Solved Browser unsecured - How do I detect the issue?

March 8, 2020 at 12:13:58
Specs: Windows 7 Ultimate 64-bit SP1, Intel Core i3 4350 @ 3.60GHz
I use LastPass to store my passwords but every time I physically type in my password on my PC browser (I usually use Google Chrome but I think it also happens with Explorer), the account is compromised and someone tries to access it. How can I detect what may be allowing someone to see my typed passwords on my browser? It's been this way for years. I've since done a full wipe and reinstall of my OS (Windows 7) and the issue still seems to persist. I don't see any unknown/untrusted browser extensions.

adwcleaner, Malwarebytes and Microsoft Security Essentials find no problems. CCleaner lists some registry issues such as Invalid Firewall Rules and Missing MUI References but I don't want to repair those just in case it screws something up...

Any ideas?



#1
March 8, 2020 at 16:50:44
When you run Malwarebytes did you check off "scan for rootkits"? If not, then try that and scan it again.
Also try Firefox for your browser to see if it reacts differently.

You have to be a little bit crazy to keep you from going insane.



#2
March 8, 2020 at 18:04:51
Is this about your LastPass account?
Have you turned off Password Auto sign-in in your browser settings?
What gives you the idea someone tries to access the account? What exactly do you see?


#3
March 8, 2020 at 19:51:00
Scan for rootkits was not enabled. I enabled it and ran a scan: no threats found.


#4
March 8, 2020 at 19:57:57
✔ Best Answer
To cover all the bases, run this.

Please download Dr.Web CureIt and save it to your Desktop. DO NOT perform a scan until you get it on your desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop. (If this is not possible, this program is portable, and runs right from the location it is downloaded to, like a USB drive or SD card.)
https://www.softpedia.com/get/Antiv...
http://filehippo.com/download_dr_we...
http://www.freedrweb.com/cureit//
http://www.freedrweb.com/cureit/?ln...
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Documentation
http://download.geo.drweb.com/pub/d...

Copy & Paste the contents of the log into a text file & upload it here.
No time delays/Captcha-I'm not a Robot/account/registration needed. Give us the link please.
http://www.fileconvoy.com/index.php
https://i.imgur.com/7UiiqWr.gif
https://i.imgur.com/6N1gfOj.gif



#5
March 8, 2020 at 19:59:28
I have auto complete sign in enabled for LastPass. It's just strange - whenever I physically type in my password to anything (Amazon, Yahoo Mail, Microsoft, Blizzard etc): I get an e-mail a day or two later saying there were attempted logins to the account/strange activity and to reset my password for security measures. It's legit e-mails from the companies. Sometimes the person successfully logs in and changes my settings around! I do my banking via mobile app to be safe since my account was hacked before (around 5 years ago) and the bank had to freeze my account before the funds were transferred.

message edited by Greensky



#6
March 8, 2020 at 20:11:25
Ok for CureIt: I used your first link, downloaded it: upon opening it I got a message saying I can't use the program until I update it. I clicked the update link, it took me to https://free.drweb.com/download+cur... I clicked on the "Download Dr.Web CureIt" green button and it started downloading a file named "OdieOuni.exe". Seems a little odd. Is this correct?

Update: It's scanning now. Seems to be working.

message edited by Greensky



#7
March 8, 2020 at 20:21:56
"OdieOuni.exe"
If you have the exact spelling, no.
Please confirm.


#8
March 8, 2020 at 20:25:39
Sorry I guess it's actually "0die0uni.exe". It did work. The name threw me off though...

message edited by Greensky



#9
March 8, 2020 at 20:29:32
"Update: It's scanning now. Seems to be working"
Ok, just spotted that edit, I shall wait for the logs.


#10
March 8, 2020 at 20:48:04
So the report is too large to post in its entirety and I don't think we can attach files here? It did detect some things including "Trojan.InstallCore.3952" which is recommended to be cured. Should I Neutralize it?

Total 36187639910 bytes in 78502 files scanned (294708 objects)
Total 78556 files (294673 objects) are clean
Total 3 files are infected
Total 31 files are raised error condition
Scan time is 00:18:08.894



#11
March 8, 2020 at 20:50:45
I have to go to sleep now unfortunately but I can re-scan tomorrow for additional info. The other 2 threats were programs: Driver Easy and PotPlayer.


#12
March 8, 2020 at 20:54:15
"Should I Neutralize it?"
Yep.


#13
March 8, 2020 at 22:13:38
"The other 2 threats were programs: Driver Easy and PotPlayer"
I download everything from Softpedia; they let you know if the program author has included any adware (you do get the choice during the install to skip).
You also get a star rating from customers & staff.
PotPlayer has extras, refer to this SS (screenshot):
https://i.imgur.com/GZd9qeP.gif
Driver Easy is clean from Softpedia, but if you downloaded it from one of these.
https://i.imgur.com/roqO3OP.gif

Download.com Has Finally Stopped Bundling Crapware
http://www.howtogeek.com/264592/dow...

Or if you originally download from sites like this,

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...
http://www.howtogeek.com/198622/her...

If you are not using Driver Easy and PotPlayer (no reason not to, you have cleaned out the adware), uninstall with Geek.

Geek Uninstaller
https://www.softpedia.com/get/Tweak...
http://www.freewarefiles.com/GeekUn...
http://www.freewarefiles.com/screen...
http://www.geekuninstaller.com/
Just Double click on the program in Geek, that you want to uninstall. If it opens a web page, close the web page & then wait for Geek to present the 2nd step.

message edited by Johnw



#14
March 8, 2020 at 22:20:46
"I have to go to sleep now"
If you are available before 9pm my time, I can do a quick review of your latest info.
If not, I'll be available for about 3 hours tomorrow, then offline at about 11am for about 5 hrs.
I'm here.
https://www.timeanddate.com/worldcl...


#15
March 8, 2020 at 22:27:52
"So the report is too large to post in its entirety and I don't think we can attach files here?"
File Convoy (no time delays/Captcha-I'm not a Robot/account/registration needed). Give us the links please.
http://www.fileconvoy.com/index.php
https://i.imgur.com/7UiiqWr.gif
https://i.imgur.com/6N1gfOj.gif


#16
March 9, 2020 at 05:02:15


#17
March 9, 2020 at 05:07:52
Ok, got it. Anything else to report before we move to the next step?


#18
March 9, 2020 at 06:11:47
Greensky wrote:

> whenever I physically type in my password to anything
> (Amazon, Yahoo Mail, Microsoft, Blizzard etc): I get an
> e-mail a day or two later saying there were attempted
> logins to the account/strange activity and to reset my
> password for security measures.

Almost certainly, the "attempted logins" or "strange activity"
referred to were you logging on.

I think it is highly unlikely that anyone or any malware has
ever tried to access your accounts.

Even the event in which your bank froze your account to
prevent an unauthorized transfer was not likely due to
hacking. Actual hacking would more likely result in a
payment before you could discover that it was done.

-- Jeff, in Minneapolis



#19
March 9, 2020 at 07:08:59
I'm wondering if you're simply being spoofed by a hacker who has managed to key log or similar where you go... And thus sends you these fake alerts in hopes you will respond and provide them with genuine/amended details so they can then truly get hacking?

But it will be interesting what Johnw finds; as I think this is right up his street...



#20
March 9, 2020 at 17:43:38
Nothing else I can think of to report. It is true that all of these "Account Compromised" e-mails that I get pretty much never end up with anybody actually gaining access to the account. Someone did gain access to my Spotify account recently which was odd.


#21
March 9, 2020 at 17:49:53
I'm going to focus on seeing if there is anything on your comp that shouldn't be there.

Next step.

Download ComboFix to your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
Copy & Paste the report contents in your next reply, or if too large upload the log using File Convoy.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...

If you think Combofix is frozen, look at the computer clock.
If it's running, Combofix is still working.
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select Yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
https://www.computerhope.com/issues...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#22
March 9, 2020 at 18:51:14
Well it scanned pretty quickly! Here's the log:

ComboFix 19-11-04.01 - James 09/03/2020 19:45:04.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8098.4934 [GMT -6:00]
Running from: c:\users\James\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {71A27EC9-3DA6-45FC-60A7-004F623C6189}
SP: Microsoft Security Essentials *Disabled/Updated* {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
*NewlyCreated* - MBAMCHAMELEON
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MPKSLDRV
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr QWAVE wcncsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
WiaRpc
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive1]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2020-02-27 13:08 1450552 ----a-w- c:\users\James\AppData\Local\Microsoft\OneDrive\19.232.1124.0008\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive2]
@="{5AB7172C-9C11-405C-8DD5-AF20F3606282}"
[HKEY_CLASSES_ROOT\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}]
2020-02-27 13:08 1450552 ----a-w- c:\users\James\AppData\Local\Microsoft\OneDrive\19.232.1124.0008\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive3]
@="{A78ED123-AB77-406B-9962-2A5D9D2F7F30}"
[HKEY_CLASSES_ROOT\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}]
2020-02-27 13:08 1450552 ----a-w- c:\users\James\AppData\Local\Microsoft\OneDrive\19.232.1124.0008\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive4]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2020-02-27 13:08 1450552 ----a-w- c:\users\James\AppData\Local\Microsoft\OneDrive\19.232.1124.0008\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ OneDrive5]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2020-02-27 13:08 1450552 ----a-w- c:\users\James\AppData\Local\Microsoft\OneDrive\19.232.1124.0008\amd64\FileSyncShell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2016-11-15 1353680]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2019-07-15 9270800]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 825184]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
WiaRpc
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office\Root\Office16\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office\Root\Office16\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - c:\program files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - c:\program files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - c:\program files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - c:\program files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_32_0_0_330_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_32_0_0_330_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_32_0_0_330_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_32_0_0_330_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_32_0_0_330.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.32"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_32_0_0_330.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_32_0_0_330.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_32_0_0_330.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\AVAST Software]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2020-03-09 19:48:47
ComboFix-quarantined-files.txt 2020-03-10 01:48
.
Pre-Run: 247,573,405,696 bytes free
Post-Run: 247,617,122,304 bytes free
.
- - End Of File - - 31215D006410F7228A5066C1D2B67F50
A36C5E4F47E84449FF07ED3517B43A31



#23
March 9, 2020 at 18:57:05
Next step.

Download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not your Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt) on the Desktop.
The logs are large; upload them using this. No time delays/Captcha-I'm not a Robot/account/registration needed. Give us the links please.
http://www.fileconvoy.com/index.php
https://i.imgur.com/7UiiqWr.gif
https://i.imgur.com/6N1gfOj.gif
http://www.filedropper.com/
https://go4up.com/



#24
March 9, 2020 at 20:23:38
Logs here: http://www.fileconvoy.com/dfl.php?i...


#25
March 10, 2020 at 01:32:46
"Logs here"
Got them.

Upload a SS (screenshot) of Device Manager please.
No need to expand the Devices.



#26
March 10, 2020 at 04:42:05
Screenshot here: http://www.fileconvoy.com/dfl.php?i...


#27
March 10, 2020 at 04:58:09
Probably not connected to your concerns, but it needs to be addressed.

Upload SS of everything Snail finds please. Don't install any drivers, just the SS.

SnailDriver for PC's
https://www.softpedia.com/get/Syste...
https://snailsuite.com/download-sna...
For laptops/notebooks
https://www.softpedia.com/get/Syste...
Screenshot
https://i.imgur.com/5leGrmq.gif
https://i.imgur.com/e8KJq5e.gif
http://www.freewarefiles.com/Snail-...
http://www.freewarefiles.com/screen...
https://snailsuite.com/snail-driver...



#28
March 10, 2020 at 05:12:56
Screenshot here: http://www.fileconvoy.com/dfl.php?i...


#29
March 10, 2020 at 05:19:25
Thanks, I would update those 4 drivers.


#30
March 10, 2020 at 05:36:12
Done! Thanks for all of the support and program recommendations Johnw! Truly you are a cyber God among men! I really appreciated the time you spent here on this!

I'm guessing there aren't any big issues to worry about currently then?



#31
March 10, 2020 at 05:37:07
When drivers are updated, is Other devices > Unknown device still in Device manager?


#32
March 10, 2020 at 05:45:21
"I'm guessing there aren't any big issues to worry about currently then?"
Not quite finished.

Copy & Paste only the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
FirewallRules: [{47541E63-CEEE-45C6-8383-DADED73FC3D7}] => (Allow) C:\Users\James\AppData\Roaming\uTorrent\uTorrent.exe No File
FirewallRules: [{602B6209-885E-44FD-A53B-046A7FEF8276}] => (Allow) C:\Users\James\AppData\Roaming\uTorrent\uTorrent.exe No File
FirewallRules: [{F02E4069-C9FB-4158-AD2C-0E0757C9098F}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [{482240E2-7A06-4C84-A74A-8F74656125E0}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [{EF608B06-DF68-47B0-98DF-4727CD276B8D}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [{84FE0970-4060-46A3-A5BE-33BDD86D3168}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [TCP Query User{88C4D24A-ECEF-491D-AA37-0E589C2E33B1}C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe] => (Block) C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe No File
FirewallRules: [UDP Query User{9BD9E29B-DE8D-4056-A536-E74271378755}C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe] => (Block) C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe No File
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S2 HidCerberus.Srv; "C:\Users\James\Desktop\ProconXImput\HidCerberus.Srv\HidCerberus.Srv.exe" -displayname "HidCerberus Service" -servicename "HidCerberus.Srv" [X]
U1 aswbdisk; no ImagePath
S3 cpuz148; \??\C:\Windows\temp\cpuz148\cpuz148_x64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...

message edited by Johnw
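A small triage helper, added here as an example and not part of Johnw's instructions or of ComboFix/FRST themselves. It parses service/driver lines in the two formats pasted in this thread (the ComboFix "Services/Drivers" list above and the FRST entries in the fixlist just posted) and flags the ones a reviewer would look at first: an image in a user-writable location such as Desktop, AppData or Windows\temp, a service with no image path, or a file the tool marked missing. It assumes that the first path field of a ComboFix line is the service image and that the FRST `[X]` suffix marks a missing file, as the fixlist treats it; the sample lines are copied from the thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two tool formats pasted in this thread.
SAMPLE_LINES = [
    ".",                                          # ComboFix section filler, skipped
    "--- Other Services/Drivers In Memory ---",   # section header, skipped
    r"R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64_prewin8.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64_prewin8.sys [x]",
    r"S2 RunSwUSB;RunSwUSB;c:\windows\runSW.exe;c:\windows\runSW.exe [x]",
    r'S2 HidCerberus.Srv; "C:\Users\James\Desktop\ProconXImput\HidCerberus.Srv\HidCerberus.Srv.exe" -displayname "HidCerberus Service" -servicename "HidCerberus.Srv" [X]',
    "U1 aswbdisk; no ImagePath",
    r"S3 cpuz148; \??\C:\Windows\temp\cpuz148\cpuz148_x64.sys [X]",
    r"S3 VGPU; System32\drivers\rdvgkmd.sys [X]",
]

# Directories an ordinary user can write to; a service or driver image living
# there deserves a manual look (it may be legitimate, e.g. a tool's own driver).
USER_WRITABLE = (
    "\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "\\desktop\\", "\\downloads\\",
)


@dataclass
class ServiceEntry:
    fmt: str        # "combofix" or "frst"
    start: str      # start-type code as printed by the tool, e.g. R3, S2, U1
    name: str       # service/driver key name
    image: str      # image path, "" when the tool reported no ImagePath
    missing: bool   # line ended with the tool's [x]/[X] marker


def parse_service_line(line: str) -> ServiceEntry | None:
    """Parse one ComboFix or FRST service/driver line; None for other lines."""
    m = re.match(r"^([RSU]\d)\s+([^;]+);(.*)$", line.strip())
    if not m:
        return None
    start, name, rest = m.group(1), m.group(2).strip(), m.group(3).strip()
    missing = rest.lower().endswith("[x]")
    if missing:
        rest = rest[:-3].rstrip()
    fields = [f.strip() for f in rest.split(";")]
    if len(fields) >= 3:                 # ComboFix: display;image;sysnative-image
        fmt, image = "combofix", fields[1]
    else:                                # FRST: "image" args | image | no ImagePath
        fmt, image = "frst", fields[0]
        if image.lower() == "no imagepath":
            image = ""
        elif image.startswith('"'):      # quoted image followed by arguments
            image = image[1:image.find('"', 1)]
    return ServiceEntry(fmt, start, name, image, missing)


def normalize_path(image: str) -> str:
    """Lower-case, backslash-only path with the NT \\??\\ prefix removed."""
    p = image.replace("/", "\\").lower()
    return p[4:] if p.startswith("\\??\\") else p


def review_flags(entry: ServiceEntry) -> list[str]:
    """Reasons a human should look at this entry; empty list means nothing stood out."""
    flags: list[str] = []
    path = normalize_path(entry.image)
    if not path:
        flags.append("no image path")
    elif any(marker in path for marker in USER_WRITABLE):
        kind = "kernel driver" if path.endswith(".sys") else "image"
        flags.append(f"{kind} in user-writable location")
    # Every ComboFix entry in this thread's x64 log carries [x], so that marker is
    # only treated as a signal for FRST lines, where [X] means the file is absent.
    if entry.fmt == "frst" and entry.missing:
        flags.append("file missing on disk (FRST [X])")
    return flags


def triage(lines) -> dict[str, list[str]]:
    """Map service name -> flags for every parsed entry that needs review."""
    result: dict[str, list[str]] = {}
    for line in lines:
        entry = parse_service_line(line)
        if entry is not None and (flags := review_flags(entry)):
            result[entry.name] = flags
    return result


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LINES).items():
        print(f"{name}: {', '.join(flags)}")
```

Run it against a full FRST.txt or ComboFix log to get a shortlist; an entry on the list is a starting point for checking the file's publisher and signature, not a verdict.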



#33
March 10, 2020 at 16:59:37
Two Unknown Devices are still showing under Other Devices.


#34
March 10, 2020 at 17:04:47
From the Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 08-03-2020
Ran by James (10-03-2020 18:01:56) Run:1
Running from C:\Users\James\Desktop
Loaded Profiles: James (Available Profiles: James)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
FirewallRules: [{47541E63-CEEE-45C6-8383-DADED73FC3D7}] => (Allow) C:\Users\James\AppData\Roaming\uTorrent\uTorrent.exe No File
FirewallRules: [{602B6209-885E-44FD-A53B-046A7FEF8276}] => (Allow) C:\Users\James\AppData\Roaming\uTorrent\uTorrent.exe No File
FirewallRules: [{F02E4069-C9FB-4158-AD2C-0E0757C9098F}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [{482240E2-7A06-4C84-A74A-8F74656125E0}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [{EF608B06-DF68-47B0-98DF-4727CD276B8D}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [{84FE0970-4060-46A3-A5BE-33BDD86D3168}] => (Allow) C:\Program Files (x86)\Doraemon Story of Seasons\DORaEMON STORY OF SEASONS.exe No File
FirewallRules: [TCP Query User{88C4D24A-ECEF-491D-AA37-0E589C2E33B1}C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe] => (Block) C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe No File
FirewallRules: [UDP Query User{9BD9E29B-DE8D-4056-A536-E74271378755}C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe] => (Block) C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe No File
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S2 HidCerberus.Srv; "C:\Users\James\Desktop\ProconXImput\HidCerberus.Srv\HidCerberus.Srv.exe" -displayname "HidCerberus Service" -servicename "HidCerberus.Srv" [X]
U1 aswbdisk; no ImagePath
S3 cpuz148; \??\C:\Windows\temp\cpuz148\cpuz148_x64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{47541E63-CEEE-45C6-8383-DADED73FC3D7}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{602B6209-885E-44FD-A53B-046A7FEF8276}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F02E4069-C9FB-4158-AD2C-0E0757C9098F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{482240E2-7A06-4C84-A74A-8F74656125E0}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EF608B06-DF68-47B0-98DF-4727CD276B8D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{84FE0970-4060-46A3-A5BE-33BDD86D3168}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{88C4D24A-ECEF-491D-AA37-0E589C2E33B1}C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9BD9E29B-DE8D-4056-A536-E74271378755}C:\program files (x86)\star wars jedi fallen order\swgame\binaries\win64\starwarsjedifallenorder.exe" => removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => removed successfully
HKLM\SOFTWARE\Policies\Mozilla => removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => removed successfully
HKLM\System\CurrentControlSet\Services\HidCerberus.Srv => removed successfully
HidCerberus.Srv => service removed successfully
HKLM\System\CurrentControlSet\Services\aswbdisk => removed successfully
aswbdisk => service removed successfully
HKLM\System\CurrentControlSet\Services\cpuz148 => removed successfully
cpuz148 => service removed successfully
HKLM\System\CurrentControlSet\Services\VGPU => removed successfully
VGPU => service removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 59681858 B
Java, Flash, Steam htmlcache => 358434581 B
Windows/system/drivers => 2989202 B
Edge => 0 B
Chrome => 655433022 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66228 B
systemprofile32 => 132584 B
LocalService => 132584 B
NetworkService => 337682 B
James => 315436640 B

RecycleBin => 0 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 18:02:16 ====



#35
March 10, 2020 at 17:19:33
Very good, you are now clean; just those drivers to fix.

Right click on one of them & then click "Update Driver"



#36
March 10, 2020 at 17:35:00
The 2 unknown devices? If so, it gives me the "windows cannot find driver software for your device" message for both.


#37
March 10, 2020 at 17:51:56
Ok, here is how to find out what they are & what to do.

How to Find Drivers for Unknown Devices in Device Manager ( with screenshots )
https://www.howtogeek.com/193798/ho...
https://www.emergingtechs.com/posts...



#38
March 10, 2020 at 18:16:41
Brilliant! Thanks again Johnw!


#39
March 10, 2020 at 18:59:59
Thanks for the feedback Greensky.

