Status: Not open for further replies.

I suspect a rootkit may be installed on my laptop

Solved · 11K views · 42 replies · 2 participants · last post by DR.M

#1
I am always very cautious when surfing the net and avoid suspicious downloads. I use Norton 360 security (with firewall), and all downloads are automatically scanned. However, there is some evidence my OS is playing up, as well as other evidence that I am being followed by cyberstalkers.

Here are the results of the FRST scan, two files:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-09-2021
Ran by User (administrator) on USER-PC (LENOVO 2537VNK) (15-09-2021 14:49:08)
Running from C:\Users\User\Downloads
Loaded Profiles: User
Platform: Windows 10 Pro Version 20H2 19042.1165 (X64) Language: English (United Kingdom)
Default browser: Brave
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(Apple Inc.) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\AMDS64\AppleMobileDeviceProcess.exe
(Brave Software, Inc. -> Brave Software, Inc.) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe <11>
(Glarysoft LTD -> Glarysoft Ltd) C:\Program Files (x86)\Glary Utilities 5\GUBootService.exe
(Glarysoft LTD -> Glarysoft Ltd) C:\Program Files (x86)\Glary Utilities 5\Integrator.exe
(Intel Corporation - pGFX -> Intel Corporation) C:\Windows\System32\igfxext.exe
(LENOVO -> Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\AVControlCenter32.exe
(LENOVO -> Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\avfaudiosw.exe
(LENOVO -> Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\cammute.exe
(LENOVO -> Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\tpknrres.exe
(LENOVO -> Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe
(LENOVO -> Lenovo Corporation) C:\Program Files\Lenovo\Communications Utility\vcamsvchlpr.exe
(LENOVO -> Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\tpknrsvc.exe
(LENOVO -> Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(LENOVO -> Lenovo Group Limited) C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe
(LENOVO -> Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(LENOVO -> Lenovo) C:\Program Files\Lenovo\Lenovo Mobile Hotspot\MobileHotspotclient.exe
(Lenovo -> Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(Lenovo(Japan)Ltd. -> Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\extapsup.exe
(Lenovo(Japan)Ltd. -> Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_3.2108.25001.0_x64__8wekyb3d8bbwe\Cortana.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\oobe\UserOOBEBroker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(NortonLifeLock Inc. -> NortonLifeLock Inc.) C:\Program Files\Norton Security\Engine\22.21.6.53\nsWscSvc.exe
(NortonLifeLock Inc. -> Symantec Corporation) C:\Program Files\Norton Security\Engine\22.21.6.53\NortonSecurity.exe <2>
(NortonLifeLock Inc. -> Symantec Corporation) C:\Program Files\Norton Utilities\x64\LBGovernor.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation -> NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe <2>
(Piriform Software Ltd -> Piriform Software Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(SUPERAntiSpyware.com -> SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Support.com Inc -> SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Synaptics Incorporated -> Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated -> Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Synaptics Incorporated -> Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Synaptics Incorporated -> Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics Incorporated -> Synaptics) C:\Program Files\Synaptics\SynTP\SynLenovoHelper.exe
(TeamViewer Germany GmbH -> TeamViewer Germany GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LenovoOptMouseUpdate] => C:\Program Files\Lenovo\HOTKEY\extapsup.exe [250976 2013-05-22] (Lenovo(Japan)Ltd. -> Lenovo Group Limited)
HKLM\...\Run: [LnvMobHotspotClient] => C:\Program Files\Lenovo\Lenovo Mobile Hotspot\MobileHotspotclient.exe [939976 2015-02-20] (LENOVO -> Lenovo)
HKLM\...\Run: [LMCSSTART1] => C:\Program Files\Lenovo\Communications Utility\lmcsctrl.exe [35856 2016-04-12] (LENOVO -> Lenovo Corporation)
HKLM\...\Run: [LMCSSTART2] => C:\Program Files\Lenovo\Communications Utility\lmcsctrl.exe [35856 2016-04-12] (LENOVO -> Lenovo Corporation)
HKLM\...\Run: [LMCSSTART3] => C:\Program Files\Lenovo\Communications Utility\lmcsctrl.exe [35856 2016-04-12] (LENOVO -> Lenovo Corporation)
HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\Run: [GUDelayStartup] => C:\Program Files (x86)\Glary Utilities 5\StartupManager.exe [44416 2021-09-06] (Glarysoft LTD -> Glarysoft Ltd)
HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [35093120 2021-09-10] (Piriform Software Ltd -> Piriform Software Ltd)
HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [11224432 2021-08-19] (Support.com Inc -> SUPERAntiSpyware)
HKU\S-1-5-21-725688832-2798266748-3951577904-1002\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKLM\...\Windows x64\Print Processors\Canon MG3600 series Print Processor: C:\Windows\System32\spool\prtprocs\x64\CNMPDCT.DLL [30208 2015-03-12] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\...\Windows x64\Print Processors\Epson Inkjet: C:\Windows\System32\spool\prtprocs\x64\EP0NPP01.DLL [38912 2011-08-30] (Microsoft Windows Hardware Compatibility Publisher -> SEIKO EPSON CORPORATION)
HKLM\...\Print\Monitors\Canon BJ Language Monitor MG3600 series: C:\Windows\system32\CNMLMCT.DLL [406528 2015-03-12] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)
HKLM\...\Print\Monitors\Epson Inbox Language Monitor01: C:\Windows\system32\EP0SLM01.DLL [77824 2011-08-30] (Microsoft Windows Hardware Compatibility Publisher -> SEIKO EPSON CORPORATION)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}] -> C:\Program Files\BraveSoftware\Brave-Browser\Application\93.1.29.81\Installer\chrmstp.exe [2021-09-15] (Brave Software, Inc. -> Brave Software, Inc.)
BootExecute: autocheck autochk *
GroupPolicy: Restriction - Edge <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {02185DAB-EC7D-4771-93CA-7A13C373EB21} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [29155968 2021-09-10] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {0716C9EF-E171-4474-B53C-D6D348C32DC9} - System32\Tasks\BraveSoftwareUpdateTaskMachineCore => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162384 2021-02-14] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {0CD05A3D-FEB9-4778-A869-65C65B05EE05} - System32\Tasks\CCleanerSkipUAC - User => C:\Program Files\CCleaner\CCleaner.exe [29155968 2021-09-10] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {16F4058F-4395-4B04-AE73-3229C9242DC2} - System32\Tasks\TVT\TVSUUpdateTask_UserLogOn => C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe [1758792 2021-07-13] (Lenovo -> )
Task: {1C9F1EBF-9EA4-4232-B4DD-1DCF28C651FE} - \OneDrive Standalone Update Task-S-1-5-21-725688832-2798266748-3951577904-1001 -> No File <==== ATTENTION
Task: {2370EFF6-2FBE-4919-80AC-75645A8C5967} - System32\Tasks\Norton Utility\ActiveSync-NortonUtility => C:\Program Files\Norton Utilities\ActiveBridge.exe
Task: {27E04B9F-5503-4DB1-9C81-32D86E5A4092} - System32\Tasks\Norton Utility\AutomaticCare => C:\Program Files\Norton Utilities\NUP.exe [3629552 2021-09-08] (NortonLifeLock Inc. -> NortonLifeLock Inc)
Task: {2D052895-64CF-487E-BD27-C3DDC8B69F12} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Security\Engine\22.21.6.53\WSCStub.exe [646520 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
Task: {41515A28-02F0-47B1-9BEC-B94BAFBDDB8C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1562376 2021-08-16] (Adobe Inc. -> Adobe Inc.)
Task: {4D3CF423-6225-42EE-B386-25068F9110B1} - System32\Tasks\BraveSoftwareUpdateTaskMachineUA => C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162384 2021-02-14] (Brave Software, Inc. -> BraveSoftware Inc.)
Task: {520C7AD1-0C18-4446-A67A-5E75A3179DF5} - System32\Tasks\Norton Utility\Live Boost Process Governor => C:\Program Files\Norton Utilities\x64\LBGovernor.exe [1050096 2021-09-08] (NortonLifeLock Inc. -> Symantec Corporation)
Task: {65AF6671-5786-4851-8D2D-E86F69324D14} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [684976 2021-09-10] (Piriform Software Ltd -> Piriform)
Task: {7B4DEE0E-1C69-4A51-8B1A-1948EBB721BC} - System32\Tasks\Norton 360\Norton 360 Error Processor => C:\Program Files\Norton Security\Engine\22.21.6.53\SymErr.exe [108752 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc)
Task: {7D6EE954-BED8-4BEB-B629-8AFB44C8F55F} - System32\Tasks\Norton 360\Norton 360 Autofix => C:\Program Files\Norton Security\Engine\22.21.6.53\SymErr.exe [108752 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc)
Task: {82A3918F-FA6F-49BF-B353-4F6098330641} - System32\Tasks\TotalAV_OEM_Welcome => C:\Program Files (x86)\TotalAV Welcome OEM\ss-oem.exe [251648 2020-06-16] (Protected Antivirus Limited -> Protected.net Group Limited)
Task: {844F8734-D10D-40EB-A4F7-620E97458A53} - System32\Tasks\Norton 360\Norton 360 Error Analyzer => C:\Program Files\Norton Security\Engine\22.21.6.53\SymErr.exe [108752 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc)
Task: {8CA415D4-47C5-45D2-A1B4-4D6B6C5FA39C} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [17184 2014-09-02] (LENOVO -> Lenovo)
Task: {91734FF1-01CE-4B36-B8F7-90142A4470AB} - System32\Tasks\GU5SkipUAC => C:\Program Files (x86)\Glary Utilities 5\Integrator.exe [919936 2021-09-06] (Glarysoft LTD -> Glarysoft Ltd)
Task: {AB7E6D04-585A-4A9B-9AC2-B75006906469} - System32\Tasks\Lenovo\Lenovo Service Bridge\S-1-5-21-725688832-2798266748-3951577904-1002 => C:\Users\User\AppData\Local\Programs\Lenovo\Lenovo Service Bridge\LSBUpdater.exe [87896 2021-08-18] (Lenovo (Beijing) Limited -> Lenovo Group Limited)
Task: {ADEF22C0-AAD9-473E-8345-EEB75344B7BB} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton 360\Upgrade.exe [2352488 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
Task: {AFC1317F-7DAE-4DE5-82E9-161721C12EA6} - System32\Tasks\GlaryInitialize 5 => C:\Program Files (x86)\Glary Utilities 5\Initialize.exe [137088 2021-09-06] (Glarysoft LTD -> Glarysoft Ltd)
Task: {C603A8D8-B575-4689-B3D5-890F8968A78C} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe [673720 2021-08-29] (Mozilla Corporation -> Mozilla Foundation)
Task: {DF943F08-4352-4847-BF8C-E654756E88A2} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-725688832-2798266748-3951577904-500 => C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
Task: {E18BF8D0-BC92-4CF1-8DBF-3CB86F636B6E} - System32\Tasks\TUDsDownloader => C:\Program Files\Norton Utilities Premium\activesync.exe
Task: {EA4DC5AF-3B6F-4D7F-AAB3-6ED32FA8F5AA} - System32\Tasks\Lenovo\Lenovo Settings Power => "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.dll",PwrMgrBkGndMonitor
Task: {F87D4065-E2DB-4BA1-88F4-A8B91044AC78} - System32\Tasks\TVT\TVSUUpdateTask => C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe [1758792 2021-07-13] (Lenovo -> )

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{1a19eb76-236b-4315-85f4-21db9557d96d}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{25e9cf19-0abd-4796-b9e7-6b3f92aedb82}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Edge:
=======
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
Edge DefaultProfile: Profile 1
Edge Profile: C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Profile 1 [2021-09-15]

FireFox:
========
FF DefaultProfile: nyjea0pv.default
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nyjea0pv.default [2021-06-17]
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nxwrwyjm.default-release [2021-09-15]
FF Extension: (Disconnect) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nxwrwyjm.default-release\Extensions\2.0@disconnect.me.xpi [2021-02-11]
FF Extension: (Hoxx VPN Proxy) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nxwrwyjm.default-release\Extensions\@hoxx-vpn.xpi [2021-08-29]
FF Extension: (HTTPS Everywhere) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nxwrwyjm.default-release\Extensions\https-everywhere@eff.org.xpi [2021-08-29]
FF Extension: (Privacy Badger) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nxwrwyjm.default-release\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2021-08-29]
FF Extension: (NoScript) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nxwrwyjm.default-release\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2021-08-29]
FF Extension: (Adblock Plus - free ad blocker) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nxwrwyjm.default-release\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2021-08-29]
FF Plugin: @videolan.org/vlc,version=3.0.11 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-08] (VideoLAN -> VideoLAN)
FF Plugin: @videolan.org/vlc,version=3.0.12 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-08] (VideoLAN -> VideoLAN)
FF Plugin: @videolan.org/vlc,version=3.0.14 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-08] (VideoLAN -> VideoLAN)
FF Plugin: @videolan.org/vlc,version=3.0.15 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2021-06-08] (VideoLAN -> VideoLAN)
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\nppdf32.dll [2021-09-09] (Adobe Inc. -> Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default [2021-06-06]
CHR Extension: (Slides) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2021-02-10]
CHR Extension: (Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2021-02-10]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2021-02-10]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2021-02-10]
CHR Extension: (Sheets) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2021-02-10]
CHR Extension: (Google Docs Offline) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2021-02-10]
CHR Extension: (Chrome Web Store Payments) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-02-10]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2021-02-10]
CHR Extension: (Chrome Media Router) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2021-02-10]

Brave:
=======
BRA Profile: C:\Users\User\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default [2021-09-15]
BRA Notifications: Default -> hxxps://www.rt.com
BRA DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}&t=brave
BRA DefaultSearchKeyword: Default -> :d
BRA DefaultSuggestURL: Default -> hxxps://ac.duckduckgo.com/ac/?q={searchTerms}&type=list
BRA Extension: (Brave Local Data Files Updater) - C:\Users\User\AppData\Local\BraveSoftware\Brave-Browser\User Data\afalakplffnnnlkncjhbmahjfjhmlkal [2021-08-11]
BRA Extension: (Brave Ad Block Updater (Default)) - C:\Users\User\AppData\Local\BraveSoftware\Brave-Browser\User Data\cffkpbalmllkdoenhmdmpbkajipdjfam [2021-09-15]
BRA Extension: (Brave SpeedReader Updater) - C:\Users\User\AppData\Local\BraveSoftware\Brave-Browser\User Data\jicbkmdloagakknpihibphagfckhjdih [2021-09-14]
BRA Extension: (Brave NTP sponsored images) - C:\Users\User\AppData\Local\BraveSoftware\Brave-Browser\User Data\mjpbonbjgpinifgnneajcbigekbpfige [2021-09-15]
BRA Extension: (Brave HTTPS Everywhere Updater) - C:\Users\User\AppData\Local\BraveSoftware\Brave-Browser\User Data\oofiananboodjbbmdelgdommihjbkfag [2021-09-15]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [173472 2021-01-09] (SUPERAntiSpyware.com -> SUPERAntiSpyware.com)
R2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [169728 2021-08-16] (Adobe Inc. -> Adobe Inc.)
R2 AVControlCenter; C:\Program Files\Lenovo\Communications Utility\AVControlCenter32.exe [566288 2016-04-12] (LENOVO -> Lenovo Corporation)
S2 brave; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162384 2021-02-14] (Brave Software, Inc. -> BraveSoftware Inc.)
S3 bravem; C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe [162384 2021-02-14] (Brave Software, Inc. -> BraveSoftware Inc.)
R2 GUBootService; C:\Program Files (x86)\Glary Utilities 5\GUBootService.exe [867712 2021-09-06] (Glarysoft LTD -> Glarysoft Ltd)
R2 Lenovo Settings Service; C:\Program Files\Lenovo\SettingsDependency\SettingsService.exe [2023592 2015-09-25] (LENOVO -> Lenovo Group Limited)
R3 LENOVO.TVTVCAM; C:\Program Files\Lenovo\Communications Utility\vcamsvc.exe [631312 2016-04-12] (LENOVO -> Lenovo Corporation)
S3 LnvHotSpotSvc; C:\Program Files\Lenovo\Lenovo Mobile Hotspot\LnvHotSpotSvc.exe [480712 2015-03-23] (LENOVO -> Lenovo)
S2 LocationTaskManager; C:\Program Files (x86)\Lenovo\LocationAware\loctaskmgr.exe [469720 2015-05-12] (LENOVO -> )
S2 LPlatSvc; C:\Windows\System32\LPlatSvc.exe [892288 2019-12-11] (Lenovo -> Lenovo.)
R2 NortonSecurity; C:\Program Files\Norton Security\Engine\22.21.6.53\NortonSecurity.exe [343336 2021-07-29] (NortonLifeLock Inc. -> Symantec Corporation)
R2 nsWscSvc; C:\Program Files\Norton Security\Engine\22.21.6.53\nsWscSvc.exe [1058664 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5394872 2021-08-11] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [13271336 2021-08-12] (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\NisSrv.exe [2491880 2021-02-08] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe [128376 2021-02-08] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\BASHDefs\20210913.004\BHDrvx64.sys [2018776 2021-09-13] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
R1 ccSet_NGC; C:\Windows\System32\drivers\NGCx64\1615060.035\ccSetx64.sys [192248 2021-07-29] (Symantec Corporation -> Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [516168 2021-02-10] (Symantec Corporation -> Broadcom)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [153672 2021-02-10] (Symantec Corporation -> Broadcom)
R1 GUBootStartup; C:\Windows\System32\drivers\GUBootStartup.sys [30720 2021-02-10] (Microsoft Windows Hardware Compatibility Publisher -> Glarysoft Ltd)
R1 IDSVia64; C:\Program Files\Norton Security\NortonData\22.20.5.39\Definitions\IPSDefs\20210914.061\IDSvia64.sys [1480128 2021-08-23] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 LnvHIDHW; C:\Windows\System32\drivers\LnvHIDHW.sys [29496 2014-04-07] (Lenovo(Japan)Ltd. -> Lenovo)
R2 npf; C:\Windows\System32\drivers\npf.sys [36600 2014-04-18] (Riverbed Technology, Inc. -> Riverbed Technology, Inc.)
S3 nsvst_NGC; C:\Windows\System32\drivers\NGCx64\1615060.035\nsvst.sys [56080 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
R0 PMDRVS; C:\Windows\System32\drivers\pmdrvs.sys [38160 2019-12-11] (Lenovo -> Lenovo.)
R3 qcusbserlno2k; C:\Windows\system32\DRIVERS\qcusbserlno2k.sys [231040 2011-05-23] (Microsoft Windows Hardware Compatibility Publisher -> QUALCOMM Incorporated)
R2 rimspci; C:\Windows\system32\DRIVERS\rimspe64.sys [61952 2009-10-26] (Microsoft Windows Hardware Compatibility Publisher -> REDC)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2021-01-09] (Support.com, Inc. -> SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2021-01-09] (Support.com, Inc. -> SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SRTSP; C:\Windows\System32\drivers\NGCx64\1615060.035\SRTSP64.SYS [885192 2021-07-29] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R1 SRTSPX; C:\Windows\System32\drivers\NGCx64\1615060.035\SRTSPX64.SYS [41928 2021-07-29] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 SrvHsfHDA; C:\Windows\system32\DRIVERS\VSTAZL6.SYS [292864 2019-12-07] (Microsoft Windows -> Conexant Systems, Inc.)
R3 SrvHsfV92; C:\Windows\system32\DRIVERS\VSTDPV6.SYS [1485312 2019-12-07] (Microsoft Windows -> Conexant Systems, Inc.)
R3 SrvHsfWinac; C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [740864 2019-12-07] (Microsoft Windows -> Conexant Systems, Inc.)
R0 SymEFASI; C:\Windows\System32\drivers\NGCx64\1615060.035\SYMEFASI64.SYS [2062424 2021-07-29] (Symantec Corporation -> Broadcom)
S0 SymELAM; C:\Windows\System32\drivers\NGCx64\1615060.035\SymELAM.sys [25080 2021-07-29] (Microsoft Windows Early Launch Anti-malware Publisher -> Broadcom Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [93152 2021-08-10] (Microsoft Windows Hardware Compatibility Publisher -> Broadcom)
R3 SymEvnt; C:\Program Files\Norton Security\NortonData\22.20.5.39\SymPlatform\SymEvnt.sys [712432 2021-07-13] (Symantec Corporation -> Symantec Corporation)
R1 SymIRON; C:\Windows\System32\drivers\NGCx64\1615060.035\Ironx64.SYS [317296 2021-07-29] (Symantec Corporation -> Broadcom)
R1 SymNetS; C:\Windows\System32\drivers\NGCx64\1615060.035\symnets.sys [575328 2021-07-29] (Symantec Corporation -> Symantec Corporation)
S3 WdBoot; C:\Windows\system32\drivers\wd\WdBoot.sys [48536 2021-02-08] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\wd\WdFilter.sys [429296 2021-02-08] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\drivers\wd\WdNisDrv.sys [70896 2021-02-08] (Microsoft Windows -> Microsoft Corporation)
R1 wpCtrlDrv_NGC; C:\Windows\System32\drivers\NGCx64\1615060.035\wpCtrlDrv.sys [1015760 2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-09-15 14:49 - 2021-09-15 14:52 - 000026118 _____ C:\Users\User\Downloads\FRST.txt
2021-09-15 14:46 - 2021-09-15 14:50 - 000000000 ____D C:\FRST
2021-09-15 14:36 - 2021-09-15 14:36 - 002304000 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2021-09-15 11:37 - 2021-09-15 11:37 - 000000000 ____D C:\Windows\system32\Tasks\Remediation
2021-09-10 10:22 - 2021-09-10 10:22 - 000255928 _____ (Malwarebytes) C:\Windows\system32\Drivers\4156B204.sys
2021-09-10 10:22 - 2021-09-10 10:22 - 000000000 ____D C:\ProgramData\Malwarebytes
2021-09-10 10:21 - 2021-09-10 11:56 - 000192952 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2021-09-10 10:21 - 2021-09-10 10:56 - 000000000 ____D C:\Users\User\Documents\mbar
2021-09-10 10:21 - 2021-09-10 10:56 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2021-09-10 10:20 - 2021-09-10 10:20 - 014178840 _____ (Malwarebytes Corp.) C:\Users\User\Downloads\mbar-1.10.3.1001.exe
2021-09-09 21:04 - 2021-09-15 14:17 - 000007310 _____ C:\Windows\ntbtlog.txt
2021-09-09 16:23 - 2021-09-09 16:23 - 000000000 ____D C:\Users\User\AppData\Local\NPE
2021-09-09 16:17 - 2021-09-09 16:18 - 000004484 _____ C:\TDSSKiller.3.1.0.28_09.09.2021_16.17.01_log.txt
2021-09-09 12:07 - 2021-09-09 12:08 - 000004484 _____ C:\TDSSKiller.3.1.0.28_09.09.2021_12.07.54_log.txt
2021-09-09 11:59 - 2021-09-09 12:02 - 000319296 _____ C:\TDSSKiller.3.1.0.28_09.09.2021_11.59.36_log.txt
2021-09-09 11:59 - 2021-09-09 11:59 - 005054744 _____ (AO Kaspersky Lab) C:\Users\User\Downloads\tdsskiller.exe
2021-09-08 17:25 - 2021-09-08 17:25 - 019829840 _____ (Glarysoft Ltd) C:\Users\User\Downloads\Glary_Utilities_v5.173.0.201.exe
2021-09-08 17:22 - 2021-09-08 17:23 - 031850712 _____ (Bandicam Company) C:\Users\User\Downloads\Bandicam_v5.3.0.1879.exe
2021-09-08 16:41 - 2021-09-08 16:41 - 000001921 _____ C:\Users\User\Desktop\Norton Utilities.lnk
2021-09-08 16:41 - 2021-09-08 16:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton
2021-09-05 19:46 - 2021-09-05 19:46 - 000000000 ____D C:\Users\User\Downloads\QA - Technical Department - Yetminster DT9 - Indeed.com_files
2021-09-05 19:45 - 2021-09-05 19:46 - 000322107 _____ C:\Users\User\Downloads\QA - Technical Department - Yetminster DT9 - Indeed.com.html
2021-09-03 14:48 - 2021-09-03 14:48 - 000000000 ____D C:\Users\User\AppData\Local\Tvsukernel
2021-09-03 14:15 - 2021-09-03 14:15 - 000000000 ____D C:\Windows\LastGood.Tmp
2021-09-03 14:14 - 2021-09-03 14:14 - 000040888 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdap64.dll
2021-09-03 14:10 - 2021-09-03 14:10 - 000000000 ____D C:\Users\User\AppData\Roaming\iTop Screenshot
2021-09-03 14:10 - 2021-09-03 14:10 - 000000000 ____D C:\Users\User\AppData\LocalLow\iTop Screen Recorder
2021-09-03 14:09 - 2021-09-03 14:10 - 000000000 ____D C:\Users\User\AppData\Roaming\iTop Screen Recorder
2021-09-03 14:09 - 2021-09-03 14:10 - 000000000 ____D C:\ProgramData\iTop
2021-09-03 14:09 - 2021-09-03 14:09 - 000000000 ____D C:\ProgramData\iTop VPN
2021-09-03 14:09 - 2021-09-03 14:09 - 000000000 ____D C:\ProgramData\{150F4013-6884-4350-8DDC-6BFCB4C5DC15}
2021-09-03 14:08 - 2021-09-03 15:05 - 000000000 ____D C:\ProgramData\ProductData
2021-09-03 14:08 - 2021-09-03 14:16 - 000000000 ____D C:\Users\User\AppData\Roaming\instinfo
2021-09-03 14:08 - 2021-09-03 14:08 - 000000000 ____D C:\Users\User\AppData\LocalLow\IObit
2021-09-03 14:07 - 2021-09-03 14:07 - 000000000 ____D C:\ProgramData\{E0224FF9-7AE3-4F9E-991A-2F004F7E3952}
2021-09-03 14:06 - 2021-09-03 14:30 - 000000000 ____D C:\ProgramData\IObit
2021-09-03 14:06 - 2021-09-03 14:08 - 000000000 ____D C:\Users\User\AppData\Roaming\IObit
2021-09-03 10:33 - 2021-09-03 10:33 - 000002359 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft Teams.lnk
2021-09-03 10:32 - 2021-09-03 10:32 - 000000000 ____D C:\Users\User\AppData\Roaming\Teams
2021-09-03 10:25 - 2021-09-03 10:34 - 000000000 ____D C:\Users\User\AppData\Local\SquirrelTemp
2021-08-31 14:50 - 2021-08-31 14:50 - 000000000 ___HD C:\ProgramData\CanonBJ
2021-08-31 14:50 - 2015-03-12 05:00 - 000406528 _____ (CANON INC.) C:\Windows\system32\CNMLMCT.DLL
2021-08-29 17:21 - 2021-08-29 17:21 - 000000000 ____D C:\Windows\system32\Tasks\Mozilla
2021-08-29 17:03 - 2021-09-03 10:56 - 000000000 ____D C:\Program Files\Mozilla Firefox
2021-08-26 13:17 - 2021-08-26 13:17 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\lenovo
2021-08-26 13:15 - 2021-08-26 13:15 - 008307216 _____ (Lenovo ) C:\Users\User\Downloads\system_update_5.07.0127.exe
2021-08-26 13:09 - 2021-08-26 13:09 - 003221952 _____ (Lenovo ) C:\Users\User\Downloads\LSBSetup (2).exe
2021-08-26 12:14 - 2021-08-26 12:14 - 000001849 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2021-08-26 12:14 - 2021-08-26 12:14 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2021-08-18 16:16 - 2021-08-18 16:16 - 000002884 _____ C:\Windows\system32\Tasks\CCleanerSkipUAC - User

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-09-15 14:32 - 2019-12-07 10:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-09-15 14:17 - 2020-07-09 21:24 - 000000000 ____D C:\Windows\system32\SleepStudy
2021-09-15 12:00 - 2020-07-09 21:40 - 000004562 _____ C:\Windows\system32\Tasks\Adobe Acrobat Update Task
2021-09-15 11:59 - 2021-07-31 14:45 - 000002061 _____ C:\Users\Public\Desktop\Adobe Acrobat DC.lnk
2021-09-15 11:59 - 2021-06-09 13:12 - 000002073 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat DC.lnk
2021-09-15 11:32 - 2021-02-10 16:47 - 000000000 ____D C:\Program Files\CCleaner
2021-09-15 11:31 - 2021-02-14 18:03 - 000002364 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Brave.lnk
2021-09-15 11:31 - 2021-02-14 18:03 - 000002323 _____ C:\Users\Public\Desktop\Brave.lnk
2021-09-15 11:13 - 2021-02-10 16:47 - 000003936 _____ C:\Windows\system32\Tasks\CCleaner Update
2021-09-15 08:25 - 2021-08-10 18:43 - 000000000 ____D C:\Windows\system32\Tasks\Norton 360
2021-09-14 22:06 - 2021-02-11 14:36 - 000000000 ____D C:\Users\User\AppData\Roaming\Stellarium
2021-09-14 22:06 - 2021-02-10 16:02 - 000000000 ____D C:\Users\User\AppData\Roaming\vlc
2021-09-14 15:37 - 2020-07-09 21:44 - 133215968 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2021-09-14 11:32 - 2019-12-07 10:14 - 000000000 ___HD C:\Program Files\WindowsApps
2021-09-14 11:32 - 2019-12-07 10:14 - 000000000 ____D C:\Windows\AppReadiness
2021-09-13 12:17 - 2021-02-10 22:21 - 000002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2021-09-13 09:33 - 2021-02-10 16:19 - 000000000 ____D C:\Program Files (x86)\Glary Utilities 5
2021-09-11 17:17 - 2021-02-10 18:46 - 000000000 ____D C:\Program Files\Microsoft Update Health Tools
2021-09-09 17:38 - 2020-07-09 21:38 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2021-09-09 17:37 - 2020-07-09 21:24 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-09-09 17:37 - 2020-07-09 21:23 - 000008192 ___SH C:\DumpStack.log.tmp
2021-09-09 17:36 - 2019-12-07 10:03 - 000786432 _____ C:\Windows\system32\config\BBI
2021-09-09 17:18 - 2021-02-11 12:31 - 000000000 ____D C:\Users\User\AppData\Local\CrashDumps
2021-09-09 16:23 - 2021-02-10 13:55 - 000000000 ____D C:\ProgramData\Norton
2021-09-08 17:26 - 2021-02-10 16:19 - 000003288 _____ C:\Windows\system32\Tasks\GlaryInitialize 5
2021-09-08 17:26 - 2021-02-10 16:19 - 000003024 _____ C:\Windows\system32\Tasks\GU5SkipUAC
2021-09-08 17:26 - 2021-02-10 16:19 - 000001161 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Glary Utilities 5.lnk
2021-09-08 17:26 - 2021-02-10 16:19 - 000001149 _____ C:\Users\Public\Desktop\Glary Utilities 5.lnk
2021-09-08 17:24 - 2021-02-27 22:11 - 000001057 _____ C:\Users\Public\Desktop\Bandicam.lnk
2021-09-08 17:24 - 2021-02-27 22:10 - 000000000 ____D C:\Program Files (x86)\BandiMPEG1
2021-09-08 17:24 - 2021-02-27 22:10 - 000000000 ____D C:\Program Files (x86)\Bandicam
2021-09-08 16:41 - 2021-07-08 14:15 - 000000000 ____D C:\Program Files\Norton Utilities
2021-09-06 13:02 - 2021-06-16 12:11 - 000000000 ____D C:\Program Files\SUPERAntiSpyware
2021-09-06 09:59 - 2021-02-11 21:52 - 000000000 ____D C:\Users\User\AppData\LocalLow\Mozilla
2021-09-04 08:34 - 2021-03-19 11:51 - 000000000 ____D C:\Users\User\AppData\LocalLow\Norton
2021-09-03 14:59 - 2021-04-30 14:43 - 000000000 ____D C:\Windows\TempInst
2021-09-03 14:59 - 2019-12-07 10:13 - 000000000 ____D C:\Windows\INF
2021-09-03 14:14 - 2021-02-08 16:05 - 001524664 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco6420103.dll
2021-09-03 14:14 - 2021-02-08 16:05 - 000206776 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvhda64v.sys
2021-09-03 11:01 - 2019-12-07 10:03 - 000032768 _____ C:\Windows\system32\config\ELAM
2021-09-03 10:56 - 2021-02-28 15:19 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2021-08-29 22:59 - 2021-02-11 18:53 - 000000000 ____D C:\Users\User\Documents\VSO Downloader
2021-08-29 17:21 - 2021-02-28 15:19 - 000001005 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2021-08-27 21:15 - 2020-07-09 21:30 - 000840838 _____ C:\Windows\system32\PerfStringBackup.INI
2021-08-26 13:17 - 2021-04-30 14:44 - 000000000 ____D C:\Windows\system32\Tasks\TVT
2021-08-26 13:16 - 2021-06-02 16:58 - 000000831 _____ C:\Windows\SysWOW64\InstallUtil.InstallLog
2021-08-26 13:16 - 2020-08-28 09:18 - 000000000 ____D C:\Program Files (x86)\Lenovo
2021-08-26 13:10 - 2021-04-30 15:19 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2021-08-26 13:10 - 2021-04-30 11:58 - 000000000 ____D C:\Windows\system32\Tasks\Lenovo
2021-08-26 12:08 - 2021-02-10 16:19 - 000000000 ____D C:\Users\User\AppData\Roaming\GlarySoft
2021-08-19 12:42 - 2021-06-17 12:07 - 000000000 ____D C:\ProgramData\TEMP
2021-08-19 12:41 - 2021-06-17 20:55 - 000000000 ____D C:\Program Files (x86)\SpywareBlaster
2021-08-18 08:12 - 2021-02-10 22:20 - 000003480 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2021-08-18 08:12 - 2021-02-10 22:20 - 000003356 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2021-08-17 01:22 - 2021-02-10 18:46 - 000740168 _____ (Microsoft Corporation) C:\Windows\system32\sedplugins.dll
2021-08-17 01:22 - 2021-02-10 18:46 - 000486728 _____ (Microsoft Corporation) C:\Windows\system32\QualityUpdateAssistant.dll

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-09-2021
Ran by User (15-09-2021 14:53:42)
Running from C:\Users\User\Downloads
Windows 10 Pro Version 20H2 19042.1165 (X64) (2020-08-27 16:13:03)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-725688832-2798266748-3951577904-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-725688832-2798266748-3951577904-503 - Limited - Disabled)
Guest (S-1-5-21-725688832-2798266748-3951577904-501 - Limited - Disabled)
User (S-1-5-21-725688832-2798266748-3951577904-1002 - Administrator - Enabled) => C:\Users\User
WDAGUtilityAccount (S-1-5-21-725688832-2798266748-3951577904-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton 360 (Enabled - Up to date) {AECE2126-F4E7-6909-11F2-1B69D1FBCBD0}
AV: Norton 360 (Enabled - Up to date) {9E3FD331-C4C2-7AC4-0537-131EEF1B1F8A}
FW: Norton 360 (Enabled) {A6045214-8EAD-7B9C-2E68-BA2B11C858F1}
FW: Norton 360 (Enabled) {96F5A003-BE88-6851-3AAD-B25C2F288CAB}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat DC (64-bit) (HKLM\...\{AC76BA86-1033-1033-7760-BC15014EA700}) (Version: 21.007.20091 - Adobe)
Bandicam (HKLM-x32\...\Bandicam) (Version: 5.3.0.1879 - Bandicam.com)
Bandicam MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version: - Bandicam.com)
Brave (HKLM-x32\...\BraveSoftware Brave-Browser) (Version: 93.1.29.81 - Brave Software Inc)
CCleaner (HKLM\...\CCleaner) (Version: 5.85 - Piriform)
Conexant 20585 SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.95.49.53 - Conexant)
Core Temp 1.17.1 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.17.1 - ALCPU)
Epson Software Updater (HKLM-x32\...\{D2D9559D-359A-4C61-B93A-FE01AE2BFB75}) (Version: 4.5.4 - Seiko Epson Corporation)
Glary Utilities 5.173 (HKLM-x32\...\Glary Utilities 5) (Version: 5.173.0.201 - Glarysoft Ltd)
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.101.0 - Google LLC) Hidden
Intel(R) Turbo Boost Technology Driver (HKLM-x32\...\{D6C630BF-8DBB-4042-8562-DC9A52CB6E7E}) (Version: 01.02.00.1002 - Intel Corporation)
Lenovo Patch Utility (HKLM-x32\...\{E8F27ADF-B1ED-41AF-A7EF-D5E71778480C}) (Version: 1.3.2.6 - Lenovo Group Limited) Hidden
Lenovo Patch Utility 64 bit (HKLM\...\{49A09C2C-FFF4-478E-B397-5E0979F67F5D}) (Version: 1.3.2.6 - Lenovo Group Limited) Hidden
Lenovo Service Bridge (HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\{2C74547D-EF88-47F4-85F5-BE46A31E26B7}_is1) (Version: 5.0.2.5 - Lenovo)
Lenovo Settings Dependency Package (HKLM\...\{3694BA2E-BE31-4B7E-886B-A0B559E69D4D}_is1) (Version: 2.4.0.21 - Lenovo Group Limited)
Lenovo System Update (HKLM-x32\...\TVSU_is1) (Version: 5.07.0127 - Lenovo)
Metric Collection SDK (HKLM-x32\...\{DDAA788F-52E6-44EA-ADB8-92837B11BF26}) (Version: 1.1.0008.00 - Lenovo Group Limited) Hidden
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 93.0.961.47 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Teams (HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\Teams) (Version: 1.4.00.22472 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{7B981965-2FBC-433C-B4B3-E183EE97CD29}) (Version: 2.83.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.25.28508 (HKLM-x32\...\{6913e92a-b64e-41c9-a5e6-cef39207fe89}) (Version: 14.25.28508.3 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.23.27820 (HKLM-x32\...\{45231ab4-69fd-486a-859d-7a59fcd11013}) (Version: 14.23.27820.0 - Microsoft Corporation)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 91.0.2 (x64 en-US)) (Version: 91.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 90.0 - Mozilla)
Norton 360 (HKLM-x32\...\NGC) (Version: 22.21.6.53 - NortonLifeLock Inc)
Norton Utilities (HKLM\...\{36896A40-D958-486B-8A43-31A41E129FE2}) (Version: 21.4.3.281 - NortonLifeLock Inc)
NVIDIA Graphics Driver 341.74 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.74 - NVIDIA Corporation)
On Screen Display (HKLM\...\OnScreenDisplay) (Version: 6.73.01 - )
SharpKeys (HKLM\...\{DCBF8C2F-0053-4BC7-B7A4-ABEE0D4389FC}) (Version: 3.9.0000 - RandyRants.com)
SpywareBlaster 6.0 (HKLM-x32\...\SpywareBlaster_is1) (Version: 6.0.0 - BrightFort LLC)
Stellarium 0.21.1 (HKLM-x32\...\Stellarium_is1) (Version: 0.21.1 - Stellarium team)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 10.0.1238 - SUPERAntiSpyware.com)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.17.115 - Synaptics Incorporated)
TeamViewer (HKLM-x32\...\TeamViewer) (Version: 15.21.4 - TeamViewer)
TotalAV Welcome OEM (HKLM-x32\...\TotalAV Welcome OEM) (Version: 1.0.0 - TotalAV Welcome OEM) <==== ATTENTION
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Virtual Moon Atlas V7.0 (HKLM-x32\...\{3EB7A19B-690F-49BA-B494-CADA547D0DB9}_is1) (Version: - )
VLC media player (HKLM\...\VLC media player) (Version: 3.0.15 - VideoLAN)
VSO Downloader 5.1.1.70 (HKLM-x32\...\{3C5CD638-CAD0-4F6C-81FD-B37D47B411F7}_is1) (Version: 5.1.1.70 - VSO Software)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - CACE Technologies)
Zoom (HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\ZoomUMX) (Version: 5.6.4 (799) - Zoom Video Communications, Inc.)

Packages:
=========
iTunes -> C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa [2021-08-11] (Apple Inc.) [Startup Task]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2021-02-12] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2021-02-12] (Microsoft Corporation) [MS Ad]
Photo Frame -> C:\Program Files\WindowsApps\38731basquang.vn.PhotoFrame_1.1.3.0_x64__pyvvk3yw15sng [2021-04-04] (basquang) [MS Ad]
Photos Add-on -> C:\Program Files\WindowsApps\Microsoft.Windows.Photos.DLC.Main_2021.39122.10110.0_x64__8wekyb3d8bbwe [2021-03-23] (Microsoft Corporation)
Photos Media Engine Add-on -> C:\Program Files\WindowsApps\Microsoft.Photos.MediaEngineDLC_1.0.0.0_x64__8wekyb3d8bbwe [2021-02-13] (Microsoft Corporation)
Simple Solitaire -> C:\Program Files\WindowsApps\26720RandomSaladGamesLLC.SimpleSolitaire_7.3.1.0_x64__kx24dqmazqk8j [2021-09-11] (Random Salad Games LLC)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0 [2021-09-03] (Spotify AB) [Startup Task]
The Backgammon -> C:\Program Files\WindowsApps\6918E89D.TheBackgammon_1.2.10.0_x64__66n08swfvvka0 [2021-05-18] (UNBALANCE corp.) [MS Ad]
The Chess Lv.100 -> C:\Program Files\WindowsApps\6918E89D.THECHESSLV.100_1.3.8.0_x64__66n08swfvvka0 [2021-08-13] (UNBALANCE corp.) [MS Ad]

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-725688832-2798266748-3951577904-1002_Classes\CLSID\{19A6E644-14E6-4A60-B8D7-DD20610A871D}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.21140.5\x64\Microsoft.Teams.AddinLoader.dll (Microsoft Corporation -> Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ShellIconOverlayIdentifiers-x32: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ShellIconOverlayIdentifiers-x32: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers1: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ContextMenuHandlers1: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2020-10-12] (Glarysoft LTD -> Glarysoft Ltd)
ContextMenuHandlers1: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.21.6.53\NavShExt.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ContextMenuHandlers2: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2020-10-12] (Glarysoft LTD -> Glarysoft Ltd)
ContextMenuHandlers2: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.21.6.53\NavShExt.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2012-11-26] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2015-06-29] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files\Norton Security\Engine\22.21.6.53\buShell.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
ContextMenuHandlers6: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => C:\Program Files (x86)\Glary Utilities 5\x64\ContextHandler.dll [2020-10-12] (Glarysoft LTD -> Glarysoft Ltd)
ContextMenuHandlers6: [NortonLifeLock.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files\Norton Security\Engine\22.21.6.53\NavShExt.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [vidc.mjpg] => C:\Windows\system32\bdmjpeg64.dll [75248 2017-01-26] (Bandicam Company -> )
HKLM\...\Drivers32: [vidc.mpeg] => C:\Windows\system32\bdmpegv64.dll [75272 2017-01-26] (Bandicam Company -> )
HKLM\...\Drivers32: [msacm.bdmpeg] => C:\Windows\system32\bdmpega64.acm [75784 2017-01-26] (Bandicam Company -> )
HKLM\...\Drivers32: [vidc.mjpg] => C:\Windows\SysWOW64\bdmjpeg.dll [71152 2017-01-26] (Bandicam Company -> )
HKLM\...\Drivers32: [vidc.mpeg] => C:\Windows\SysWOW64\bdmpegv.dll [71176 2017-01-26] (Bandicam Company -> )
HKLM\...\Drivers32: [msacm.bdmpeg] => C:\Windows\SysWOW64\bdmpega.acm [71176 2017-01-26] (Bandicam Company -> )

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\188f5ec9d11ded56\Microsoft Edge.lnk -> C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (Microsoft Corporation) -> --profile-directory="Profile 1"

==================== Loaded Modules (Whitelisted) =============

2021-04-30 12:00 - 2016-04-14 07:50 - 000107008 ____N () [File not signed] C:\Program Files (x86)\ThinkPad\Utilities\US\PWMRT64V.dll
2021-04-30 12:03 - 2016-04-05 09:37 - 002085888 _____ () [File not signed] C:\Program Files\Lenovo\Communications Utility\cv210.dll
2021-04-30 12:03 - 2016-04-05 09:37 - 002201088 _____ () [File not signed] C:\Program Files\Lenovo\Communications Utility\cxcore210.dll
2021-04-30 12:01 - 2014-10-23 10:20 - 000276480 _____ (Lenovo) [File not signed] C:\Program Files\Lenovo\Lenovo Mobile Hotspot\MHHelperDLL.dll

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136]

==================== Safe Mode (Whitelisted) ==================

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

BHO: Norton Password Manager -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security\Engine\22.21.6.53\coIEPlg.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
BHO-x32: Norton Password Manager -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Security\Engine32\22.21.6.53\coIEPlg.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine\22.21.6.53\coIEPlg.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security\Engine32\22.21.6.53\coIEPlg.dll [2021-07-29] (NortonLifeLock Inc. -> NortonLifeLock Inc.)

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-725688832-2798266748-3951577904-1002\...\1001movie.com -> 1001movie.com

There are 6091 more sites.

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 10:14 - 2019-12-07 10:12 - 000000824 ____N C:\Windows\system32\drivers\etc\hosts

2021-02-21 17:19 - 2021-02-21 17:24 - 000000436 _____ C:\Windows\system32\drivers\etc\hosts.ics

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-725688832-2798266748-3951577904-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\User\Desktop\G Alexander\Pictures\Wallpapers\grand-canyon-wallpaper.jpeg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(If an entry is included in the fixlist, it will be removed.)

MSCONFIG\Services: TeamViewer => 2

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{40AAD3D7-52EA-4530-9003-E66B1236D6DA}C:\users\public\desktop\sdio_update\sdio_x64_r715.exe] => (Block) C:\users\public\desktop\sdio_update\sdio_x64_r715.exe => No File
FirewallRules: [UDP Query User{583779DC-EC42-45CC-957B-C960DC6DBFB9}C:\users\public\desktop\sdio_update\sdio_x64_r715.exe] => (Block) C:\users\public\desktop\sdio_update\sdio_x64_r715.exe => No File
FirewallRules: [{480AF5AA-9E64-4970-B285-0EBFE740668C}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{9E94DBE2-F11B-4B8A-A1C6-208A909E5441}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{B2D7A747-9439-4460-BAA1-D025312332EE}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{BF6E3546-FE15-4763-8C49-7FC7ACD815D2}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{C9D8D439-F519-4BA3-A16F-20E2FB723A75}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\iTunes.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{A1A30333-9C22-4936-A773-6C608DCB7B08}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\iTunes.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{26679C38-AF2E-4E8D-825F-682D52DFCCFA}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\iTunes.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{1A4F990E-B925-44BA-A75A-62DE0656B88B}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\iTunes.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{71915E36-DA13-4E3F-9145-F82A675C5514}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\AMDS64\AppleMobileDeviceProcess.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{59EEE163-C714-4484-920F-E3EE988DC269}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\AMDS64\AppleMobileDeviceProcess.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{8DF63D8A-CCB0-4A69-8F24-CD05729623B4}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\AMDS64\AppleMobileDeviceProcess.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{142802EE-21F3-4592-BD00-A5CEC25DC25B}] => (Allow) C:\Program Files\WindowsApps\AppleInc.iTunes_12114.15.53119.0_x64__nzyj5cx40ttqa\AMDS64\AppleMobileDeviceProcess.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{9C6B7C5D-2C8A-438F-8FD8-1C9716EAAE10}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{DEBC74A2-8698-425E-A0DE-EC9F603BEEB0}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{CFAB2553-974C-499E-A356-2E776D88098A}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{C06B28FF-BA50-4035-92AC-9833A06254A6}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{128FED1C-6334-4DB8-B81A-59F3429414BA}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{4164B645-495C-41BD-8241-88CFFE900BCA}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{E5CCF454-6AB3-432A-9C61-DC29F0D7CC81}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{08F396D9-438E-447A-8597-8A7BC7613261}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (TeamViewer Germany GmbH -> TeamViewer Germany GmbH)
FirewallRules: [{E04B7202-E1E9-4E31-BC6C-7297DADAAF14}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe (Lenovo -> )
FirewallRules: [{DF6D5B10-9BB1-4B35-BF59-03DD58FC1502}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe (Lenovo -> )
FirewallRules: [{76A894DE-E8AD-4275-A326-D458551EA3F4}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{FDEEC526-60A7-4FBE-B7CF-5C507DB8A385}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{F4D6C89E-9B84-4FF0-B11D-C8603CD6E086}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{458D0AD2-F42A-4E03-BC6B-2C4274DEDF97}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{687FFFEC-6E61-4A3C-93F3-FE0BD9A8749C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{C2513710-DC58-442F-858F-E83F60278E41}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{D2CB5E95-32A2-4443-9AE7-DD092C79664E}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{EA25635A-F2B8-48E4-9957-EEE2FE54F90F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.167.586.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{212C1D7A-7C48-4CDC-BBE3-CAF586CC4F2D}] => (Allow) C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe (Brave Software, Inc. -> Brave Software, Inc.)

==================== Restore Points =========================

29-08-2021 18:23:41 Scheduled Checkpoint
03-09-2021 14:12:54 Driver Booster : NVIDIA High Definition Audio
13-09-2021 12:25:57 Scheduled Checkpoint

==================== Faulty Device Manager Devices ============

==================== Event log errors: ========================

Application errors:
==================
Error: (09/11/2021 09:10:37 PM) (Source: Firefox Default Browser Agent) (EventID: 12007) (User: )
Description: Event-ID 12007

Error: (09/11/2021 09:10:37 PM) (Source: Firefox Default Browser Agent) (EventID: 0) (User: )
Description: Event-ID 0

Error: (09/11/2021 08:19:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_BITS, version: 10.0.19041.546, time stamp: 0x058e175a
Faulting module name: qmgr.dll, version: 7.8.19041.746, time stamp: 0x73a7ab6f
Exception code: 0xc0000005
Fault offset: 0x00000000000add14
Faulting process ID: 0x2d74
Faulting application start time: 0x01d7a7281291b86a
Faulting application path: C:\Windows\System32\svchost.exe
Faulting module path: c:\windows\system32\qmgr.dll
Report ID: e40a3478-4408-4c99-b861-30fb935e243c
Faulting package full name:
Faulting package-relative application ID:

Error: (09/09/2021 04:05:37 PM) (Source: ESENT) (EventID: 455) (User: )
Description: taskhostw (12872,R,98) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\User\AppData\Local\Microsoft\Windows\WebCache\V01.log.

Error: (09/09/2021 04:05:36 PM) (Source: ESENT) (EventID: 490) (User: )
Description: taskhostw (12872,R,98) WebCacheLocal: An attempt to open the file "C:\Users\User\AppData\Local\Microsoft\Windows\WebCache\V01.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Error: (09/08/2021 03:57:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: CCleaner64.exe, version: 5.84.0.9143, time stamp: 0x6128cf9a
Faulting module name: CCleaner64.exe, version: 5.84.0.9143, time stamp: 0x6128cf9a
Exception code: 0xc0000409
Fault offset: 0x0000000000c4bd55
Faulting process ID: 0x50c
Faulting application start time: 0x01d7a4c1e3aa03ac
Faulting application path: C:\Program Files\CCleaner\CCleaner64.exe
Faulting module path: C:\Program Files\CCleaner\CCleaner64.exe
Report ID: 7755712e-bffb-4536-88eb-a23a4930e50c
Faulting package full name:
Faulting package-relative application ID:

Error: (09/08/2021 03:55:51 PM) (Source: ESENT) (EventID: 455) (User: )
Description: taskhostw (13308,R,98) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\User\AppData\Local\Microsoft\Windows\WebCache\V01.log.

Error: (09/08/2021 03:55:51 PM) (Source: ESENT) (EventID: 490) (User: )
Description: taskhostw (13308,R,98) WebCacheLocal: An attempt to open the file "C:\Users\User\AppData\Local\Microsoft\Windows\WebCache\V01.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

System errors:
=============
Error: (09/15/2021 12:30:02 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (09/15/2021 08:30:28 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (09/14/2021 05:27:32 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (09/14/2021 04:12:10 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (09/14/2021 02:50:18 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (09/14/2021 02:37:18 PM) (Source: DCOM) (EventID: 10010) (User: USER-PC)
Description: The server microsoft.windowscommunicationsapps_16005.14326.20206.0_x64__8wekyb3d8bbwe!microsoft.windowslive.calendar.AppXwkn9j84yh1kvnt49k5r8h6y1ecsv09hs.mca did not register with DCOM within the required timeout.

Error: (09/14/2021 12:13:08 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (09/14/2021 08:55:08 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Windows Defender:
================
Date: 2021-02-10 12:44:32
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-02-08 15:04:36
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-02-08 15:28:49
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2020-07-11 16:45:16
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-02-10 12:25:35
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.331.504.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.17800.5
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2021-02-10 12:25:35
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.331.504.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.17800.5
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2021-02-10 12:25:35
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.331.504.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.17800.5
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2021-02-10 12:25:35
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.331.504.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.17800.5
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2021-02-10 12:25:35
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.331.504.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.17800.5
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
===============
Date: 2021-09-15 08:18:26
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume2\Program Files\Norton Security\Engine\22.21.6.53\symamsi.dll that did not meet the Windows signing level requirements.

Date: 2021-09-14 11:30:10
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume2\Program Files\Norton Security\Engine\22.21.6.53\symamsi.dll that did not meet the Windows signing level requirements.

==================== Memory info ===========================

BIOS: LENOVO 6IET68WW (1.28 ) 07/12/2010
Motherboard: LENOVO 2537VNK
Processor: Intel(R) Core(TM) i5 CPU M 540 @ 2.53GHz
Percentage of memory in use: 74%
Total physical RAM: 3955.67 MB
Available physical RAM: 1004.36 MB
Total Virtual: 5939.67 MB
Available Virtual: 1854.13 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.54 GB) (Free:212.63 GB) NTFS

\\?\Volume{de77ec38-0000-0000-0000-100000000000}\ (System Reserved) (Fixed) (Total:0.05 GB) (Free:0.02 GB) NTFS
\\?\Volume{de77ec38-0000-0000-0016-a3654a000000}\ () (Fixed) (Total:0.5 GB) (Free:0.08 GB) NTFS

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 298.1 GB) (Disk ID: DE77EC38)
Partition 1: (Active) - (Size=50 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=515 MB) - (Type=27)

==================== End of Addition.txt =======================
 
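The Addition.txt above ends with an "Event log errors" section whose entries all share one layout: an `Error:` header carrying the timestamp, Source, EventID and User, then one or more Description lines, then a blank line. When triaging a thread like this one it helps to pull those entries into records and separate the recurring noise (ESENT WebCache locks, Kernel-Power 137) from application crashes worth a second look. The parser below is an added example in that layout; it is not FRST's own code, FRST ships no such parser, and the function names are assumptions. The sample text is constructed from a few of the entries posted above.

```python
"""Parse the 'Event log errors' section of an FRST Addition.txt and
triage the entries.  Added example, not part of FRST or of this thread."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample, trimmed to four entries in the layout FRST uses:
# header line, Description line(s), blank line; section names end in "errors:".
SAMPLE = r"""
==================== Event log errors: ========================

Application errors:
==================
Error: (09/11/2021 08:19:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_BITS, version: 10.0.19041.546, time stamp: 0x058e175a
Faulting module name: qmgr.dll, version: 7.8.19041.746, time stamp: 0x73a7ab6f
Exception code: 0xc0000005
Faulting application path: C:\Windows\System32\svchost.exe

Error: (09/09/2021 04:05:37 PM) (Source: ESENT) (EventID: 455) (User: )
Description: taskhostw (12872,R,98) WebCacheLocal: Error -1032 (0xfffffbf8) occurred while opening logfile C:\Users\User\AppData\Local\Microsoft\Windows\WebCache\V01.log.

System errors:
=============
Error: (09/15/2021 12:30:02 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (09/14/2021 02:37:18 PM) (Source: DCOM) (EventID: 10010) (User: USER-PC)
Description: The server example.app did not register with DCOM within the required timeout.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ errors):$")
HEADER_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<eid>\d+)\) \(User: (?P<user>[^)]*)\)$"
)
# Fields of an Application Error 1000 record worth extracting.
FIELD_RE = re.compile(r"^(Faulting application name|Faulting module name|Exception code): ([^,]+)")
FIELD_KEYS = {"Faulting application name": "application",
              "Faulting module name": "module",
              "Exception code": "exception_code"}
# NTSTATUS values that show up in crash records (known constants).
EXCEPTION_NAMES = {
    "0xc0000005": "STATUS_ACCESS_VIOLATION",
    "0xc0000409": "STATUS_STACK_BUFFER_OVERRUN (fail-fast)",
}


def parse_frst_errors(text):
    """Return one dict per entry: section, timestamp, source, event_id, user, description."""
    records, section, current = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:                                   # "Application errors:" / "System errors:"
            section = m.group("name")
            continue
        m = HEADER_RE.match(line)
        if m:                                   # start of a new entry
            current = {
                "section": section,
                "timestamp": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
                "source": m.group("source"),
                "event_id": int(m.group("eid")),
                "user": m.group("user").strip(),
                "description": [],
            }
            records.append(current)
            continue
        if current is None:
            continue                            # underline rows, text outside an entry
        if line.startswith("Description: "):
            current["description"].append(line[len("Description: "):])
        elif line.strip() == "" or line.startswith("===="):
            current = None                      # blank line closes the entry
        else:
            current["description"].append(line) # continuation lines of the description
    return records


def crash_details(record):
    """For Application Error / EventID 1000 records, pull app, module and exception code."""
    if record["source"] != "Application Error" or record["event_id"] != 1000:
        return None
    out = {}
    for line in record["description"]:
        m = FIELD_RE.match(line)
        if m:
            out[FIELD_KEYS[m.group(1)]] = m.group(2).strip()
    return out


def summarize(records):
    """Count (section, source, event_id) so repeating entries stand out as one cause."""
    return Counter((r["section"], r["source"], r["event_id"]) for r in records)


def triage(records):
    """One human-readable line per application crash, with the exception code named."""
    lines = []
    for r in records:
        d = crash_details(r)
        if not d:
            continue
        code = d.get("exception_code", "?")
        name = EXCEPTION_NAMES.get(code.lower(), "unknown exception")
        when = r["timestamp"].strftime("%Y-%m-%d %H:%M")
        lines.append(f"{when} {d.get('application', '?')} crashed in {d.get('module', '?')} ({code} {name})")
    return lines


if __name__ == "__main__":
    recs = parse_frst_errors(SAMPLE)
    for key, n in summarize(recs).items():
        print(n, key)
    print(*triage(recs), sep="\n")
```

Running it against a real Addition.txt is a matter of reading the file instead of `SAMPLE`; the parser ignores the Windows Defender and CodeIntegrity sections, which use a different `Date:` layout, so those still need to be read by hand.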
#2 ·
Hi, James.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.

=======================

Let's begin.

1. Why do you think you are infected?

Please explain in detail what exactly you mean by the following:

However there is some evidence my OS is playing up, as well as other evidence I am being followed by cyberstalkers.

2. Proxy extension

Are you aware of this proxy extension? Do you need it?

Hoxx VPN Proxy

3. Uninstall programs
  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following programs in the list:
Code:
Glary Utilities 5.173
TotalAV Welcome OEM
Intel(R) Turbo Boost Technology Driver
  • Select the above programs, one by one, and click Uninstall.
  • Restart the computer at the end of the procedure.
If you don't use Team Viewer, uninstall this program too.

NOTE:

We do not recommend registry cleaners, system optimizers, driver boosters and the like. It is your computer and certainly your choice. However, please consider that with these programs the potential is ever present to cause more problems than they claim to fix. That's why I recommend that you uninstall Glary Utilities and Turbo Boost Technology Driver. CCleaner is also a registry cleaner. Keep it, if you need it, but do not use the registry cleaning option, as messing with the registry may make your computer unbootable.


In your next reply please post:

  1. Your detailed description of the evidence you have that you are infected
  2. A reply about the proxy extension
  3. If the uninstalling procedure went well

 
#3 ·
In answer to your questions:

1. The OS does not seem to be behaving because I cannot switch off Auto-Shutdown using the online recommended methods. Also the internal camera and microphone are not working at all and I have tried everything to get them to work. Further, I am unable to switch off the Wifi connection using the OS but have to use the physical switch on the side of the laptop (I don't usually use Wifi for security reasons).

I'm absolutely certain I'm being stalked and this doesn't just include cyberstalking, and the police are aware of the situation. The stalking and harassment phenomena often strongly correlate with my online behaviour, giving the strong impression that my stalkers can see everything I'm doing both on and offline.

2. The Hoxx VPN Proxy has been removed. The issues with my OS predate the installing of this addon.

3. I have successfully uninstalled the following items:

TotalAV Welcome OEM
Intel(R) Turbo Boost Technology Driver
Team Viewer

I was only too pleased to uninstall TeamViewer. I've never used it, it continually asks to be updated, and the software is far too pushy as if it's attempting to take over your laptop.

I regularly use Glary Utilities and don't really want to uninstall it. Are there any security issues with this software as I think it's fairly reliable?
 
#4 ·
Hi, James.

Good job uninstalling all those programs. As for Glary, some antivirus programs detect it as a potentially unwanted program. It's your computer, however, so your decision.

The OS does not seem to be behaving because I cannot switch off Auto-Shutdown using the online recommended methods. Also the internal camera and microphone are not working at all and I have tried everything to get them to work. Further I am unable to switch off the Wifi connection using the OS but have to use the physical switch on the side of the laptop (I don't usually use Wifi for security reasons).

Probably not malware related, but we will continue our checks.

1. Run AdwCleaner (Scan mode)


Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

2. Run Malwarebytes (Scan mode)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the last two steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

In your next reply, please post:

  1. The screenshot with the popup (if it appears)
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
 
#5 ·
Here are the results:

# -------------------------------
# Malwarebytes AdwCleaner 8.3.0.0
# -------------------------------
# Build: 06-29-2021
# Database: 2021-09-09.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 09-16-2021
# Duration: 00:00:21
# OS: Windows 10 Pro
# Scanned: 31985
# Detected: 17

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.AdvancedSystemCare C:\Users\User\AppData\Roaming\IObit\Advanced SystemCare

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.LenovoHotkeyManager Folder C:\Program Files\LENOVO\HOTKEY
Preinstalled.LenovoHotkeyManager Registry HKLM\Software\Classes\CLSID\{A48CA1A4-C36B-44f2-8090-19E08DF4365E}
Preinstalled.LenovoHotkeyManager Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|LenovoOptMouseUpdate
Preinstalled.LenovoHotkeyManager Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run|LenovoOptMouseUpdate
Preinstalled.LenovoHotkeyManager Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\OnScreenDisplay
Preinstalled.LenovoPowerManager Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}
Preinstalled.LenovoServiceBridge Folder C:\Users\User\AppData\Local\PROGRAMS\LENOVO\LENOVO SERVICE BRIDGE
Preinstalled.LenovoServiceBridge Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2C74547D-EF88-47F4-85F5-BE46A31E26B7}_is1
Preinstalled.LenovoSettings Folder C:\ProgramData\LENOVO\LENOVO SETTINGS
Preinstalled.LenovoThinkVantageCommunicationsUtility Folder C:\Program Files\LENOVO\COMMUNICATIONS UTILITY
Preinstalled.LenovoThinkVantageCommunicationsUtility Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|LMCSSTART1
Preinstalled.LenovoThinkVantageCommunicationsUtility Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run|LMCSSTART1
Preinstalled.LenovoThinkVantageCommunicationsUtility Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{88C6A6D9-324C-46E8-BA87-563D14021442}_is1
Preinstalled.LenovoUpdate Folder C:\Program Files (x86)\LENOVO\SYSTEM UPDATE
Preinstalled.LenovoUpdate Registry HKLM\Software\Wow6432Node\\Classes\CLSID\{03C6CC92-68F2-4961-9A73-CAECA350BD08}
Preinstalled.LenovoUpdate Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\TVSU_is1

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 16/09/2021
Scan Time: 14:34
Log File: d8797974-16f2-11ec-8620-f0def1090f66.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.44996
Licence: Trial

-System Information-
OS: Windows 10 (Build 19042.1165)
CPU: x64
File System: NTFS
User: User-PC\User

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 312126
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 34 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
 
#6 ·
Hi, James.

NOTE: In order not to have in your reply my instructions, do not click on the Reply button. Just write your reply in the Reply area under the last post and then click on the Post reply button.

Let's continue. Malwarebytes didn't detect anything. Let's see how we move on with AdwCleaner.

1. AdwCleaner (Clean mode)

AdwCleaner detected a potentially unwanted program, having to do with Advanced System Care. I will give you instructions to remove it.

The section at the bottom under Preinstalled Software is software that was apparently installed when the device was new, which you may or may not use. Personally, I don't keep anything I don't need/use, but it is your computer so your decision, as I already told you.

To proceed, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number; the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

2. Fresh FRST logs
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
Note: Do not copy and paste the logs here. Use the Attach files button to attach them. It's easier for me to review them.

In your next reply, please post:
  1. The AdwCleaner[C0*].txt
  2. The fresh FRST logs, Addition and FRST
 
#9 ·
Here we go:

FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [136]
MSCONFIG\Services: TeamViewer => 2
FirewallRules: [TCP Query User{40AAD3D7-52EA-4530-9003-E66B1236D6DA}C:\users\public\desktop\sdio_update\sdio_x64_r715.exe] => (Block) C:\users\public\desktop\sdio_update\sdio_x64_r715.exe => No File
FirewallRules: [UDP Query User{583779DC-EC42-45CC-957B-C960DC6DBFB9}C:\users\public\desktop\sdio_update\sdio_x64_r715.exe] => (Block) C:\users\public\desktop\sdio_update\sdio_x64_r715.exe => No File
FirewallRules: [{B2D7A747-9439-4460-BAA1-D025312332EE}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{BF6E3546-FE15-4763-8C49-7FC7ACD815D2}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File
HKU\S-1-5-21-725688832-2798266748-3951577904-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> 
GroupPolicy: Restriction - Edge <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
Task: {1C9F1EBF-9EA4-4232-B4DD-1DCF28C651FE} - \OneDrive Standalone Update Task-S-1-5-21-725688832-2798266748-3951577904-1001 -> No File <==== ATTENTION
Task: {82A3918F-FA6F-49BF-B353-4F6098330641} - System32\Tasks\TotalAV_OEM_Welcome => C:\Program Files (x86)\TotalAV Welcome OEM\ss-oem.exe
Task: {E18BF8D0-BC92-4CF1-8DBF-3CB86F636B6E} - System32\Tasks\TUDsDownloader => C:\Program Files\Norton Utilities Premium\activesync.exe
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
2021-09-09 16:17 - 2021-09-09 16:18 - 000004484 _____ C:\TDSSKiller.3.1.0.28_09.09.2021_16.17.01_log.txt
2021-09-09 12:07 - 2021-09-09 12:08 - 000004484 _____ C:\TDSSKiller.3.1.0.28_09.09.2021_12.07.54_log.txt
2021-09-09 11:59 - 2021-09-09 12:02 - 000319296 _____ C:\TDSSKiller.3.1.0.28_09.09.2021_11.59.36_log.txt
2021-09-09 11:59 - 2021-09-09 11:59 - 005054744 _____ (AO Kaspersky Lab) C:\Users\User\Downloads\tdsskiller.exe
2021-09-03 14:48 - 2021-09-03 14:48 - 000000000 ____D C:\Users\User\AppData\Local\Tvsukernel
2021-09-03 14:10 - 2021-09-03 14:10 - 000000000 ____D C:\Users\User\AppData\Roaming\iTop Screenshot
2021-09-03 14:10 - 2021-09-03 14:10 - 000000000 ____D C:\Users\User\AppData\LocalLow\iTop Screen Recorder
2021-09-03 14:09 - 2021-09-03 14:10 - 000000000 ____D C:\Users\User\AppData\Roaming\iTop Screen Recorder
2021-09-03 14:09 - 2021-09-03 14:10 - 000000000 ____D C:\ProgramData\iTop
2021-09-03 14:09 - 2021-09-03 14:09 - 000000000 ____D C:\ProgramData\iTop VPN
2021-09-03 14:09 - 2021-09-03 14:09 - 000000000 ____D C:\ProgramData\{150F4013-6884-4350-8DDC-6BFCB4C5DC15}
2021-09-03 14:08 - 2021-09-03 15:05 - 000000000 ____D C:\ProgramData\ProductData
2021-09-03 14:08 - 2021-09-03 14:16 - 000000000 ____D C:\Users\User\AppData\Roaming\instinfo
2021-09-03 14:08 - 2021-09-03 14:08 - 000000000 ____D C:\Users\User\AppData\LocalLow\IObit
2021-09-03 14:07 - 2021-09-03 14:07 - 000000000 ____D C:\ProgramData\{E0224FF9-7AE3-4F9E-991A-2F004F7E3952}
2021-09-03 14:06 - 2021-09-16 16:24 - 000000000 ____D C:\Users\User\AppData\Roaming\IObit
2021-09-03 14:06 - 2021-09-03 14:30 - 000000000 ____D C:\ProgramData\IObit
C:\Program Files (x86)\TotalAV Welcome OEM
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: ipconfig /flushdns
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.
 
#10 ·
Here's the log:
 


#11 ·
Thank you, James.

Let's check the system for corruptions again.
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • Enter the command below and press on Enter
Code:
sfc /scannow
  • Let the scan finish.
  • You will normally get one of the following results:
    Code:
    Windows Resource Protection did not find any integrity violations
    Windows Resource Protection found corrupt files and successfully repaired them
    Windows Resource Protection found corrupt files but was unable to fix some of them
    Windows Resource Protection could not perform the requested operation
  • Please post the result you got (Screenshot)
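The fixlist commands from the earlier post and the sfc /scannow check above can be run from a script so the outcome is logged rather than screenshotted. The PowerShell below is an added example, not code from the thread or from FRST: it runs the same DISM and SFC steps, works around SFC writing UTF-16 to the console (which otherwise garbles captured output), and maps the output onto the four result lines listed above. The function names and the default log path are this example's own assumptions.

```powershell
# Added example, not code from the thread or from FRST. Runs the same DISM and
# SFC repair steps, captures SFC's output and classifies it into the four
# documented outcomes. Needs an elevated (Run as administrator) PowerShell.
# Function names and the default log path are assumptions of this example.

function Get-SfcResultCategory {
    param([Parameter(Mandatory)][string]$SfcOutput)

    # SFC writes UTF-16; if the console decoded it as ANSI, every second
    # character is a NUL. Strip them so the phrases can be matched.
    $text = $SfcOutput -replace "`0", ''

    switch -Regex ($text) {
        'did not find any integrity violations'         { return 'Clean' }
        'found corrupt files and successfully repaired' { return 'Repaired' }
        'found corrupt files but was unable to fix'     { return 'RepairFailed' }
        'could not perform the requested operation'     { return 'ScanFailed' }
        default                                         { return 'Unknown' }
    }
}

function Invoke-IntegrityRepair {
    param(
        [string]$LogPath = "$env:USERPROFILE\Desktop\integrity-$(Get-Date -Format 'yyyyMMdd-HHmm').log"
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell session.'
    }

    # 1. Repair the component store first; SFC takes its known-good copies from it.
    $dism = & dism.exe /Online /Cleanup-Image /RestoreHealth 2>&1 | Out-String

    # 2. Run SFC with the console reading UTF-16 so the captured text is intact.
    $savedEncoding = [Console]::OutputEncoding
    try {
        [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
        $sfc = & sfc.exe /scannow 2>&1 | Out-String
    } finally {
        [Console]::OutputEncoding = $savedEncoding
    }

    $category = Get-SfcResultCategory -SfcOutput $sfc

    # 3. Keep a plain-text log of both steps together with the classified result.
    @"
=== DISM /Online /Cleanup-Image /RestoreHealth ===
$dism
=== SFC /scannow ===
$sfc
=== Result: $category ===
"@ | Set-Content -Path $LogPath -Encoding UTF8

    [pscustomobject]@{ Result = $category; Log = $LogPath }
}

# Usage (elevated):  Invoke-IntegrityRepair
```

The log this writes carries the same four phrases the helper asks for, so it can be pasted into a reply instead of a screenshot; the category value is what you would key an automated health check on.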
 
#13 ·
Hi, James.

The system seems fine, no corruptions/errors found.

In addition, there is no evidence of an active infection.

Just to ensure the above, let's do an online scan.

ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

In your next reply please post:
  1. The eset.txt
  2. Feedback: How is the computer running now? Any remaining issues/questions/concerns
 
#14 ·
Hi, James.

The system seems fine, no corruptions/errors found.

In addition, there is no evidence of an active infection.

Just to ensure the above, let's do an online scan.

ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

In your next reply please post:
  1. The eset.txt
  2. Feedback: How is the computer running now? Any remaining issues/questions/concerns
I have attached the eset.txt file.

A further issue with my laptop that I could also add to the list is that an indicator light regularly comes on to say that the laptop is busy but if you look under Task Manager the laptop does not seem to be busy at all. I don't know if this issue has changed at all recently, but I'll keep an eye on it.
 


#16 ·
Hello, James.

I'm surprised that the scan (see my last post containing the eset.txt file) revealed that malware/adware could be contained within my security software itself.
You are certainly right about that. However, nothing to worry about, since the detection is a false-positive, and you can restore the file following the instructions here.

From the Eset's site:
The tool is detected as a potentially unsafe application. It's not detected with default settings. Potentially unsafe applications cover legit tools that can be misused in the wrong hands. We recommend creating a detection exclusion.
The computer is clean. There is nothing to indicate an infection. The issues you are dealing with (shutdown, wifi, camera/microphone etc.) are not related to malware. If all these make your work on the computer difficult, I recommend you open a thread in the Windows 10 Forum, saying that you have already checked the computer for malware.

The only remaining thing, is your computer's upgrade. You are still running version 20H2, while the latest one is 21H1. It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer.

To upgrade now:
  • Go to this Microsoft page and under the title Create Windows 10 installation media press on Download tool now.
  • Save the tool on your Desktop and double click to run it.
  • On the License terms page, if you accept the license terms, select Accept.
  • On the What do you want to do page, select Upgrade this PC now, and then select Next.
  • Follow the instructions and select Keep personal files and apps, when you are asked to.
  • It might take a couple of hours, depending on your wifi speed connection, to install Windows 10. Your PC will restart a few times. Make sure you don't turn off your PC.
  • After downloading and installing, the tool will walk you through how to set up Windows 10 on your PC.

In case you don't want to upgrade now, let me know so I can give you the final instructions, including removing the tools and creating a restore point.
 
#17 ·
You are certainly right about that. However, nothing to worry about, since the detection is a false-positive, and you can restore the file following the instructions here.

To upgrade now:
  • Go to this Microsoft page and under the title Create Windows 10 installation media press on Download tool now.
  • Save the tool on your Desktop and double click to run it.
  • On the License terms page, if you accept the license terms, select Accept.
  • On the What do you want to do page, select Upgrade this PC now, and then select Next.
  • Follow the instructions and select Keep personal files and apps, when you are asked to.
  • It might take a couple of hours, depending on your wifi speed connection, to install Windows 10. Your PC will restart a few times. Make sure you don't turn off your PC.
  • After downloading and installing, the tool will walk you through how to set up Windows 10 on your PC.

In case you don't want to upgrade now, let me know so I can give you the final instructions, including removing the tools and creating a restore point.
Wasn't able to restore the quarantined ESET file, even while running as administrator.

Upgraded to 21H1. It took almost all day.
 
#18 ·
Hi, James.

What happened when you tried to follow the steps to restore the file?

Even if the specific file stays in quarantine, your general security is not affected anyway.

Upgraded to 21H1. It took almost all day.
Yes, this is usual when you are applying major/critical updates. Well done! Good job!

By the way, now you got the latest upgrade, is the performance better than before? Any of your issues solved?
 
#19 ·
Hi, James.

What happened when you tried to follow the steps to restore the file?

Even if the specific file stays in quarantine, your general security is not affected anyway.

Yes, this is usual when you are applying major/critical updates. Well done! Good job!

By the way, now you got the latest upgrade, is the performance better than before? Any of your issues solved?
It appears I can still not run my internal camera and microphone. Also there still does not appear to be a direct method available in the OS under Settings for turning off Auto-Shutdown. I'll have to keep an eye over time on the other issues, such as various status indicator lights being on when they shouldn't be.

I ran ESET as administrator but it still didn't allow me to restore the quarantined file. Here's a screenshot:

 
#20 ·
Leave the Norton file there. It won't affect your security.

Now we know the computer is clean and updated, let's check some things about your other issues.

Auto Shut-down

What do you mean exactly? The computer shuts down suddenly? Or sleep? Or hibernate?

In the Search area type Power & Sleep options and choose it from the list.

Check what the options are there and make the changes you want.

You can also choose Additional power settings from the right column and see also what options are there.
 
#22 ·
James,

In order to reply without my replies in your post, please do not click on the Reply button. Instead, write your reply in the Reply area at the end of the topic and then click on the Post reply button.

You didn't tell me: What do you mean by auto shut down? The computer shuts down suddenly? Or sleep? Or hibernate?
 
#24 ·
It would be useful to mention what you have already tried.

This usually cancels the auto-shutdown:
  • Press the Windows logo key on the keyboard, together with the letter R, to open the RUN window.
  • In the empty space copy and paste shutdown -a and OK.
  • After clicking on the OK button or pressing the enter key, the auto-shutdown schedule or task will be canceled automatically.
 
#25 ·
It would be useful to mention what you have already tried.

This usually cancels the auto-shutdown:
  • Press the Windows logo key on the keyboard, together with the letter R, to open the RUN window.
  • In the empty space copy and paste shutdown -a and OK.
  • After clicking on the OK button or pressing the enter key, the auto-shutdown schedule or task will be canceled automatically.
This was one of the recommended fixes given online. There are other variations of this one as well.

However I'll try it again and see what happens.
 
#29 ·
Hi, James.

Here is an article which can shed some light on your issue: Why does my computer turn off without warning?

As you can see, many reasons can cause the auto-shut down, and since the command we used didn't work, I think that the issue has nothing to do with an actual auto-shut-down enabled option.

If you want, you can ask for help in the Windows 10 Forum. Perhaps someone there can assist you more effectively on that.

Since the computer is clean, let's finish the procedure here.

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.
 
#30 ·
Here is an article which can shed some light on your issue: Why does my computer turn off without warning?

As you can see, many reasons can cause the auto-shut down, and since the command we used didn't work, I think that the issue has nothing to do with an actual auto-shut-down enabled option.

If you want, you can ask for help in the Windows 10 Forum. Perhaps someone there can assist you more effectively on that.
The webpage you quote doesn't really cover the issue I have. The webpage in question covers sudden shutdowns while you are actually using your laptop, not shutdowns that occur when the laptop has been idle for say three hours.

However the webpage also says the following about unscheduled shutdowns:

Your computer may be infected with a virus or other malware that is designed to shut down your computer upon certain conditions. If your computer seems to be turning off when executing a certain program at specific times of the day, it could be infected.

If you believe your computer may be infected with a virus, download a free scanner. If you already have one installed, make sure your virus scanner definitions are up-to-date, then run a full scan.
I have in fact already raised this issue on the Windows 10 Forum. Here is the link:

Couple of annoying problems on Windows 10
 
#32 ·
The webpage you quote doesn't really cover the issue I have. The webpage in question covers sudden shutdowns while you are actually using your laptop, not shutdowns that occur when the laptop has been idle for say three hours.
This is the FIRST time in this topic you say that the computer shuts down after being inactive/idle for 3 hours. Was that so difficult? I asked you so many times to describe what is happening in detail...

Also you never told me that you already have an open thread about your issues. Even when I asked you to tell me what things you have tried.

Bear in mind that describing your issues in detail is of great importance and can save time for both you and the person who helps you. You don't just go to the doctor saying "I feel sick". You explain the symptoms.

Anyway.

Try this:
  • In the Search area type Power & Sleep options and choose it from the list.
  • Choose Additional Power Settings from the right column menu.
  • Choose Change Plan Settings for the plan you have already chosen (Balanced I guess).
  • Change Advanced Power Settings.
  • Expand the Sleep option.
  • Expand Hibernate after.
  • Click the field and select the whole number of minutes - You probably have "180", so select this and delete.
  • Type Never then hit the Apply button
  • OK.
Result?

How will resetting my system restore points affect my 21H1 Windows 10 upgrade?
By using the tool above, a new restore point will be created with the computer in this healthy condition where it is now. It is something necessary after a cleaning procedure comes to an end. Your Windows version/upgrade has nothing to do with that. So please, go on to run KpRm.
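The Hibernate-after setting walked through above, and the shutdown -a command from the earlier post, can both be checked from PowerShell so the cause of a timed shutdown is read off rather than guessed. The script below is an added example, not from the thread: it reads the current Hibernate-after timeout for both power sources (the "180" minutes in the UI is stored by powercfg as 10800 seconds), lists any scheduled task whose action launches shutdown.exe, and can set the timeout to Never. The function names, and the assumption about shutdown.exe's exit code, are this example's own.

```powershell
# Added example, not from the thread: inspect the two things that make an idle
# laptop "auto shut down" - the Hibernate-after timeout the helper pointed at
# and any scheduled task that launches shutdown.exe - and set the timeout to
# Never. Reading works unelevated; changing it needs an elevated session.
# Function names are assumptions of this example.

function Get-HibernateTimeout {
    # powercfg reports the current value as a hex index in seconds, e.g.
    # "Current AC Power Setting Index: 0x00002a30" = 10800 s = the "180" minutes
    # seen in the Hibernate-after field. 0 means Never.
    $out = & powercfg.exe /query SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 2>&1 | Out-String
    $result = [ordered]@{}
    foreach ($source in 'AC', 'DC') {
        $m = [regex]::Match($out, "Current $source Power Setting Index:\s*0x([0-9a-fA-F]+)")
        $result["${source}Minutes"] = if ($m.Success) { [Convert]::ToInt64($m.Groups[1].Value, 16) / 60 } else { $null }
    }
    [pscustomobject]$result
}

function Get-ShutdownTasks {
    # Scheduled tasks are the other common source of a timed shutdown; list any
    # whose action runs shutdown.exe, with the exact command line for review.
    $command = @{
        Name       = 'Command'
        Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }
    }
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'shutdown' }
    } | Select-Object TaskName, TaskPath, State, $command
}

function Set-HibernateTimeoutNever {
    # Same effect as typing Never into Hibernate-after, for plugged-in and battery.
    & powercfg.exe /change hibernate-timeout-ac 0
    & powercfg.exe /change hibernate-timeout-dc 0
    Get-HibernateTimeout
}

function Stop-PendingShutdown {
    # PowerShell form of the shutdown -a the thread used. Assumed: shutdown.exe
    # exits with the Win32 code 1116 (ERROR_NO_SHUTDOWN_IN_PROGRESS) when
    # there was nothing to cancel.
    & shutdown.exe /a 2>&1 | Out-Null
    switch ($LASTEXITCODE) {
        0       { 'A pending shutdown was cancelled.' }
        1116    { 'No shutdown was pending.' }
        default { "shutdown.exe exited with code $LASTEXITCODE" }
    }
}

# Usage:
#   Get-HibernateTimeout
#   Get-ShutdownTasks
#   Set-HibernateTimeoutNever   # elevated
```

Running Get-HibernateTimeout before and after the UI change documents that the timeout, not malware, is what was putting the laptop into hibernation; Get-ShutdownTasks covers the case where the idle-time shutdown was instead scheduled by a task.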
 
#34 ·
Try this:
  • In the Search area type Power & Sleep options and choose it from the list.
  • Choose Additional Power Settings from the right column menu.
  • Choose Change Plan Settings for the plan you have already chosen (Balanced I guess).
  • Change Advanced Power Settings.
  • Expand the Sleep option.
  • Expand Hibernate after.
  • Click the field and select the whole number of minutes - You probably have "180", so select this and delete.
  • Type Never then hit the Apply button
  • OK.
Result?
I'm trying the set Hibernate to Never method detailed above and will report back.
 
#33 ·
I've just run an ESET malware scan again, running a quick scan.

After downloading the latest updates, ESET detected a second PUP. Both PUPs are of the same identical type and both are also present in a Norton 360 file.

Here's the log:

22/09/2021 15:56:45
Files scanned: 12903
Detected files: 2
Cleaned files: 0
Total scan time 00:38:00
Scan status: Finished
C:\Program Files\Norton Security\Engine\22.21.6.53\NCrypt.exe a variant of Win64/CoinMiner.RH potentially unwanted application error while cleaning (Access denied)

C:\Program Files\Norton Security\Engine\22.21.8.62\NCrypt.exe a variant of Win64/CoinMiner.RH potentially unwanted application error while cleaning (Access denied)

P.S. Yet to run KpRm.
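The ESET scan steps given earlier produce log lines like the two above, and the helper's point in the next posts is that a "potentially unwanted application" hit on a file inside an installed security product is a false positive to exclude, not an infection. The PowerShell below is an added example, not from the thread or from ESET: it parses ESET Online Scanner detection lines into path, detection and action, and triages each one (PUA inside a security product's directory, other PUA, or real malware) and records whether ESET actually removed it. ESET's own log separates the three fields with tabs; the forum copy lost them, so the pattern accepts any whitespace and anchors on the action keywords. The function names, the security-product path list and the third sample line are this example's own assumptions.

```powershell
# Added example, not from the thread or from ESET: parse ESET Online Scanner
# detection lines like the ones posted above and triage each one. ESET's own
# log separates path, detection and action with tabs; the forum copy lost them,
# so the regex accepts any whitespace and anchors on ESET's action keywords.
# The function names, the security-product path list and the third sample
# line are assumptions of this example.

$SecurityProductPaths = @(   # assumed: directories of legitimately installed security products
    'C:\Program Files\Norton Security\',
    'C:\Program Files\Malwarebytes\',
    'C:\Program Files\ESET\'
)

function ConvertFrom-EsetLogLine {
    param([Parameter(Mandatory)][string]$Line)

    $pattern = '^(?<Path>[A-Za-z]:\\.+?)\s+' +
               '(?<Detection>(?:probably )?(?:a variant of )?[\w\-/.]+' +
               '(?: (?:potentially unwanted|potentially unsafe) application| application| trojan| worm)?)\s+' +
               '(?<Action>(?:error while cleaning|cleaned by deleting|deleted|quarantined|unable to clean|action selection postponed).*)$'
    $m = [regex]::Match($Line.Trim(), $pattern)
    if (-not $m.Success) { return $null }

    $path      = $m.Groups['Path'].Value
    $detection = $m.Groups['Detection'].Value
    $action    = $m.Groups['Action'].Value

    # PUA / PUsA means "legitimate tool that could be misused", not malware.
    $isPua = $detection -match 'potentially (unwanted|unsafe) application'
    $inSecurityProduct = [bool]($SecurityProductPaths |
        Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

    if ($isPua -and $inSecurityProduct) {
        $triage = 'Likely false positive: PUA flag on a security-product file; confirm the file is signed by the vendor and add an exclusion'
    } elseif ($isPua) {
        $triage = 'Review: unwanted application; remove unless you installed it on purpose'
    } else {
        $triage = 'Malware detection: treat as a real infection and investigate'
    }

    [pscustomobject]@{
        Path      = $path
        Detection = $detection
        IsPua     = $isPua
        Removed   = ($action -notmatch '^(error|unable)')
        Action    = $action
        Triage    = $triage
    }
}

function Get-EsetTriage {
    param([Parameter(Mandatory)][string]$LogText)
    $LogText -split "`r?`n" |
        Where-Object { $_ -match '^[A-Za-z]:\\' } |
        ForEach-Object { ConvertFrom-EsetLogLine -Line $_ } |
        Where-Object { $_ }
}

# Constructed sample: the two Norton lines from the post above plus one invented
# adware line (file name and detection name are made up, for contrast).
$SampleEsetLog = @"
Scan status: Finished
C:\Program Files\Norton Security\Engine\22.21.6.53\NCrypt.exe`ta variant of Win64/CoinMiner.RH potentially unwanted application`terror while cleaning (Access denied)
C:\Program Files\Norton Security\Engine\22.21.8.62\NCrypt.exe`ta variant of Win64/CoinMiner.RH potentially unwanted application`terror while cleaning (Access denied)
C:\Users\User\Downloads\example_bundle.exe`tWin32/ExampleAdware.A application`tcleaned by deleting
"@

Get-EsetTriage -LogText $SampleEsetLog | Format-List
```

For the two Norton lines this yields IsPua true, Removed false (the "Access denied" is ESET failing to touch a file the installed antivirus protects) and the false-positive triage; the invented third line shows what a genuine, successfully cleaned detection looks like next to them. Pass the contents of eset.txt to Get-EsetTriage to run it over a real log.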
 
#35 ·
Running Eset again was unnecessary, but it gave me the opportunity to realize that although Eset detected those files, it didn't delete them (Access denied) since they are part of your antivirus. That's why you couldn't restore it from Quarantine the first time. There wasn't anything there to be restored. So, all good. (y)

I'm trying the set Hibernate to Never method detailed above and will report back.
Perfect. Was it set to 180 minutes?
 
#39 ·
It was set to 180 minutes or 3 hours which coincidentally was about the same time the laptop auto-shutdown each time.
The laptop did not auto-shutdown after more than 3 hours last night so it seems to have worked. Thanks for the suggestion.
See why describing an issue in detail is important? Glad it worked! You can update the topic in the Windows 10 Forum, saying that the issue is resolved.

KpRm removed the ESET software but left Malwarebytes untouched. The "Malwarebytes Anti-Rootkit" it refers to in the log as having been deleted, is a more specialist anti-rootkit from Malwarebytes I downloaded earlier before our dialogue started.
I know. KpRm removes any tool (and log) which can't be used as it is at any time. These tools very often get updates which make an older version useless. Malwarebytes is different. You can keep it as an on-demand scanner and use it whenever you want.

So...

Are we fine now? Any other question?
 
#41 ·
I'm still convinced I may have had spyware on my laptop. Just because it evaded detection doesn't mean it didn't exist.
We have made multiple checks with specialized tools and nothing indicates an infection. The computer is clean, and therefore I mark this topic as Solved.

If you are not convinced, then you can always re-install your operating system.

Take care.
 