
Won't let me open or save files or documents [Solved]


  • This topic is locked

#1
Keyboardclick


    Member

  • 47 posts

Hello,

 

My mom is having a lot of trouble with her laptop. I am currently going through the beginning virus removal guide (FRST is currently scanning), but this is a long story, so I figured I would go ahead and start.

 

It all started several days ago. She noticed a yellow exclamation on her white shield at the bottom left corner (she has Windows 10), indicating that Windows Security Shields has actions recommended. She clicked it to figure out what action needed taken, and it says no action needs taken, everything is fine, on, and up to date. Weird. However, this continually happens - the yellow exclamation appears yet no action needs taken.

 

Then, she went to play an older game, and realized that in order to make it work, she had to change the resolution on her laptop down in order for the game to work. I have no idea if this is related, and she has since changed her resolution back, but this is the only setting that she has changed that we can think of, so I thought it might be good information for you.

 

A couple days ago, she went to open a Libre word document. We have used Libre for a couple of years now, and she opens this among other documents daily. However, this time when she tried to open it, an Avast window popped up, stating something like:

 

soffice.bin is trying to delete or change j.odt in protected folders

 

This warning says it was found by the Ransomware shield. She closed this window, and tried to open the document again, and a Libre warning window popped up, saying it can only be opened in read only mode, and asked if she wanted to open a copy.

 

Since then, she has not been able to open any Libre word documents without the Read Only Libre warning popping up, and the Avast warning about soffice.bin pops up randomly when she tries, but not every time.

 

Day before yesterday, I ran an Avast full system scan on her computer. I didn't write it down, but it found something like gray.plan.../life which it said was bad and should be gotten rid of. I told it to get rid of it, and it said it couldn't. Like an idiot, I just closed Avast and went to bed.

 

Yesterday, I ran Avast's full system scan and boot time scan, Malwarebytes, Spybots full scan and rootkit scan, and nothing has found anything, not even the gray.plan.../life or whatever that showed up the first time.

 

So, today, I thought I better post on Geeks to Go. I thought, hey, I'll make it easy on them. I'll take screen shots of everything that comes up so they can see exactly what I am seeing.

 

So I set about that task pretty sure of myself and feeling good. I took the first screen shot, went to save it so I could attach it to my post, and Avast pops up:

 

We've just protected your file!

PlckerHost.exe is trying to change or delete the file screenshot.png in your protected Desktop folder.

detected by Ransomware Shield

 

So I can't even save screen shots to add to the post.

I have no idea what is going on. When Avast pops up, I can either Block App or Allow App.

I am afraid to do either. I don't want to block it, because I don't know if said app is me and Avast is freaking out for some reason. I don't want to allow it, because I don't know if said app is something bad that is trying to change my files and should be blocked.

 

This has never happened before. We wondered if it was just a problem with Libre, but since I can't save screen shots, that doesn't seem to be it.

 

I will update with information about the scans you want me to run as I do them.

 

Thank you.




#2
Keyboardclick


    Member

  • Topic Starter
  • 47 posts

P.S.

My laptop, with the same Windows, same programs, same updates, same version of Libre, is doing none of this weird stuff and operating fine.



#3
DR M


    The Grecian Geek

  • Malware Removal
  • 4,096 posts

Hi, keyboardclick.

 

Let's see the logs first. :)



#4
Keyboardclick


    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-08-2021
Ran by User (18-08-2021 13:46:58)
Running from C:\Users\User\Desktop
Windows 10 Home Version 20H2 19042.1165 (X64) (2021-05-29 08:19:40)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================


(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-127966655-3041496052-59511839-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-127966655-3041496052-59511839-503 - Limited - Disabled)
Guest (S-1-5-21-127966655-3041496052-59511839-501 - Limited - Disabled)
User (S-1-5-21-127966655-3041496052-59511839-1001 - Administrator - Enabled) => C:\Users/User
WDAGUtilityAccount (S-1-5-21-127966655-3041496052-59511839-504 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Spybot - Search and Destroy (Enabled - Up to date) {F77C7796-45C4-531E-0DAE-B4A8229B11C8}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Avast Antivirus (Enabled - Up to date) {EB19B86E-3998-C706-90EF-92B41EB091AF}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Abandoned: Chestnut Lodge Asylum (HKLM-x32\...\BFG-Abandoned - Chestnut Lodge Asylum) (Version:  - )
Avast Free Antivirus (HKLM\...\Avast Antivirus) (Version: 21.6.2474 - Avast Software)
Big Fish: Game Manager (HKLM-x32\...\BFGC) (Version: 3.3.1.10 - )
f.lux (HKU\S-1-5-21-127966655-3041496052-59511839-1001\...\Flux) (Version:  - f.lux Software LLC)
Intel® Chipset Device Software (HKLM-x32\...\{a2c684b7-4a4b-425f-a805-1e88940804b0}) (Version: 10.1.18460.8229 - Intel® Corporation)
Lenovo Vantage Service (HKLM-x32\...\VantageSRV_is1) (Version: 3.7.19.0 - Lenovo Group Ltd.)
LibreOffice 7.1.5.2 (HKLM\...\{4F0D0C39-A2CD-4908-AA4C-A1CC9BDCD71A}) (Version: 7.1.5.2 - The Document Foundation)
Logitech SetPoint 6.70 (HKLM\...\sp6) (Version: 6.70.55 - Logitech)
Malwarebytes version 4.4.4.126 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.4.4.126 - Malwarebytes)
Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.14228.20250 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 92.0.902.73 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-127966655-3041496052-59511839-1001\...\OneDriveSetup.exe) (Version: 21.150.0725.0001 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{852D8FE5-BC66-4061-B1C4-CADF51E5B27D}) (Version: 2.82.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24123 (HKLM-x32\...\{206898cc-4b41-4d98-ac28-9f9ae57f91fe}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.26.28720 (HKLM-x32\...\{7d607fb4-7e28-4c7a-a92f-3fcdaf555faf}) (Version: 14.26.28720.3 - Microsoft Corporation)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 91.0 (x64 en-US)) (Version: 91.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 89.0.2 - Mozilla)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.14228.20250 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.14228.20250 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.14131.20278 - Microsoft Corporation) Hidden
Smart Defrag 7 (HKLM-x32\...\Smart Defrag_is1) (Version: 7.0.0.62 - IObit)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.8.68.0 - Safer-Networking Ltd.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
The Agency of Anomalies: Cinderstone Orphanage (HKLM-x32\...\BFG-The Agency of Anomalies - Cinderstone Orphanage) (Version:  - )
The Agency of Anomalies: Mind Invasion (HKLM-x32\...\BFG-The Agency of Anomalies - Mind Invasion) (Version:  - )
The Agency of Anomalies: Mystic Hospital (HKLM-x32\...\BFG-The Agency of Anomalies - Mystic Hospital) (Version:  - )
The Agency of Anomalies: The Last Performance (HKLM-x32\...\BFG-The Agency of Anomalies - The Last Performance) (Version:  - )
Zoom (HKU\S-1-5-21-127966655-3041496052-59511839-1001\...\ZoomUMX) (Version: 5.6.7 (1016) - Zoom Video Communications, Inc.)

