118f1-a2ee-11e7-81ef-90a4de6a0dc0

Error: (09/26/2017 08:35:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Faulting module name: mbbservice.exe, version: 22.24.0.3, time stamp: 0x52ff0cc9
Exception code: 0xc0000005
Fault offset: 0x00017a12
Faulting process id: 0x8a4
Faulting application start time: 0x01d336f63fab2187
Faulting application path: C:\ProgramData\MobileBrServ\mbbservice.exe
Faulting module path: C:\ProgramData\MobileBrServ\mbbservice.exe
Report Id: 8654d342-a2e9-11e7-8a33-90a4de880e61

Error: (09/26/2017 05:35:17 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Samsung\BatteryLifeExtender\Drv\SABI2x64\KStartMem.exe.Manifest".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/26/2017 05:35:09 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Program Files\Samsung\Samsung Support Center\Drv\drv2x64\KStartMem.exe.Manifest".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/26/2017 05:34:14 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\samsung\easy display manager\RunGfxUI64.exe".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (09/26/2017 09:34:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 600000 milliseconds: Restart the service.

Error: (09/26/2017 09:33:06 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (09/26/2017 09:31:05 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
atc

Error: (09/26/2017 09:31:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Mobile Broadband HL Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (09/26/2017 09:31:04 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Mobile Broadband HL Service service to connect.

Error: (09/26/2017 09:30:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Diagnostics Tracking Service service terminated with the following error:
General access denied error

Error: (09/26/2017 09:24:16 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 600000 milliseconds: Restart the service.

Error: (09/26/2017 09:14:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 600000 milliseconds: Restart the service.

Error: (09/26/2017 09:13:14 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Bitdefender RedLine Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (09/26/2017 09:11:17 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Background Intelligent Transfer Service service terminated with service-specific error General access denied error
.


==================== Memory info ===========================

Processor: Celeron(R) Dual-Core CPU T3500 @ 2.10GHz
Percentage of memory in use: 66%
Total physical RAM: 2008.61 MB
Available physical RAM: 669.7 MB
Total Virtual: 2308.61 MB
Available Virtual: 982.3 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:114 GB) (Free:80.4 GB) NTFS
Drive d: () (Fixed) (Total:168.77 GB) (Free:124.37 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 29AB717C)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=114 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=168.8 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=15.2 GB) - (Type=27)

==================== End of Addition.txt ============================


RogueKiller:
RogueKiller V12.11.17.0 [Sep 25 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Darryl [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 09/26/2017 22:39:43 (Duration : 00:27:23)

Processes : 0

Registry : 1
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61B8ADB1-26E9-4985-80C8-84B326C30146} | NameServer : 41.50.20.61 41.50.20.29 ([South Africa][-]) -> Found

Tasks : 1
[Hj.Shortcut] \{CC1C8BBB-550A-4CA1-953C-5D21EA5C48EF} -- "c:\program files\google\chrome\application\chrome.exe" (https://ui.skype.com/ui/0/7.38.0.101...page=tsInstall) -> Found

Files : 0

WMI : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 2
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.loveme.com/mp/PickOfTheDay.shtml] -> Found
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [global] -> Found

MBR Check :
+++++ PhysicalDrive0: WDC WD3200BPVT-35ZEST0 +++++
--- User ---
[MBR] 5130ed095ebe77edeba5e0aa3712f416
[BSP] 622503cd16bda2641ea5679500556658 : Kiwi|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 116736 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 239282176 | Size: 172824 MB
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 593225728 | Size: 15582 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: 3G USB MMC Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

I hope that the 4 Malware occurrences are there, if not please ask me to find & post them & I'll do it. Many thanks Olgun.
  #23  
Old September 27th, 2017, 12:48 AM
olgun52 olgun52 is offline
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
Hi Sonic Feathers,

Okay.
Quote:
I hope that the 4 Malware occurrences are there, if not please ask me to find & post them & I'll do it.
Sorry. I didn't fully understand.

===========

Please post a fresh FRST logfile for my check. (Frst.txt and Additional.txt)
  #24  
Old September 28th, 2017, 02:42 AM
Sonic Feathers Sonic Feathers is offline
Member
 
Join Date: Sep 2017
Posts: 53
How to stop hacker (using UAC)

Hello, No sweat Olgun. RK found 4 Malware entries.
RogueKiller V12.11.17.0 [Sep 25 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Darryl [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 09/26/2017 22:39:43 (Duration : 00:27:23)

Processes : 0

Registry : 1
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61B8ADB1-26E9-4985-80C8-84B326C30146} | NameServer : 41.50.20.61 41.50.20.29 ([South Africa][-]) -> Found

Tasks : 1
[Hj.Shortcut] \{CC1C8BBB-550A-4CA1-953C-5D21EA5C48EF} -- "c:\program files\google\chrome\application\chrome.exe" (https://ui.skype.com/ui/0/7.38.0.101...page=tsInstall) -> Found

Files : 0

WMI : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 2
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.loveme.com/mp/PickOfTheDay.shtml] -> Found
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [global] -> Found

MBR Check :
+++++ PhysicalDrive0: WDC WD3200BPVT-35ZEST0 +++++
--- User ---
[MBR] 5130ed095ebe77edeba5e0aa3712f416
[BSP] 622503cd16bda2641ea5679500556658 : Kiwi|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 116736 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 239282176 | Size: 172824 MB
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 593225728 | Size: 15582 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: 3G USB MMC Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

As a .Jpg
https://imgur.com/a/vS4Fc

Hope that is a help. 03:30, I'll check back when next I can for your instruction. Thanks.
  #25  
Old September 28th, 2017, 11:08 PM
olgun52 olgun52 is offline
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
Quote:
Web browsers : 2
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.loveme.com/mp/PickOfTheDay.shtml] -> Found
[PUM.SearchPage][Chrome:Config] Default [SecurePrefs] : default_search_provider_data.template_url_data.keyword [global] -> Found
If necessary: Instructions on how to back up your Favourites/Bookmarks. Please do the following;
Delete your cache, history, and other browser data

https://support.google.com/chrome/answer/95582?hl=en
Next >>
Reset Chrome browser settings https://support.google.com/chrome/answer/3296214?hl=en


If HomePage and SearchPage do not fix problems, please do the following;

Make Google my default search engine
https://support.google.com/websearch/answer/464?hl=en

or;
Change your Google Search browser settings
https://support.google.com/websearch..._topic=3036131

Make Google your homepage
https://support.google.com/websearch..._topic=3036131

=======================================================

Quote:
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{61B8ADB1-26E9-4985-80C8-84B326C30146} | NameServer : 41.50.20.61 41.50.20.29 ([South Africa][-]) -> Found
Is this IP number information yours? Are you writing from South Africa?
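The [PUM.Dns] line quoted above comes from the per-interface NameServer value under the Tcpip\Parameters\Interfaces registry key; a non-empty value there means the resolvers were set statically rather than handed out by DHCP. The following PowerShell script is an added example (it is not from this thread, nor a RogueKiller or Bitdefender tool) that lists that value for every interface and flags any statically configured server that is not in a list of resolvers you expect. The `$KnownGood` list and its placeholder address are assumptions to be replaced with your own router, ISP or VPN resolvers. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: audit the DNS servers configured on each
# network interface, reading the same registry location RogueKiller reports as
# [PUM.Dns]. Run from an elevated PowerShell prompt.
# $KnownGood is an assumed list: put the resolvers you expect here (router, ISP
# or VPN provider). Any statically set server outside it is flagged for review.
$KnownGood = @('192.168.0.1')   # placeholder value, replace with your own

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

# Map interface GUIDs to adapter descriptions so the output is readable.
$adapters = @{}
Get-WmiObject Win32_NetworkAdapterConfiguration | ForEach-Object {
    $adapters[$_.SettingID] = $_.Description
}

function Get-DnsAudit {
    Get-ChildItem -Path $base | ForEach-Object {
        $guid  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $name  = if ($adapters.ContainsKey($guid)) { $adapters[$guid] } else { $guid }

        # NameServer holds statically configured resolvers (this is the value
        # the PUM.Dns line shows); DhcpNameServer holds what DHCP handed out.
        if ($props.NameServer) {
            $servers = @($props.NameServer -split '[ ,]+' | Where-Object { $_ })
            $unknown = @($servers | Where-Object { $KnownGood -notcontains $_ })
            $status  = if ($unknown.Count -gt 0) { 'REVIEW' } else { 'OK' }
            New-Object PSObject -Property @{
                Status = $status; Interface = $name; Source = 'static'
                Servers = ($servers -join ', '); Unknown = ($unknown -join ', ')
            }
        } elseif ($props.DhcpNameServer) {
            New-Object PSObject -Property @{
                Status = 'OK'; Interface = $name; Source = 'DHCP'
                Servers = $props.DhcpNameServer; Unknown = ''
            }
        }
    }
}

Get-DnsAudit | Format-Table Status, Source, Servers, Unknown, Interface -AutoSize
```

An interface reported as `REVIEW` is one whose resolvers were set by hand (or by software) rather than by DHCP. If that is not something you did, the usual fix is to put the adapter back on DHCP-assigned DNS with `netsh interface ipv4 set dnsservers name="<adapter name>" source=dhcp` and then clear the cache with `ipconfig /flushdns`, after which the script should show the interface as `DHCP`. The script only uses cmdlets that exist in PowerShell 2.0, so it runs on a stock Windows 7 installation as well as on Windows 10.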
  #26  
Old September 28th, 2017, 11:19 PM
olgun52 olgun52 is offline
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
Quote:
Bitdefender Firewall
Windows Firewall is enabled.
Do you also use Bitdefender Firewall?

Two firewalls can render the system unstable.
  #27  
Old October 1st, 2017, 03:25 PM
Sonic Feathers Sonic Feathers is offline
Member
 
Join Date: Sep 2017
Posts: 53
Hi Olgun,
All done as you'd suggested. I'll use Revo Uninstaller & BD to check that all record is cleaned.

Tell me, is it time that we can look at correcting the UAC & get rid of the illicit Users and Groups? The hacker as well ('Administrators', because he has me locked out of many Admin tasks). I am sure he has something buried on the HDD that notifies him of changes automatically, which then runs some script that resets UAC as he wants for easy access. I have taken some screen shots of some of the Properties so that you can see what he's been up to. Please remember that I am the sole user of the machine, so Groups should not exist. The original Administrator account was WIZARDS-PC\Darryl Administrator. Even that has been changed to Wizards-PC Administrator, which is a previous form from before Factory Reset, in some instances. Often I get 'you do not have permission to alter XXX' (e.g. ... this value).

Can the UAC be locked somehow to stop any changes without 2x Factor Authentication please? At least then I would be aware he has again changed UAC.
Sorry the pics have got mixed up a bit.
https://i.imgur.com/bI1ycts.jpg
https://i.imgur.com/B4UfLMs.jpg
https://i.imgur.com/xZXbNyH.jpg
https://i.imgur.com/wehRS20.jpg

Ok? I'll try to get back to your reply as soon as possible, it's going to be a heavy week. Many thanks Olgun.
  #28  
Old October 1st, 2017, 09:48 PM
olgun52 olgun52 is offline
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
I cannot reach the links you sent.

=============

Quote:
Tell me is it time that we can look at the correcting the UAC & get rid of the illicit User and Groups?

The hacker as well ('Administrators', because he has me locked out of many Admin tasks).

I am sure he has something buried on the HDD that notifies him of changes automatically that then runs some script that resets UAC as he wants for easy access.
According to which data?

Quote:
The original Administrator account was WIZARDS-PC\Darryl Administrator.
ComboFix 17-09-14.01 - Darryl 2017/09/17 9:47.1.2 - x86
-------------------
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-09-2017 01
Ran by Darryl (administrator) on WIZARDS-PC (26-09-2017 21:44:11)
Running from C:\Users\Darryl\Desktop
Loaded Profiles: Darryl (Available Profiles: Darryl)
Platform: Microsoft Windows 7 Home Basic Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
-------------------------
Addition Log:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-09-2017 01
Ran by Darryl (26-09-2017 21:45:56)
Running from C:\Users\Darryl\Desktop
Microsoft Windows 7 Home Basic Service Pack 1 (X86) (2017-07-14 08:09:26)
Boot Mode: Normal
--------------------------------

I cannot see the problem.
  #29  
Old October 2nd, 2017, 09:59 AM
Sonic Feathers Sonic Feathers is offline
Member
 
Join Date: Sep 2017
Posts: 53
Hey,
Yes, I see from your pics it looks as it should be, yet when you look at the pics, there are multiple invader Users & Groups (especially 'AdministratorS'). Perhaps they are hidden in the registry & aren't visible to you? I changed the settings on Imgur to Public, now anyone can see them (the first 4). But here are the BB code links:

I'd not answered you on the IPs. Those IPs are suspicious. They are not normal SA format. The Wifi IP I'm using for the past few days is 196.210... & my modem is 195 something. Using VPN it is 185.189... Must those 2 IPs be removed? How?

Please don't get mad with me. As my Bitdefender had expired & I can't afford a new subscription, I needed to remove it, install Windscribe VPN to get a free trial again, and re-install Bitdefender. As soon as that's done, I'll use Revo Uninstaller to remove Windscribe.

Thanks Olgun, I must go & work if I am to eat tonight.
  #30  
Old October 2nd, 2017, 04:25 PM
olgun52 olgun52 is offline
Malware Removal Team
 
Join Date: Feb 2014
O/S: Windows 10 Pro
Location: Europa
Posts: 2,064
Hi Sonic Feathers,

I got the pictures from another channel and I saw them. They do not appear in the reports.
---------
Uninstall the VPN software. It creates confusion for me.
--------------
UAC:
Please check UAC and re-enable that feature: Click Start > Control Panel > User Accounts > Change User Account Control settings and set it back to Always Notify.

Please send me the picture.

============================================

Run a cmd prompt as an admin by going to Start, typing cmd, then right-clicking on cmd and selecting Run as administrator.
Enable the administrator account - it is not the same as the UAC one.

From admin command prompt :
net user administrator /active:yes

Now log out of your current account and you will see an administrator login. Click it and you should be able to load the desktop without a bunch of errors.
========================================

PC restart.

SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finishes, checkup.txt will open. Copy its content to your thread.
=========================

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
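The UAC setting and the built-in administrator account that the steps above touch both live in places that can be read back later, which is the practical answer to the earlier worry that UAC might be changed again without anyone noticing. The following PowerShell script is an added example (not from this thread, and not one of the tools the helper asks for) that records the UAC policy values, the local accounts and the members of the local Administrators group into a baseline file, and on every later run reports what has changed. The baseline path is an assumption; it only uses cmdlets present in PowerShell 2.0, so it works on Windows 7. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: snapshot UAC settings, local accounts and
# Administrators group membership, then diff later runs against the first one.
# Run from an elevated PowerShell prompt.
$Baseline = Join-Path $env:USERPROFILE 'security-baseline.txt'   # assumed location

function Get-SecurityBaseline {
    $lines = @()

    # "Always notify" on the Control Panel slider corresponds to
    # EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'PromptOnSecureDesktop') {
        $lines += "UAC $name=$($pol.$name)"
    }

    # Every local account, including the built-in Administrator that
    # "net user administrator /active:yes" enables (Disabled flips to False).
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
        $lines += "ACCOUNT $($_.Name) disabled=$($_.Disabled)"
    }

    # Who actually holds administrative rights: members of the local
    # Administrators group (the group itself always exists on Windows).
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name  = $m.GetType().InvokeMember('Name',  'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class', 'GetProperty', $null, $m, $null)
        $lines += "ADMIN-MEMBER $name ($class)"
    }

    $lines | Sort-Object
}

$current = Get-SecurityBaseline

if (-not (Test-Path $Baseline)) {
    # First run: store the known-good state and show it.
    $current | Set-Content -Path $Baseline
    Write-Output "Baseline written to $Baseline"
    $current
} else {
    # Later runs: "=>" marks lines present now but not in the baseline,
    # "<=" marks lines that were in the baseline and are gone now.
    $diff = Compare-Object -ReferenceObject (Get-Content $Baseline) -DifferenceObject $current
    if ($diff) {
        Write-Output "CHANGED since baseline:"
        $diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }
    } else {
        Write-Output "No change since baseline."
    }
}
```

Take the first snapshot right after setting UAC back to Always Notify, so that the baseline reflects the state you want. A later run that prints `=> UAC EnableLUA=0`, a new `ADMIN-MEMBER` line, or an `ACCOUNT` line whose `disabled` flag flipped is exactly the kind of silent change worth bringing back to the thread. Note that built-in groups such as Administrators, Users and Guests exist on every Windows installation regardless of how many people use the machine; what matters is which accounts are members of the Administrators group, which is what the `ADMIN-MEMBER` lines show.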