austin98 Posted February 14, 2017 ID:1101834

For a while I've just dealt with this problem because it's only slightly inconvenient and intermittent, but I'd still rather it not happen. Occasionally, when browsing the internet, a new tab will open which becomes my current open tab, which takes me through a few redirects to an Adfly 'account suspended' page, as though it was supposed to redirect to someone's ad but the account was reported and removed. I don't have any Adfly or problematic extensions or toolbars, and I don't have an Adfly program. Neither Microsoft Defender nor Malwarebytes can root this one out. Any help would be greatly appreciated.
austin98 Posted February 14, 2017 Author ID:1101835

Also, I'm pretty sure it only happens when Chrome is open, but I'm not entirely sure. It occurs maybe once every 30-60 minutes.
kevinf80 Posted February 14, 2017 ID:1101837

Hello austin98 and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties". In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK". Be aware you are not changing the Browser download folder location, you are changing the user's download directory location.....

Next,

Follow the instructions in the following link to show hidden files: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...

Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The tool will also make a log named (Addition.txt). Please attach that log to your reply.

Let me see those logs...

Thank you,

Kevin..
austin98 Posted February 14, 2017 Author ID:1101840

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-02-2017
Ran by Owner (administrator) on WIN-7SMPOFTM0TG (14-02-2017 16:28:26)
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

Attachment: Addition.txt
kevinf80 Posted February 14, 2017 ID:1101842

Is this proxy server known and trusted...?

ProxyServer: [S-1-5-21-450020220-2406248147-2208601366-1001] => 52.9.135.126:3128
austin98 Posted February 14, 2017 Author ID:1101843

I'm in a dorm, so would the Wi-Fi be tied to the proxy? They take network security very seriously here, including a constantly running SafeConnect program and traffic monitoring.
kevinf80 Posted February 14, 2017 ID:1101845

mmm, the connection is through DNS Servers: 8.8.8.8 - 208.67.222.222, can you get confirmation regarding the proxy.. The info follows:

IP Information for 52.9.135.126
Quick Stats
IP Location: United States, San Francisco, Amazon Technologies Inc.
ASN: United States AS16509 AMAZON-02 - Amazon.com, Inc., US (registered May 04, 2000)
Resolve Host: ec2-52-9-135-126.us-west-1.compute.amazonaws.com
Whois Server: whois.arin.net
IP Address: 52.9.135.126

Then the DNS settings are not quite right either.. 8.8.8.8 is correct for Google DNS, the secondary 208.67.222.222 looks not quite right, is this correct...

IP Information for 8.8.8.8
Quick Stats
IP Location: United States, Mountain View, Google Inc.
ASN: United States AS15169 GOOGLE - Google Inc., US (registered Mar 30, 2000)
Resolve Host: google-public-dns-a.google.com
Whois Server: whois.arin.net
IP Address: 8.8.8.8
Reverse IP: 9,960 websites use this address.

IP Information for 208.67.222.222
Quick Stats
IP Location: Hong Kong, Hong Kong, Opendns Llc
ASN: Hong Kong AS36692 OPENDNS - OpenDNS, LLC, US (registered Mar 21, 2006)
Resolve Host: resolver1.opendns.com
Whois Server: whois.arin.net
IP Address: 208.67.222.222
Reverse IP: 32 websites use this address.
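The checks kevinf80 is making by eye on the Internet section of the FRST log (a proxy bound to the user's SID, resolvers he does not recognise, and the browser's startup URLs) can be mechanised. What follows is an added example written for this page, not part of the thread or of FRST: a small Python triage over FRST-format lines. The sample lines are constructed, the resolver and start-page allow-lists are assumptions, and the proxy and DNS values are the ones quoted above.

```python
"""Triage of the 'Internet' section of an FRST log.

Surfaces the three things a helper reads for when a user reports unexplained
redirects: a proxy configured for a user SID, DNS resolvers outside an
allow-list, and browser startup URLs outside an allow-list.
"""
import re
from ipaddress import ip_address

# Assumption for this example: resolvers a reviewer recognises on sight
# (Google Public DNS and OpenDNS). DHCP-issued resolvers belong to whoever
# runs the network and cannot be known in advance, so they are reported for
# confirmation rather than accepted or rejected.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}
# Assumption: the only start pages this user expects.
KNOWN_START_HOSTS = {"google.com", "www.google.com"}

# Constructed sample in FRST's line format. The proxy and resolver values are
# the ones quoted in the thread; FRST writes http as hxxp to defang URLs.
SAMPLE_LOG = r"""
ProxyServer: [S-1-5-21-450020220-2406248147-2208601366-1001] => 52.9.135.126:3128
Tcpip\Parameters: [DhcpNameServer] 128.227.47.6 128.227.47.7
Tcpip\..\Interfaces\{7a450e3c-fe63-405a-b1a0-0b4bbc3789a4}: [NameServer] 8.8.8.8,208.67.222.222
Tcpip\..\Interfaces\{7a450e3c-fe63-405a-b1a0-0b4bbc3789a4}: [DhcpNameServer] 128.227.47.6 128.227.47.7
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://google.com/","hxxp://www.google.com","","hxxp://www1.delta-search.com/?babsrc=HP_ss"
"""

PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>S-1-5-[\d-]+)\] => (?P<proxy>\S+)$")
NS_RE = re.compile(r"^Tcpip\\.*?: \[(?P<kind>DhcpNameServer|NameServer)\] (?P<servers>.+)$")
START_RE = re.compile(r"^CHR StartupUrls: (?P<profile>\w+) -> (?P<urls>.+)$")
HOST_RE = re.compile(r"^hxxps?://([^/]+)", re.IGNORECASE)


def parse_internet_section(text):
    """Pull proxies, resolver lists and startup URLs out of FRST log lines."""
    out = {"proxies": [], "resolvers": [], "startup_urls": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            out["proxies"].append((m["sid"], m["proxy"]))
        elif m := NS_RE.match(line):
            # FRST lists static servers comma-separated and DHCP ones space-separated.
            servers = [s for s in re.split(r"[ ,]+", m["servers"]) if s]
            out["resolvers"].append((m["kind"], servers))
        elif m := START_RE.match(line):
            out["startup_urls"].extend(u for u in re.findall(r'"([^"]*)"', m["urls"]) if u)
    return out


def triage(parsed, known_resolvers=KNOWN_RESOLVERS, known_hosts=KNOWN_START_HOSTS):
    """Return de-duplicated (severity, message) findings, in log order."""
    findings, seen = [], set()

    def add(severity, message):
        if (severity, message) not in seen:
            seen.add((severity, message))
            findings.append((severity, message))

    for sid, proxy in parsed["proxies"]:
        # Every browser request for that user goes through this host; on a
        # personal laptop that is unusual and must be explained.
        add("review", f"per-user proxy set for {sid}: {proxy}")
    for kind, servers in parsed["resolvers"]:
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                add("review", f"{kind} value is not an IP address: {server!r}")
                continue
            if kind == "NameServer" and server not in known_resolvers:
                add("review", f"statically set resolver not in allow-list: {server}")
            elif kind == "DhcpNameServer" and addr.is_global and server not in known_resolvers:
                add("info", f"DHCP-issued resolver to confirm with the network owner: {server}")
    for url in parsed["startup_urls"]:
        m = HOST_RE.match(url)
        host = m.group(1).lower() if m else url
        if host not in known_hosts:
            add("review", f"startup URL outside allow-list: {url}")
    return findings


if __name__ == "__main__":
    for severity, message in triage(parse_internet_section(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

On the sample this reports the per-user proxy, the two DHCP-issued campus resolvers for confirmation, and the leftover delta-search startup URL, while the Google and OpenDNS resolvers pass silently.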
austin98 Posted February 14, 2017 Author ID:1101852

Ah, I input the DNS in, and I used to use Ivacy VPN so I had a VPN set up through that. Not sure if that's tied to the proxy, I don't recognize it. I set proxy settings to automatic and deleted the Ivacy VPN. Could that have been the problem? Ran Farbar once more, the results:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-02-2017
Ran by Owner (administrator) on WIN-7SMPOFTM0TG (14-02-2017 17:26:07)
Running from C:\Users\Owner\Downloads
Loaded Profiles: Owner (Available Profiles: Owner)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13885696 2015-06-04] (Realtek Semiconductor) HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-06-04] (Realtek Semiconductor) HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-16] (Microsoft Corporation) HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation) Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation) HKU\S-1-5-21-450020220-2406248147-2208601366-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2016-11-30] (Google) HKU\S-1-5-21-450020220-2406248147-2208601366-1001\...\Run: [f.lux] => C:\Users\Owner\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC) HKU\S-1-5-21-450020220-2406248147-2208601366-1001\...\Run: [Spotify Web Helper] => C:\Users\Owner\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1446000 2017-02-06] (Spotify Ltd) HKU\S-1-5-21-450020220-2406248147-2208601366-1001\...\Run: [Spotify] => C:\Users\Owner\AppData\Roaming\Spotify\Spotify.exe [7133808 2017-02-06] (Spotify Ltd) HKU\S-1-5-21-450020220-2406248147-2208601366-1001\...\RunOnce: [Uninstall C:\Users\Owner\AppData\Local\Microsoft\OneDrive\17.3.5951.0827_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Owner\AppData\Local\Microsoft\OneDrive\17.3.5951.0827_1\amd64" HKU\S-1-5-21-450020220-2406248147-2208601366-1001\...\MountPoints2: {17a9f3d1-b425-11e6-80f7-d76b1e22fe18} - "W:\setup.exe" HKU\S-1-5-21-450020220-2406248147-2208601366-1001\...\MountPoints2: {17a9f6d6-b425-11e6-80f7-d76b1e22fe18} - "X:\Setup.exe" HKU\S-1-5-21-450020220-2406248147-2208601366-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [371928 
2016-07-16] (Microsoft Corporation) ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google) ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google) ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google) ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} => -> No File Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-05-16] ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SafeConnect.lnk [2016-09-13] ShortcutTarget: SafeConnect.lnk -> C:\Program Files (x86)\SafeConnect\SCClient.exe (Impulse Point, LLC) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) 
ProxyServer: [S-1-5-21-450020220-2406248147-2208601366-1001] => 52.9.135.126:3128 Winsock: Catalog5-x64 07 C:\Windows\system32\wlidnsp.dll [66048 2016-07-16] (Microsoft Corporation) Winsock: Catalog5-x64 08 C:\Windows\system32\wlidnsp.dll [66048 2016-07-16] (Microsoft Corporation) Tcpip\Parameters: [DhcpNameServer] 128.227.47.6 128.227.47.7 Tcpip\..\Interfaces\{6b0e86f1-332f-460c-953f-7b7c8ebd7be0}: [DhcpNameServer] 104.250.191.129 8.8.4.4 Tcpip\..\Interfaces\{7a450e3c-fe63-405a-b1a0-0b4bbc3789a4}: [NameServer] 8.8.8.8,208.67.222.222 Tcpip\..\Interfaces\{7a450e3c-fe63-405a-b1a0-0b4bbc3789a4}: [DhcpNameServer] 128.227.47.6 128.227.47.7 Internet Explorer: ================== BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_121\bin\ssv.dll [2017-01-22] (Oracle Corporation) BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-05-16] (LastPass) BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2016-11-15] (Microsoft Corporation) BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-01-22] (Oracle Corporation) BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2016-12-13] (Microsoft Corporation) BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-05-16] (LastPass) Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-05-16] (LastPass) Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-05-16] (LastPass) FireFox: ======== FF Plugin: 
@java.com/DTPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-01-22] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-01-22] (Oracle Corporation) FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-05-16] (LastPass) FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-05-16] (LastPass) FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-19] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2014-01-23] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.) FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.) FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.) FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2016-07-19] (Microsoft Corporation) Chrome: ======= CHR DefaultProfile: Default CHR HomePage: Default -> hxxp://www.google.com/ CHR StartupUrls: Default -> "hxxp://google.com/","hxxp://www.google.com","","hxxp://www1.delta-search.com/?babsrc=HP_ss&mntrId=6C2A9CB70D0D046E&affID=123884&tsp=4975" CHR Session Restore: Default -> is enabled. 
CHR Profile: C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default [2017-02-14] CHR Extension: (Instant Notifications for Gmail) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\adlgnpfgagimgadbaboilkbdnhbpegmd [2015-06-05] CHR Extension: (Google Drive) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-20] CHR Extension: (Adobe Acrobat) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-01-30] CHR Extension: (Accent Grid) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\efedjomeallaomheefphgnbleieplnfk [2017-01-05] CHR Extension: (MindTheWord) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\fabjlaokbhaoehejcoblhahcekmogbom [2017-01-31] CHR Extension: (AdBlock) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-01-30] CHR Extension: (Kindle Cloud Reader) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2016-06-28] CHR Extension: (Chrome Web Store Payments) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19] CHR Extension: (Chrome Media Router) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-27] CHR HKU\S-1-5-21-450020220-2406248147-2208601366-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Owner\AppData\Local\Google\Drive\user_default\apdfllckaahabafndbhieahigkjlhalf_live.crx [2015-06-04] CHR HKU\S-1-5-21-450020220-2406248147-2208601366-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] 
- hxxps://clients2.google.com/service/update2/crx ==================== Services (Whitelisted) ==================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 DirMngr; C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [216576 2016-04-05] () [File not signed] R2 ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [805632 2016-11-17] () R2 ETDService; C:\Program Files\Elantech\ETDService.exe [144072 2015-10-10] (ELAN Microelectronics Corp.) S3 hns; C:\WINDOWS\System32\HostNetSvc.dll [553984 2016-12-13] (Microsoft Corporation) R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes) R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes) S3 OpenVPNService; C:\Program Files (x86)\Ivacy\bin\openvpnserv.exe [26416 2016-05-24] (The OpenVPN Project) R2 SCManager; C:\Program Files (x86)\SafeConnect\scManager.sys [176936 2016-09-13] (Impulse Point, LLC) S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation) R2 SystemUsageReportSvc_QUEENCREEK; C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe [156928 2016-11-17] () S2 USER_ESRV_SVC_QUEENCREEK; C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe [805632 2016-11-17] () R3 vmcompute; C:\WINDOWS\system32\vmcompute.exe [1911296 2016-11-11] (Microsoft Corporation) R2 vmms; C:\WINDOWS\system32\vmms.exe [14422528 2016-10-14] (Microsoft Corporation) R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation) R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation) ===================== Drivers (Whitelisted) ====================== (If an entry is included in the fixlist, it will be removed from the registry. 
The file will not be moved unless listed separately.) S3 BazisPortableCDBus; C:\WINDOWS\System32\drivers\BazisPortableCDBus.sys [283480 2015-07-25] (Sysprogs OU) S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.) S3 lunparser; C:\WINDOWS\System32\drivers\lunparser.sys [22528 2016-09-16] (Microsoft Corporation) R1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [107736 2015-04-14] (Malwarebytes Corporation) R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes) R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2017-02-14] (Malwarebytes) R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation) S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] () S3 passthruparser; C:\WINDOWS\System32\drivers\passthruparser.sys [24576 2016-09-16] (Microsoft Corporation) S3 pcip; C:\WINDOWS\System32\drivers\pcip.sys [46592 2016-09-16] (Microsoft Corporation) S3 pvhdparser; C:\WINDOWS\System32\drivers\pvhdparser.sys [50176 2016-09-16] (Microsoft Corporation) S3 ramparser; C:\WINDOWS\System32\drivers\ramparser.sys [30720 2016-09-16] (Microsoft Corporation) R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [402960 2015-07-16] (Realsil Semiconductor Corporation) S3 rtux64w10; C:\WINDOWS\System32\drivers\rtux64w10.sys [354624 2016-08-07] (Realtek ) R3 semav6msr64; C:\WINDOWS\system32\drivers\semav6msr64.sys [21984 2016-10-18] () R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [42696 2015-07-23] (Synaptics Incorporated) S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.) 
R3 Synth3dVsp; C:\WINDOWS\System32\drivers\synth3dvsp.sys [103424 2016-09-16] (Microsoft Corporation) R3 tapoas; C:\WINDOWS\System32\drivers\tapoas.sys [30720 2012-07-15] (The OpenVPN Project) S3 vhdparser; C:\WINDOWS\System32\drivers\vhdparser.sys [26624 2016-09-16] (Microsoft Corporation) R2 VMSP; C:\WINDOWS\System32\drivers\vmswitch.sys [1616384 2016-12-13] (Microsoft Corporation) R0 vmsproxy; C:\WINDOWS\System32\drivers\vmsproxy.sys [33632 2016-08-05] (Microsoft Corporation) S3 VMSVSF; C:\WINDOWS\System32\drivers\vmswitch.sys [1616384 2016-12-13] (Microsoft Corporation) S3 VMSVSP; C:\WINDOWS\System32\drivers\vmswitch.sys [1616384 2016-12-13] (Microsoft Corporation) S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation) R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation) R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation) S3 WinNat; C:\WINDOWS\System32\drivers\winnat.sys [207360 2016-09-16] (Microsoft Corporation) ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) NETSVC: hns -> C:\Windows\System32\HostNetSvc.dll (Microsoft Corporation) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2017-02-14 17:23 - 2017-02-14 17:23 - 00322274 _____ C:\Users\Owner\Downloads\Lab6-CBD-SamplDistn_x-bar.pdf 2017-02-14 17:23 - 2017-02-14 17:23 - 00230547 _____ C:\Users\Owner\Downloads\Lab5-CBD -SamplDistn_p-hat.pdf 2017-02-14 17:23 - 2017-02-14 17:23 - 00162537 _____ C:\Users\Owner\Downloads\Lab7-CBD-CI-mu.pdf 2017-02-14 16:28 - 2017-02-14 17:26 - 00019739 _____ C:\Users\Owner\Downloads\FRST.txt 2017-02-14 16:27 - 2017-02-14 16:28 - 02422272 _____ (Farbar) C:\Users\Owner\Downloads\FRST64.exe 2017-02-13 11:45 - 2017-02-13 11:45 - 00000022 _____ C:\WINDOWS\S.dirmngr 2017-01-26 11:02 - 2017-01-26 11:06 - 00000000 ____D C:\AdwCleaner 2017-01-25 16:36 - 2016-12-21 02:08 - 00142848 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe 2017-01-25 16:36 - 2016-12-20 23:44 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe 2017-01-15 16:11 - 2017-01-15 16:11 - 00338392 _____ C:\WINDOWS\system32\FNTCACHE.DAT 2017-01-15 16:02 - 2017-01-15 16:02 - 00000027 _____ C:\Settings.ini ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2017-02-14 17:26 - 2016-06-22 06:42 - 00000000 ____D C:\FRST 2017-02-14 17:23 - 2015-06-04 01:52 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys 2017-02-14 16:09 - 2015-06-04 04:24 - 00000000 ____D C:\Users\Owner\AppData\Local\Packages 2017-02-14 15:57 - 2016-09-16 09:44 - 00000000 ____D C:\WINDOWS\system32\SleepStudy 2017-02-14 15:57 - 2016-06-18 10:41 - 00000000 ____D C:\Program Files (x86)\SafeConnect 2017-02-13 11:59 - 2017-01-11 18:19 - 00915834 _____ C:\WINDOWS\system32\perfh00C.dat 2017-02-13 11:59 - 2017-01-11 18:19 - 00183740 _____ C:\WINDOWS\system32\perfc00C.dat 2017-02-13 11:59 - 2015-06-04 04:27 - 03069448 _____ C:\WINDOWS\system32\PerfStringBackup.INI 2017-02-13 11:56 - 2015-06-04 05:16 - 00000000 ___RD C:\Users\Owner\Google Drive 2017-02-13 11:45 - 2016-09-16 09:58 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2017-02-13 11:35 - 2016-07-16 01:04 - 01310720 _____ C:\WINDOWS\system32\config\BBI 2017-02-13 11:33 - 2016-04-24 10:17 - 00000000 ____D C:\Users\Owner\AppData\Local\Spotify 2017-02-13 10:09 - 2016-04-24 10:15 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Spotify 2017-02-11 10:05 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\AppReadiness 2017-02-10 08:31 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\INF 2017-02-09 18:07 - 2016-07-16 06:47 - 00000000 ___HD C:\Program Files\WindowsApps 2017-02-09 10:30 - 2015-06-04 01:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013 2017-02-02 19:52 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\NDF 2017-02-02 09:47 - 2015-06-05 17:18 - 00002272 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2017-02-01 20:35 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp 2017-02-01 20:34 - 2016-07-16 09:15 - 00000000 ____D C:\WINDOWS\OCR 2017-01-23 22:42 - 2016-06-06 17:29 - 00000000 ____D C:\Users\Owner\AppData\Roaming\vlc 2017-01-22 18:22 - 2015-06-04 00:39 - 00000000 ____D C:\ProgramData\Oracle 2017-01-22 
18:18 - 2016-09-13 18:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit 2017-01-22 18:18 - 2016-08-08 15:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2017-01-22 18:18 - 2015-11-25 13:19 - 00000000 ____D C:\Program Files\Java 2017-01-22 18:17 - 2016-08-08 15:51 - 00110144 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll 2017-01-21 21:56 - 2015-06-04 00:27 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk 2017-01-15 12:02 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\rescache ==================== Files in the root of some directories ======= 2016-05-16 12:05 - 2016-05-16 12:05 - 21737496 _____ (LastPass) C:\Program Files (x86)\Common Files\lpuninstall.exe 2016-06-17 01:54 - 2016-06-17 01:54 - 0004436 _____ () C:\Users\Owner\AppData\Roaming\90msp-RKSJ-V 2016-10-10 02:33 - 2016-10-10 02:33 - 0000677 _____ () C:\Users\Owner\AppData\Roaming\adventives.zkh 2016-06-17 01:53 - 2016-06-17 01:53 - 0001196 _____ () C:\Users\Owner\AppData\Roaming\Athens 2016-10-10 02:33 - 2016-10-10 02:33 - 0060457 _____ () C:\Users\Owner\AppData\Roaming\bookmaking.rgj 2016-10-11 13:57 - 2016-10-11 20:32 - 0061134 _____ () C:\Users\Owner\AppData\Roaming\Carney.DLB 2016-06-17 01:53 - 2016-06-17 01:53 - 0001930 _____ () C:\Users\Owner\AppData\Roaming\compare-with-callbacks.js 2016-06-17 01:53 - 2016-06-17 01:53 - 0003119 _____ () C:\Users\Owner\AppData\Roaming\frnphon.env 2016-06-22 07:58 - 2016-06-22 07:58 - 0000747 _____ () C:\Users\Owner\AppData\Local\recently-used.xbel 2015-11-25 13:07 - 2015-11-25 13:07 - 0000008 _____ () C:\ProgramData\- 2016-07-19 11:48 - 2016-07-19 11:48 - 0000057 _____ () C:\ProgramData\Ament.ini 2016-09-16 09:45 - 2016-09-16 09:45 - 0000000 ____H () C:\ProgramData\DP45977C.lfl Some files in TEMP: ==================== 2017-01-22 18:17 - 2017-01-22 18:17 - 0739904 _____ (Oracle Corporation) 
C:\Users\Owner\AppData\Local\Temp\jre-8u121-windows-au.exe ==================== Bamital & volsnap ====================== (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\wininit.exe => File is digitally signed C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2017-02-14 10:05 ==================== End of FRST.txt ============================

Addition.txt
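As an added illustration (not code from this thread, from FRST, or from Malwarebytes): a small Python checker that reads the ProxyServer and name-server lines from the "Internet (Whitelisted)" section of an FRST log like the one above and flags the two things kevinf80 picked up on, a per-user proxy pointing at a public address and a static resolver list that differs from what DHCP handed out. The sample lines are constructed from the entries in the posted log; the KNOWN_RESOLVERS allowlist and the finding categories are assumptions of this example, not anything FRST itself reports.

```python
"""Flag proxy and DNS oddities in the Internet section of an FRST log.

Added example for the thread above; it is not part of FRST or Malwarebytes.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the ProxyServer and name-server lines as they
# appear in the FRST.txt posted in the thread.
SAMPLE_FRST_LINES = [
    "ProxyServer: [S-1-5-21-450020220-2406248147-2208601366-1001] => 52.9.135.126:3128",
    "Tcpip\\Parameters: [DhcpNameServer] 128.227.47.6 128.227.47.7",
    "Tcpip\\..\\Interfaces\\{6b0e86f1-332f-460c-953f-7b7c8ebd7be0}: [DhcpNameServer] 104.250.191.129 8.8.4.4",
    "Tcpip\\..\\Interfaces\\{7a450e3c-fe63-405a-b1a0-0b4bbc3789a4}: [NameServer] 8.8.8.8,208.67.222.222",
    "Tcpip\\..\\Interfaces\\{7a450e3c-fe63-405a-b1a0-0b4bbc3789a4}: [DhcpNameServer] 128.227.47.6 128.227.47.7",
]

# Assumption: resolvers this reviewer treats as expected (Google and OpenDNS).
KNOWN_RESOLVERS = frozenset({"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"})

PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>S-[\d-]+)\] => (?P<host>[^:\s]+):(?P<port>\d+)$")
NS_RE = re.compile(r"^Tcpip\\(?P<scope>.*?): \[(?P<kind>DhcpNameServer|NameServer)\] (?P<servers>.+)$")


def parse_internet_section(lines):
    """Extract per-user proxies and per-scope name servers from FRST log lines."""
    proxies = []
    nameservers = defaultdict(dict)  # scope -> {"NameServer": [...], "DhcpNameServer": [...]}
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if m:
            proxies.append({"sid": m.group("sid"), "host": m.group("host"), "port": int(m.group("port"))})
            continue
        m = NS_RE.match(line.strip())
        if m:
            # FRST separates servers with spaces (DHCP) or commas (static); accept both.
            servers = re.split(r"[ ,]+", m.group("servers").strip())
            nameservers[m.group("scope")][m.group("kind")] = servers
    return proxies, dict(nameservers)


def assess(proxies, nameservers, known=KNOWN_RESOLVERS):
    """Return (category, detail) findings a reviewer would want to look at."""
    findings = []
    for p in proxies:
        try:
            addr = ipaddress.ip_address(p["host"])
        except ValueError:
            findings.append(("proxy-hostname", f"{p['sid']} proxies via hostname {p['host']}:{p['port']}"))
            continue
        # A per-user proxy on a public address sends all browser traffic through a third party.
        if addr.is_global:
            findings.append(("public-proxy", f"{p['sid']} proxies via public address {addr}:{p['port']}"))
    for scope, kinds in nameservers.items():
        static = kinds.get("NameServer")
        if not static:
            continue  # DHCP-assigned resolvers come from the network, not from a local change
        unknown = [s for s in static if s not in known]
        if unknown:
            findings.append(("unknown-resolver", f"{scope} statically uses {', '.join(unknown)}"))
        dhcp = kinds.get("DhcpNameServer")
        if dhcp and set(dhcp) != set(static):
            findings.append(("static-override",
                             f"{scope} overrides DHCP resolvers {', '.join(dhcp)} with {', '.join(static)}"))
    return findings


def review(lines=SAMPLE_FRST_LINES):
    """Parse and assess in one call; defaults to the constructed sample."""
    return assess(*parse_internet_section(lines))


if __name__ == "__main__":
    for category, detail in review():
        print(f"[{category}] {detail}")
```

On the sample this reports the 52.9.135.126:3128 proxy as a public address and the {7a450e3c-...} interface as a static override of the DHCP resolvers. The override finding is informational: when every static entry is in the allowlist, as here, it only records that the resolvers were set by hand rather than by the network, which is exactly the detail that explains the mismatch in the thread.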
kevinf80 Posted February 14, 2017 ID:1101856
Nothing has changed with the DNS settings, I do not like the mismatch. Safeconnect appears to work by encryption, it also checks what's happening with your system, makes sure anti-virus is good, also checks no P2P connections are made....lots of other checks... You mention that the problem appears to be down to Chrome opening unwanted tabs, let's go for a clean install of Chrome and see what gives after that...

If your Chrome Bookmarks are important do this first: Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:
Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html
Remove all synced data from Chrome go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...
Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!
Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata) For XP that will be My Computer > C:\Documents and Settings\Your User Name\Application Data\Roaming
How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/
Install Google Chrome:
Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb
Install DrWeb Anti-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en
Does that help with tab issue..?
austin98 Posted February 15, 2017 Author ID:1101888 (edited)
It appears so far as though it has! Didn't even bother doing a reinstall, for some reason I figured it wasn't a problem with Chrome. Thanks so much! I'll be back if the problem reappears, so let's hope this is my last reply!
Edited February 15, 2017 by austin98
kevinf80 Posted February 15, 2017 ID:1101924
I see no reason why you should not re-install Chrome, obviously that is your choice.. As you say the issue has not returned run the following to clean up..

Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror"
If your security program alerts to Delfix either, accept the alert or turn your security off.
Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator
Make Sure the following item is the only one checkmarked: Remove disinfection tools <----- this will remove tools we have used.
Now click on "Run" and wait patiently until the tool has completed.
The tool will create a log when it has completed. We don't need you to post this.
Any remnant files/logs from tools we have used can be deleted…

Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....
Answers to Common Security Questions and best Practices
Do I need a Registry Cleaner?

Take care and surf safe
Kevin...
austin98 Posted February 15, 2017 Author ID:1102002
Sorry about that, I meant I didn't even think about doing a reinstall before you suggested it. I reinstalled yesterday as you suggested, but bad news... This morning, a Microsoft Edge tab opened up itself with the AdF.ly suspended page again, the same popup but now in Edge. At least it doesn't bring the popup front and center anymore, so that's a step in the right direction I guess...
kevinf80 Posted February 15, 2017 ID:1102053
Please download Zemana AntiMalware and save it to your Desktop.
Install the program and once the installation is complete it will start automatically.
Without changing any options, press Scan to begin.
After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
Open Zemana AntiMalware again. Click on icon and double click the latest report.
Now click File > Save As and choose your Desktop before pressing Save.
Attach saved report in your next message.

Next, Alter your DNS settings, see if the issue clears....
Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary. Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper
Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run.
From the left hand pane select "Flush DNS"
From the main interface select the dropdown under "Choose a DNS Server"
From the list select either "Google Public DNS" or "Open DNS"
From the left hand pane select "Apply DNS"
When done re-boot your system....

Any improvement....?
austin98 Posted February 15, 2017 Author ID:1102071
So far so good, but it is intermittent so we'll see!
2017.02.15-15.32.57-i0-t92-d4.txt
kevinf80 Posted February 15, 2017 ID:1102091
Yes please let me know what happens, I see Zemana hit on the proxy.....
kevinf80 Posted February 17, 2017 ID:1102472
Any progress...?
AdvancedSetup (Root Admin) Posted February 21, 2017 ID:1103248
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!