Packages:
=========
AV1 Video Extension -> C:\Program Files\WindowsApps\Microsoft.AV1VideoExtension_1.1.41601.0_x64__8wekyb3d8bbwe [2021-07-09] (Microsoft Corporation)
Dolby Audio -> C:\Program Files\WindowsApps\DolbyLaboratories.DolbyAudio_3.20800.804.0_x64__rz1tebttyb220 [2021-03-04] (Dolby Laboratories)
Elevoc Vocplus System -> C:\Program Files\WindowsApps\ElevocTechnologyCo.Ltd.ElevocVocplusSystem_1.0.29.0_x64__ttaqwwhyt5s6t [2021-07-01] (Elevoc Technology Co., Ltd.)
HP Smart -> C:\Program Files\WindowsApps\AD2F1837.HPPrinterControl_129.1.234.0_x64__v10z8vjag6ke6 [2021-07-24] (HP Inc.)
Intel® Graphics Command Center -> C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.3370.0_x64__8j3eq9eme6ctt [2021-07-24] (INTEL CORP) [Startup Task]
Lenovo Hotkeys -> C:\Program Files\WindowsApps\E0469640.LenovoUtility_4.0.44.0_x64__5grkq8ppsgwt4 [2021-07-15] (LENOVO INC) [Startup Task]
Lenovo Vantage -> C:\Program Files\WindowsApps\E046963F.LenovoCompanion_10.2105.16.0_x64__k1h2ywk1493x8 [2021-06-03] (LENOVO INC.)
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.10.7290.0_x64__8wekyb3d8bbwe [2021-08-04] (Microsoft Studios) [MS Ad]
MPEG-2 Video Extension -> C:\Program Files\WindowsApps\Microsoft.MPEG2VideoExtension_1.0.42152.0_x64__8wekyb3d8bbwe [2021-08-17] (Microsoft Corporation)
Realtek Audio Control -> C:\Program Files\WindowsApps\RealtekSemiconductorCorp.RealtekAudioControl_1.19.234.0_x64__dt26b99r8h8gj [2021-03-04] (Realtek Semiconductor Corp)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0 [2021-08-06] (Spotify AB) [Startup Task]

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ShellIconOverlayIdentifiers-x32: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers1: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => C:\Windows\System32\IObitSmartDefragExtension.dll [2019-09-12] (IObit Information Technology -> IObit)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Avast Software\Avast\ashShell.dll [2021-08-04] (Avast Software s.r.o. -> AVAST Software)
ContextMenuHandlers6: [SmartDefragExtension] -> {189F1E63-33A7-404B-B2F6-8C76A452CC54} => C:\Windows\System32\IObitSmartDefragExtension.dll [2019-09-12] (IObit Information Technology -> IObit)

==================== Codecs (Whitelisted) ====================

==================== Shortcuts & WMI ========================

==================== Loaded Modules (Whitelisted) =============

2021-03-04 23:36 - 2021-03-04 23:36 - 000000000 ____L (Microsoft Corporation) C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll
2021-03-04 23:36 - 2021-03-04 23:36 - 000000000 ____L (Microsoft Corporation) C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll
2021-07-20 20:38 - 2020-05-30 15:58 - 001280000 _____ (Robert Simpson, et al.) [File not signed] C:\ProgramData\Lenovo\iMController\Plugins\GenericMessagingPlugin\x86\x86\SQLite.Interop.dll
2021-06-01 00:21 - 2020-11-03 05:08 - 000954864 _____ (SQLite Development Team) [File not signed] C:\ProgramData\Lenovo\iMController\Plugins\LenovoWiFiSecurityPlugin\x86\x86\e_sqlite3.dll

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [270]
AlternateDataStreams: C:\ProgramData\TEMP:3B812EE0 [430]
AlternateDataStreams: C:\ProgramData\TEMP:45936E12 [486]
AlternateDataStreams: C:\ProgramData\TEMP:4C1D9362 [196]
AlternateDataStreams: C:\ProgramData\TEMP:5164A01F [496]
AlternateDataStreams: C:\ProgramData\TEMP:51E66512 [227]
AlternateDataStreams: C:\ProgramData\TEMP:551BED5F [203]
AlternateDataStreams: C:\ProgramData\TEMP:5BC73C48 [446]
AlternateDataStreams: C:\ProgramData\TEMP:6FF14C72 [456]
AlternateDataStreams: C:\ProgramData\TEMP:8732B03A [490]
AlternateDataStreams: C:\ProgramData\TEMP:9EDA68BD [478]
AlternateDataStreams: C:\ProgramData\TEMP:BF9D6105 [486]
AlternateDataStreams: C:\ProgramData\TEMP:EE2DD6CC [478]

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aswSP.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\aswSP.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""="Service"

==================== Association (Whitelisted) =================

==================== Internet Explorer (Whitelisted) ==========

HKU\S-1-5-21-127966655-3041496052-59511839-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=LCTE
HKU\S-1-5-21-127966655-3041496052-59511839-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.com/?pc=LCTE
HKU\S-1-5-21-127966655-3041496052-59511839-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://mystart.lenovo.com/
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2020-11-20] (Logitech Inc -> Logitech, Inc.)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2021-06-04] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2020-11-20] (Logitech Inc -> Logitech, Inc.)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2021-07-28] (Microsoft Corporation -> Microsoft Corporation)

(If an entry is included in the fixlist, it will be removed from the registry.)


