
Not Sure What I'm Dealing With Here....But I'm Deeply Worried

crdownload malware vanishing


#1 Waste of Space (Member, 56 posts)

Hi. I was downloading a few Gifs from Google Images onto my PC this morning, to use in response to the Happy New Year Gifs which various people had used to wish me all the best for 2020 via Facebook Messenger.

Now whenever I download anything at all from the internet, I always scan it with Malwarebytes Premium before opening it, whatever it might be. On this occasion, something unnervingly weird happened. After downloading (apparently from a website called Tenor) a Gif showing someone taking a bow, I clicked on 'show in folder' and was immediately shown what purported to be the file sitting there in my Downloads - but when I right-clicked on it and selected 'Scan with Malwarebytes', up popped a box containing the following words:

bowing2.gif.crdownload     size 985 KB    Date modified 01/10/2020  11:17

Could not find this item. This is no longer located in C:\Users\Home\Downloads.

Verify the item's location and try again.

Horrified, I then tried using the search box (Windows 7) to locate the file, using the name bowing2.gif.crdownload, but drew a complete blank. I then tried searching 'bowing 2.gif' (the name I gave the file when I downloaded it), then 'bowing2.gif.crd' and then just plain 'bowing2', but none of them got a result.

When I again tried right-clicking the downloaded file as shown in my Downloads and selected 'Scan with Malwarebytes' again, this time nothing at all happened, which unnerved me still further.

I'm now seriously worried, because I'm guessing the file has a mind of its own and has hidden itself in my PC. Perhaps it's even knocked out part of Malwarebytes Premium.

Any advice you can offer me will be very gratefully received.

Edited by Waste of Space, 01 January 2020 - 08:24 AM.


#2 Waste of Space (Topic Starter, Member, 56 posts)

IMPORTANT: I now find that when I click at the top of the Google screen to open a new tab, the new tab is plain blue for a few seconds before resolving itself into a normal Google search screen. I don't mean the blue screen of death - I mean a normally-configured Google search screen, but with only blue between the topmost fields and the bottommost.

I ran a full Malwarebytes Premium scan, but it detected nothing at all, which to me suggests that it's simply blind to the problem. Perhaps it's even been blinded by whatever that file I downloaded was. Man, am I worried.

Heeeeeelllppp!

Edited by Waste of Space, 01 January 2020 - 06:41 AM.

#3 Waste of Space (Topic Starter, Member, 56 posts)

UPDATE: Three hours after I downloaded the Gif, it has now materialised properly in my Downloads, with the name Bowing 2.gif. It has the appearance of a perfectly normal Gif, with the image showing clearly as a large icon on my list of Downloads - and when I scanned it with Malwarebytes Premium it checked out as okay. But when I initially downloaded it, there was no image at all in the large icon and, as aforesaid, it technically wasn't even there.

I fear that the original file was some sort of program, which in the last three hours has somehow separated the Gif from itself and placed it in my list of Downloads as a blind. All newly opened Google tabs are still showing as large blue rectangles. To put it mildly, I don't feel I can safely switch my PC off until whatever it is that's causing this problem has been completely expunged - but I don't know what I'm looking for or even how to look for it.

Yikes.

Edited by Waste of Space, 01 January 2020 - 10:05 AM.

#4 RKinner (Malware Expert, 22,916 posts, MVP)

FYI: Replying to your own post takes it off the list of Unreplied Topics, which is what we use to find new posts to work on. Also, we want to see a FRST log and Addition.txt log in your first post.

  • Get FRST from http://www.bleepingc...very-scan-tool/ You need to download the appropriate tool for your PC. If you don't know if you have a 32 or 64 bit system, get them both. Only one will work and that's the right one.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Check the Addition.txt box
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • It will generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
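Added example, not code from this thread or from FRST's author: a small Python triage script for the FRST.txt / Addition.txt logs the steps above produce. It splits the log on its "==== Section ====" rulers and lists the lines an analyst checks first: entries FRST itself marks "<==== ATTENTION", orphaned "=> No File" / "[No File]" registrations, services with no ImagePath, autorun entries with no "[size date]" metadata, and disabled products under Security Center. The sample excerpt is taken from the log posted later in this thread; the "autorun without metadata" rule is my own heuristic, not an FRST convention.

```python
"""Triage helper for FRST.txt / Addition.txt output (added example; this is
not part of the forum thread and not a feature of FRST itself)."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")          # "==== Registry (Whitelisted) ===="
RUN_RE = re.compile(r"\\Run: \[[^\]]*\] => (?P<cmd>.*)$")    # autorun entries
META_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\]")           # "[size yyyy-mm-dd]" FRST adds when it found the file


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_sections(text):
    """Return {section title: [entry lines]} in log order.  Blank lines, '='
    rulers and FRST's own "(If an entry is included in the fixlist ...)"
    explanations are dropped; everything before the first ruler is 'Header'."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.startswith("(If ") or line.startswith("(There is"):
            continue
        else:
            sections[current].append(line)
    return sections


def classify(section, line):
    """Map one log line to a triage reason, or None if nothing stands out."""
    if "<==== ATTENTION" in line:
        return "flagged by FRST"
    if line.endswith("=> No File") or "[No File]" in line:
        return "orphaned entry: registered but file missing"
    if line.endswith("no ImagePath"):
        return "service/driver registration without an ImagePath"
    m = RUN_RE.search(line)
    if m and not META_RE.search(m.group("cmd")):
        # Heuristic (mine, not FRST's): FRST appends "[size date] (signer)" when
        # it can resolve the target, so a bare command line deserves a manual look.
        return "autorun without file metadata: verify the target exists"
    if section.startswith("Security Center") and "(Disabled" in line:
        return "protection product disabled"
    return None


def triage(text):
    """All findings in log order; an empty list means nothing was flagged."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            reason = classify(section, line)
            if reason:
                findings.append(Finding(section, reason, line))
    return findings


# Excerpt of the FRST.txt / Addition.txt posted in this thread, used as sample input.
SAMPLE = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-12-2019
==================== Registry (Whitelisted) ===================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13876952 2015-04-13] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
GroupPolicy: Restriction - Chrome <==== ATTENTION
==================== Internet (Whitelisted) ====================
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
===================== Drivers (Whitelisted) ===================
R2 speedfan; C:\Windows\SysWOW64\speedfan.sys [28664 2012-12-29] (SOKNO S.R.L. -> Almico Software)
U1 aswbdisk; no ImagePath
==================== Security Center ========================
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Paste a real FRST.txt into SAMPLE (or read it from disk) to get the same shortlist; the ATTENTION and No File lines are the ones the helpers on this forum typically address first.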

#5 Waste of Space (Topic Starter, Member, 56 posts)

Many thanks for bringing your brain to bear on my behalf. And I duly take your point re. my initial three posts having created the illusion of my original post's having been addressed already.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-12-2019
Ran by Home (administrator) on HOME-PC (Hewlett-Packard HP Compaq dc7600 Small Form Factor) (02-01-2020 16:58:50)
Running from C:\Users\Home\Desktop
Loaded Profiles: Home (Available Profiles: Home)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Adobe Inc. -> Adobe Systems) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Hewlett-Packard Company -> Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation -> Intel Corporation) C:\Windows\System32\igfxtray.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Piriform Software Ltd -> Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Tweaking LLC -> Tweaking.com) C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe
 
==================== Registry (Whitelisted) ===================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13876952 2015-04-13] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard Company -> Hewlett-Packard)
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
HKU\S-1-5-21-2588259368-3398593882-3987161955-1000\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [24552064 2019-10-14] (Piriform Software Ltd -> Piriform Ltd)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\79.0.3945.88\Installer\chrmstp.exe [2019-12-19] (Google LLC -> Google LLC)
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{A6EADE66-0000-0000-484E-7E8A45000000}] -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll [2019-05-03] (Adobe Inc. -> Adobe Systems, Inc.)
Startup: C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 1510 series.lnk [2020-01-02]
ShortcutAndArgument: Monitor Ink Alerts - HP Deskjet 1510 series.lnk -> C:\Windows\system32\RunDll32.exe => "C:\Program Files\HP\HP Deskjet 1510 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN4151HGH805YR;CONNECTION=USB;MONITOR=1;
GroupPolicy: Restriction - Chrome <==== ATTENTION
 
==================== Scheduled Tasks (Whitelisted) ============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {072D3419-8609-4AA2-B039-CC75F422D9C1} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1240656 2019-09-10] (Adobe Inc. -> Adobe Systems)
Task: {2D8CA166-C188-4D7B-881F-A9CC892E2840} - System32\Tasks\HP AR Program Upload - d77dc0b23f0d4a4b94de0fa08ed7689af165f4121cc840c688d280268f118f2f => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [3492896 2013-08-13] (Hewlett Packard -> TODO: <Company name>)
Task: {43654E2F-519D-4AD2-BF48-7BD902E39559} - System32\Tasks\HP AR Program Upload - 266169d4c15d42d98792b69faaad09be883dac1ca9ac47ffb31a810d10c5c602 => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [3492896 2013-08-13] (Hewlett Packard -> TODO: <Company name>)
Task: {44D105E0-75E6-4FAD-BAA2-0988B1135112} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [608384 2019-10-14] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {4EE0C47D-D5F8-41BB-B88F-F1FE50254605} - System32\Tasks\HP AR Program Upload - 412f8083798a4cad91a5e9942b6e307528704b1ebe5a4257875f2b0ba3ec8c9e => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [3492896 2013-08-13] (Hewlett Packard -> TODO: <Company name>)
Task: {5346CDAE-5D3E-47E4-B9D2-1F20D0D8060F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [107848 2015-04-06] (Google Inc -> Google Inc.)
Task: {57F886DD-0CD0-4D95-ADC6-756BAD8B20C7} - System32\Tasks\HP AR Program Upload - ed225ec28faa4de69aa38a7e71c12cf8fbd59866eac840578c7dc320e8048fd7 => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [3492896 2013-08-13] (Hewlett Packard -> TODO: <Company name>)
Task: {5C2F98BA-6F03-43DB-B5F5-B5A1B3B32F4D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [107848 2015-04-06] (Google Inc -> Google Inc.)
Task: {60EC4C7F-10BE-4CD5-8B26-ACD91A6EE670} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [335416 2019-12-10] (Adobe Inc. -> Adobe)
Task: {652F600F-48EC-455F-BD1C-55B50C2C0B9C} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [1873288 2019-09-19] (AVAST Software s.r.o. -> AVAST Software)
Task: {66AAD051-6D69-4BC2-94C9-C8E1973FD764} - System32\Tasks\Tweaking.com - Windows Repair Tray Icon => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe [220816 2019-09-30] (Tweaking LLC -> Tweaking.com)
Task: {67934227-D99D-42D8-81D3-BB913E3104FE} - System32\Tasks\HP AR Program Upload - 1e1e7a7c909a4ae68da027dd08f32babfc802297b6164a46b816d00de090c741 => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [3492896 2013-08-13] (Hewlett Packard -> TODO: <Company name>)
Task: {6AD0EE2C-4DE4-47E6-864F-28D7CDA2CD5B} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_32_0_0_303_pepper.exe [1453112 2019-12-10] (Adobe Inc. -> Adobe)
Task: {712F7E10-29FD-4F02-8024-D9D006EBDC84} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [18458752 2019-10-14] (Piriform Software Ltd -> Piriform Ltd)
Task: {758E6F9E-1A23-487C-8504-742D9F7A50C6} - System32\Tasks\HP AR Program Upload - f35b06af1f374e60a3ad414eb5c3d41a032fd27133d3434f9bd8aff3d42a6c4f => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [3492896 2013-08-13] (Hewlett Packard -> TODO: <Company name>)
Task: {973746E5-6FC0-46B7-BD31-7824DF328A7F} - System32\Tasks\HP AR Program Upload - baad65bec35348a59e75f47e0acd9b4411d2b698a054484f83cf61d4d95229a3 => C:\Program Files\HP\HP Deskjet 1510 series\bin\HPRewards.exe [3492896 2013-08-13] (Hewlett Packard -> TODO: <Company name>)
Task: {B3CD23D6-9B82-47F4-8F5E-B213D1251910} - System32\Tasks\HPCustParticipation HP Deskjet 1510 series => C:\Program Files\HP\HP Deskjet 1510 series\Bin\HPCustPartic.exe [5642272 2013-08-13] (Hewlett Packard -> Hewlett-Packard Co.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5 09 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL => No File 
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{740F530B-DDF1-4488-8868-BA63A715455B}: [DhcpNameServer] 192.168.0.1
 
Internet Explorer:
==================
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc. -> Belarc, Inc.)
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @videolan.org/vlc,version=3.0.6 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2019-01-10] (VideoLAN -> VideoLAN)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.35.422\npGoogleUpdate3.dll [2019-12-13] (Google LLC -> Google LLC)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.35.422\npGoogleUpdate3.dll [2019-12-13] (Google LLC -> Google LLC)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2019-12-02] (Adobe Inc. -> Adobe Systems Inc.)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default [2020-01-02]
CHR Extension: (Slides) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-13]
CHR Extension: (Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-13]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Sheets) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-13]
CHR Extension: (AdBlock — best ad blocker) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2019-12-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-10-04]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-04-24]
CHR Extension: (Chrome Media Router) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-12-12]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]
 
==================== Services (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [6960640 2019-11-17] (Malwarebytes Inc -> Malwarebytes)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294104 2015-04-10] (Realtek Semiconductor Corp -> Realtek Semiconductor)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Windows -> Microsoft Corporation)
 
===================== Drivers (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [153312 2019-12-20] (Malwarebytes Corporation -> Malwarebytes)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [216544 2019-12-20] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [224408 2020-01-02] (Malwarebytes Corporation -> Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [73584 2020-01-02] (Malwarebytes Corporation -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [278344 2020-01-02] (Malwarebytes Inc -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [106344 2020-01-02] (Malwarebytes Corporation -> Malwarebytes)
R2 speedfan; C:\Windows\SysWOW64\speedfan.sys [28664 2012-12-29] (SOKNO S.R.L. -> Almico Software)
S3 USBET; C:\Windows\System32\DRIVERS\ETdrv.sys [6423936 2013-02-04] (Microsoft Windows Hardware Compatibility Publisher -> Etron)
U1 aswbdisk; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One month (created) ===================
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2020-01-02 16:58 - 2020-01-02 17:00 - 000014924 _____ C:\Users\Home\Desktop\FRST.txt
2020-01-02 16:57 - 2020-01-02 16:57 - 002272256 _____ (Farbar) C:\Users\Home\Desktop\FRST64.exe
2020-01-02 09:12 - 2020-01-02 09:12 - 000073584 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2020-01-02 09:11 - 2020-01-02 09:11 - 000224408 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2020-01-02 09:11 - 2020-01-02 09:11 - 000106344 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2020-01-02 09:06 - 2020-01-02 09:06 - 000278344 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2019-12-22 14:30 - 2019-12-22 14:31 - 000000000 ____D C:\Users\Home\Documents\Flat 1 Cat 22 Dec 19
2019-12-20 16:35 - 2019-12-20 16:35 - 000216544 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2019-12-16 10:03 - 2019-12-16 10:03 - 000402705 _____ C:\Users\Home\Downloads\2112757_17ReceptionistWardCoreJDPSOct1817B2.pdf
2019-12-13 09:56 - 2019-12-29 13:11 - 000000000 ____D C:\Users\Home\Documents\Jobs Applied For Dec 2019
2019-12-07 12:28 - 2019-12-07 12:28 - 000286720 _____ C:\Users\Home\Documents\Database3.accdb
2019-12-05 11:20 - 2019-12-07 12:28 - 000299008 _____ C:\Users\Home\Documents\Database2.accdb
2019-12-05 10:47 - 2019-12-05 10:47 - 000383156 _____ C:\Users\Home\Downloads\2135112_JDPS.pdf
2019-12-03 09:05 - 2019-12-03 09:05 - 000077205 _____ C:\Users\Home\Downloads\Visitor Welcome Assistant - Grade 11.pdf
 
==================== One month (modified) ==================
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2020-01-02 16:59 - 2016-09-18 06:31 - 000000000 ____D C:\FRST
2020-01-02 14:59 - 2014-11-30 23:33 - 000088152 _____ C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2020-01-02 09:28 - 2009-07-14 04:45 - 000028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2020-01-02 09:28 - 2009-07-14 04:45 - 000028352 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2020-01-02 09:10 - 2009-07-14 05:13 - 000776356 _____ C:\Windows\system32\PerfStringBackup.INI
2020-01-02 09:10 - 2009-07-14 03:20 - 000000000 ____D C:\Windows\inf
2020-01-02 09:05 - 2009-07-14 05:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2020-01-02 09:05 - 2009-07-14 04:45 - 000356016 _____ C:\Windows\system32\FNTCACHE.DAT
2020-01-02 08:59 - 2009-07-14 02:34 - 000000538 _____ C:\Windows\win.ini
2019-12-29 13:07 - 2019-08-21 08:28 - 000000000 ____D C:\Users\Home\Documents\CVs 2019
2019-12-27 13:46 - 2016-07-12 18:16 - 000000000 ____D C:\Users\Home\Documents\Architectural Insides and Outsides
2019-12-26 11:08 - 2019-07-06 10:02 - 000011110 _____ C:\Users\Home\Documents\Albums.xlsx
2019-12-25 16:57 - 2015-04-29 05:45 - 000000000 ____D C:\Users\Home\AppData\Roaming\vlc
2019-12-25 15:15 - 2015-07-23 18:30 - 000000000 ____D C:\Users\Home\AppData\Roaming\dvdcss
2019-12-25 10:03 - 2018-03-28 16:58 - 000003870 _____ C:\Windows\system32\Tasks\CCleaner Update
2019-12-25 10:03 - 2015-07-25 18:29 - 000000822 _____ C:\Users\Public\Desktop\CCleaner.lnk
2019-12-25 10:03 - 2015-07-25 18:29 - 000000822 _____ C:\ProgramData\Desktop\CCleaner.lnk
2019-12-25 10:03 - 2015-07-25 18:29 - 000000000 ____D C:\Program Files\CCleaner
2019-12-24 07:13 - 2009-07-14 02:34 - 000000855 _____ C:\Windows\system32\Drivers\etc\hosts_bak_747
2019-12-20 16:34 - 2019-07-04 12:06 - 000153312 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbae64.sys
2019-12-19 20:05 - 2015-04-06 09:36 - 000002224 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2019-12-19 20:05 - 2015-04-06 09:36 - 000002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2019-12-19 20:05 - 2015-04-06 09:36 - 000002183 _____ C:\ProgramData\Desktop\Google Chrome.lnk
2019-12-19 17:16 - 2015-06-14 08:28 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2019-12-16 07:02 - 2009-07-14 02:34 - 000000855 _____ C:\Windows\system32\Drivers\etc\hosts_bak_385
2019-12-13 19:58 - 2015-04-06 09:35 - 000003334 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA
2019-12-13 19:58 - 2015-04-06 09:35 - 000003206 _____ C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore
2019-12-12 16:39 - 2019-07-20 08:00 - 000010219 _____ C:\Users\Home\Documents\Tracks.xlsx
2019-12-10 15:46 - 2018-12-17 08:45 - 000842296 _____ (Adobe) C:\Windows\SysWOW64\FlashPlayerApp.exe
2019-12-10 15:46 - 2018-12-17 08:45 - 000175160 _____ (Adobe) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2019-12-10 15:46 - 2018-12-17 08:45 - 000004470 _____ C:\Windows\system32\Tasks\Adobe Flash Player PPAPI Notifier
2019-12-10 15:46 - 2018-12-17 08:45 - 000004324 _____ C:\Windows\system32\Tasks\Adobe Flash Player Updater
2019-12-10 15:46 - 2018-12-17 08:42 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2019-12-10 15:46 - 2018-12-17 08:42 - 000000000 ____D C:\Windows\system32\Macromed
2019-12-08 09:03 - 2009-07-14 02:34 - 000000855 _____ C:\Windows\system32\Drivers\etc\hosts_bak_633
2019-12-08 07:53 - 2009-07-14 02:34 - 000000855 _____ C:\Windows\system32\Drivers\etc\hosts_bak_268
2019-12-07 12:28 - 2016-07-05 11:04 - 000487424 _____ C:\Users\Home\Documents\Database1.accdb
2019-12-07 12:27 - 2017-01-05 16:37 - 000000000 ____D C:\Users\Home\Documents\Used Car Dealers
 
==================== SigCheck ============================
 
(There is no automatic fix for files that do not pass verification.)
 
 
LastRegBack: 2019-12-29 10:54
==================== End of FRST.txt ========================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2019
Ran by Home (02-01-2020 17:01:42)
Running from C:\Users\Home\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2014-11-30 23:31:31)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2588259368-3398593882-3987161955-500 - Administrator - Disabled)
Guest (S-1-5-21-2588259368-3398593882-3987161955-501 - Limited - Disabled)
Home (S-1-5-21-2588259368-3398593882-3987161955-1000 - Administrator - Enabled) => C:\Users\Home
HomeGroupUser$ (S-1-5-21-2588259368-3398593882-3987161955-1002 - Limited - Enabled)
Malcolm_Richardson (S-1-5-21-2588259368-3398593882-3987161955-1003 - Administrator - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 19.021.20061 - Adobe Systems Incorporated)
Adobe Flash Player 32 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 32.0.0.303 - Adobe)
Belarc Advisor 8.4 (HKLM-x32\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.63 - Piriform)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 79.0.3945.88 - Google LLC)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.35.421 - Google LLC) Hidden
HP Deskjet 1510 series Basic Device Software (HKLM\...\{C9064E5C-D5AB-4EEB-86A6-50756901038A}) (Version: 32.0.1180.44630 - Hewlett-Packard Co.)
HP Deskjet 1510 series Help (HKLM-x32\...\{2E25FCEB-EFCB-4696-AA01-D3CBAC721831}) (Version: 30.0.0 - Hewlett Packard)
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (HKLM-x32\...\{B6465A32-8BE9-4B38-ADC5-4B4BDDC10B0D}) (Version: 1.00.0001 - Microsoft) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes version 4.0.4.49 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.0.4.49 - Malwarebytes)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Product Improvement Study for HP Deskjet 1510 series (HKLM\...\{EC27E742-EB04-4A2C-BA64-20271929528A}) (Version: 32.0.1180.44630 - Hewlett-Packard Co.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7487 - Realtek Semiconductor Corp.)
Speccy (HKLM\...\Speccy) (Version: 1.30 - Piriform)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
Spotify (HKU\S-1-5-21-2588259368-3398593882-3987161955-1000\...\Spotify) (Version: 1.1.10.540.gfcf0430f - Spotify AB)
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
The Complete Theory Test V14/1 (Update 7) (HKLM-x32\...\{C8A53C9C-185D-46E0-8F63-1E6AE4140674}_is1) (Version: 18.0 - Imagitech Ltd.)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 4.6.0 - Tweaking.com)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM\...\VLC media player) (Version: 3.0.6 - VideoLAN)
Webcam Videocap (HKLM-x32\...\{ED1674F5-5165-49BF-B546-AE5343111540}) (Version: 1.0.3.7 - ETRON)
 
==================== Custom CLSID (Whitelisted): ==============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-06-26] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers4: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers4: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\Windows\system32\igfxpph.dll [2009-09-23] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2019-06-26] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [Offline Files] -> {474C98EE-CF3D-41f5-80E3-4AAB0AB04301} =>  -> No File
 
==================== Codecs (Whitelisted) ====================
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
WMI:DEFAULT\__FilterToConsumerBinding->\\.\root\default:MSFT_UCScenarioControl.Name=\"Microsoft WMI Updating Consumer Scenario Control\"",Filter="\\.\root\default:__EventFilter.Name=\"Microsoft WMI Updating Consumer Scenario Control\"::
WMI:DEFAULT\__EventFilter->Microsoft WMI Updating Consumer Scenario Control::[Query => SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'MSFT_UCScenario']
 
==================== Loaded Modules (Whitelisted) =============
 
 
==================== Alternate Data Streams (Whitelisted) ========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
 
==================== Safe Mode (Whitelisted) ==================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
 
==================== Association (Whitelisted) =================
 
==================== Internet Explorer trusted/restricted ==========
 
==================== Hosts content: =========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 02:34 - 2020-01-02 09:00 - 000000855 _____ C:\Windows\system32\drivers\etc\hosts
127.0.0.1       localhost
 
==================== Other Areas ===========================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2588259368-3398593882-3987161955-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Home\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
==================== FirewallRules (Whitelisted) ================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{91582C4B-FF78-4304-9353-82382426A9B7}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe No File
FirewallRules: [{7D324CCA-A9AE-4FA6-BE76-DC9C52F85625}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe No File
FirewallRules: [{D324E971-28F4-4AEC-A6FE-F8348E64DEBF}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe No File
FirewallRules: [{0C4C3AA0-2E79-480C-A36F-1EB22B74B829}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe No File
FirewallRules: [{F80683F8-8B4E-41A9-BA47-5ED1BBA63A89}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe No File
FirewallRules: [{057B838A-CBDE-4FEC-9424-28564464878E}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe No File
FirewallRules: [{B6131709-9C92-46EF-8873-05AA84527A0B}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe No File
FirewallRules: [{FE14C52B-B307-44A5-8305-0877E29A286E}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe No File
FirewallRules: [TCP Query User{3A02E090-352B-4401-88A4-542C954253E2}C:\users\home\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\home\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [UDP Query User{54A01565-46AF-45C3-A7B1-608464600528}C:\users\home\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\home\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{FD9E55CB-621C-4310-9933-F702B56FBF57}] => (Allow) C:\Program Files\HP\HP Deskjet 1510 series\Bin\USBSetup.exe (Hewlett Packard -> Hewlett-Packard Co.)
FirewallRules: [{3001989F-AC38-4230-BC46-1DF7A56E9AB1}] => (Allow) C:\Program Files\HP\HP Deskjet 1510 series\Bin\HPNetworkCommunicatorCom.exe (Hewlett Packard -> Hewlett-Packard Co.)
FirewallRules: [{3D6C740C-368E-479A-B484-D0827DD91718}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS04FE\HPDiagnosticCoreUI.exe No File
FirewallRules: [{ED9974F9-C96C-42DE-8B42-D7310677512A}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS04FE\HPDiagnosticCoreUI.exe No File
FirewallRules: [{1BE16BA5-0406-45E0-AC61-D452984970FD}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS7EC1\HPDiagnosticCoreUI.exe No File
FirewallRules: [{0A7756BE-9C8F-4206-9C6E-4737F2B4CE89}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS7EC1\HPDiagnosticCoreUI.exe No File
FirewallRules: [{6A4A8261-C727-4D6E-B399-F06DF0E4FFB1}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe No File
FirewallRules: [{4D43F22D-30B6-4002-9481-3372D9A95E03}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe No File
FirewallRules: [{6BFDCED0-68E2-4362-92B6-6E689B668555}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe No File
FirewallRules: [{1EC82F80-A0C5-4349-AF33-4E8F3A6DFD1E}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe No File
FirewallRules: [{BD65C8F9-158E-4110-B712-5678C8D75502}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS7F43\HPDiagnosticCoreUI.exe No File
FirewallRules: [{06945B05-D32E-4B23-840D-2F5CBFB66D02}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS7F43\HPDiagnosticCoreUI.exe No File
FirewallRules: [{79F1A065-DE42-4FC5-A9C9-DD40DB34BD0E}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS7F98\HPDiagnosticCoreUI.exe No File
FirewallRules: [{4C2E681B-025E-46F9-9135-772609516805}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS7F98\HPDiagnosticCoreUI.exe No File
FirewallRules: [{291F5196-C787-4871-A693-E558DD01C4EF}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS0481\HPDiagnosticCoreUI.exe No File
FirewallRules: [{22C478D7-9E54-4617-904B-D24E10774339}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS0481\HPDiagnosticCoreUI.exe No File
FirewallRules: [{7BADB43D-255B-4935-A2A7-E415E329FC79}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS177D\HPDiagnosticCoreUI.exe No File
FirewallRules: [{61D98987-BC49-40F9-924C-7DBE46C56C64}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS177D\HPDiagnosticCoreUI.exe No File
FirewallRules: [{C4292078-DACC-4A5B-839E-86882E303808}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS17D5\HPDiagnosticCoreUI.exe No File
FirewallRules: [{BFC82851-E516-4388-A07E-E53D0DA7A84F}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS17D5\HPDiagnosticCoreUI.exe No File
FirewallRules: [{20D13A48-473C-4E11-B40D-855B0A29118A}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS21A6\HPDiagnosticCoreUI.exe No File
FirewallRules: [{955E97F9-8FC0-44E6-9B2A-68BB8AEBA175}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS21A6\HPDiagnosticCoreUI.exe No File
FirewallRules: [{C5EAAEFE-846F-4066-865C-0EC94EE34959}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2280\HPDiagnosticCoreUI.exe No File
FirewallRules: [{554454FB-9949-4E07-BE5F-DE8FA7B81332}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2280\HPDiagnosticCoreUI.exe No File
FirewallRules: [{07CF7E03-4DA3-4E5B-BABE-26FAD1FA7194}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2F04\HPDiagnosticCoreUI.exe No File
FirewallRules: [{8CA063ED-3C66-4A46-895A-E7C749E3D101}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2F04\HPDiagnosticCoreUI.exe No File
FirewallRules: [{90836511-D3AC-4950-9A13-4CD0EBC95DA0}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2FC8\HPDiagnosticCoreUI.exe No File
FirewallRules: [{066BEF64-32FA-46C9-96B1-EAD970F6BD79}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2FC8\HPDiagnosticCoreUI.exe No File
FirewallRules: [{CA36E523-BB50-468B-8913-ACA952B784AD}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS23FE\HPDiagnosticCoreUI.exe No File
FirewallRules: [{7CA9506C-7D01-42F1-A55D-AB0892EAD4BB}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS23FE\HPDiagnosticCoreUI.exe No File
FirewallRules: [{F8CF011E-72EF-49B7-9773-9B2B1999C792}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS24FD\HPDiagnosticCoreUI.exe No File
FirewallRules: [{6D604E38-BF18-48D4-A721-1B1AB20F8E98}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS24FD\HPDiagnosticCoreUI.exe No File
FirewallRules: [{6A8AFE29-979C-4307-A60A-CEBB13FD0153}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2EAF\HPDiagnosticCoreUI.exe No File
FirewallRules: [{11E741BF-DD05-49F7-94C5-ADB674B8E51D}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2EAF\HPDiagnosticCoreUI.exe No File
FirewallRules: [{5D21A2E8-7FB0-4151-A71C-037DE400839D}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS5E62\HPDiagnosticCoreUI.exe No File
FirewallRules: [{93C8D387-F38C-47D0-8680-A1CC855D0C96}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS5E62\HPDiagnosticCoreUI.exe No File
FirewallRules: [{B470F693-618C-4268-9302-1AD61E80AF08}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS25F5\HPDiagnosticCoreUI.exe No File
FirewallRules: [{5BCA3F45-90BA-474C-8657-25161047D060}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS25F5\HPDiagnosticCoreUI.exe No File
FirewallRules: [{1B9936B7-239E-4F01-A125-1FCFADBDF1A6}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2C43\HPDiagnosticCoreUI.exe No File
FirewallRules: [{530AF287-CC01-4D27-AF4B-3512B71962FE}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2C43\HPDiagnosticCoreUI.exe No File
FirewallRules: [{2BFC9D25-10BD-4596-9910-1FB3C97FBE45}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2D0A\HPDiagnosticCoreUI.exe No File
FirewallRules: [{E39B4338-7849-4F9F-B223-43BDEF9EA749}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2D0A\HPDiagnosticCoreUI.exe No File
FirewallRules: [{B2D20065-1652-4234-8EC1-97CBA1308BE3}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS6363\HPDiagnosticCoreUI.exe No File
FirewallRules: [{8DEF58FC-E4AA-400F-8E3F-62FE619430F3}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS6363\HPDiagnosticCoreUI.exe No File
FirewallRules: [{02C15F5E-ADB4-4B33-A261-C5FAF35B1449}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS3619\HPDiagnosticCoreUI.exe No File
FirewallRules: [{DDFAA081-7615-479B-AD2A-DBFF28263ED0}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS3619\HPDiagnosticCoreUI.exe No File
FirewallRules: [{ED61EFA7-8146-4472-9483-0559F499D881}] => (Allow) C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe No File
FirewallRules: [{875B6294-E961-4751-8FCB-C341A3541298}] => (Allow) C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe No File
FirewallRules: [{533461C4-B684-4571-A4D5-3ACA3E648701}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [{1A50AA60-C8F6-4470-9792-4893C24C97CA}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [TCP Query User{F79593F0-0823-4776-9C41-045C2927CC96}C:\users\home\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\home\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [UDP Query User{07AA07E9-CD57-4344-880C-9EA583FA929B}C:\users\home\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\home\appdata\roaming\spotify\spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{1391A5FE-EC60-4FC4-A360-1F949227BED9}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS4243\HPDiagnosticCoreUI.exe No File
FirewallRules: [{000639A6-1AC7-4915-A64A-9931858DF384}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS4243\HPDiagnosticCoreUI.exe No File
FirewallRules: [{AC47F70D-36DE-40BE-AAC9-6DA7B6A9F910}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS4301\HPDiagnosticCoreUI.exe No File
FirewallRules: [{66B89C6C-2A40-4A8D-AE06-F39028F05F33}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS4301\HPDiagnosticCoreUI.exe No File
FirewallRules: [{F135F687-AD93-4823-A0D5-206F3E59FB35}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2021\HPDiagnosticCoreUI.exe No File
FirewallRules: [{A5FA3349-4A9B-44DB-8B03-7529C83AEA4C}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS2021\HPDiagnosticCoreUI.exe No File
FirewallRules: [{DCA6420F-FBCE-42DD-8C1A-8A783AA687A3}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS21CA\HPDiagnosticCoreUI.exe No File
FirewallRules: [{2D9ECC46-C0BB-484F-8B57-B3EE4ABB1C48}] => (Allow) C:\Users\Home\AppData\Local\Temp\7zS21CA\HPDiagnosticCoreUI.exe No File
FirewallRules: [{F09A9A16-5ECE-4379-BA7D-A7D3A6AFEED7}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)
 
==================== Restore Points =========================
 
28-12-2019 18:08:37 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices ============
 
Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: ========================
 
Application errors:
==================
Error: (01/02/2020 09:06:26 AM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_64) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown
 
Error: (01/02/2020 09:06:06 AM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown
 
Error: (01/02/2020 09:02:18 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.
 
 
Operation:
   Subscribing Writer
 
Context:
   Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
   Writer Name: WMI Writer
   Writer Instance ID: {6b86afbc-da79-45c1-ac42-c888c14d7861}
 
Error: (01/02/2020 09:02:18 AM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]
 
 
Operation:
   Subscribing Writer
 
Context:
   Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
   Writer Name: WMI Writer
   Writer Instance ID: {6b86afbc-da79-45c1-ac42-c888c14d7861}
 
Error: (01/02/2020 09:02:13 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.
 
 
Operation:
   Subscribing Writer
 
Context:
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {e5081615-a078-4edd-8001-138ae7c1ad63}
 
Error: (01/02/2020 09:02:13 AM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]
 
 
Operation:
   Subscribing Writer
 
Context:
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {e5081615-a078-4edd-8001-138ae7c1ad63}
 
Error: (01/02/2020 09:02:13 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.
 
 
Operation:
   Subscribing Writer
 
Context:
   Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
   Writer Name: ASR Writer
   Writer Instance ID: {a0bf5e48-7802-43a1-9b6b-e5e60531e28a}
 
Error: (01/02/2020 09:02:13 AM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]
 
 
Operation:
   Subscribing Writer
 
Context:
   Writer Class Id: {be000cbe-11fe-4426-9c58-531aa6355fc4}
   Writer Name: ASR Writer
   Writer Instance ID: {a0bf5e48-7802-43a1-9b6b-e5e60531e28a}
 
 
System errors:
=============
Error: (01/02/2020 08:17:16 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
 
Error: (01/02/2020 08:17:16 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
 
Error: (01/02/2020 08:17:05 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (01/02/2020 08:16:48 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error: (01/02/2020 08:16:47 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
discache
spldr
Wanarpv6
 
Error: (01/02/2020 08:16:41 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: 
The dependency service or group failed to start.
 
Error: (01/02/2020 07:26:14 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
 
Error: (01/02/2020 07:25:13 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
 
 
==================== Memory info =========================== 
 
BIOS: Hewlett-Packard 786D1 v01.03 05/18/2005
Motherboard: Hewlett-Packard 09F8h
Processor: Intel® Pentium® 4 CPU 3.00GHz
Percentage of memory in use: 88%
Total physical RAM: 3063.43 MB
Available physical RAM: 359.96 MB
Total Virtual: 6125 MB
Available Virtual: 3000.98 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:78.14 GB) (Free:18.21 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Data) (Fixed) (Total:154.69 GB) (Free:154.59 GB) NTFS
 
 
==================== MBR & Partition Table ====================
 
==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 232.8 GB) (Disk ID: EA1AA9C7)
Partition 1: (Active) - (Size=78.1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=154.7 GB) - (Type=0F Extended)
 
==================== End of Addition.txt =======================

  • 0

#6
RKinner

    Malware Expert

  • Expert
  • 22,916 posts
  • MVP

Nothing obvious showing in your logs.  If you are worried you can try MBAR (different from MBAM) 

https://www.malwareb...om/antirootkit/

or ESET:

https://www.eset.com...online-scanner/

You want the free one time scan.

 

Looking at your first post:

bowing2.gif.crdownload is a normal step in the download process using the Chrome browser.  (Firefox will call it .part).  The downloaded data is collected in that file until the file is complete.  Then it is transferred to bowing2.gif and bowing2.gif.crdownload is deleted, so all that says is that the download wasn't complete when you looked at it.  Why it took 3 hours to completely download is hard to say.  Perhaps the Internet connection at the server was having problems or perhaps the server was overloaded.


  • 0
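The .crdownload lifecycle RKinner describes, and the check a practitioner actually wants afterwards (hash the finished file, and notice any partial file that never finished), as an added example that is not part of the original post or of any browser's own code. It mimics the browser's write-to-partial-then-rename step on a temporary folder and then audits that folder; the file contents and the abandoned `other.gif.crdownload` are constructed for the demo and do not appear in the thread.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Suffixes browsers use while a download is still streaming to disk.
PARTIAL_SUFFIXES = (".crdownload", ".part")  # Chrome/Edge, Firefox


def browser_style_download(dest: Path, chunks) -> Path:
    """Mimic the browser: stream into '<name>.crdownload', then rename to '<name>'.

    Once os.replace() runs, the .crdownload name no longer exists on disk, which is
    why a right-click on a stale Explorer entry reports 'Could not find this item'.
    """
    partial = dest.with_name(dest.name + ".crdownload")
    with open(partial, "wb") as fh:
        for chunk in chunks:
            fh.write(chunk)
    os.replace(partial, dest)  # atomic rename on the same volume
    return dest


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def audit_downloads(folder: Path, stale_after_s: float = 3600.0,
                    now: Optional[float] = None) -> dict:
    """Classify every file in a Downloads folder.

    complete:    finished files, keyed by name, with their SHA-256 (the thing you
                 would actually scan or look up, not the vanished .crdownload)
    in_progress: partial files modified within stale_after_s seconds
    stale:       partial files older than that, i.e. a download that never finished
    """
    now = time.time() if now is None else now
    report = {"complete": {}, "in_progress": [], "stale": []}
    for p in sorted(folder.iterdir()):
        if not p.is_file():
            continue
        if p.name.endswith(PARTIAL_SUFFIXES):
            age = now - p.stat().st_mtime
            bucket = "stale" if age > stale_after_s else "in_progress"
            report[bucket].append(p.name)
        else:
            report["complete"][p.name] = sha256_of(p)
    return report


def demo() -> dict:
    """Constructed scenario: one finished download, one abandoned partial file."""
    data = b"GIF89a" + bytes(range(64))  # constructed stand-in bytes, not a real image
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        browser_style_download(folder / "bowing2.gif", [data[:16], data[16:]])
        abandoned = folder / "other.gif.crdownload"  # constructed, not from the thread
        abandoned.write_bytes(b"\x00" * 8)
        two_days_ago = time.time() - 2 * 86400
        os.utime(abandoned, (two_days_ago, two_days_ago))
        report = audit_downloads(folder)
        names = sorted(p.name for p in folder.iterdir())
    return {
        "report": report,
        "names": names,
        "expected_sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run against a real Downloads folder by calling `audit_downloads(Path.home() / "Downloads")`; a name in `stale` is a download that never completed, while a name in `complete` with its hash is what to feed to the on-demand scanner.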

#7
Waste of Space

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts

Okay - and my continuing thanks.

 

MBAR found nothing unpleasant.

 

I ran ESET and the result was as follows:

 

'Found and resolved detections: 1

Scan completed. Your computer was at risk.'

 

But the risk was a bundled toolbar, so I guess that's not what's continuing to make all Google search pages big blue rectangles for the first few seconds after they open. And it's worth saying that even when I scroll down this geekstogo webpage, small blue squares appear and disappear, which they never did before I downloaded that infernal Gif.

 

A former laptop of mine made me all too well aware of how a slowly-dying RAM-starved computer can cause newly-opened Google search tabs to display initially as empty white Google pages with the words 'about:blank' displayed at the top  -  but as for Google pages occupied almost entirely by large expanses of blue?

 

I confess myself baffled and still rather worried, since the phenomenon dates precisely from the arrival of that 'bowing 2' Gif on my PC.  Something just ain't right.


Edited by Waste of Space, 03 January 2020 - 03:49 AM.

  • 0

#8
RKinner

    Malware Expert

  • Expert
  • 22,916 posts
  • MVP

Check your memory using the builtin test:

https://www.howtogee...m-for-problems/

 

Get Process Explorer

https://live.sysinte...com/procexp.exe

Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).  

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  

Wait a full minute then:

File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.


Copy the next 2 lines:

TASKLIST /SVC  > \junk.txt
notepad \junk.txt

Open an Elevated Command Prompt:
Win 7: Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator
Win 8: http://www.eightforu...indows-8-a.html
win 10: http://www.howtogeek...-in-windows-10/

Right click and Paste (or Edit then Paste) and the copied lines should appear.
Hit Enter if notepad does not open.  Copy and paste the text from notepad into a reply.


Get the free version of Speccy:

http://www.filehippo...ownload_speccy/ 

(Look in the upper right for the Download
Latest Version button  - Do NOT press the large Start Download button on the upper left!)  
Download, Save and Install it.  Tell it you do not need CCLEANER.    Run Speccy.  When it finishes (the little icon in the bottom left will stop moving),
File, Save as Text File,  (to your desktop) note the name it gives. OK.  Open the file in notepad and delete the line that gives the serial number of your Operating System.  
(It will be near the top,  10-20  lines down.) Save the file.  Attach the file to your next post.  Attaching the log is the best option as it is too big for the forum.  Attaching is a multi step process.

First click on More Reply Options
Then scroll down to where you see
Choose File and click on it.  Point it at the file and hit Open.
Now click on Attach this file.

 

Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).

sfc  /scannow

(This will check your critical system files. Does this finish without complaint?  IF it says it couldn't fix everything then:

Copy the next two lines:

findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  %UserProfile%\desktop\junk.txt
notepad %UserProfile%\desktop\junk.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Copy and paste the text from notepad or if it is too big, just attach the file.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

 

 

 

System Update Readiness Tool for Windows 7

This link is for 64 bit:
https://www.microsof...s.aspx?id=20858

This acts like you are installing a KB.  It checks your operating system to make sure everything is correct.  Can take an hour or more to run.

 

 

In Chrome go to:

chrome://extensions/

 

Then turn all extensions OFF.  Restart Chrome.  Do you still get the blue?

 

Let's try Latency Monitor:

Go to

http://www.resplendence.com/downloads

Scroll down to

System Monitoring Tools

and then find

LatencyMon 6.70 (or it may be a higher number if they update)

Click on Download free home edition

Save it then right click and Run As Admin.  It will install and then start the program.  
It will tell you to click on the Start button but there isn't one.  
Instead click on the green arrowhead (looks like a Play button).   Let it run for at least 20 seconds.  Then hit the red box to stop it.

Edit, Copy Report text to Clipboard then move to a REPLY and Ctrl + v to paste the text into a reply.

 

 

 

 

 


  • 0
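The point of the Process Explorer step above is the Verified Signer column: a running image that is not "(Verified)" by a known publisher is what deserves a second look. The parser below is an added example, not code from the post or from Sysinternals; it reads the Save As text in the flattened form it takes once pasted into a forum (tabs collapsed to spaces) and flags every process whose signer is missing or not verified. The first rows of SAMPLE are taken from the listing later in this thread; `updhelper.exe` and `svchost32.exe` are constructed rows added only to exercise the flagging and do not appear in the thread.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Pseudo-processes with no on-disk image; Process Explorer shows no signer for them.
NO_IMAGE = {"System Idle Process", "System", "Interrupts"}

# name  [cpu]  private K  working-set K  pid  [(status) publisher]
ROW = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?:(?P<cpu>< 0\.01|\d+\.\d+)\s+)?"
    r"(?P<priv>[\d,]+) K\s+"
    r"(?P<ws>[\d,]+) K\s+"
    r"(?P<pid>\d+|n/a)"
    r"(?:\s+\((?P<status>[^)]*)\)\s*(?P<publisher>.*))?$"
)

SAMPLE = """\
Process CPU Private Bytes Working Set PID Verified Signer
System Idle Process 92.42 0 K 24 K 0
Interrupts 0.51 0 K 0 K n/a
MBAMService.exe 0.21 275,620 K 280,496 K 1944 (Verified) Malwarebytes Inc
chrome.exe 0.12 151,332 K 213,084 K 3096 (Verified) Google LLC
WmiPrvSE.exe < 0.01 17,664 K 22,580 K 4028 (Verified) Microsoft Windows
wuauclt.exe 2,092 K 7,096 K 2540 (Verified) Microsoft Windows
updhelper.exe 0.03 5,120 K 9,000 K 3120 (Not verified) Contoso Example Ltd
svchost32.exe 1,000 K 2,000 K 4100
"""  # last two rows are constructed for the example


def parse_procexp(text: str) -> List[Dict[str, Optional[object]]]:
    """Parse a Process Explorer 'Save As' listing into one dict per process."""
    rows = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse tabs/runs of spaces
        if not line or line.startswith("Process "):
            continue  # blank or header line
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {raw!r}")
        d = m.groupdict()
        rows.append({
            "name": d["name"],
            "cpu": d["cpu"],  # None when the column was empty (idle process)
            "private_kb": int(d["priv"].replace(",", "")),
            "working_set_kb": int(d["ws"].replace(",", "")),
            "pid": None if d["pid"] == "n/a" else int(d["pid"]),
            "status": d["status"],  # 'Verified', 'Not verified', ... or None
            "publisher": (d["publisher"] or "").strip() or None,
        })
    return rows


def flag_unverified(rows) -> List[str]:
    """Names of real processes whose image is not signed by a verified publisher."""
    return [r["name"] for r in rows
            if r["name"] not in NO_IMAGE and r["status"] != "Verified"]


def publisher_counts(rows) -> Counter:
    """How many running images each publisher accounts for; odd one-offs stand out."""
    return Counter(r["publisher"] or "<unsigned>" for r in rows
                   if r["name"] not in NO_IMAGE)


if __name__ == "__main__":
    parsed = parse_procexp(SAMPLE)
    print("not verified:", flag_unverified(parsed))
    for publisher, n in publisher_counts(parsed).most_common():
        print(f"{n:3d}  {publisher}")
```

A row without a signer is not automatically malicious (a freshly built tool can be unsigned), but an unsigned or unverified image with a system-like name such as the constructed `svchost32.exe` is exactly the case the signature-verification step exists to surface, and its full path and hash are the next things to collect.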

#9
Waste of Space

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts

Hello again and gawd bless yer for rallying round.  Here goes with part one, up as far as Speccy.

 

Windows Memory Diagnostic detected no problems.

 

Process Explorer gave the following result, which I hope makes some sort of sense:

 

Process CPU Private Bytes Working Set PID Verified Signer
System Idle Process 92.42 0 K 24 K 0
procexp64.exe 4.44 25,248 K 48,104 K 628 (Verified) Microsoft Corporation
dwm.exe 1.35 26,928 K 30,468 K 2388 (Verified) Microsoft Windows
System 0.62 160 K 972 K 4
Interrupts 0.51 0 K 0 K n/a
MBAMService.exe 0.21 275,620 K 280,496 K 1944 (Verified) Malwarebytes Inc
chrome.exe 0.12 151,332 K 213,084 K 3096 (Verified) Google LLC
chrome.exe 0.06 25,488 K 40,408 K 2680 (Verified) Google LLC
explorer.exe 0.05 30,236 K 50,620 K 2476 (Verified) Microsoft Windows
svchost.exe 0.04 4,264 K 7,952 K 672 (Verified) Microsoft Windows
chrome.exe 0.03 54,672 K 89,356 K 1832 (Verified) Google LLC
SearchIndexer.exe 0.03 21,804 K 13,160 K 1880 (Verified) Microsoft Windows
chrome.exe 0.02 15,280 K 31,884 K 3732 (Verified) Google LLC
svchost.exe 0.02 24,592 K 15,572 K 1124 (Verified) Microsoft Windows
CCleaner64.exe 0.02 13,112 K 2,528 K 3408 (Verified) Piriform Software Ltd
svchost.exe 0.01 19,760 K 28,112 K 996 (Verified) Microsoft Windows
svchost.exe 0.01 18,044 K 15,732 K 816 (Verified) Microsoft Windows
csrss.exe 0.01 7,340 K 11,264 K 464 (Verified) Microsoft Windows
taskhost.exe 0.01 7,784 K 9,696 K 2244 (Verified) Microsoft Windows
svchost.exe 0.01 3,952 K 7,056 K 752 (Verified) Microsoft Windows
WmiPrvSE.exe < 0.01 17,664 K 22,580 K 4028 (Verified) Microsoft Windows
rundll32.exe < 0.01 3,676 K 8,840 K 3308 (Verified) Microsoft Windows
svchost.exe < 0.01 6,616 K 9,424 K 956 (Verified) Microsoft Windows
csrss.exe < 0.01 2,192 K 3,944 K 396 (Verified) Microsoft Windows
svchost.exe < 0.01 98,996 K 98,308 K 900 (Verified) Microsoft Windows
wuauclt.exe 2,092 K 7,096 K 2540 (Verified) Microsoft Windows
WR_Tray_Icon.exe 1,752 K 1,044 K 884 (Verified) Tweaking LLC
WmiPrvSE.exe 2,568 K 6,824 K 1008 (Verified) Microsoft Windows
winlogon.exe 2,800 K 5,608 K 552 (Verified) Microsoft Windows
wininit.exe 1,632 K 3,944 K 440 (Verified) Microsoft Windows
taskeng.exe 2,088 K 6,328 K 3632 (Verified) Microsoft Windows
taskeng.exe 1,744 K 5,572 K 4480 (Verified) Microsoft Windows
taskeng.exe 2,120 K 5,668 K 3344 (Verified) Microsoft Windows
svchost.exe 13,748 K 12,896 K 1276 (Verified) Microsoft Windows
svchost.exe 4,836 K 7,188 K 1676 (Verified) Microsoft Windows
svchost.exe 2,428 K 5,136 K 388 (Verified) Microsoft Windows
svchost.exe 1,868 K 5,076 K 1744 (Verified) Microsoft Windows
svchost.exe 3,680 K 5,584 K 1536 (Verified) Microsoft Windows
svchost.exe 8,344 K 6,340 K 2524 (Verified) Microsoft Windows
spoolsv.exe 7,148 K 9,000 K 1368 (Verified) Microsoft Windows
smss.exe 500 K 1,108 K 260 (Verified) Microsoft Windows
services.exe 6,672 K 7,588 K 496 (Verified) Microsoft Windows
RtkAudioService64.exe 1,804 K 4,496 K 292 (Verified) Realtek Semiconductor Corp
RAVCpl64.exe 8,292 K 7,560 K 2996 (Verified) Realtek Semiconductor Corp
RAVBg64.exe 14,428 K 7,460 K 1100 (Verified) Realtek Semiconductor Corp
procexp.exe 3,676 K 8,348 K 2068 (Verified) Microsoft Corporation
mbamtray.exe 16,524 K 27,780 K 3852 (Verified) Malwarebytes Inc
lsm.exe 2,484 K 3,960 K 544 (Verified) Microsoft Windows
lsass.exe 4,056 K 8,612 K 536 (Verified) Microsoft Windows
igfxtray.exe 2,384 K 5,320 K 2968 (Verified) Intel Corporation
igfxsrvc.exe 2,132 K 5,272 K 2848 (Verified) Intel Corporation
igfxpers.exe 1,984 K 5,612 K 2984 (Verified) Intel Corporation
hpwuschd2.exe 976 K 3,568 K 3336 (Verified) Hewlett-Packard Company
hkcmd.exe 2,260 K 5,200 K 2976 (Verified) Intel Corporation
chrome.exe 32,100 K 48,360 K 3624 (Verified) Google LLC
chrome.exe 14,176 K 21,756 K 2296 (Verified) Google LLC
chrome.exe 24,812 K 41,380 K 1660 (Verified) Google LLC
chrome.exe 54,632 K 74,920 K 2772 (Verified) Google LLC
chrome.exe 17,832 K 39,224 K 4076 (Verified) Google LLC
chrome.exe 3,908 K 8,720 K 468 (Verified) Google LLC
chrome.exe 3,860 K 9,192 K 2944 (Verified) Google LLC
armsvc.exe 1,196 K 3,780 K 1496 (Verified) Adobe Inc.

 

Command Prompt gave this result:

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       260 N/A
csrss.exe                      396 N/A
wininit.exe                    440 N/A
csrss.exe                      464 N/A
services.exe                   496 N/A
lsass.exe                      536 KeyIso, SamSs
lsm.exe                        544 N/A
winlogon.exe                   552 N/A
svchost.exe                    672 DcomLaunch, PlugPlay, Power
svchost.exe                    752 RpcEptMapper, RpcSs
svchost.exe                    816 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    900 AudioEndpointBuilder, hidserv,
                                   HomeGroupListener, Netman, PcaSvc, SysMain,
                                   TrkWks, UxSms, WdiSystemHost, Wlansvc
svchost.exe                    956 EventSystem, fdPHost, FontCache, netprofm,
                                   nsi, WdiServiceHost
svchost.exe                    996 Appinfo, Browser, EapHost, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   Schedule, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
svchost.exe                    388 gpsvc
RtkAudioService64.exe          292 RtkAudioService
RAVBg64.exe                   1100 N/A
svchost.exe                   1124 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc, TermService
svchost.exe                   1276 BFE, DPS, MpsSvc, WwanSvc
spoolsv.exe                   1368 Spooler
armsvc.exe                    1496 AdobeARMservice
svchost.exe                   1536 DiagTrack
svchost.exe                   1676 FDResPub, SSDPSRV, upnphost
svchost.exe                   1744 stisvc
SearchIndexer.exe             1880 WSearch
MBAMService.exe               1944 MBAMService
taskhost.exe                  2244 N/A
dwm.exe                       2388 N/A
explorer.exe                  2476 N/A
svchost.exe                   2524 p2pimsvc, p2psvc, PNRPsvc
igfxtray.exe                  2968 N/A
hkcmd.exe                     2976 N/A
igfxpers.exe                  2984 N/A
RAVCpl64.exe                  2996 N/A
igfxsrvc.exe                  2848 N/A
rundll32.exe                  3308 N/A
hpwuschd2.exe                 3336 N/A
taskeng.exe                   3344 N/A
CCleaner64.exe                3408 N/A
mbamtray.exe                  3852 N/A
chrome.exe                    3096 N/A
WR_Tray_Icon.exe               884 N/A
chrome.exe                     468 N/A
chrome.exe                    2944 N/A
chrome.exe                    3732 N/A
chrome.exe                    2772 N/A
chrome.exe                    4076 N/A
WmiPrvSE.exe                  4028 N/A
chrome.exe                    1832 N/A
chrome.exe                    1660 N/A
WmiPrvSE.exe                  1008 N/A
chrome.exe                    2680 N/A
chrome.exe                    3624 N/A
wuauclt.exe                   2540 N/A
chrome.exe                    2296 N/A
notepad.exe                   1148 N/A
audiodg.exe                   4664 N/A
cmd.exe                       1812 N/A
conhost.exe                   5012 N/A
tasklist.exe                  5048 N/A
WmiPrvSE.exe                  5088 N/A

 

Attached Files


  • 0
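As an added example (not from the thread or from any tool mentioned in it), a small Python parser for the tasklist /svc format pasted above. It handles the wrapped service lists and flags any svchost.exe that hosts no service at all, a quick sanity check a helper would run over a listing like this one. The sample rows are a constructed excerpt of the listing, with one made-up svchost.exe row added so the check has something to find.

```python
import re

# Constructed excerpt of the tasklist /svc listing pasted above, wrapped
# service lists included; the svchost.exe PID 4444 row is made up to
# exercise the check and does not appear in the thread.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    816 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    388 gpsvc
lsass.exe                      536 KeyIso, SamSs
svchost.exe                   4444 N/A
chrome.exe                    3096 N/A
"""

# image name, PID, then the (possibly empty or wrapped) services column
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$")


def _split_services(field):
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}. A line that starts with
    whitespace and carries no PID is a wrapped continuation of the
    previous row's service list, so it is appended to that row."""
    rows, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last is not None:
            rows[last][1].extend(_split_services(line))
            continue
        m = ROW.match(line)
        if not m:
            continue
        image, pid, field = m.group(1), int(m.group(2)), m.group(3)
        rows[pid] = (image, [] if field == "N/A" else _split_services(field))
        last = pid
    return rows


def bare_service_hosts(rows):
    """PIDs of svchost.exe instances that host no service. A genuine
    svchost.exe exists only to host services, so an empty one is worth
    checking (signer, image path, parent) rather than assuming benign."""
    return sorted(pid for pid, (image, svcs) in rows.items()
                  if image.lower() == "svchost.exe" and not svcs)
```

Run against the full listing from the thread, every svchost.exe row carries at least one service, so the check comes back empty there.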

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,916 posts
  • MVP

Speccy says it's running a bit hot for a desktop but Speccy often makes mistakes.  Let's get another opinion.

 

http://www.filehippo...nload_speedfan/

Download, save and install it (Win 7+ or Vista: right click and Run As Admin), then run it (Win 7+ or Vista: right click and Run As Admin).

It will tell you your temps in real time, though the default is to show the hard drive temp in the systray. You can change it: hit Configure, then click on the highest temp and check Show in tray. With no other programs running, what is the highest temp you see? Speccy said it was 50 C. We normally expect a desktop to run 35-45 C at idle. If it's over that it usually means the heatsink is clogged with dust. Run an anti-virus scan, play one of your games or watch a video for at least 5 minutes. What is the highest temp now?

We don't really want it to go over about 65 under load. If it does it usually means either the fan is defective (SpeedFan should tell you your fan speed so you can see if it is running) or (most likely) the interface between the fan and the heatsink is clogged with dust. The best fix for a clogged heatsink is to remove the fan (not the heatsink or heatpipe) and vacuum out the heatsink and any other vents and fans. Make sure you put the fan back in the same direction as you found it.


  • 0


#11
Waste of Space

Waste of Space

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts

sfc /scannow:

 

'Windows Resource Protection did not find any integrity violations.'

Event Viewer

 

Part 1:

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 03/01/2020 13:54:08
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 03/01/2020 12:22:17
Type: Error Category: 0
Event: 14332 Source: Microsoft-Windows-WMPNSS-Service
Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 03/01/2020 12:21:20
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped. 
 
 
Part 2
 
Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 03/01/2020 13:57:04
 
Note: All dates below are in the format dd/mm/yyyy
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by Waste of Space, 03 January 2020 - 08:56 AM.

  • 0

#12
Waste of Space

Waste of Space

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts

System Update Readiness Tool for Windows 7:

 

I was a bit baffled by this. I followed the instructions, which resulted in Hotfix for Windows being installed on my PC - the precise nature of which I don't comprehend - and there was no 'result' as such. It's at times like this that I realise how ignorant I am.

 

Okay, on to the next task.


Edited by Waste of Space, 03 January 2020 - 09:46 AM.

  • 0

#13
Waste of Space

Waste of Space

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts

I tried switching all Chrome extensions off and then restarting it, but the large blue rectangles are still there when I open a new tab - and small blue boxes are still appearing on screen here and there when I scroll down using the scrolling wheel on the mouse. (I should've said that they don't appear when I scroll down by dragging on the scrolling bar.)

 

 

Latency Monitor results:

 

Highest tight loop latency measured on any CPU: 6.16362 µs

CPU0 Group 0, no. 0: 6.16362 µs

CPU1 Group 0, no. 1: 4.79393 µs

As for SpeedFan, the highest temperature shown was HD0 41 C.


Edited by Waste of Space, 03 January 2020 - 10:15 AM.

  • 0

#14
Waste of Space

Waste of Space

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts

Many thanks for all your suggestions. I really do appreciate your help, especially when I bear in mind that you're probably juggling any number of other people's problems at any given time. I'm astonished that it doesn't all become a complete and utter blur and that you don't just glaze over altogether.  Very kind of you to take the time to devote yourself to this sort of thing when you could be out there fishing, golfing or gator wrestling instead.  One of life's unsung heroes, I'd say.  Respect.


  • 0

#15
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,916 posts
  • MVP

Log for System Update Readiness tool  is at C:\Windows\Logs\CBS\CheckSUR.log if you want to post it.  Usually it just does its work without complaining.

 

Can you download Firefox and install it?

 

https://www.mozilla....US/firefox/new/

 

Does it have the same blue squares?

 

 

What kind of mouse is this?  Is there a newer driver on the maker's website?  Can you try another regular mouse?

 

Let's try Rogue Killer

http://www.adlice.co...iller/#download
Portable 32 bits
Portable 64 bits

Download and Save.



Right click on the downloaded file (RogueKillerX64.exe or RogueKiller.exe)  and Run As admin

Start Scan
Start Scan

Will take about 20 minutes to complete.

Open Report
Export TXT (save it to your desktop as rk) Save

Do not let Rogue Killer remove anything until you hear from me.  Leave Rogue Killer up (but minimized) so you won't have to rescan.

Open rk.txt and copy and paste it to your next Reply.


 


  • 0
