Topic: chromium showed up on computer...malwarebytes showed infection

mommyto3furballs
Hello again. I wish I didn't have to come back, but I do :( I downloaded a program on this computer which didn't work out for me, so I uninstalled it. Then I had a shortcut for Chromium on my computer which I never had before and never installed. I uninstalled it, but it kept opening up despite being uninstalled. I did a malware scan on 6/10 which had evidence of a bunch of junk on here (I keep my computer clean), which I allowed Malwarebytes to clean up. I just finished a malware scan on 6/12 which shows nothing. I have all the scans, which I will copy and paste here, and I will attach a screenshot of the Chromium page I was seeing. All other needed logs are here too. Thanks, K

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:12-06-2016 01
Ran by ghy (administrator) on DESKTOP-4GKB2LG (12-06-2016 19:45:48)
Running from C:\Users\ghy\Desktop
Loaded Profiles: ghy (Available Profiles: ghy)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Intel Corporation) C:\Windows\SysWOW64\IntelCpHeciSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\NetworkUXBroker.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneMusic_3.6.20961.0_x64__8wekyb3d8bbwe\Music.UI.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2890056 2013-09-06] (ELAN Microelectronics Corp.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-06-01] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7405752 2016-06-10] (AVAST Software)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1284680 2014-01-17] (CANON INC.)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] => C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [132736 2013-09-07] (Qualcomm®Atheros®)
HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-06-02] (SUPERAntiSpyware)
HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\Run: [Chromium] => c:\users\ghy\appdata\local\chromium\application\chrome.exe [1068544 2016-03-18] (The Chromium Authors)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-05-04] (AVAST Software)
Startup: C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacebookGamesNotifier.exe.lnk [2016-06-01]
ShortcutTarget: FacebookGamesNotifier.exe.lnk -> C:\Users\ghy\AppData\Local\Facebook\Games\FacebookGamesNotifier.exe (No File)
GroupPolicy: Restriction - Chrome <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{27c3b822-5058-4999-ae2f-3aa01a887b39}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-05-04]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-05-04]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxps://abs.twimg.com/favicons/favicon.ico
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-02-24]
CHR Extension: (Google Docs) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-02-24]
CHR Extension: (Google Drive) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-24]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2016-06-01]
CHR Extension: (YouTube) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-02-24]
CHR Extension: (Twitter) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmbniebmoflhomonmkjbhjdafagjnlpl [2016-05-18]
CHR Extension: (Google Search) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-24]
CHR Extension: (Google Sheets) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-02-24]
CHR Extension: (Google Docs Offline) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (AdBlock) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-03]
CHR Extension: (Avast Online Security) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-05-04]
CHR Extension: (Yahoo Partner) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\iofjfanlcnefinbcgjlbfajkafgaaole [2016-05-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Gmail) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-02-24]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-04-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [312448 2013-09-07] (Windows (R) Win 7 DDK provider) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-05-04] (AVAST Software)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [101192 2013-09-06] (ELAN Microelectronics Corp.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [330136 2015-08-27] (Intel Corporation)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [84616 2013-06-28] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-05-04] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-05-04] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-05-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-05-04] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-05-04] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-05-04] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-05-04] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-05-04] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-05-04] (AVAST Software)
R3 athr; C:\Windows\System32\drivers\athwbx.sys [3859968 2013-08-16] (Qualcomm Atheros Communications, Inc.)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [129152 2016-04-25] (Samsung Electronics Co., Ltd.)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverW8x64.sys [202032 2016-01-19] (Intel Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 WsAudio_Device(1); C:\Windows\system32\drivers\VirtualAudio1.sys [31080 2015-08-03] (Wondershare)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-12 19:45 - 2016-06-12 19:46 - 00012450 _____ C:\Users\ghy\Desktop\FRST.txt
2016-06-12 19:45 - 2016-06-12 19:45 - 00000000 ____D C:\FRST
2016-06-12 19:43 - 2016-06-12 19:43 - 00001050 _____ C:\Users\ghy\Desktop\june 12 malwarescan.txt
2016-06-12 18:55 - 2016-06-12 19:44 - 02385408 _____ (Farbar) C:\Users\ghy\Desktop\FRST64.exe
2016-06-12 18:15 - 2016-06-12 18:15 - 00028361 _____ C:\Users\ghy\Desktop\malware scan june 2016.txt
2016-06-12 18:12 - 2016-06-12 18:12 - 00000000 ____D C:\Users\ghy\AppData\Local\ActiveSync
2016-06-11 15:53 - 2016-06-11 16:01 - 00000000 ____D C:\Users\ghy\Desktop\mp3 songs
2016-06-11 14:02 - 2016-06-11 15:28 - 00000000 ____D C:\Users\ghy\Desktop\Possible Wrecked CDs
2016-06-10 12:23 - 2016-06-10 12:30 - 00000000 ____D C:\Users\ghy\Desktop\Charlie Pride
2016-06-10 11:39 - 2016-06-10 12:12 - 00000000 ____D C:\Users\ghy\Desktop\Clay Walker
2016-06-10 11:24 - 2016-06-10 11:47 - 00000000 ____D C:\SUPERDelete
2016-06-10 11:19 - 2016-06-10 11:20 - 00000000 ____D C:\Users\ghy\AppData\Local\Chromium
2016-06-10 11:18 - 2016-06-10 11:18 - 00003550 _____ C:\Windows\System32\Tasks\ByteFence Scan
2016-06-10 11:18 - 2016-06-10 11:18 - 00003446 _____ C:\Windows\System32\Tasks\ByteFence
2016-06-10 11:18 - 2016-06-10 11:18 - 00000000 ____D C:\Users\ghy\Documents\Any Audio Converter
2016-06-10 11:03 - 2016-06-10 14:31 - 00000000 ____D C:\Users\ghy\Desktop\Songs That Won't Play On Computer
2016-06-10 11:01 - 2016-06-10 11:02 - 00000000 ____D C:\Users\ghy\Documents\Aimersoft DRM Media Converter
2016-06-10 11:00 - 2015-08-03 10:55 - 00675840 _____ () C:\Windows\SysWOW64\ac3filter.ax
2016-06-10 11:00 - 2015-08-03 10:54 - 00892928 _____ (Free Software Foundation) C:\Windows\SysWOW64\iconv.dll
2016-06-10 11:00 - 2015-08-03 10:54 - 00496640 _____ C:\Windows\SysWOW64\xvid.ax
2016-06-10 11:00 - 2015-08-03 10:51 - 00031080 _____ (Wondershare) C:\Windows\system32\Drivers\VirtualAudio1.sys
2016-06-10 09:53 - 2016-06-10 09:53 - 00000000 ____D C:\Users\ghy\Desktop\Keith Urban
2016-06-10 08:05 - 2016-06-10 08:45 - 00000000 ____D C:\Users\ghy\Desktop\Chris Cagle
2016-06-08 19:37 - 2016-06-08 19:45 - 00000000 ____D C:\Users\ghy\Desktop\Debbie Gibson
2016-06-08 19:35 - 2016-06-11 19:33 - 00000000 ____D C:\Users\ghy\Desktop\Kathy Mattea
2016-06-08 19:11 - 2016-06-10 09:02 - 00000000 ____D C:\Users\ghy\Desktop\Jessica Andrews
2016-06-08 16:56 - 2016-06-08 18:55 - 00000000 ____D C:\Users\ghy\Desktop\Spice Girls
2016-06-08 16:18 - 2016-06-08 16:19 - 00000000 ____D C:\Users\ghy\Desktop\Taylor Swift
2016-06-08 16:18 - 2016-06-08 16:19 - 00000000 ____D C:\Users\ghy\Desktop\Kellie Pickler
2016-06-08 12:34 - 2016-06-08 16:20 - 00000000 ____D C:\Users\ghy\Desktop\Unknown Artist
2016-06-08 11:54 - 2016-06-08 17:05 - 00000000 ____D C:\Users\ghy\Desktop\Tiffany
2016-06-08 11:53 - 2016-06-08 11:53 - 00000000 ____D C:\Users\ghy\Desktop\The Box
2016-06-08 11:18 - 2016-06-11 19:30 - 00000000 ____D C:\Users\ghy\Desktop\New folder (2)
2016-06-07 14:24 - 2016-06-07 14:24 - 00031188 _____ C:\Users\ghy\Desktop\june hydro bill 2016.pdf
2016-06-07 14:15 - 2016-06-07 14:15 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\Program Files\iTunes
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\Program Files\iPod
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-06-02 11:50 - 2016-06-02 11:50 - 04291320 _____ (BrightFort LLC ) C:\Users\ghy\Downloads\spywareblastersetup55.exe
2016-05-31 14:29 - 2016-05-31 14:29 - 00010554 _____ C:\Users\ghy\Desktop\june 2016 budget paid.ods
2016-05-30 17:54 - 2016-05-30 17:54 - 00000279 _____ C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Recycle Bin.lnk
2016-05-30 15:50 - 2016-05-30 19:06 - 00000000 ____D C:\Users\ghy\Desktop\Little Shop Of Horrors
2016-05-30 15:22 - 2016-05-30 18:50 - 00000000 ____D C:\Users\ghy\Desktop\Adam's Lawn Mower Diagrams
2016-05-30 12:43 - 2016-06-07 15:18 - 00000000 ____D C:\Users\ghy\Desktop\New folder (4)
2016-05-30 12:38 - 2016-05-30 12:51 - 00000000 ____D C:\Users\ghy\Desktop\New folder (3)
2016-05-28 18:52 - 2016-05-28 18:52 - 00149733 _____ C:\Users\ghy\Downloads\GC_056962.pdf
2016-05-28 18:00 - 2016-06-08 15:20 - 00000000 ____D C:\Users\ghy\Desktop\Unknown Album
2016-05-28 16:21 - 2016-05-28 16:22 - 00000000 ____D C:\Users\ghy\Desktop\Unblock Us Cancellation Stuff
2016-05-26 10:56 - 2016-05-26 10:56 - 00000000 ____D C:\Users\ghy\AppData\Local\Apps\2.0
2016-05-26 10:47 - 2016-06-11 19:36 - 00000000 ____D C:\Users\ghy\AppData\Roaming\MusicBee
2016-05-26 10:38 - 2016-05-26 10:38 - 00001080 _____ C:\Users\ghy\Desktop\MusicBee.lnk
2016-05-26 10:38 - 2016-05-26 10:38 - 00000000 ____D C:\Users\ghy\Downloads\MusicBeeSetup_3_0a
2016-05-26 10:38 - 2016-05-26 10:38 - 00000000 ____D C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MusicBee
2016-05-26 10:38 - 2016-05-26 10:38 - 00000000 ____D C:\Program Files (x86)\MusicBee
2016-05-26 10:34 - 2016-05-26 10:35 - 11777915 _____ C:\Users\ghy\Downloads\MusicBeeSetup_3_0a.zip
2016-05-26 10:07 - 2016-05-26 10:07 - 00000000 ____D C:\Users\ghy\AppData\Local\MediaMonkey
2016-05-25 15:40 - 2016-05-25 15:40 - 00000000 ____D C:\Users\ghy\AppData\Local\FacebookGames
2016-05-25 15:40 - 2016-05-25 15:40 - 00000000 ____D C:\Users\ghy\AppData\Local\Facebook
2016-05-25 15:40 - 2016-05-25 15:40 - 00000000 ____D C:\Users\ghy\AppData\Local\CEF
2016-05-25 15:20 - 2016-05-25 15:20 - 00000043 _____ C:\Users\ghy\Desktop\email address to pay westario credit vampires in owen sound.txt
2016-05-25 13:20 - 2016-05-25 13:20 - 00000000 ____D C:\Users\ghy\Downloads\Unblock Us Invoices
2016-05-24 17:26 - 2016-05-24 17:28 - 00173116 _____ C:\Windows\Minidump\052416-62875-01.dmp
2016-05-24 17:26 - 2016-05-24 17:26 - 427209106 _____ C:\Windows\MEMORY.DMP
2016-05-20 19:54 - 2016-05-20 19:57 - 21583056 _____ C:\Users\ghy\Downloads\Carolyn Dawn Johnson - Dress Rehearsal.mp4
2016-05-18 20:50 - 2016-05-18 20:50 - 26016641 _____ C:\Users\ghy\Downloads\Nelson - After the Rain.mp4
2016-05-18 15:00 - 2016-06-11 14:01 - 00000000 ____D C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2016-05-16 20:59 - 2016-06-03 16:29 - 00000000 ____D C:\Users\ghy\Desktop\May 2016 Hydro Usage
2016-05-15 14:37 - 2016-05-15 14:37 - 00000046 _____ C:\Users\ghy\Desktop\microsoft live email addy.txt
2016-05-14 20:02 - 2016-05-14 20:02 - 00000000 ____D C:\Users\ghy\Desktop\Favourite Mistake
2016-05-14 12:44 - 2016-05-14 12:46 - 00000000 ____D C:\Users\ghy\Desktop\Shows For 1Channel on Kodi
2016-05-14 09:03 - 2016-05-14 09:03 - 00000000 ____D C:\ProgramData\Package Cache

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-12 19:32 - 2016-03-26 10:38 - 00000000 ____D C:\Users\ghy\AppData\Local\CrashDumps
2016-06-12 18:54 - 2016-02-24 16:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-12 18:22 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\AppReadiness
2016-06-12 18:16 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-12 18:14 - 2016-02-25 18:12 - 00004164 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{A4D67DFC-4CDE-45A7-8BF3-A9B059A161BA}
2016-06-12 18:13 - 2016-03-10 15:03 - 01872896 ___SH C:\Users\ghy\Desktop\Thumbs.db
2016-06-12 18:11 - 2016-02-24 16:24 - 00000000 __SHD C:\Users\ghy\IntelGraphicsProfiles
2016-06-11 19:34 - 2016-04-24 12:38 - 00000000 ____D C:\Users\ghy\AppData\Roaming\Mp3tag
2016-06-11 10:30 - 2016-02-24 16:30 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-06-11 10:30 - 2016-02-24 16:29 - 00000000 ____D C:\ProgramData\TEMP
2016-06-11 10:30 - 2016-02-24 16:29 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2016-06-11 07:41 - 2016-02-24 18:48 - 00004280 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-06-10 11:47 - 2016-02-24 17:59 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-10 11:46 - 2015-10-30 02:28 - 00524288 ___SH C:\Windows\system32\config\BBI
2016-06-10 11:00 - 2015-10-30 03:21 - 00000000 ____D C:\Windows\INF
2016-06-10 09:17 - 2016-02-24 16:29 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-06-08 19:26 - 2016-02-24 18:54 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-08 19:26 - 2016-02-24 18:54 - 00002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-07 15:20 - 2016-04-24 19:09 - 00000000 ____D C:\Users\ghy\Desktop\Music Completed
2016-06-07 14:15 - 2016-02-24 18:24 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-06-06 15:07 - 2016-04-15 15:49 - 00753152 ___SH C:\Users\ghy\Downloads\Thumbs.db
2016-06-03 13:01 - 2016-02-24 18:09 - 00000000 ____D C:\Users\ghy\Desktop\Maintenance
2016-06-02 11:50 - 2016-02-24 16:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
2016-06-01 19:23 - 2016-03-22 18:36 - 00000000 ____D C:\Users\ghy\AppData\Local\ElevatedDiagnostics
2016-06-01 18:20 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\NDF
2016-05-31 15:19 - 2016-04-29 14:12 - 00000000 ____D C:\Users\ghy\AppData\Roaming\WinFF
2016-05-30 20:46 - 2016-05-09 20:11 - 00011707 _____ C:\Users\ghy\Desktop\june 2016 budget.ods
2016-05-30 18:48 - 2016-02-25 09:22 - 00000000 ____D C:\Users\ghy\Desktop\Banking
2016-05-29 19:26 - 2016-04-22 12:19 - 00000000 ____D C:\Users\ghy\Desktop\New folder
2016-05-28 16:23 - 2016-02-24 18:07 - 00879220 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-24 20:35 - 2016-02-24 18:03 - 00000000 ____D C:\Users\ghy
2016-05-24 17:26 - 2016-03-07 19:48 - 00000000 ____D C:\Windows\Minidump
2016-05-23 19:31 - 2016-02-24 18:07 - 00002406 _____ C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-05-23 19:31 - 2016-02-24 18:07 - 00000000 ___RD C:\Users\ghy\OneDrive
2016-05-15 19:06 - 2016-02-24 18:04 - 00000000 ____D C:\Users\ghy\AppData\Local\Packages
2016-05-14 16:26 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\rescache
2016-05-14 12:14 - 2015-10-30 03:11 - 00000000 ____D C:\Windows\CbsTemp
2016-05-14 09:24 - 2016-03-30 18:42 - 00034304 ___SH C:\Users\ghy\Documents\Thumbs.db

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-06 11:36

==================== End of FRST.txt ============================



mommyto3furballs
Re: chromium showed up on computer...malwarebytes showed infection
« Reply #1 on: June 12, 2016, 06:00:48 PM »
Additional scan result of Farbar Recovery Scan Tool (x64) Version:12-06-2016 01
Ran by ghy (2016-06-12 19:46:52)
Running from C:\Users\ghy\Desktop
Windows 10 Home Version 1511 (X64) (2016-02-24 22:02:09)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2176856750-3379297402-3027562793-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2176856750-3379297402-3027562793-503 - Limited - Disabled)
ghy (S-1-5-21-2176856750-3379297402-3027562793-1001 - Administrator - Enabled) => C:\Users\ghy
Guest (S-1-5-21-2176856750-3379297402-3027562793-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2176856750-3379297402-3027562793-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Apple Application Support (32-bit) (HKLM-x32\...\{26356515-5821-40FA-9C3D-9785052A1062}) (Version: 4.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{C2651553-6CA3-4822-B2E6-BC4ACA6E0EA2}) (Version: 4.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}) (Version: 9.3.0.15 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.2.2262 - AVAST Software)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.10.15 - Canon Inc.)
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: 4.2.0 - Canon Inc.)
Canon MG2900 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2900_series) (Version: 1.00 - Canon Inc.)
Canon MG2900 series On-screen Manual (HKLM-x32\...\Canon MG2900 series On-screen Manual) (Version: 7.7.1 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.2.1 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.4.0 - Canon Inc.)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ETDWare PS/2-X64 11.6.27.201_WHQL (HKLM\...\Elantech) (Version: 11.6.27.201 - ELAN Microelectronic Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.84 - Google Inc.)
Google Update Helper (x32 Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
iTunes (HKLM\...\{9F4BF859-C3A4-4AB6-BDD1-9C5D58188598}) (Version: 12.4.1.6 - Apple Inc.)
LibreOffice 5.1.2.2 (HKLM-x32\...\{09AD7191-4F96-442C-B2F4-1491B144DBEB}) (Version: 5.1.2.2 - The Document Foundation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mp3tag v2.77 (HKLM-x32\...\Mp3tag) (Version: v2.77 - Florian Heidenreich)
MusicBee 3.0 (HKLM-x32\...\MusicBee) (Version: 3.0 - Steven Mayall)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.305 - Qualcomm Atheros Communications)
Qualcomm Atheros WiFi Driver Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.05 - Qualcomm Atheros)
SafeZone Stable 1.48.2066.101 (x32 Version: 1.48.2066.101 - Avast Software) Hidden
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 3.1.1 - Krzysztof Kowalczyk)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1212 - SUPERAntiSpyware.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\ghy\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1720E5D8-0E22-4305-9A94-700F6FA029AA} - System32\Tasks\SafeZone scheduled Autoupdate 1458656602 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-04-15] (Avast Software)
Task: {5D567699-2A24-4A00-8D84-D4B9C24BF89F} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2016-05-11] (Microsoft Corporation)
Task: {7007A817-D767-47B8-9C0B-F2E5B942F696} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-24] (Google Inc.)
Task: {85D9A422-B70F-4343-ABC8-2F107980D850} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-05-04] (AVAST Software)
Task: {945F854A-156F-485E-B780-BD6512D41187} - System32\Tasks\ByteFence => C:\Program Files\ByteFence\ByteFence.exe <==== ATTENTION
Task: {C5D276B6-EBA7-46C1-9148-2D6F7C39A931} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe <==== ATTENTION
Task: {D5BA1EEF-453E-4AEA-85E8-D6029358E2F5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {E2F8DC34-0075-4BA5-8618-722FF8006087} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-24] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-04-20 12:08 - 2013-06-28 11:28 - 00084616 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2016-03-18 22:56 - 2016-03-18 22:56 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-04-22 01:07 - 2016-04-22 01:07 - 01337144 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-10-30 03:18 - 2015-10-30 03:18 - 00185856 _____ () C:\Windows\SYSTEM32\ism32k.dll
2016-04-12 18:13 - 2016-03-29 06:20 - 02656952 _____ () C:\Windows\system32\CoreUIComponents.dll
2016-04-12 18:13 - 2016-03-29 06:20 - 02656952 _____ () C:\Windows\System32\CoreUIComponents.dll
2016-05-23 19:31 - 2016-05-23 19:31 - 00959168 _____ () C:\Users\ghy\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\ClientTelemetry.dll
2016-02-24 16:08 - 2015-12-07 00:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-05-11 08:35 - 2016-04-23 00:25 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-05-11 08:37 - 2016-04-23 00:02 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-05-11 08:36 - 2016-04-22 23:58 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-05-11 08:37 - 2016-04-22 23:58 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-05-11 08:37 - 2016-04-23 00:01 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2013-09-07 02:48 - 2013-09-07 02:48 - 00011264 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-09-07 02:45 - 2013-09-07 02:45 - 00086016 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\Map\MAP.dll
2013-09-07 02:52 - 2013-09-07 02:52 - 00012928 _____ () C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
2016-04-18 16:41 - 2016-04-18 16:42 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
2016-04-30 12:18 - 2016-04-30 12:19 - 10256384 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_11602.1.26.0_x64__8wekyb3d8bbwe\WinStore.Entertainment.Mobile.dll
2016-05-04 15:12 - 2016-05-04 15:12 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-05-04 15:12 - 2016-05-04 15:12 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-05-04 15:12 - 2016-05-04 15:12 - 00309912 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll
2016-05-04 15:12 - 2016-05-04 15:12 - 00479680 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-06-11 07:40 - 2016-06-11 07:40 - 02932736 _____ () C:\Program Files\AVAST Software\Avast\defs\16061100\algo.dll
2016-06-12 18:11 - 2016-06-12 18:11 - 02932736 _____ () C:\Program Files\AVAST Software\Avast\defs\16061201\algo.dll
2016-05-23 19:31 - 2016-05-23 19:31 - 00679624 _____ () C:\Users\ghy\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\ClientTelemetry.dll
2016-02-24 18:47 - 2016-02-24 18:47 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2016-04-18 16:41 - 2016-04-18 16:42 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
2016-04-18 16:41 - 2016-04-18 16:42 - 22284800 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkyWrap.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1001movie.com -> 1001movie.com

There are 6091 more sites.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-10-30 03:24 - 2015-10-30 03:21 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\ghy\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppBackground\{ba2ca346-b9b6-4e44-b85c-c0a7ffcc09e7}.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{4E2190CD-0579-4985-8C13-4EF03DC5A74D}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{9BF67C33-E3F8-48F6-9262-0A958700627E}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{50009B7F-1F82-471E-9272-EA869C891427}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{31BDFD1E-29C6-408D-A191-522CFB577B5D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{E6B15A9E-81A1-44C4-8BE1-2588B971A411}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{E8B9D116-AFBD-4667-8A14-DE491B55A6F3}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [TCP Query User{94A3AAF4-97E3-4281-B1CA-D7A08930D66F}C:\program files (x86)\mediamonkey\mediamonkey.exe] => (Allow) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [UDP Query User{F55B3252-8310-49CE-A424-32D353A30141}C:\program files (x86)\mediamonkey\mediamonkey.exe] => (Allow) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [{CF70D792-F84B-4812-B8A6-EF8029AF2E0E}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{5870FA69-5623-4AEE-A458-55B2EC5A17E0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{04FBAA3F-67D2-491D-8D75-FF3E9584C548}] => (Allow) C:\Users\ghy\AppData\Local\Chromium\Application\chrome.exe

==================== Restore Points =========================

21-05-2016 17:38:02 Scheduled Checkpoint
30-05-2016 13:02:27 Scheduled Checkpoint
01-06-2016 08:08:03 Removed Facebook Games Arcade 0.5.0.0
11-06-2016 16:18:44 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/12/2016 07:32:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.10586.0, time stamp: 0x5632d8f0
Faulting module name: ntdll.dll, version: 10.0.10586.306, time stamp: 0x571af2eb
Exception code: 0xc0000409
Fault offset: 0x00000000000a9ba0
Faulting process id: 0x1c88
Faulting application start time: 0xbackgroundTaskHost.exe0
Faulting application path: backgroundTaskHost.exe1
Faulting module path: backgroundTaskHost.exe2
Report Id: backgroundTaskHost.exe3
Faulting package full name: backgroundTaskHost.exe4
Faulting package-relative application ID: backgroundTaskHost.exe5

Error: (06/12/2016 07:32:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8

Error: (06/11/2016 09:05:26 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-4GKB2LG)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (06/11/2016 07:03:21 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-4GKB2LG)
Description: Activation of app Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic failed with error: -2147417836 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (06/11/2016 04:18:52 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (06/11/2016 11:11:40 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-4GKB2LG)
Description: Activation of app Microsoft.WindowsStore_8wekyb3d8bbwe!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (06/11/2016 10:55:22 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-4GKB2LG)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (06/11/2016 08:49:36 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528.manifest.

Error: (06/10/2016 11:46:35 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 10.0.10586.0, time stamp: 0x5632d7ba
Faulting module name: ESENT.dll, version: 10.0.10586.212, time stamp: 0x56fa1686
Exception code: 0xc0000602
Fault offset: 0x000000000022885f
Faulting process id: 0x4f8
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
Faulting package full name: svchost.exe4
Faulting package-relative application ID: svchost.exe5

Error: (06/10/2016 11:46:35 AM) (Source: ESENT) (EventID: 908) (User: )
Description: svchost (1272) Terminating process due to non-recoverable failure: PV: 10.0.10586.0 SV: 10.0.10586.0 GLE: 0 ERR: -1603(fucb.cxx:359): dllentry.cxx(103) (ESENT[10.0.10586.0] RETAIL RTM MBCS)


System errors:
=============
Error: (06/12/2016 06:14:08 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-4GKB2LG)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-4GKB2LGghyS-1-5-21-2176856750-3379297402-3027562793-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742

Error: (06/12/2016 06:14:08 PM) (Source: DCOM) (EventID: 10016) (User: DESKTOP-4GKB2LG)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DESKTOP-4GKB2LGghyS-1-5-21-2176856750-3379297402-3027562793-1001LocalHost (Using LRPC)Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewyS-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742

Error: (06/12/2016 08:18:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Access_41b4ae7 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/12/2016 08:18:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Storage_41b4ae7 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/12/2016 08:18:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Contact Data_41b4ae7 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/12/2016 08:18:17 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_41b4ae7 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/12/2016 08:18:16 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/11/2016 09:05:35 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Sync Host_216b37b service to connect.

Error: (06/11/2016 09:05:35 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the User Data Storage_216b37b service to connect.

Error: (06/11/2016 09:05:35 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Data Storage_216b37b service, but this action failed with the following error:
%%1056


CodeIntegrity:
===================================
  Date: 2016-06-10 10:06:59.274
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-31 15:12:26.147
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-31 15:11:10.609
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-31 15:10:34.394
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-30 15:32:00.316
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-14 16:54:34.684
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-14 09:12:58.436
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-11 17:25:30.164
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-14 13:56:22.425
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-04-13 12:55:09.134
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Celeron(R) CPU 1000M @ 1.80GHz
Percentage of memory in use: 36%
Total physical RAM: 3911.27 MB
Available physical RAM: 2502.13 MB
Total Virtual: 4615.27 MB
Available Virtual: 2954.99 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:281.36 GB) (Free:226.35 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 1AF85E84)

Partition: GPT.

==================== End of Addition.txt ============================

6/10/16 scan which showed malware

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/10/2016
Scan Time: 11:25 AM
Logfile: malware scan june 2016.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.10.03
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: ghy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 285584
Time Elapsed: 18 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 9
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [5bf05f9c30693204518e965524dfcb35],
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [73d8d625edac88aedd539e35c241c23e],
PUP.Optional.SearchManager, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [58f339c237624beb2db246a5ac573fc1],
PUP.Optional.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [fb504fac35640333c16fba19c241c937],
PUP.Optional.InstallCore, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\csastats, Quarantined, [ee5da7549dfc2d09538734b74ab96f91],
PUP.Optional.SearchManager, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [1932738815841d19e887823ae51d21df],
PUP.Optional.WinYahoo, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [94b7798237629c9a85aa7063857efb05],
PUP.Optional.WinYahoo, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BFREPORT, Quarantined, [480397643861191dfa9c1ad37c87c63a],
PUP.Optional.ProductSetup, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\PRODUCTSETUP, Quarantined, [04475aa1efaad4627856fda421e222de],

Registry Values: 5
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f[73d8d625edac88aedd539e35c241c23e]D4%26b[73d8d625edac88aedd539e35c241c23e]DIE%26cc[73d8d625edac88aedd539e35c241c23e]Dca%26pa[73d8d625edac88aedd539e35c241c23e]DWincy%26cd[73d8d625edac88aedd539e35c241c23e]D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr[73d8d625edac88aedd539e35c241c23e]D202028605%26a[73d8d625edac88aedd539e35c241c23e]Dwbf_anvsft_16_23%26os_ver[73d8d625edac88aedd539e35c241c23e]D10.0%26os[73d8d625edac88aedd539e35c241c23e]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f[fb504fac35640333c16fba19c241c937]D4%26b[fb504fac35640333c16fba19c241c937]DIE%26cc[fb504fac35640333c16fba19c241c937]Dca%26pa[fb504fac35640333c16fba19c241c937]DWincy%26cd[fb504fac35640333c16fba19c241c937]D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr[fb504fac35640333c16fba19c241c937]D202028605%26a[fb504fac35640333c16fba19c241c937]Dwbf_anvsft_16_23%26os_ver[fb504fac35640333c16fba19c241c937]D10.0%26os[fb504fac35640333c16fba19c241c937]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.WinYahoo, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f[94b7798237629c9a85aa7063857efb05]D4%26b[94b7798237629c9a85aa7063857efb05]DIE%26cc[94b7798237629c9a85aa7063857efb05]Dca%26pa[94b7798237629c9a85aa7063857efb05]DWincy%26cd[94b7798237629c9a85aa7063857efb05]D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr[94b7798237629c9a85aa7063857efb05]D202028605%26a[94b7798237629c9a85aa7063857efb05]Dwbf_anvsft_16_23%26os_ver[94b7798237629c9a85aa7063857efb05]D10.0%26os[94b7798237629c9a85aa7063857efb05]DWindowsQuarantinedB10QuarantinedBHome&p={searchTerms}, %4, %5
PUP.Optional.WinYahoo, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BFREPORT|filename, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\uninstall.exe, Quarantined, [480397643861191dfa9c1ad37c87c63a]
PUP.Optional.ProductSetup, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\PRODUCTSETUP|tb, 0G2O2W1R0C1R1H, Quarantined, [04475aa1efaad4627856fda421e222de]

Registry Data: 3
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=fBad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]D1%26bBad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]DIE%26ccBad: 
(hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]Dca%26paBad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]DWincy%26cdBad: 
(hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26crBad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]D202028605%26aBad: 
(hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]Dwbf_anvsft_16_23%26os_verBad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]D10.0%26osBad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4407be3d5a3fa6903f341b4b976d3ec2]DWindowsGood: (www.google.com)B10Good: (www.google.com)BHome, %4, %5
PUP.Optional.WinYahoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome, Good: (www.google.com), Bad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[4209d12a0990b383bfb4412507fdbf41]
PUP.Optional.WinYahoo, HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome, Good: (www.google.com), Bad: (hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_anvsft_16_23&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0Bzzzzzz0EtA0ByB0D0A0DyD0AtCtCyCtN0D0Tzu0StCyCtBtBtN1L2XzutAtFtBtBtFtAtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyDyCtC0EtByCyC0EtGtDtC0CtDtG0D0FtC0FtGtAzy0DzztGtByE0DyDyC0A0EyBtCtDtB0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2StD0ByEtDyCtD0B0FtGtAzzyE0CtGyEzy0CzztG0ByByB0CtG0Czy0A0CyByE0F0D0DyDzz0E2QtN0A0LzuyE%26cr%3D202028605%26a%3Dwbf_anvsft_16_23%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome),Replaced,[15361ae1dabf9c9aa4cdd78fe420936d]

Folders: 2
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}, Quarantined, [9ead6497455487afb29515730ef6b64a],

Files: 24
PUP.Optional.WinYahoo, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk, Quarantined, [f2592dce0b8e81b5def3b21fef14c838],
PUP.Optional.SearchManager, C:\Users\ghy\AppData\Local\Chromium\User Data\Default\Local Storage\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage, Quarantined, [c48724d77e1ba0968f4e35b645bef808],
PUP.Optional.SearchManager, C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage, Quarantined, [e06bad4ed5c43ef85a84a74418ebe917],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\HowToRemove.html, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\chromium-min.jpg, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\control panel-min-min.JPG, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\down.png, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\ff menu.JPG, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\ff search engine-min.png, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\hp-min ff.png, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\hp-min ie.png, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\search engine.gif, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\setup pages.gif, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\sp-min.png, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\start-min.jpg, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\HowToRemove\up.png, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\bapi.dat, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\deda, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\info.dat, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\install.log, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\rire, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\Sqlite3.dll, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\tasa, Quarantined, [9ead6497455487afb29515730ef6b64a],
PUP.Optional.WinYahoo, C:\Users\ghy\AppData\Local\{FFBCC9E0-DB14-A558-B68C-80B092E47C28}\uninst.dat, Quarantined, [9ead6497455487afb29515730ef6b64a],

Physical Sectors: 0
(No malicious items detected)


(end)

6/12/2016 clean scan

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/12/2016
Scan Time: 6:54 PM
Logfile: june 12 malwarescan.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.12.04
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: ghy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 290136
Time Elapsed: 29 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
« Last Edit: June 12, 2016, 09:30:31 PM by Hoov »

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27056
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: chromium showed up on computer...malwarebytes showed infection
« Reply #2 on: June 12, 2016, 09:45:48 PM »
Howdy again. It's Hoov. I have a few questions and a statement. First, Chromium in and of itself is not a bad thing. It is actually the engine behind Google's Chrome.

Now to the questions: did the program that you downloaded have anything to do with Yahoo or something called "How to remove"? The reason I ask is that everything that was removed seems to be tied together and have something to do with both Yahoo and "How to Remove". The good thing is, at a quick glance, it looks like you drove a stake through its heart and it is either totally dead or pretty much dead. I wanted to let you know that. I will go through the logs more thoroughly tomorrow in the late morning.

Forgot to mention: I edited out a bunch of HTTP in the log above and changed them to HXXP just so that the links are broken and no one inadvertently clicks into an infection.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline mommyto3furballs

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #3 on: June 13, 2016, 05:33:09 AM »
Hi Hoov. Can't remember if anything was Yahoo related or not. Could've been, not exactly positive. Yes, I became aware Chrome was based on Chromium (learned that when this issue showed up). I just turned on the laptop this morning and it automatically started (Chromium). I would keep it, but with it being added as part of an infection, I'd rather not. Anyway, I'll be back online early this afternoon.

P.S. Yes, thanks for editing the http logs for me. Don't want anyone else getting infected :)

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27056
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: chromium showed up on computer...malwarebytes showed infection
« Reply #4 on: June 14, 2016, 07:34:09 AM »
Please follow these steps (please read them; they do not automatically remove found items):

1.- Download AdwCleaner by Xplode onto your Desktop.
  •   Please close all open programs and internet browsers.
  •   Double click on Adwcleaner.exe to run the tool.
  •   Click on the Scan button.
  •   Please be patient as this can take a while to complete.
  •   You will get a prompt asking to close all programs. Click OK.
  •   Click OK again to reboot your computer. A text file will open after the restart.
  •   Please post the content of that logfile in your reply.
  •   You can find the logfile at C:\AdwCleaner[Sn].txt.
2.- Download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.
3.- Please download RogueKiller and Save to the desktop.
  • Close all windows and browsers
  • Double click on RogueKiller.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please post it in your next reply.


Offline mommyto3furballs

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #5 on: June 14, 2016, 10:14:40 AM »
# AdwCleaner v5.119 - Logfile created 14/06/2016 at 11:32:50
# Updated 30/05/2016 by Xplode
# Database : 2016-06-13.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : ghy - DESKTOP-4GKB2LG
# Running from : C:\Users\ghy\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : ByteFence
[-] Task Deleted : ByteFence Scan

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}

***** [ Web browsers ] *****

[-] [C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1082 bytes] - [14/06/2016 11:32:50]
C:\AdwCleaner\AdwCleaner[S1].txt - [1114 bytes] - [14/06/2016 11:29:35]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1228 bytes] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64
Ran by ghy (Administrator) on Tue 06/14/2016 at 11:38:22.00
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 06/14/2016 at 11:41:12.10
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RogueKiller V12.3.3.0 [Jun 13 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : ghy [Administrator]
Started from : C:\Users\ghy\Desktop\RogueKiller.exe
Mode : Delete -- Date : 06/14/2016 12:05:05

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2176856750-3379297402-3027562793-1001\Software\Microsoft\Windows\CurrentVersion\Run | Chromium : "c:\users\ghy\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
  • -> Deleted
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2176856750-3379297402-3027562793-1001\Software\Microsoft\Windows\CurrentVersion\Run | Chromium : "c:\users\ghy\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
  • -> ERROR [2]


¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Suspicious.Path][File] C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacebookGamesNotifier.exe.lnk [LNK@] C:\Users\ghy\AppData\Local\Facebook\Games\FacebookGamesNotifier.exe -> Deleted

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200BPVT-22JJ5T0 +++++
--- User ---
[MBR] 2b8c13c9fe7aa3fa87c1c94de6490a67
[BSP] f08be744cb9cd69f4160f0e70fe4ba66 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 300 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 288115 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 593496064 | Size: 15452 MB
User = LL1 ... OK
User = LL2 ... OK
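The RogueKiller log above shows where the self-starting Chromium lived: a per-user Run key whose command points into AppData\Local and carries --auto-launch-at-startup, plus a Startup-folder shortcut. The following read-only PowerShell audit is an added example for this thread, not part of RogueKiller, AdwCleaner or any other tool named here; it lists the same autostart locations (Run/RunOnce keys for the current user and the machine, the Startup folders) and flags entries that launch from a profile directory or use that switch. The list of "suspicious" patterns is an assumption chosen for this case; the script reports and deletes nothing, which is what the tools Hoov recommended are for.

```powershell
# Added example (not from the thread or any tool in it): read-only audit of
# common Windows autostart locations. It prints findings; it removes nothing.

# Registry autostart keys checked by most removal tools.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Assumed patterns worth a second look (regex, matched case-insensitively):
# binaries launched from a user profile (no admin rights needed to drop them
# there) and the auto-launch switch seen on the Chromium entry in the log.
$suspiciousPatterns = @(
    '\\AppData\\Local\\',
    '\\AppData\\Roaming\\',
    '\\Temp\\',
    '--auto-launch-at-startup'
)

function Test-SuspiciousCommand {
    param([string]$Command)
    foreach ($pattern in $suspiciousPatterns) {
        if ($Command -match $pattern) { return $true }
    }
    return $false
}

$findings = @()

# 1. Registry Run keys: every value name is an autostart entry.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $cmd = [string]$prop.Value
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $prop.Name
            Command    = $cmd
            Suspicious = Test-SuspiciousCommand $cmd
        }
    }
}

# 2. Startup folders: resolve .lnk targets, as RogueKiller did for the
#    FacebookGamesNotifier.exe.lnk entry, so the real executable is judged.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            $target = ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments).Trim()
        }
        $findings += [pscustomobject]@{
            Location   = $dir
            Name       = $file.Name
            Command    = $target
            Suspicious = Test-SuspiciousCommand $target
        }
    }
}

# Suspicious entries first; review them against the removal-tool logs before acting.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it from a normal PowerShell window; HKLM keys are readable without elevation. A flagged entry is a lead, not a verdict: legitimate software also installs from AppData (the SUPERAntiSpyware entry in the FRST log is under Program Files, but many updaters are not), so compare each hit with what the scan logs reported before removing anything.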



Offline Hoov

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #6 on: June 16, 2016, 06:10:48 AM »
Is Chromium still starting on its own? Can you uninstall Chromium?

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline mommyto3furballs

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #7 on: June 16, 2016, 07:19:15 AM »
Chromium hasn't shown up in a couple of days. Was reading online and found out that there was a hidden area where it could be, and it was there (Program Files (x86)). Since I deleted the file it's been gone. Computer running great except for last night when it was running sluggish. Found out why this morning: was downloading Windows updates. Figures! So everything gone then? I can uninstall all the programs? Will await your word.

K

Offline Hoov

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #8 on: June 16, 2016, 07:43:18 AM »
Did you delete Chromium or uninstall it?


Offline mommyto3furballs

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #9 on: June 16, 2016, 08:58:33 AM »
I had uninstalled it a few days ago before starting this thread. After I realized it was still popping up, I did a search on the computer to find it. Everything I found on the computer relating to it I deleted, but it still popped up. After I did the scans that you recommended, I found where it was hiding and it let me delete it. My apologies if I did something wrong.

Offline Hoov

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #10 on: June 16, 2016, 10:27:42 AM »
It will show up in the Programs and Features list, but no worries.

Go ahead and run FRST again and post the logs again. If it shows up, we will scrub it from the system.


Offline mommyto3furballs

Re: chromium showed up on computer...malwarebytes showed infection
« Reply #11 on: June 16, 2016, 02:03:32 PM »
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:16-06-2016 01
Ran by ghy (administrator) on DESKTOP-4GKB2LG (16-06-2016 15:57:13)
Running from C:\Users\ghy\Desktop
Loaded Profiles: ghy (Available Profiles: ghy)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Intel Corporation) C:\Windows\SysWOW64\IntelCpHeciSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDService.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2890056 2013-09-06] (ELAN Microelectronics Corp.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-06-01] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7405752 2016-06-10] (AVAST Software)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1284680 2014-01-17] (CANON INC.)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] => C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [132736 2013-09-07] (Qualcomm®Atheros®)
HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-06-02] (SUPERAntiSpyware)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-05-04] (AVAST Software)
GroupPolicy: Restriction - Chrome <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{27c3b822-5058-4999-ae2f-3aa01a887b39}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-05-04]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-05-04]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxps://abs.twimg.com/favicons/favicon.ico
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-02-24]
CHR Extension: (Google Docs) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-02-24]
CHR Extension: (Google Drive) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-24]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2016-06-01]
CHR Extension: (YouTube) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-02-24]
CHR Extension: (Twitter) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmbniebmoflhomonmkjbhjdafagjnlpl [2016-05-18]
CHR Extension: (Google Search) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-24]
CHR Extension: (Google Sheets) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-02-24]
CHR Extension: (Google Docs Offline) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (AdBlock) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-03]
CHR Extension: (Avast Online Security) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-05-04]
CHR Extension: (Yahoo Partner) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\iofjfanlcnefinbcgjlbfajkafgaaole [2016-05-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Gmail) - C:\Users\ghy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-02-24]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-04-19]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [312448 2013-09-07] (Windows (R) Win 7 DDK provider) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-05-04] (AVAST Software)
R2 ETDService; C:\Program Files\Elantech\ETDService.exe [101192 2013-09-06] (ELAN Microelectronics Corp.)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [330136 2015-08-27] (Intel Corporation)
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [84616 2013-06-28] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-05-04] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-05-04] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-05-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-05-04] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-05-04] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-05-04] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-05-04] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-05-04] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-05-04] (AVAST Software)
R3 athr; C:\Windows\System32\drivers\athwbx.sys [3859968 2013-08-16] (Qualcomm Atheros Communications, Inc.)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [129152 2016-04-25] (Samsung Electronics Co., Ltd.)
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverW8x64.sys [202032 2016-01-19] (Intel Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-06-14] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 WsAudio_Device(1); C:\Windows\system32\drivers\VirtualAudio1.sys [31080 2015-08-03] (Wondershare)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-16 15:57 - 2016-06-16 15:58 - 00011718 _____ C:\Users\ghy\Desktop\FRST.txt
2016-06-16 15:56 - 2016-06-16 15:56 - 00000000 ____D C:\Users\ghy\Desktop\FRST-OlderVersion
2016-06-16 10:52 - 2016-06-16 10:52 - 00000000 ____D C:\Users\ghy\AppData\Local\ActiveSync
2016-06-15 17:23 - 2016-05-28 02:13 - 01401024 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-06-15 17:23 - 2016-05-28 02:13 - 00046784 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-06-15 17:23 - 2016-05-28 00:29 - 22379008 _____ (Microsoft Corporation) C:\Windows\system32\edgehtml.dll
2016-06-15 17:23 - 2016-05-28 00:19 - 24605696 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-06-15 17:23 - 2016-05-28 00:18 - 11545088 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2016-06-15 17:23 - 2016-05-28 00:18 - 07977472 _____ (Microsoft Corporation) C:\Windows\system32\mos.dll
2016-06-15 17:23 - 2016-05-28 00:17 - 00630784 _____ (Microsoft Corporation) C:\Windows\system32\MessagingDataModel2.dll
2016-06-15 17:23 - 2016-05-28 00:08 - 13385728 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-06-15 17:23 - 2016-05-28 00:06 - 07200256 _____ (Microsoft Corporation) C:\Windows\system32\BingMaps.dll
2016-06-15 17:23 - 2016-05-28 00:04 - 06973952 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2016-06-15 17:23 - 2016-05-28 00:00 - 03585536 _____ (Microsoft Corporation) C:\Windows\system32\SystemSettingsThresholdAdminFlowUI.dll
2016-06-15 17:22 - 2016-05-28 02:13 - 00290496 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-06-15 17:22 - 2016-05-28 01:25 - 04268880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setupapi.dll
2016-06-15 17:22 - 2016-05-28 01:22 - 07474528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-06-15 17:22 - 2016-05-28 01:22 - 04387680 _____ (Microsoft Corporation) C:\Windows\system32\setupapi.dll
2016-06-15 17:22 - 2016-05-28 01:20 - 00430312 _____ (Microsoft Corporation) C:\Windows\system32\ws2_32.dll
2016-06-15 17:22 - 2016-05-28 01:09 - 00501600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupEngine.dll
2016-06-15 17:22 - 2016-05-28 01:08 - 00693600 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupEngine.dll
2016-06-15 17:22 - 2016-05-28 01:07 - 03675512 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-06-15 17:22 - 2016-05-28 01:07 - 02921880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-06-15 17:22 - 2016-05-28 01:07 - 01322248 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-06-15 17:22 - 2016-05-28 01:07 - 00808288 _____ (Microsoft Corporation) C:\Windows\system32\WWAHost.exe
2016-06-15 17:22 - 2016-05-28 01:06 - 00730344 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Internal.Shell.Broker.dll
2016-06-15 17:22 - 2016-05-28 01:05 - 04515264 _____ (Microsoft Corporation) C:\Windows\explorer.exe
2016-06-15 17:22 - 2016-05-28 00:58 - 01996640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2016-06-15 17:22 - 2016-05-28 00:58 - 00379232 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-06-15 17:22 - 2016-05-28 00:57 - 02548944 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2016-06-15 17:22 - 2016-05-28 00:57 - 02195632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10warp.dll
2016-06-15 17:22 - 2016-05-28 00:57 - 01594416 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-06-15 17:22 - 2016-05-28 00:57 - 01372312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-06-15 17:22 - 2016-05-28 00:57 - 00649792 _____ (Microsoft Corporation) C:\Windows\system32\dxgi.dll
2016-06-15 17:22 - 2016-05-28 00:57 - 00636304 _____ (Microsoft Corporation) C:\Windows\system32\fontdrvhost.exe
2016-06-15 17:22 - 2016-05-28 00:57 - 00546456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontdrvhost.exe
2016-06-15 17:22 - 2016-05-28 00:57 - 00521664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxgi.dll
2016-06-15 17:22 - 2016-05-28 00:57 - 00316256 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2016-06-15 17:22 - 2016-05-28 00:35 - 00123392 _____ (Microsoft Corporation) C:\Windows\system32\tdlrecover.exe
2016-06-15 17:22 - 2016-05-28 00:35 - 00031744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dumpsdport.sys
2016-06-15 17:22 - 2016-05-28 00:31 - 00091648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdlrecover.exe
2016-06-15 17:22 - 2016-05-28 00:22 - 00163328 _____ (Microsoft Corporation) C:\Windows\system32\tetheringservice.dll
2016-06-15 17:22 - 2016-05-28 00:19 - 00567808 _____ (Microsoft Corporation) C:\Windows\system32\MBMediaManager.dll
2016-06-15 17:22 - 2016-05-28 00:18 - 00460800 _____ (Microsoft Corporation) C:\Windows\system32\MapConfiguration.dll
2016-06-15 17:22 - 2016-05-28 00:18 - 00380416 _____ (Microsoft Corporation) C:\Windows\system32\SystemEventsBrokerServer.dll
2016-06-15 17:22 - 2016-05-28 00:18 - 00285184 _____ (Microsoft Corporation) C:\Windows\system32\VEEventDispatcher.dll
2016-06-15 17:22 - 2016-05-28 00:17 - 09918976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2016-06-15 17:22 - 2016-05-28 00:17 - 00963072 _____ (Microsoft Corporation) C:\Windows\system32\iphlpsvc.dll
2016-06-15 17:22 - 2016-05-28 00:16 - 19344384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-06-15 17:22 - 2016-05-28 00:16 - 00684544 _____ (Microsoft Corporation) C:\Windows\system32\StructuredQuery.dll
2016-06-15 17:22 - 2016-05-28 00:16 - 00592896 _____ (Microsoft Corporation) C:\Windows\system32\AppContracts.dll
2016-06-15 17:22 - 2016-05-28 00:16 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\tileobjserver.dll
2016-06-15 17:22 - 2016-05-28 00:15 - 01056256 _____ (Microsoft Corporation) C:\Windows\system32\JpMapControl.dll
2016-06-15 17:22 - 2016-05-28 00:15 - 00853504 _____ (Microsoft Corporation) C:\Windows\system32\MapsStore.dll
2016-06-15 17:22 - 2016-05-28 00:15 - 00794624 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2016-06-15 17:22 - 2016-05-28 00:14 - 18674176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\edgehtml.dll
2016-06-15 17:22 - 2016-05-28 00:14 - 01716736 _____ (Microsoft Corporation) C:\Windows\system32\SRHInproc.dll
2016-06-15 17:22 - 2016-05-28 00:14 - 00988160 _____ (Microsoft Corporation) C:\Windows\system32\NMAA.dll
2016-06-15 17:22 - 2016-05-28 00:14 - 00606208 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-06-15 17:22 - 2016-05-28 00:13 - 00990208 _____ (Microsoft Corporation) C:\Windows\system32\SharedStartModel.dll
2016-06-15 17:22 - 2016-05-28 00:13 - 00982016 _____ (Microsoft Corporation) C:\Windows\system32\AppxPackaging.dll
2016-06-15 17:22 - 2016-05-28 00:13 - 00939520 _____ (Microsoft Corporation) C:\Windows\system32\MapControlCore.dll
2016-06-15 17:22 - 2016-05-28 00:13 - 00467456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppContracts.dll
2016-06-15 17:22 - 2016-05-28 00:12 - 00614400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2016-06-15 17:22 - 2016-05-28 00:12 - 00521728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\StructuredQuery.dll
2016-06-15 17:22 - 2016-05-28 00:11 - 00711680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MapControlCore.dll
2016-06-15 17:22 - 2016-05-28 00:11 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-06-15 17:22 - 2016-05-28 00:08 - 06295552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mos.dll
2016-06-15 17:22 - 2016-05-28 00:06 - 12128256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-06-15 17:22 - 2016-05-28 00:06 - 01339904 _____ (Microsoft Corporation) C:\Windows\system32\gpsvc.dll
2016-06-15 17:22 - 2016-05-28 00:05 - 03994624 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers_nt.dll
2016-06-15 17:22 - 2016-05-28 00:05 - 03664896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-06-15 17:22 - 2016-05-28 00:05 - 02582016 _____ (Microsoft Corporation) C:\Windows\system32\MFMediaEngine.dll
2016-06-15 17:22 - 2016-05-28 00:05 - 01797120 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Immersive.dll
2016-06-15 17:22 - 2016-05-28 00:03 - 05323776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2016-06-15 17:22 - 2016-05-28 00:03 - 05205504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\BingMaps.dll
2016-06-15 17:22 - 2016-05-28 00:03 - 02609664 _____ (Microsoft Corporation) C:\Windows\system32\NetworkMobileSettings.dll
2016-06-15 17:22 - 2016-05-28 00:03 - 01185280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LocationFramework.dll
2016-06-15 17:22 - 2016-05-28 00:02 - 03590144 _____ (Microsoft Corporation) C:\Windows\system32\win32kfull.sys
2016-06-15 17:22 - 2016-05-28 00:02 - 02061824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MFMediaEngine.dll
2016-06-15 17:22 - 2016-05-28 00:02 - 01534464 _____ (Microsoft Corporation) C:\Windows\system32\LocationFramework.dll
2016-06-15 17:22 - 2016-05-28 00:01 - 01799680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Logon.dll
2016-06-15 17:22 - 2016-05-28 00:01 - 01582080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.UI.Immersive.dll
2016-06-15 17:22 - 2016-05-28 00:01 - 01500160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-06-15 17:22 - 2016-05-28 00:00 - 05660160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Chakra.dll
2016-06-15 17:22 - 2016-05-28 00:00 - 02635776 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Logon.dll
2016-06-15 17:22 - 2016-05-28 00:00 - 02168320 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll
2016-06-15 17:22 - 2016-05-28 00:00 - 01730560 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-06-15 17:22 - 2016-05-28 00:00 - 01707520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ActiveSyncProvider.dll
2016-06-15 17:22 - 2016-05-27 23:58 - 07832576 _____ (Microsoft Corporation) C:\Windows\system32\Chakra.dll
2016-06-15 17:22 - 2016-05-27 23:58 - 04896256 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-06-15 17:22 - 2016-05-27 23:58 - 02066432 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentExtensions.dll
2016-06-15 17:22 - 2016-05-27 23:58 - 01996288 _____ (Microsoft Corporation) C:\Windows\system32\ActiveSyncProvider.dll
2016-06-15 17:22 - 2016-05-27 23:57 - 02281472 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-06-15 17:22 - 2016-05-27 23:55 - 01390080 _____ (Microsoft Corporation) C:\Windows\system32\Windows.UI.Shell.dll
2016-06-15 17:21 - 2016-05-28 02:13 - 01184960 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-06-15 17:21 - 2016-05-28 02:13 - 00514752 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-06-15 17:21 - 2016-05-28 02:13 - 00092352 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-06-15 17:21 - 2016-05-28 01:23 - 00388384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ws2_32.dll
2016-06-15 17:21 - 2016-05-28 01:23 - 00312160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswsock.dll
2016-06-15 17:21 - 2016-05-28 01:22 - 00428896 _____ (Microsoft Corporation) C:\Windows\system32\hal.dll
2016-06-15 17:21 - 2016-05-28 01:22 - 00211296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tpm.sys
2016-06-15 17:21 - 2016-05-28 01:22 - 00118624 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\partmgr.sys
2016-06-15 17:21 - 2016-05-28 01:18 - 00357216 _____ (Microsoft Corporation) C:\Windows\system32\mswsock.dll
2016-06-15 17:21 - 2016-05-28 01:16 - 00026408 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-06-15 17:21 - 2016-05-28 01:09 - 00170848 _____ (Microsoft Corporation) C:\Windows\system32\NetworkUXBroker.exe
2016-06-15 17:21 - 2016-05-28 01:09 - 00084832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NetSetupApi.dll
2016-06-15 17:21 - 2016-05-28 01:08 - 00258912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ufx01000.sys
2016-06-15 17:21 - 2016-05-28 01:08 - 00115040 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupApi.dll
2016-06-15 17:21 - 2016-05-28 01:07 - 00957608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-06-15 17:21 - 2016-05-28 01:07 - 00703840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WWAHost.exe
2016-06-15 17:21 - 2016-05-28 01:07 - 00331616 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pci.sys
2016-06-15 17:21 - 2016-05-28 01:06 - 22561256 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-06-15 17:21 - 2016-05-28 01:06 - 04074160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
2016-06-15 17:21 - 2016-05-28 01:06 - 00303216 _____ (Microsoft Corporation) C:\Windows\system32\LockAppHost.exe
2016-06-15 17:21 - 2016-05-28 01:06 - 00254656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\LockAppHost.exe
2016-06-15 17:21 - 2016-05-28 01:04 - 00604928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2016-06-15 17:21 - 2016-05-28 01:04 - 00431296 _____ (Microsoft Corporation) C:\Windows\system32\bcryptprimitives.dll
2016-06-15 17:21 - 2016-05-28 01:04 - 00360480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcryptprimitives.dll
2016-06-15 17:21 - 2016-05-28 01:04 - 00161632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-06-15 17:21 - 2016-05-28 01:04 - 00111064 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2016-06-15 17:21 - 2016-05-28 01:04 - 00097096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2016-06-15 17:21 - 2016-05-28 01:03 - 00131248 _____ (Microsoft Corporation) C:\Windows\system32\gpapi.dll
2016-06-15 17:21 - 2016-05-28 00:57 - 00577376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms2.sys
2016-06-15 17:21 - 2016-05-28 00:35 - 00089088 _____ (Microsoft Corporation) C:\Windows\system32\MapsCSP.dll
2016-06-15 17:21 - 2016-05-28 00:31 - 00088576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\olepro32.dll
2016-06-15 17:21 - 2016-05-28 00:31 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\MosHostClient.dll
2016-06-15 17:21 - 2016-05-28 00:29 - 00079360 _____ (Microsoft Corporation) C:\Windows\system32\adhsvc.dll
2016-06-15 17:21 - 2016-05-28 00:29 - 00045568 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-06-15 17:21 - 2016-05-28 00:29 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\httpprxp.dll
2016-06-15 17:21 - 2016-05-28 00:28 - 00166400 _____ (Microsoft Corporation) C:\Windows\system32\MusNotification.exe
2016-06-15 17:21 - 2016-05-28 00:28 - 00118272 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2016-06-15 17:21 - 2016-05-28 00:28 - 00090112 _____ (Microsoft Corporation) C:\Windows\system32\FwRemoteSvr.dll
2016-06-15 17:21 - 2016-05-28 00:27 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MosHostClient.dll
2016-06-15 17:21 - 2016-05-28 00:27 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\mapsupdatetask.dll
2016-06-15 17:21 - 2016-05-28 00:26 - 00199168 _____ (Microsoft Corporation) C:\Windows\system32\InstallAgent.exe
2016-06-15 17:21 - 2016-05-28 00:26 - 00157184 _____ (Microsoft Corporation) C:\Windows\system32\dmcertinst.exe
2016-06-15 17:21 - 2016-05-28 00:26 - 00145920 _____ (Microsoft Corporation) C:\Windows\system32\omadmclient.exe
2016-06-15 17:21 - 2016-05-28 00:26 - 00120320 _____ (Microsoft Corporation) C:\Windows\system32\MapsBtSvc.dll
2016-06-15 17:21 - 2016-05-28 00:26 - 00074752 _____ (Microsoft Corporation) C:\Windows\system32\MosStorage.dll
2016-06-15 17:21 - 2016-05-28 00:25 - 00037376 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2016-06-15 17:21 - 2016-05-28 00:24 - 00218624 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2016-06-15 17:21 - 2016-05-28 00:24 - 00124928 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Ndu.sys
2016-06-15 17:21 - 2016-05-28 00:24 - 00093696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2016-06-15 17:21 - 2016-05-28 00:24 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\browserbroker.dll
2016-06-15 17:21 - 2016-05-28 00:24 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\AppCapture.dll
2016-06-15 17:21 - 2016-05-28 00:24 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\moshost.dll
2016-06-15 17:21 - 2016-05-28 00:24 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\dhcpcsvc6.dll
2016-06-15 17:21 - 2016-05-28 00:24 - 00053760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FwRemoteSvr.dll
2016-06-15 17:21 - 2016-05-28 00:23 - 00155136 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2016-06-15 17:21 - 2016-05-28 00:23 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\dhcpcsvc.dll
2016-06-15 17:21 - 2016-05-28 00:22 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\MusUpdateHandlers.dll
2016-06-15 17:21 - 2016-05-28 00:22 - 00368640 _____ (Microsoft Corporation) C:\Windows\system32\usocore.dll
2016-06-15 17:21 - 2016-05-28 00:22 - 00278528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netbt.sys
2016-06-15 17:21 - 2016-05-28 00:22 - 00269824 _____ (Microsoft Corporation) C:\Windows\system32\moshostcore.dll
2016-06-15 17:21 - 2016-05-28 00:22 - 00161280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\InstallAgent.exe
2016-06-15 17:21 - 2016-05-28 00:22 - 00087040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MapsBtSvc.dll
2016-06-15 17:21 - 2016-05-28 00:22 - 00079872 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2016-06-15 17:21 - 2016-05-28 00:22 - 00059904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MosStorage.dll
2016-06-15 17:21 - 2016-05-28 00:21 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\StoreAgent.dll
2016-06-15 17:21 - 2016-05-28 00:21 - 00239104 _____ (Microsoft Corporation) C:\Windows\system32\BrokerLib.dll
2016-06-15 17:21 - 2016-05-28 00:21 - 00207360 _____ (Microsoft Corporation) C:\Windows\system32\NetSetupSvc.dll
2016-06-15 17:21 - 2016-05-28 00:21 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\wscsvc.dll
2016-06-15 17:21 - 2016-05-28 00:20 - 00641536 _____ (Microsoft Corporation) C:\Windows\system32\enterprisecsps.dll
2016-06-15 17:21 - 2016-05-28 00:20 - 00511488 _____ (Microsoft Corporation) C:\Windows\system32\newdev.dll
2016-06-15 17:21 - 2016-05-28 00:20 - 00332288 _____ (Microsoft Corporation) C:\Windows\system32\polstore.dll
2016-06-15 17:21 - 2016-05-28 00:20 - 00267264 _____ (Microsoft Corporation) C:\Windows\system32\dhcpcore6.dll
2016-06-15 17:21 - 2016-05-28 00:20 - 00199168 _____ (Microsoft Corporation) C:\Windows\system32\GnssAdapter.dll
2016-06-15 17:21 - 2016-05-28 00:20 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers_Privacy.dll
2016-06-15 17:21 - 2016-05-28 00:20 - 00057344 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc6.dll
2016-06-15 17:21 - 2016-05-28 00:19 - 00764928 _____ (Microsoft Corporation) C:\Windows\system32\Chakradiag.dll
2016-06-15 17:21 - 2016-05-28 00:19 - 00414720 _____ (Microsoft Corporation) C:\Windows\system32\bcastdvr.exe
2016-06-15 17:21 - 2016-05-28 00:19 - 00355840 _____ (Microsoft Corporation) C:\Windows\system32\dhcpcore.dll
2016-06-15 17:21 - 2016-05-28 00:19 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcsvc.dll
2016-06-15 17:21 - 2016-05-28 00:18 - 00610816 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2016-06-15 17:21 - 2016-05-28 00:18 - 00591360 _____ (Microsoft Corporation) C:\Windows\system32\vpnike.dll
2016-06-15 17:21 - 2016-05-28 00:18 - 00392192 _____ (Microsoft Corporation) C:\Windows\system32\IPSECSVC.DLL
2016-06-15 17:21 - 2016-05-28 00:17 - 00485888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\newdev.dll
2016-06-15 17:21 - 2016-05-28 00:17 - 00415232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\StoreAgent.dll
2016-06-15 17:21 - 2016-05-28 00:17 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\RDXTaskFactory.dll
2016-06-15 17:21 - 2016-05-28 00:17 - 00278016 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Internal.Management.dll
2016-06-15 17:21 - 2016-05-28 00:17 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\mdmmigrator.dll
2016-06-15 17:21 - 2016-05-28 00:16 - 00690176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2016-06-15 17:21 - 2016-05-28 00:16 - 00406528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-06-15 17:21 - 2016-05-28 00:16 - 00291328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\polstore.dll
2016-06-15 17:21 - 2016-05-28 00:16 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore6.dll
2016-06-15 17:21 - 2016-05-28 00:15 - 00535040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2016-06-15 17:21 - 2016-05-28 00:15 - 00349696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MapConfiguration.dll
2016-06-15 17:21 - 2016-05-28 00:15 - 00293888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dhcpcore.dll
2016-06-15 17:21 - 2016-05-28 00:15 - 00237056 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-06-15 17:21 - 2016-05-28 00:14 - 00965632 _____ (Microsoft Corporation) C:\Windows\system32\SRH.dll
2016-06-15 17:21 - 2016-05-28 00:14 - 00784384 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-06-15 17:21 - 2016-05-28 00:14 - 00499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MessagingDataModel2.dll
2016-06-15 17:21 - 2016-05-28 00:14 - 00219136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\VEEventDispatcher.dll
2016-06-15 17:21 - 2016-05-28 00:14 - 00200192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Internal.Management.dll
2016-06-15 17:21 - 2016-05-28 00:13 - 01387520 _____ (Microsoft Corporation) C:\Windows\system32\win32kbase.sys
2016-06-15 17:21 - 2016-05-28 00:13 - 00587776 _____ (Microsoft Corporation) C:\Windows\system32\bisrv.dll
2016-06-15 17:21 - 2016-05-28 00:12 - 00800768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JpMapControl.dll
2016-06-15 17:21 - 2016-05-28 00:11 - 01445888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SRHInproc.dll
2016-06-15 17:21 - 2016-05-28 00:11 - 00890368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppxPackaging.dll
2016-06-15 17:21 - 2016-05-28 00:11 - 00799744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SRH.dll
2016-06-15 17:21 - 2016-05-28 00:11 - 00784896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\NMAA.dll
2016-06-15 17:21 - 2016-05-28 00:11 - 00687616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-06-15 17:21 - 2016-05-28 00:11 - 00128512 _____ (Microsoft Corporation) C:\Windows\system32\httpprxm.dll
2016-06-15 17:21 - 2016-05-28 00:09 - 01073152 _____ (Microsoft Corporation) C:\Windows\system32\RDXService.dll
2016-06-15 17:21 - 2016-05-28 00:04 - 00555520 _____ (Microsoft Corporation) C:\Windows\system32\SyncController.dll
2016-06-15 17:21 - 2016-05-28 00:04 - 00450560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SyncController.dll
2016-06-15 17:21 - 2016-05-28 00:03 - 00693760 _____ (Microsoft Corporation) C:\Windows\system32\internetmail.dll
2016-06-15 17:21 - 2016-05-28 00:03 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\dmenrollengine.dll
2016-06-15 17:21 - 2016-05-28 00:02 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\updatepolicy.dll
2016-06-15 17:21 - 2016-05-28 00:01 - 00111104 _____ (Microsoft Corporation) C:\Windows\system32\updatepolicy.dll
2016-06-15 17:21 - 2016-05-28 00:00 - 02230272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-06-15 17:21 - 2016-05-28 00:00 - 00162816 _____ (Microsoft Corporation) C:\Windows\system32\enrollmentapi.dll
2016-06-15 17:21 - 2016-05-28 00:00 - 00151040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mdmregistration.dll
2016-06-15 17:21 - 2016-05-28 00:00 - 00090624 _____ (Microsoft Corporation) C:\Windows\system32\DeviceEnroller.exe
2016-06-15 17:21 - 2016-05-27 23:59 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\mdmregistration.dll
2016-06-15 17:21 - 2016-05-27 23:58 - 02755584 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-06-15 17:21 - 2016-05-27 23:53 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\ngcpopkeysrv.dll
2016-06-14 11:44 - 2016-06-14 12:06 - 00000000 ____D C:\ProgramData\RogueKiller
2016-06-14 11:44 - 2016-06-14 11:44 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-06-14 11:29 - 2016-06-14 11:32 - 00000000 ____D C:\AdwCleaner
2016-06-14 11:27 - 2016-06-14 11:42 - 19936840 _____ C:\Users\ghy\Desktop\RogueKiller.exe
2016-06-14 11:27 - 2016-06-14 11:38 - 01610816 _____ (Malwarebytes) C:\Users\ghy\Desktop\JRT.exe
2016-06-14 11:27 - 2016-06-14 11:27 - 03677248 _____ C:\Users\ghy\Desktop\AdwCleaner.exe
2016-06-12 19:45 - 2016-06-16 15:57 - 00000000 ____D C:\FRST
2016-06-12 18:55 - 2016-06-16 15:56 - 02386944 _____ (Farbar) C:\Users\ghy\Desktop\FRST64.exe
2016-06-11 15:53 - 2016-06-11 16:01 - 00000000 ____D C:\Users\ghy\Desktop\mp3 songs
2016-06-11 14:02 - 2016-06-11 15:28 - 00000000 ____D C:\Users\ghy\Desktop\Possible Wrecked CDs
2016-06-10 12:23 - 2016-06-10 12:30 - 00000000 ____D C:\Users\ghy\Desktop\Charlie Pride
2016-06-10 11:39 - 2016-06-10 12:12 - 00000000 ____D C:\Users\ghy\Desktop\Clay Walker
2016-06-10 11:24 - 2016-06-10 11:47 - 00000000 ____D C:\SUPERDelete
2016-06-10 11:18 - 2016-06-10 11:18 - 00000000 ____D C:\Users\ghy\Documents\Any Audio Converter
2016-06-10 11:03 - 2016-06-15 17:28 - 00000000 ____D C:\Users\ghy\Desktop\Songs That Won't Play On Computer
2016-06-10 11:01 - 2016-06-10 11:02 - 00000000 ____D C:\Users\ghy\Documents\Aimersoft DRM Media Converter
2016-06-10 11:00 - 2015-08-03 10:55 - 00675840 _____ () C:\Windows\SysWOW64\ac3filter.ax
2016-06-10 11:00 - 2015-08-03 10:54 - 00892928 _____ (Free Software Foundation) C:\Windows\SysWOW64\iconv.dll
2016-06-10 11:00 - 2015-08-03 10:54 - 00496640 _____ C:\Windows\SysWOW64\xvid.ax
2016-06-10 11:00 - 2015-08-03 10:51 - 00031080 _____ (Wondershare) C:\Windows\system32\Drivers\VirtualAudio1.sys
2016-06-10 09:53 - 2016-06-10 09:53 - 00000000 ____D C:\Users\ghy\Desktop\Keith Urban
2016-06-10 08:05 - 2016-06-10 08:45 - 00000000 ____D C:\Users\ghy\Desktop\Chris Cagle
2016-06-08 19:37 - 2016-06-08 19:45 - 00000000 ____D C:\Users\ghy\Desktop\Debbie Gibson
2016-06-08 19:35 - 2016-06-11 19:33 - 00000000 ____D C:\Users\ghy\Desktop\Kathy Mattea
2016-06-08 19:11 - 2016-06-10 09:02 - 00000000 ____D C:\Users\ghy\Desktop\Jessica Andrews
2016-06-08 16:56 - 2016-06-08 18:55 - 00000000 ____D C:\Users\ghy\Desktop\Spice Girls
2016-06-08 16:18 - 2016-06-08 16:19 - 00000000 ____D C:\Users\ghy\Desktop\Taylor Swift
2016-06-08 16:18 - 2016-06-08 16:19 - 00000000 ____D C:\Users\ghy\Desktop\Kellie Pickler
2016-06-08 12:34 - 2016-06-08 16:20 - 00000000 ____D C:\Users\ghy\Desktop\Unknown Artist
2016-06-08 11:54 - 2016-06-08 17:05 - 00000000 ____D C:\Users\ghy\Desktop\Tiffany
2016-06-08 11:53 - 2016-06-08 11:53 - 00000000 ____D C:\Users\ghy\Desktop\The Box
2016-06-08 11:18 - 2016-06-11 19:30 - 00000000 ____D C:\Users\ghy\Desktop\New folder (2)
2016-06-07 14:24 - 2016-06-07 14:24 - 00031188 _____ C:\Users\ghy\Desktop\june hydro bill 2016.pdf
2016-06-07 14:15 - 2016-06-07 14:15 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\Program Files\iTunes
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\Program Files\iPod
2016-06-07 14:15 - 2016-06-07 14:15 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-06-02 11:50 - 2016-06-02 11:50 - 04291320 _____ (BrightFort LLC ) C:\Users\ghy\Downloads\spywareblastersetup55.exe
2016-05-31 14:29 - 2016-05-31 14:29 - 00010554 _____ C:\Users\ghy\Desktop\june 2016 budget paid.ods
2016-05-30 17:54 - 2016-05-30 17:54 - 00000279 _____ C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Recycle Bin.lnk
2016-05-30 15:50 - 2016-05-30 19:06 - 00000000 ____D C:\Users\ghy\Desktop\Little Shop Of Horrors
2016-05-30 15:22 - 2016-05-30 18:50 - 00000000 ____D C:\Users\ghy\Desktop\Adam's Lawn Mower Diagrams
2016-05-30 12:43 - 2016-06-07 15:18 - 00000000 ____D C:\Users\ghy\Desktop\New folder (4)
2016-05-30 12:38 - 2016-05-30 12:51 - 00000000 ____D C:\Users\ghy\Desktop\New folder (3)
2016-05-28 18:52 - 2016-05-28 18:52 - 00149733 _____ C:\Users\ghy\Downloads\GC_056962.pdf
2016-05-28 18:00 - 2016-06-08 15:20 - 00000000 ____D C:\Users\ghy\Desktop\Unknown Album
2016-05-28 16:21 - 2016-05-28 16:22 - 00000000 ____D C:\Users\ghy\Desktop\Unblock Us Cancellation Stuff
2016-05-26 10:56 - 2016-05-26 10:56 - 00000000 ____D C:\Users\ghy\AppData\Local\Apps\2.0
2016-05-26 10:47 - 2016-06-14 17:38 - 00000000 ____D C:\Users\ghy\AppData\Roaming\MusicBee
2016-05-26 10:38 - 2016-05-26 10:38 - 00001080 _____ C:\Users\ghy\Desktop\MusicBee.lnk
2016-05-26 10:38 - 2016-05-26 10:38 - 00000000 ____D C:\Users\ghy\Downloads\MusicBeeSetup_3_0a
2016-05-26 10:38 - 2016-05-26 10:38 - 00000000 ____D C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MusicBee
2016-05-26 10:38 - 2016-05-26 10:38 - 00000000 ____D C:\Program Files (x86)\MusicBee
2016-05-26 10:34 - 2016-05-26 10:35 - 11777915 _____ C:\Users\ghy\Downloads\MusicBeeSetup_3_0a.zip
2016-05-25 15:40 - 2016-05-25 15:40 - 00000000 ____D C:\Users\ghy\AppData\Local\FacebookGames
2016-05-25 15:40 - 2016-05-25 15:40 - 00000000 ____D C:\Users\ghy\AppData\Local\Facebook
2016-05-25 15:40 - 2016-05-25 15:40 - 00000000 ____D C:\Users\ghy\AppData\Local\CEF
2016-05-25 15:20 - 2016-05-25 15:20 - 00000043 _____ C:\Users\ghy\Desktop\email address to pay westario credit vampires in owen sound.txt
2016-05-25 13:20 - 2016-05-25 13:20 - 00000000 ____D C:\Users\ghy\Downloads\Unblock Us Invoices
2016-05-24 17:26 - 2016-05-24 17:28 - 00173116 _____ C:\Windows\Minidump\052416-62875-01.dmp
2016-05-24 17:26 - 2016-05-24 17:26 - 427209106 _____ C:\Windows\MEMORY.DMP
2016-05-20 19:54 - 2016-05-20 19:57 - 21583056 _____ C:\Users\ghy\Downloads\Carolyn Dawn Johnson - Dress Rehearsal.mp4
2016-05-18 20:50 - 2016-05-18 20:50 - 26016641 _____ C:\Users\ghy\Downloads\Nelson - After the Rain.mp4
2016-05-18 15:00 - 2016-06-11 14:01 - 00000000 ____D C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-16 15:53 - 2016-02-24 16:24 - 00000000 __SHD C:\Users\ghy\IntelGraphicsProfiles
2016-06-16 14:49 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-16 14:49 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\AppReadiness
2016-06-16 12:15 - 2016-02-24 17:59 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-16 12:14 - 2016-02-24 18:03 - 00000000 ____D C:\Users\ghy
2016-06-16 12:14 - 2015-10-30 02:28 - 00524288 ___SH C:\Windows\system32\config\BBI
2016-06-16 11:35 - 2016-02-25 18:12 - 00004164 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{A4D67DFC-4CDE-45A7-8BF3-A9B059A161BA}
2016-06-16 11:06 - 2016-03-26 10:38 - 00000000 ____D C:\Users\ghy\AppData\Local\CrashDumps
2016-06-16 08:13 - 2016-02-24 18:04 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-06-16 08:10 - 2016-02-24 17:55 - 00254416 _____ C:\Windows\system32\FNTCACHE.DAT
2016-06-16 08:08 - 2015-10-30 03:24 - 00000000 ___SD C:\Windows\system32\DiagSvcs
2016-06-16 08:08 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\SystemResetPlatform
2016-06-16 08:08 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\bcastdvr
2016-06-16 08:08 - 2015-10-30 03:21 - 00000000 ____D C:\Windows\INF
2016-06-15 17:46 - 2015-10-30 03:11 - 00000000 ____D C:\Windows\CbsTemp
2016-06-15 17:41 - 2016-02-24 16:13 - 00000000 ____D C:\Windows\system32\MRT
2016-06-15 17:35 - 2016-02-24 16:13 - 142482544 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-06-15 16:33 - 2016-02-24 16:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-15 16:15 - 2016-02-24 18:48 - 00004280 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-06-13 07:25 - 2016-03-10 15:03 - 01877504 ___SH C:\Users\ghy\Desktop\Thumbs.db
2016-06-11 19:34 - 2016-04-24 12:38 - 00000000 ____D C:\Users\ghy\AppData\Roaming\Mp3tag
2016-06-11 10:30 - 2016-02-24 16:30 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-06-11 10:30 - 2016-02-24 16:29 - 00000000 ____D C:\ProgramData\TEMP
2016-06-11 10:30 - 2016-02-24 16:29 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2016-06-10 09:17 - 2016-02-24 16:29 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-06-08 19:26 - 2016-02-24 18:54 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-08 19:26 - 2016-02-24 18:54 - 00002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-07 15:20 - 2016-04-24 19:09 - 00000000 ____D C:\Users\ghy\Desktop\Music Completed
2016-06-07 14:15 - 2016-02-24 18:24 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-06-06 15:07 - 2016-04-15 15:49 - 00753152 ___SH C:\Users\ghy\Downloads\Thumbs.db
2016-06-03 16:29 - 2016-05-16 20:59 - 00000000 ____D C:\Users\ghy\Desktop\May 2016 Hydro Usage
2016-06-03 13:01 - 2016-02-24 18:09 - 00000000 ____D C:\Users\ghy\Desktop\Maintenance
2016-06-02 11:50 - 2016-02-24 16:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
2016-06-01 19:23 - 2016-03-22 18:36 - 00000000 ____D C:\Users\ghy\AppData\Local\ElevatedDiagnostics
2016-06-01 18:20 - 2015-10-30 03:24 - 00000000 ____D C:\Windows\system32\NDF
2016-05-31 15:19 - 2016-04-29 14:12 - 00000000 ____D C:\Users\ghy\AppData\Roaming\WinFF
2016-05-30 20:46 - 2016-05-09 20:11 - 00011707 _____ C:\Users\ghy\Desktop\june 2016 budget.ods
2016-05-30 18:48 - 2016-02-25 09:22 - 00000000 ____D C:\Users\ghy\Desktop\Banking
2016-05-29 19:26 - 2016-04-22 12:19 - 00000000 ____D C:\Users\ghy\Desktop\New folder
2016-05-28 16:23 - 2016-02-24 18:07 - 00879220 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-28 01:55 - 2016-02-24 18:02 - 02718208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
2016-05-24 17:26 - 2016-03-07 19:48 - 00000000 ____D C:\Windows\Minidump
2016-05-23 19:31 - 2016-02-24 18:07 - 00002406 _____ C:\Users\ghy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-05-23 19:31 - 2016-02-24 18:07 - 00000000 ___RD C:\Users\ghy\OneDrive

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-06-13 21:05

==================== End of FRST.txt ============================

mommyto3furballs
Re: chromium showed up on computer...malwarebytes showed infection
« Reply #12 on: June 16, 2016, 02:06:34 PM »
Additional scan result of Farbar Recovery Scan Tool (x64) Version:16-06-2016 01
Ran by ghy (2016-06-16 15:58:41)
Running from C:\Users\ghy\Desktop
Windows 10 Home Version 1511 (X64) (2016-02-24 22:02:09)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2176856750-3379297402-3027562793-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2176856750-3379297402-3027562793-503 - Limited - Disabled)
ghy (S-1-5-21-2176856750-3379297402-3027562793-1001 - Administrator - Enabled) => C:\Users\ghy
Guest (S-1-5-21-2176856750-3379297402-3027562793-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2176856750-3379297402-3027562793-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Apple Application Support (32-bit) (HKLM-x32\...\{26356515-5821-40FA-9C3D-9785052A1062}) (Version: 4.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{C2651553-6CA3-4822-B2E6-BC4ACA6E0EA2}) (Version: 4.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}) (Version: 9.3.0.15 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.2.2262 - AVAST Software)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.10.15 - Canon Inc.)
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version: 4.2.0 - Canon Inc.)
Canon MG2900 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2900_series) (Version: 1.00 - Canon Inc.)
Canon MG2900 series On-screen Manual (HKLM-x32\...\Canon MG2900 series On-screen Manual) (Version: 7.7.1 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.2.1 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.4.0 - Canon Inc.)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ETDWare PS/2-X64 11.6.27.201_WHQL (HKLM\...\Elantech) (Version: 11.6.27.201 - ELAN Microelectronic Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.84 - Google Inc.)
Google Update Helper (x32 Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
iTunes (HKLM\...\{9F4BF859-C3A4-4AB6-BDD1-9C5D58188598}) (Version: 12.4.1.6 - Apple Inc.)
LibreOffice 5.1.2.2 (HKLM-x32\...\{09AD7191-4F96-442C-B2F4-1491B144DBEB}) (Version: 5.1.2.2 - The Document Foundation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mp3tag v2.77 (HKLM-x32\...\Mp3tag) (Version: v2.77 - Florian Heidenreich)
MusicBee 3.0 (HKLM-x32\...\MusicBee) (Version: 3.0 - Steven Mayall)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.305 - Qualcomm Atheros Communications)
Qualcomm Atheros WiFi Driver Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 12.05 - Qualcomm Atheros)
SafeZone Stable 1.48.2066.101 (x32 Version: 1.48.2066.101 - Avast Software) Hidden
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 3.1.1 - Krzysztof Kowalczyk)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1212 - SUPERAntiSpyware.com)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\ghy\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1720E5D8-0E22-4305-9A94-700F6FA029AA} - System32\Tasks\SafeZone scheduled Autoupdate 1458656602 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-04-15] (Avast Software)
Task: {5D567699-2A24-4A00-8D84-D4B9C24BF89F} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2016-06-15] (Microsoft Corporation)
Task: {7007A817-D767-47B8-9C0B-F2E5B942F696} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-24] (Google Inc.)
Task: {85D9A422-B70F-4343-ABC8-2F107980D850} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-05-04] (AVAST Software)
Task: {D5BA1EEF-453E-4AEA-85E8-D6029358E2F5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {E2F8DC34-0075-4BA5-8618-722FF8006087} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-24] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-04-20 12:08 - 2013-06-28 11:28 - 00084616 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2016-03-18 22:56 - 2016-03-18 22:56 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-04-22 01:07 - 2016-04-22 01:07 - 01337144 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-10-30 03:18 - 2015-10-30 03:18 - 00185856 _____ () C:\Windows\SYSTEM32\ism32k.dll
2016-04-12 18:13 - 2016-03-29 06:20 - 02656952 _____ () C:\Windows\system32\CoreUIComponents.dll
2016-04-12 18:13 - 2016-03-29 06:20 - 02656952 _____ () C:\Windows\System32\CoreUIComponents.dll
2016-05-23 19:31 - 2016-05-23 19:31 - 00959168 _____ () C:\Users\ghy\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\ClientTelemetry.dll
2016-02-24 16:08 - 2015-12-07 00:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-05-11 08:35 - 2016-04-23 00:25 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-06-15 17:23 - 2016-05-27 23:59 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-06-15 17:23 - 2016-05-27 23:53 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-06-15 17:23 - 2016-05-27 23:54 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-06-15 17:23 - 2016-05-27 23:56 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2013-09-07 02:48 - 2013-09-07 02:48 - 00011264 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-09-07 02:45 - 2013-09-07 02:45 - 00086016 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\Map\MAP.dll
2013-09-07 02:52 - 2013-09-07 02:52 - 00012928 _____ () C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
2016-04-18 16:41 - 2016-04-18 16:42 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
2016-05-04 15:12 - 2016-05-04 15:12 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-05-04 15:12 - 2016-05-04 15:12 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-06-16 07:15 - 2016-06-16 07:15 - 02934272 _____ () C:\Program Files\AVAST Software\Avast\defs\16061600\algo.dll
2016-05-04 15:12 - 2016-05-04 15:12 - 00309912 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll
2016-05-04 15:12 - 2016-05-04 15:12 - 00479680 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-05-23 19:31 - 2016-05-23 19:31 - 00679624 _____ () C:\Users\ghy\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\ClientTelemetry.dll
2016-02-24 18:47 - 2016-02-24 18:47 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2016-04-18 16:41 - 2016-04-18 16:42 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
2016-04-18 16:41 - 2016-04-18 16:42 - 22284800 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkyWrap.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\...\1001movie.com -> 1001movie.com

There are 6091 more sites.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-10-30 03:24 - 2015-10-30 03:21 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2176856750-3379297402-3027562793-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\ghy\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppBackground\{ba2ca346-b9b6-4e44-b85c-c0a7ffcc09e7}.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{4E2190CD-0579-4985-8C13-4EF03DC5A74D}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{9BF67C33-E3F8-48F6-9262-0A958700627E}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{50009B7F-1F82-471E-9272-EA869C891427}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{31BDFD1E-29C6-408D-A191-522CFB577B5D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [TCP Query User{E6B15A9E-81A1-44C4-8BE1-2588B971A411}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{E8B9D116-AFBD-4667-8A14-DE491B55A6F3}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [TCP Query User{94A3AAF4-97E3-4281-B1CA-D7A08930D66F}C:\program files (x86)\mediamonkey\mediamonkey.exe] => (Allow) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [UDP Query User{F55B3252-8310-49CE-A424-32D353A30141}C:\program files (x86)\mediamonkey\mediamonkey.exe] => (Allow) C:\program files (x86)\mediamonkey\mediamonkey.exe
FirewallRules: [{CF70D792-F84B-4812-B8A6-EF8029AF2E0E}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{5870FA69-5623-4AEE-A458-55B2EC5A17E0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{04FBAA3F-67D2-491D-8D75-FF3E9584C548}] => (Allow) C:\Users\ghy\AppData\Local\Chromium\Application\chrome.exe

==================== Restore Points =========================

21-05-2016 17:38:02 Scheduled Checkpoint
30-05-2016 13:02:27 Scheduled Checkpoint
01-06-2016 08:08:03 Removed Facebook Games Arcade 0.5.0.0
11-06-2016 16:18:44 Scheduled Checkpoint
14-06-2016 11:38:26 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Base System Device
Description: Base System Device
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/16/2016 11:24:11 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2125

Error: (06/16/2016 11:24:11 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 2125

Error: (06/16/2016 11:24:11 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/16/2016 11:05:58 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: taskhostw.exe, version: 10.0.10586.0, time stamp: 0x5632d756
Faulting module name: ntdll.dll, version: 10.0.10586.306, time stamp: 0x571af2eb
Exception code: 0xc0000005
Fault offset: 0x00000000000227d5
Faulting process id: 0xf78
Faulting application start time: 0xtaskhostw.exe0
Faulting application path: taskhostw.exe1
Faulting module path: taskhostw.exe2
Report Id: taskhostw.exe3
Faulting package full name: taskhostw.exe4
Faulting package-relative application ID: taskhostw.exe5

Error: (06/14/2016 08:06:36 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 11219

Error: (06/14/2016 08:06:36 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 11219

Error: (06/14/2016 08:06:36 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/14/2016 11:38:45 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (06/12/2016 07:32:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: backgroundTaskHost.exe, version: 10.0.10586.0, time stamp: 0x5632d8f0
Faulting module name: ntdll.dll, version: 10.0.10586.306, time stamp: 0x571af2eb
Exception code: 0xc0000409
Fault offset: 0x00000000000a9ba0
Faulting process id: 0x1c88
Faulting application start time: 0xbackgroundTaskHost.exe0
Faulting application path: backgroundTaskHost.exe1
Faulting module path: backgroundTaskHost.exe2
Report Id: backgroundTaskHost.exe3
Faulting package full name: backgroundTaskHost.exe4
Faulting package-relative application ID: backgroundTaskHost.exe5

Error: (06/12/2016 07:32:29 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8


System errors:
=============
Error: (06/16/2016 03:44:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Access_d58b1 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 03:44:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Storage_d58b1 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 03:44:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Contact Data_d58b1 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 03:44:36 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_d58b1 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 03:44:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (06/16/2016 12:19:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Access_30411 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 12:19:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The User Data Storage_30411 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 12:19:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Contact Data_30411 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 12:19:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Sync Host_30411 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (06/16/2016 12:19:27 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


CodeIntegrity:
===================================
  Date: 2016-06-16 08:13:05.848
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-06-16 07:18:24.658
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-06-10 10:06:59.274
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-31 15:12:26.147
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-31 15:11:10.609
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-31 15:10:34.394
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-30 15:32:00.316
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-14 16:54:34.684
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-14 09:12:58.436
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-05-11 17:25:30.164
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Celeron(R) CPU 1000M @ 1.80GHz
Percentage of memory in use: 30%
Total physical RAM: 3911.27 MB
Available physical RAM: 2718.38 MB
Total Virtual: 4615.27 MB
Available Virtual: 3413.63 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:281.36 GB) (Free:222.72 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 1AF85E84)

Partition: GPT.

==================== End of Addition.txt ============================

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27056
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: chromium showed up on computer...malwarebytes showed infection
« Reply #13 on: June 16, 2016, 08:09:07 PM »
Well, there is not much wrong other than one entry having to do with Chromium. You do have one or two hardware devices that are showing up with no drivers. Go into the Control Panel and then to the Device Manager and see if there are any entries with a yellow exclamation mark or a red X. If there are, let me know what it or they are. If there are none, go up to the menu, click View, select Show hidden devices, and see if there are any problems there.

You also have this problem,
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
But I think this is a false indication, as I have the same problem and I have seen it on many windows 10 machines. If you want to fix that, you may want to look at this,


Last is this GroupPolicy: Restriction - Chrome <======= ATTENTION and for that we do this,

  • Open notepad. Please copy the contents of the code box below.
  • To do this highlight the contents of the box and right click on it.
  • Then paste it into the open notepad.
  • Save it on the Desktop as fixlist.txt
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:

Close processes:
Create Restore Point:
GroupPolicy: Restriction - Chrome <======= ATTENTION
empty temp:
reboot:
  • NOTE It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please copy it and post it in your reply.
  • Note: If the tool warned you about the outdated version please download and run the updated version.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!
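
The "GroupPolicy: Restriction - Chrome" line that FRST flags means Chrome policies have been placed in the machine's local Group Policy store (the C:\Windows\System32\GroupPolicy\Machine folder and GPT.ini that the fixlist above moves away). Chrome enforces those policies regardless of what the user sets, which is why a hijacked homepage, forced extension, or proxy survives a normal reinstall. The fix removes the files without saying what they contained; the script below is an added example (my code, not FRST's and not from this thread) that parses the Registry.pol file in that folder, in its documented PReg format, and lists the Chrome or Chromium policies it pushes. The default path, the sample policy entries, and the list of policy names treated as hijacker indicators are my assumptions, not data from this log.

```python
"""Parse a local Group Policy Registry.pol (PReg v1) and list the Chrome
policies it pushes.  Added example for this thread; not FRST code."""
import struct
from dataclasses import dataclass
from typing import List, Union

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_DWORD, REG_MULTI_SZ = 1, 4, 7
# Assumed default location: the folder the fixlist above moved away.
DEFAULT_POL_PATH = r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol"

BROWSER_POLICY_ROOTS = ("software\\policies\\google\\chrome", "software\\policies\\chromium")
# Policies a browser hijacker typically sets (assumed watch-list): homepage,
# startup and search overrides, force-installed extensions, proxy, no DevTools.
HIJACK_POLICIES = {
    "HomepageLocation", "HomepageIsNewTabPage", "RestoreOnStartup", "RestoreOnStartupURLs",
    "DefaultSearchProviderEnabled", "DefaultSearchProviderSearchURL",
    "ExtensionInstallForcelist", "ProxyMode", "ProxyServer", "DeveloperToolsDisabled",
}

@dataclass
class PolicyEntry:
    key: str
    value: str
    reg_type: int
    data: bytes

@dataclass
class Finding:
    policy: str
    value_name: str
    data: Union[int, str, List[str], bytes]
    suspicious: bool

def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")

def build_registry_pol(entries: List[PolicyEntry]) -> bytes:
    """Serialise entries as PReg v1: '[key;value;type;size;data]' in UTF-16LE."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for e in entries:
        out += _u16("[") + _u16(e.key) + b"\0\0" + _u16(";") + _u16(e.value) + b"\0\0" + _u16(";")
        out += struct.pack("<I", e.reg_type) + _u16(";")
        out += struct.pack("<I", len(e.data)) + _u16(";") + e.data + _u16("]")
    return bytes(out)

def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_u16z(buf: bytes, pos: int):
    end = pos
    while buf[end:end + 2] != b"\0\0":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated UTF-16 string")
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(buf: bytes) -> List[PolicyEntry]:
    if buf[:4] != PREG_MAGIC or struct.unpack_from("<I", buf, 4)[0] != PREG_VERSION:
        raise ValueError("not a PReg v1 file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_u16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_u16z(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        entries.append(PolicyEntry(key, value, reg_type, data))
    return entries

def decode_data(e: PolicyEntry):
    if e.reg_type == REG_DWORD:
        return struct.unpack("<I", e.data)[0]
    if e.reg_type == REG_SZ:
        return e.data.decode("utf-16-le").rstrip("\0")
    if e.reg_type == REG_MULTI_SZ:
        return [s for s in e.data.decode("utf-16-le").split("\0") if s]
    return e.data

def find_browser_policies(entries: List[PolicyEntry]) -> List[Finding]:
    findings = []
    for e in entries:
        root = next((r for r in BROWSER_POLICY_ROOTS if e.key.lower().startswith(r)), None)
        if root is None:
            continue
        # List policies (e.g. ExtensionInstallForcelist) live in a subkey with
        # numbered values; scalar policies are values directly under the root.
        sub = e.key[len(root):].strip("\\")
        policy = sub.split("\\")[0] if sub else e.value
        findings.append(Finding(policy, e.value, decode_data(e), policy in HIJACK_POLICIES))
    return findings

# Constructed sample (not from the victim machine): a hijacker-style Registry.pol.
SAMPLE_ENTRIES = [
    PolicyEntry("Software\\Policies\\Google\\Chrome", "HomepageLocation", REG_SZ,
                _u16("http://start.example.invalid/") + b"\0\0"),
    PolicyEntry("Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist", "1", REG_SZ,
                _u16("abcdefghijklmnopabcdefghijklmnop;https://update.example.invalid/u.xml") + b"\0\0"),
    PolicyEntry("Software\\Policies\\Google\\Chrome", "DeveloperToolsDisabled", REG_DWORD,
                struct.pack("<I", 1)),
    PolicyEntry("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU", "NoAutoUpdate", REG_DWORD,
                struct.pack("<I", 0)),
]

def audit(buf: bytes) -> List[Finding]:
    return find_browser_policies(parse_registry_pol(buf))

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_registry_pol(SAMPLE_ENTRIES)
    for f in audit(raw):
        print(f"[{'SUSPICIOUS' if f.suspicious else 'info'}] {f.policy} ({f.value_name}) = {f.data!r}")
```

Run it with no argument to see the constructed sample, or from an elevated prompt with the path to the real Registry.pol before (or from a copy taken before) FRST moves the folder. A force-listed extension ID plus an update URL you do not recognise is the thing to save for the report, because the same policy can also be written directly to HKLM\SOFTWARE\Policies\Google\Chrome in the registry, where moving the GroupPolicy folder will not remove it; chrome://policy in the browser shows whichever source is currently in effect.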

Offline mommyto3furballs

  • Bronze Member
  • Posts: 184
Re: chromium showed up on computer...malwarebytes showed infection
« Reply #14 on: June 17, 2016, 06:24:53 AM »
OK, went to Device Manager and there were 2 warnings. They're under 'Other devices' and it says 'Base System Device'. I've enclosed a screenshot of it.

Fix result of Farbar Recovery Scan Tool (x64) Version:16-06-2016 01
Ran by ghy (2016-06-17 08:12:35) Run:1
Running from C:\Users\ghy\Desktop
Loaded Profiles: ghy (Available Profiles: ghy)
Boot Mode: Normal
==============================================

fixlist content:
*****************

Close processes:
Create Restore Point:
GroupPolicy: Restriction - Chrome <======= ATTENTION
empty temp:
reboot:
*****************

Processes closed successfully.
Create Restore Point: => Error: No automatic fix found for this entry.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully

=========== EmptyTemp: ==========

DOMStore, BITS transfer queue, thumbcache, IE frameiconcache.dat => 128391920 bytes
Java, Opera, Flash, IE recovery, Steam htmlcache, Windows/system/drivers/LocalLow Temp => 35840 bytes
Edge => 867730 bytes
Chrome => 483299628 bytes
Firefox => 0 bytes

Temp, IE cache, history, cookies, recent:
Default => 0 bytes
ProgramData => 0 bytes
Public => 0 bytes
systemprofile => 128 bytes
systemprofile32 => 0 bytes
LocalService => 44214 bytes
NetworkService => 36534 bytes
ghy => 9452876 bytes

RecycleBin => 0 bytes
EmptyTemp: => 593.3 MB temporary data Removed.
======================================


The system needed a reboot.

==== End of Fixlog 08:13:02 ====