There are 7942 more sites.


There are 7942 more sites.


==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2019-12-07 04:14 - 2021-08-17 17:44 - 000454574 ____R C:\Windows\system32\drivers\etc\hosts

There are 15603 more lines.


==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-127966655-3041496052-59511839-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{F1AE6852-83AF-41B4-A64F-E92D95291784}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{174B3D6C-8CF0-4509-8C3C-E200472F1A5A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{DB772E2A-9548-4EC8-A5A7-4832A00CE34E}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe (Valve -> Valve Corporation)
FirewallRules: [{057C7857-46BD-49DD-A1F7-F0B8C0C9D7CB}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{3F30A360-49DE-4143-A938-275BD385C315}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe (Valve -> Valve Corporation)
FirewallRules: [{FC94C90E-BDC9-41BA-B59F-6F3C08BE0C82}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{05497EFE-1E85-46E6-88EB-1AFF1353D08A}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{F406400E-1821-465F-B85A-313216D7A2B9}] => (Allow) C:\Users\User\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{2998401E-8E45-403D-B6EE-A157DA30B682}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{7CF4B369-F149-4820-AF6E-9D565B4284AC}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{FF4C557F-8A82-4C41-9A79-70777EB9A893}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{703252E9-7D45-4AFB-A1EE-D24404911B7C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{751C5FF0-7EAF-48CC-B32E-01B595E9CBE2}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{9D250CE4-92AC-4933-BB34-C101822BD12A}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{B4B0B63B-24AE-425A-903D-04EFA659B5D8}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{516F4F0F-807F-46FD-B1A2-45D2E9C4C848}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{67AA1B2D-C22D-46C1-8D04-1314C5A0DA76}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.165.643.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{66715A2E-2AEC-4543-A438-95A0362FB095}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{D09D6BD1-BFE5-4068-B10B-DD87A203EE69}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{A649BD9F-D648-4A10-8027-69B5F67D1AAB}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{8407649B-0406-434F-85BF-C67900C0E504}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.75.140.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service

==================== Restore Points =========================

17-08-2021 14:43:30 Scheduled Checkpoint

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (08/18/2021 01:31:29 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\LAPTOP-DDK31LC2$ via https://INTC-KeyId-6...plates/Aik/scepfailed:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"intc-keyid-6301daf571b821515a03d4689057201d9ca42c9d.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Wed, 18 Aug 2021 18:31:28 GMT
Content-Length: 122
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 56de69da-969d-4474-a9da-7316fcff2902

Method: GET(2140ms)
Stage: GetCACaps
Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Error: (08/17/2021 08:15:49 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\LAPTOP-DDK31LC2$ via https://INTC-KeyId-6...plates/Aik/scepfailed:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"intc-keyid-6301daf571b821515a03d4689057201d9ca42c9d.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Wed, 18 Aug 2021 01:15:48 GMT
Content-Length: 122
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: e86463fa-07c7-4d6a-8fc2-63284b7fd0cc

Method: GET(1172ms)
Stage: GetCACaps
Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Error: (08/17/2021 12:35:44 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\LAPTOP-DDK31LC2$ via https://INTC-KeyId-6...plates/Aik/scepfailed:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"intc-keyid-6301daf571b821515a03d4689057201d9ca42c9d.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Tue, 17 Aug 2021 17:35:42 GMT
Content-Length: 122
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 2aa1a370-f0b9-4905-9299-7d171a3b24bc

Method: GET(1344ms)
Stage: GetCACaps
Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Error: (08/17/2021 12:10:47 PM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\LAPTOP-DDK31LC2$ via https://INTC-KeyId-6...plates/Aik/scepfailed:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"intc-keyid-6301daf571b821515a03d4689057201d9ca42c9d.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Tue, 17 Aug 2021 17:10:45 GMT
Content-Length: 122
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 4a47617b-4182-4156-a41a-675074966f3a

Method: GET(594ms)
Stage: GetCACaps
Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Error: (08/17/2021 11:39:34 AM) (Source: CertEnroll) (EventID: 86) (User: NT AUTHORITY)
Description: SCEP Certificate enrollment initialization for WORKGROUP\LAPTOP-DDK31LC2$ via https://INTC-KeyId-6...plates/Aik/scepfailed:

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"intc-keyid-6301daf571b821515a03d4689057201d9ca42c9d.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Tue, 17 Aug 2021 16:39:33 GMT
Content-Length: 122
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 59ac7816-6a4a-47a5-9bb0-58d84fa2f204

Method: GET(1250ms)
Stage: GetCACaps
Not found (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

Error: (08/16/2021 10:46:00 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

Error: (08/16/2021 10:46:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]

Error: (08/16/2021 10:46:00 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.

System errors:
=============
Error: (08/18/2021 03:28:40 AM) (Source: Netwtw10) (EventID: 5005) (User: )
Description: Intel® Wi-Fi 6 AX201 160MHz : Has encountered an internal error and has failed.
5005 - Driver internal error

Error: (08/18/2021 03:28:38 AM) (Source: Netwtw10) (EventID: 5002) (User: )
Description: Intel® Wi-Fi 6 AX201 160MHz : Has determined that the network adapter is not functioning properly.
5002 - uCode SW error (SysAssert, NMI)

Error: (08/18/2021 03:28:38 AM) (Source: Netwtw10) (EventID: 5005) (User: )
Description: Intel® Wi-Fi 6 AX201 160MHz : Has encountered an internal error and has failed.
5005 - Driver internal error

Error: (08/18/2021 03:28:38 AM) (Source: Netwtw10) (EventID: 5007) (User: )
Description: 5007 - TX/CMD timeout (TfdQueue hanged)

Error: (08/17/2021 10:43:06 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1053" attempting to start the service edgeupdate with arguments "/comsvc" in order to run the server:
{CECDDD22-2E72-4832-9606-A9B0E5E344B2}

Error: (08/17/2021 10:43:06 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Microsoft Edge Update Service (edgeupdate) service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (08/17/2021 10:43:06 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Microsoft Edge Update Service (edgeupdate) service to connect.

Error: (08/17/2021 12:50:18 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The LenovoVantageService service terminated unexpectedly.  It has done this 1 time(s).

Windows Defender:
================
Date: 2021-05-28 16:12:10
Description:
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

Date: 2021-07-08 15:32:25
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.339.1577.0
Update Source: Microsoft Update Server
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.18100.6
Error code: 0x80240438
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2021-07-06 16:48:07
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.339.1577.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.18100.6
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2021-07-06 16:48:07
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.339.1577.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.18100.6
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2021-07-06 16:48:07
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.339.1577.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.18100.6
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2021-07-06 16:48:07
Description:
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version:
Previous security intelligence Version: 1.339.1577.0
Update Source: Microsoft Malware Protection Center
Security intelligence Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.18100.6
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
===============
Date: 2021-08-18 13:46:10
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Avast Software\Avast\aswAMSI.dll that did not meet the Windows signing level requirements.

Date: 2021-08-18 13:32:40
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume3\Program Files\Avast Software\Avast\aswAMSI.dll that did not meet the Windows signing level requirements.

==================== Memory info ===========================

BIOS: LENOVO GGCN26WW 04/25/2021
Motherboard: LENOVO LNVNB161216
Processor: 11th Gen Intel® Core™ i3-1115G4 @ 3.00GHz
Percentage of memory in use: 63%
Total physical RAM: 7991.3 MB
Available physical RAM: 2922.29 MB
Total Virtual: 9271.3 MB
Available Virtual: 3826.62 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:930.27 GB) (Free:872.65 GB) NTFS

\\?\Volume{b1b0d02d-ecb6-4a60-9113-4c61d36af3f7}\ (WINRE_DRV) (Fixed) (Total:0.98 GB) (Free:0.49 GB) NTFS
\\?\Volume{fe5c744e-612d-4c6c-8ec9-41104b32fc2c}\ (SYSTEM_DRV) (Fixed) (Total:0.25 GB) (Free:0.2 GB) FAT32

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 28A6A6C6)

Partition: GPT.

==================== End of Addition.txt =======================


#5
Keyboardclick

I did it backwards, this one is Addition.txt

Here comes FRST.txt ...


Edited by Keyboardclick, 18 August 2021 - 01:23 PM.

#6
Keyboardclick

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{5da62158-9e67-49ae-83c7-40da4be9c5a8}: [DhcpNameServer] 150.213.1.3
Tcpip\..\Interfaces\{666ac231-0bd2-4651-861b-396d17dfcc9d}: [DhcpNameServer] 192.168.1.254

Edge:
=======
Edge Profile: C:\Users\User\AppData\Local\Microsoft\Edge\User Data\Default [2021-08-18]

FireFox:
========
FF DefaultProfile: dnxs5hjs.default
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\dnxs5hjs.default [2021-05-28]
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\59kfiq3z.default-release-1622672176047 [2021-08-18]
FF DownloadDir: C:\Users\User\Desktop
FF Homepage: Mozilla\Firefox\Profiles\59kfiq3z.default-release-1622672176047 -> hxxps://duckduckgo.com/
FF Extension: (DuckDuckGo Privacy Essentials) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\59kfiq3z.default-release-1622672176047\Extensions\[email protected] [2021-08-16]
FF Extension: (uBlock Origin) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\59kfiq3z.default-release-1622672176047\Extensions\[email protected] [2021-07-31]
FF Extension: (Add-ons Search Detection) - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\59kfiq3z.default-release-1622672176047\features\{717653e6-c955-4985-859f-3e3816ebaf8e}\[email protected] [2021-08-13]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2021-05-29] [not signed]
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2021-06-04] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2021-06-04] (Microsoft Corporation -> Microsoft Corporation)

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 aswbIDSAgent; C:\Program Files\Avast Software\Avast\aswidsagent.exe [8262736 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R2 avast! Antivirus; C:\Program Files\Avast Software\Avast\AvastSvc.exe [627480 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R2 avast! Tools; C:\Program Files\Avast Software\Avast\aswToolsSvc.exe [374552 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R2 AvastWscReporter; C:\Program Files\Avast Software\Avast\wsc_proxy.exe [56912 2021-05-28] (Avast Software s.r.o. -> AVAST Software)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [9142128 2021-08-05] (Microsoft Corporation -> Microsoft Corporation)
R2 DolbyDAXAPI; C:\Windows\System32\DriverStore\FileRepository\dax3_swc_aposvc.inf_amd64_e9ebbe69987eef47\DAX3API.exe [2173912 2020-10-15] (Dolby Laboratories, Inc. -> Dolby Laboratories)
R2 ElevocService; C:\Windows\System32\ElevocControlService.exe [147312 2020-11-16] (Microsoft Windows Hardware Compatibility Publisher -> )
R2 ImControllerService; C:\Windows\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [81896 2021-08-12] (Lenovo -> Lenovo Group Ltd.)
S2 IntelAudioService; C:\Windows\System32\DriverStore\FileRepository\intcoed.inf_amd64_639c92dde0957139\\AS\\IAS\\IntelAudioService.exe [528232 2020-08-26] (Smart Sound Technology -> Intel)
R2 LenovoFnAndFunctionKeys; C:\Windows\System32\DriverStore\FileRepository\lenovofnandfunctionkeys.inf_amd64_2fcf64020e032ea8\LenovoUtilityService.exe [531360 2021-02-23] (Lenovo -> Lenovo(beijing) Limited)
R2 LenovoVantageService; C:\Program Files (x86)\Lenovo\VantageService\3.7.19.0\LenovoVantageService.exe [28576 2021-05-17] (Lenovo -> Lenovo Group Ltd.)
R2 LITSSVC; C:\Windows\System32\LNBITSSvc.exe [1817944 2020-09-10] (Lenovo -> Lenovo(beijing) Limited)
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [7477704 2021-08-04] (Malwarebytes Inc -> Malwarebytes)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2747312 2020-04-26] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4583240 2020-04-26] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [940976 2019-09-04] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
R2 UDCService; C:\Windows\System32\drivers\Lenovo\udc\Service\UDClientService.exe [107952 2021-05-19] (Lenovo -> Lenovo Group Ltd.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [3004048 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103384 2019-12-07] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 aswArDisk; C:\Windows\System32\drivers\aswArDisk.sys [35720 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswArPot; C:\Windows\System32\drivers\aswArPot.sys [218976 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswbidsdriver; C:\Windows\System32\drivers\aswbidsdriver.sys [367640 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R0 aswbidsh; C:\Windows\System32\drivers\aswbidsh.sys [250392 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R0 aswbuniv; C:\Windows\System32\drivers\aswbuniv.sys [99352 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R0 aswElam; C:\Windows\System32\drivers\aswElam.sys [17344 2021-08-04] (Microsoft Windows Early Launch Anti-malware Publisher -> AVAST Software)
R1 aswKbd; C:\Windows\System32\drivers\aswKbd.sys [41352 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswMonFlt; C:\Windows\System32\drivers\aswMonFlt.sys [184648 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswNetHub; C:\Windows\System32\drivers\aswNetHub.sys [559816 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswRdr; C:\Windows\System32\drivers\aswRdr2.sys [108408 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R0 aswRvrt; C:\Windows\System32\drivers\aswRvrt.sys [82904 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswSnx; C:\Windows\System32\drivers\aswSnx.sys [851704 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R1 aswSP; C:\Windows\System32\drivers\aswSP.sys [471920 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R2 aswStm; C:\Windows\System32\drivers\aswStm.sys [215392 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
R0 aswVmm; C:\Windows\System32\drivers\aswVmm.sys [328568 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
S3 BthA2dp; C:\Windows\System32\drivers\BthA2dp.sys [279040 2021-03-04] (Microsoft Corporation) [File not signed]
R3 iaLPSS2_GPIO2_TGL; C:\Windows\System32\DriverStore\FileRepository\ialpss2_gpio2_tgl.inf_amd64_2d381b4e92c4580e\iaLPSS2_GPIO2_TGL.sys [129288 2020-06-04] (Intel Corporation -> Intel Corporation)
R3 iaLPSS2_I2C_TGL; C:\Windows\System32\DriverStore\FileRepository\ialpss2_i2c_tgl.inf_amd64_18d252599a45c7f5\iaLPSS2_I2C_TGL.sys [198408 2020-06-04] (Intel Corporation -> Intel Corporation)
R3 iaLPSS2_SPI_TGL; C:\Windows\System32\DriverStore\FileRepository\ialpss2_spi_tgl.inf_amd64_a377b182eb0b1769\iaLPSS2_SPI_TGL.sys [156936 2020-06-04] (Intel Corporation -> Intel Corporation)
R3 iaLPSS2_UART2_TGL; C:\Windows\System32\DriverStore\FileRepository\ialpss2_uart2_tgl.inf_amd64_17edb8d819140063\iaLPSS2_UART2_TGL.sys [311560 2020-06-04] (Intel Corporation -> Intel Corporation)
R0 iaStorVD; C:\Windows\System32\drivers\iaStorVD.sys [1431928 2020-10-28] (Intel® Rapid Storage Technology -> Intel Corporation)
S0 MbamElam; C:\Windows\System32\DRIVERS\MbamElam.sys [19912 2021-05-28] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [248992 2021-08-04] (Malwarebytes Inc -> Malwarebytes)
S0 Spybot3ELAM; C:\Windows\System32\drivers\Spybot3ELAM.sys [19904 2019-06-21] (Microsoft Windows Early Launch Anti-malware Publisher -> Windows ® Win 7 DDK provider)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46688 2019-12-07] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [350136 2019-12-07] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [54200 2019-12-07] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-18 13:45 - 2021-08-18 13:46 - 000009458 _____ C:\Users\User\Desktop\FRST.txt
2021-08-18 13:44 - 2021-08-18 13:45 - 000000000 ____D C:\FRST
2021-08-18 13:44 - 2021-08-18 13:44 - 000000000 ____D C:\Users\User\Desktop\FRST-OlderVersion
2021-08-18 13:43 - 2021-08-18 13:44 - 002300416 _____ (Farbar) C:\Users\User\Desktop\FRST64.exe
2021-08-17 17:43 - 2021-08-04 22:47 - 000454574 ____R C:\Windows\system32\Drivers\etc\hosts.20210817-174359.backup
2021-08-17 12:41 - 2021-08-17 12:41 - 000000000 ____D C:\Users\Public\Documents\sun
2021-08-17 12:31 - 2021-08-17 12:31 - 000001181 _____ C:\Users\Public\Desktop\LibreOffice 7.1.lnk
2021-08-17 12:31 - 2021-08-17 12:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LibreOffice 7.1
2021-08-16 02:33 - 2021-08-16 02:33 - 000000000 ____D C:\Users\User\AppData\Roaming\Orneon
2021-08-16 02:33 - 2021-08-16 02:33 - 000000000 ____D C:\Users\User\AppData\Roaming\Macromedia
2021-08-14 20:44 - 2021-08-14 20:44 - 000001999 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Game Manager.lnk
2021-08-14 20:44 - 2021-08-14 20:44 - 000001987 _____ C:\Users\Public\Desktop\Game Manager.lnk
2021-08-14 20:44 - 2021-08-14 20:44 - 000001208 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\More Great Games.lnk
2021-08-14 20:38 - 2021-08-14 20:45 - 000000000 ____D C:\Program Files (x86)\bfgclient
2021-08-14 20:38 - 2021-08-14 20:38 - 000000000 ____D C:\ProgramData\Big Fish
2021-08-14 20:37 - 2021-08-16 02:32 - 000000000 ____D C:\BigFishCache
2021-08-14 19:31 - 2021-08-17 12:40 - 000000000 ____D C:\Users\User\Desktop\shortcuts
2021-08-13 03:10 - 2021-08-13 03:11 - 000000000 ____D C:\Program Files (x86)\The Agency of Anomalies - Mind Invasion
2021-08-13 03:10 - 2021-08-13 03:10 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - Mind Invasion
2021-08-13 03:10 - 2021-08-13 03:10 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - Mind Invasion
2021-08-13 03:09 - 2021-08-13 03:10 - 000000000 ____D C:\Program Files (x86)\The Agency of Anomalies - The Last Performance
2021-08-13 03:09 - 2021-08-13 03:09 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - The Last Performance
2021-08-13 03:09 - 2021-08-13 03:09 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - Cinderstone Orphanage
2021-08-13 03:09 - 2021-08-13 03:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - The Last Performance
2021-08-13 03:09 - 2021-08-13 03:09 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - Cinderstone Orphanage
2021-08-13 03:09 - 2021-08-13 03:09 - 000000000 ____D C:\Program Files (x86)\The Agency of Anomalies - Cinderstone Orphanage
2021-08-13 02:46 - 2021-08-13 02:47 - 000000000 ____D C:\Program Files (x86)\The Agency of Anomalies - Mystic Hospital
2021-08-13 02:46 - 2021-08-13 02:46 - 000000000 ____D C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - Mystic Hospital
2021-08-13 02:46 - 2021-08-13 02:46 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The Agency of Anomalies - Mystic Hospital
2021-08-12 18:19 - 2021-08-12 18:19 - 000000000 ____D C:\Windows\system32\Tasks\Mozilla
2021-08-12 17:39 - 2021-08-13 17:27 - 000000000 ____D C:\Program Files\Mozilla Firefox
2021-08-11 20:38 - 2021-08-11 20:38 - 000000261 _____ C:\Users\User\Desktop\Religious and Inspirational Statuary Lucky Mojo Curio Co. Catalogue.URL
2021-08-10 17:55 - 2021-08-10 17:55 - 002755584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2021-08-10 17:55 - 2021-08-10 17:55 - 002755584 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2021-08-10 17:55 - 2021-08-10 17:55 - 001333760 _____ C:\Windows\SysWOW64\TextInputMethodFormatter.dll
2021-08-10 17:55 - 2021-08-10 17:55 - 000011347 _____ C:\Windows\system32\DrtmAuthTxt.wim
2021-08-10 17:54 - 2021-08-10 17:54 - 001823280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2021-08-10 17:54 - 2021-08-10 17:54 - 001393480 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2021-08-10 17:53 - 2021-08-10 17:53 - 000288768 _____ C:\Windows\system32\Windows.Management.InprocObjects.dll
2021-08-10 17:32 - 2021-08-10 17:32 - 000000000 ___HD C:\$WinREAgent
2021-08-09 02:00 - 2021-08-09 02:00 - 000000000 ____D C:\Users\User\AppData\Roaming\Azuaz Games
2021-08-09 01:32 - 2021-08-09 01:32 - 000000000 ____D C:\Program Files\Reference Assemblies
2021-08-09 01:32 - 2021-08-09 01:32 - 000000000 ____D C:\Program Files\MSBuild
2021-08-09 01:32 - 2021-08-09 01:32 - 000000000 ____D C:\Program Files (x86)\Reference Assemblies
2021-08-09 01:32 - 2021-08-09 01:32 - 000000000 ____D C:\Program Files (x86)\MSBuild
2021-08-04 22:47 - 2021-08-04 18:55 - 000454574 ____R C:\Windows\system32\Drivers\etc\hosts.20210804-224739.backup
2021-08-04 18:55 - 2021-08-04 18:55 - 000000000 ____D C:\Windows\system32\Tasks\Safer-Networking
2021-08-04 18:55 - 2019-12-07 04:12 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts.20210804-185538.backup
2021-08-04 18:45 - 2021-08-04 18:45 - 000248992 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2021-08-04 15:29 - 2021-08-04 15:28 - 000339736 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2021-08-04 15:29 - 2021-08-04 15:28 - 000215392 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2021-08-18 13:39 - 2021-05-28 15:14 - 000000000 ____D C:\Users\User\AppData\LocalLow\Mozilla
2021-08-18 13:32 - 2021-05-28 16:38 - 000000000 ____D C:\ProgramData\Avast Software
2021-08-18 13:31 - 2021-05-29 03:28 - 000000000 __SHD C:\Users\User\IntelGraphicsProfiles
2021-08-18 13:31 - 2019-12-07 04:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2021-08-18 13:30 - 2021-05-28 17:16 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2021-08-18 13:30 - 2021-03-04 23:55 - 000000000 ____D C:\ProgramData\Goodix
2021-08-18 13:30 - 2021-03-04 22:16 - 000000000 ___HD C:\Intel
2021-08-18 13:30 - 2020-05-06 13:33 - 000008192 ___SH C:\DumpStack.log.tmp
2021-08-18 13:30 - 2020-05-06 13:33 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2021-08-18 13:30 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\ServiceState
2021-08-18 03:28 - 2019-12-07 04:03 - 000524288 _____ C:\Windows\system32\config\BBI
2021-08-18 03:27 - 2021-05-30 10:03 - 000000000 ____D C:\ProgramData\TEMP
2021-08-18 03:27 - 2021-05-29 10:09 - 000002704 _____ C:\Windows\system32\Tasks\SmartDefrag_AutoAnalyze
2021-08-18 03:27 - 2021-05-29 03:32 - 000002850 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-127966655-3041496052-59511839-1001
2021-08-18 03:27 - 2021-03-04 23:41 - 000002846 _____ C:\Windows\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-127966655-3041496052-59511839-500
2021-08-18 03:27 - 2021-03-04 23:23 - 000003408 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2021-08-18 03:27 - 2021-03-04 23:23 - 000003184 _____ C:\Windows\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2021-08-18 02:33 - 2021-05-28 16:42 - 000000000 ____D C:\Windows\system32\Tasks\Avast Software
2021-08-18 02:32 - 2020-05-06 13:33 - 000000000 ____D C:\Windows\system32\SleepStudy
2021-08-17 20:00 - 2019-12-07 04:14 - 000000000 ___HD C:\Program Files\WindowsApps
2021-08-17 20:00 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\AppReadiness
2021-08-17 12:35 - 2020-05-06 13:33 - 000632536 _____ C:\Windows\system32\FNTCACHE.DAT
2021-08-17 12:31 - 2021-05-29 10:38 - 000000000 ____D C:\Program Files\LibreOffice
2021-08-16 22:56 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\LiveKernelReports
2021-08-16 22:45 - 2021-05-29 03:24 - 000000000 ____D C:\Users\User
2021-08-16 18:23 - 2021-05-29 03:24 - 000002415 _____ C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2021-08-16 17:32 - 2019-12-07 04:13 - 000000000 ____D C:\Windows\INF
2021-08-16 01:50 - 2021-05-28 16:41 - 000004264 _____ C:\Windows\system32\Tasks\Avast Emergency Update
2021-08-15 02:45 - 2021-03-04 23:33 - 000000000 ____D C:\Program Files\Microsoft Office
2021-08-14 03:42 - 2021-05-30 09:14 - 000000000 ____D C:\Program Files (x86)\Steam
2021-08-13 17:47 - 2021-03-04 23:23 - 000002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2021-08-13 17:27 - 2021-06-02 17:37 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2021-08-13 03:10 - 2021-05-30 17:58 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2021-08-12 18:19 - 2021-06-02 17:37 - 000000972 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2021-08-12 17:42 - 2021-05-28 16:44 - 000000000 ____D C:\Users\User\AppData\Local\Avast Software
2021-08-12 17:17 - 2020-05-06 13:41 - 000841126 _____ C:\Windows\system32\PerfStringBackup.INI
2021-08-12 10:55 - 2021-03-14 22:27 - 000108008 _____ (Lenovo Group Ltd.) C:\Windows\system32\WudfUpdate_02000.dll
2021-08-12 10:55 - 2021-03-14 22:27 - 000062440 _____ (Lenovo Group Ltd.) C:\Windows\system32\ImController.InfInstaller.exe
2021-08-12 10:55 - 2021-03-04 23:30 - 000108008 _____ (Lenovo Group Ltd.) C:\Windows\system32\ImController.CoInstaller.dll
2021-08-12 10:55 - 2021-03-04 22:47 - 000429944 _____ (Lenovo Group Limited) C:\Windows\system32\iMDriverHelper.dll
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ___SD C:\Windows\system32\UNP
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ___RD C:\Windows\ImmersiveControlPanel
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\SysWOW64\Dism
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\SystemResources
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\system32\oobe
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\system32\Dism
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\ShellComponents
2021-08-10 18:10 - 2019-12-07 04:14 - 000000000 ____D C:\Windows\bcastdvr
2021-08-10 18:10 - 2019-12-07 04:03 - 000000000 ____D C:\Windows\servicing
2021-08-10 18:07 - 2019-12-07 04:03 - 000000000 ____D C:\Windows\CbsTemp
2021-08-10 17:21 - 2021-05-30 14:19 - 000000000 ____D C:\Windows\system32\MRT
2021-08-10 17:17 - 2021-05-30 14:19 - 133215968 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2021-08-09 17:13 - 2021-05-29 03:28 - 000000000 ____D C:\Users\User\AppData\Local\Packages
2021-08-09 01:08 - 2021-06-01 00:41 - 000000000 ____D C:\Users\User\AppData\Local\CrashDumps
2021-08-04 20:27 - 2021-05-28 17:16 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2021-08-04 19:35 - 2021-05-30 16:26 - 000000000 ____D C:\Users\User\Desktop\virus [bleep]
2021-08-04 19:18 - 2021-05-29 10:07 - 000000000 ____D C:\Users\User\AppData\Roaming\IObit
2021-08-04 18:57 - 2021-05-29 10:09 - 000000000 ____D C:\ProgramData\ProductData
2021-08-04 18:49 - 2021-05-28 17:23 - 000002000 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2021-08-04 15:29 - 2019-12-07 04:14 - 000000000 ___HD C:\Windows\ELAMBKUP
2021-08-04 15:28 - 2021-05-28 16:41 - 000851704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000559816 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetHub.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000471920 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000367640 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsdriver.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000328568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000250392 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbidsh.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000218976 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArPot.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000184648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000108408 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000099352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswbuniv.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000082904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000041352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000035720 _____ (AVAST Software) C:\Windows\system32\Drivers\aswArDisk.sys
2021-08-04 15:28 - 2021-05-28 16:41 - 000017344 _____ (AVAST Software) C:\Windows\system32\Drivers\aswElam.sys
2021-08-03 18:00 - 2021-05-28 15:00 - 000000000 ____D C:\Program Files\Microsoft Update Health Tools
2021-08-02 15:53 - 2021-05-29 03:32 - 000000000 ___RD C:\Users\User\OneDrive
2021-07-31 19:14 - 2021-06-05 18:09 - 000029703 _____ C:\Users\User\Documents\Jay.odt
2021-07-28 22:32 - 2019-12-07 04:14 - 000000000 ____D C:\Program Files\Common Files\microsoft shared
2021-07-26 17:06 - 2021-03-04 23:30 - 000000000 ____D C:\Windows\TempInst
2021-07-19 20:32 - 2021-06-06 17:13 - 000012547 _____ C:\Users\User\Documents\Matt.odt

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

==================== End of FRST.txt ========================


Edited by Keyboardclick, 18 August 2021 - 01:30 PM.

#7
DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

The FRST log is not complete. Please check and see if there is a part missing above the section titled Internet (Whitelisted).

If not, restart the computer and run the FRST tool again. This time, please attach the two logs.

(To attach the files, click on the More Reply Options at the bottom right of the reply area, and then choose Attach File)

#8
Keyboardclick

Alright, just an update: before I went to restart the computer, I thought it might be a good idea to delete the old logs first to ensure that the new ones are new. When I went to delete the FRST log, Avast popped up:

We've just protected your file

explorer.exe is trying to change or delete the file FRST.txt in your protected Desktop folder

Ransomware shield found this

I can block or allow. I guess I'll just close Avast, leave the files where they are, and restart the computer.


#9
Keyboardclick

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-08-2021
Ran by User (administrator) on LAPTOP-DDK31LC2 (LENOVO 82H8) (18-08-2021 15:39:33)
Running from C:\Users\User\Desktop
Loaded Profiles: User
Platform: Windows 10 Home Version 20H2 19042.1165 (X64) Language: English (United States)
Default browser: FF
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\aswEngSrv.exe
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\aswidsagent.exe
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\aswToolsSvc.exe
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\AvastSvc.exe
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\AvastUI.exe <3>
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\wsc_proxy.exe
(Dolby Laboratories, Inc. -> Dolby Laboratories) C:\Windows\System32\DriverStore\FileRepository\DAX3_S~1.INF\DAX3API.exe
(Dolby Laboratories, Inc. -> Dolby Laboratories) C:\Windows\System32\DriverStore\FileRepository\dax3_swc_aposvc.inf_amd64_e9ebbe69987eef47\DAX3API.exe
(F.lux Software LLC -> f.lux Software LLC) C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe
(Intel® Embedded Subsystems and IP Blocks Group -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\dal.inf_amd64_ffc75848a6342fdf\jhi_service.exe
(Intel® pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_9ea30e7f88626f47\igfxCUIServiceN.exe
(Intel® pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_9ea30e7f88626f47\igfxEMN.exe
(Intel® pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\dptf_cpu.inf_amd64_f75fa513cf0ccec1\esif_uf.exe
(Intel® pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\igcc_dch.inf_amd64_caa7639078e34732\OneApp.IGCC.WinService.exe
(Intel® pGFX 2020 -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_b82fe59be849351e\IntelCpHDCPSvc.exe
(Intel® Rapid Storage Technology -> Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\iastorvd.inf_amd64_ba8fc4ad6162dd3e\RstMwService.exe
(Lenovo -> Lenovo Group Ltd.) C:\Program Files (x86)\Lenovo\VantageService\3.7.19.0\Lenovo.Vantage.AddinHost.exe <2>
(Lenovo -> Lenovo Group Ltd.) C:\Program Files (x86)\Lenovo\VantageService\3.7.19.0\LenovoVantageService.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.SettingsApp.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\PluginHost86\Lenovo.Modern.ImController.PluginHost.CompanionApp.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\PluginHost86\Lenovo.Modern.ImController.PluginHost.Device.exe <2>
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\System32\drivers\Lenovo\udc\Service\UDClientService.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\System32\drivers\Lenovo\udc\Service\UDCUserAgent.exe
(Lenovo -> Lenovo(beijing) Limited) C:\Windows\System32\AutoModeDetect.exe
(Lenovo -> Lenovo(beijing) Limited) C:\Windows\System32\DriverStore\FileRepository\lenovofnandfunctionkeys.inf_amd64_2fcf64020e032ea8\LenovoUtilityService.exe
(Lenovo -> Lenovo(beijing) Limited) C:\Windows\System32\LNBITSSvc.exe
(LENOVO INC) C:\Program Files\WindowsApps\E0469640.LenovoUtility_4.0.44.0_x64__5grkq8ppsgwt4\LaunchUtility\utility.exe
(Logitech Inc -> Logitech, Inc.) C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
(Logitech Inc -> Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20090.0_x64__8wekyb3d8bbwe\HxTsr.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\oobe\UserOOBEBroker.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Windows Hardware Compatibility Publisher -> ) C:\Windows\System32\ElevocControlService.exe
(Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_85a48ee0cac1d3dd\RtkAudUService64.exe <2>
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Shenzhen Goodix Technology Co., Ltd. -> Goodix) C:\Windows\System32\drivers\SessionService.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtkAudUService] => C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_85a48ee0cac1d3dd\RtkAudUService64.exe [1183968 2020-10-14] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Avast Software\Avast\AvLaunch.exe [123672 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3136136 2020-11-20] (Logitech Inc -> Logitech, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [6787856 2019-03-19] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
HKU\S-1-5-21-127966655-3041496052-59511839-1001\...\Run: [f.lux] => C:\Users\User\AppData\Local\FluxSoftware\Flux\flux.exe [1515848 2021-06-17] (F.lux Software LLC -> f.lux Software LLC)
BootExecute: autocheck autochk * sdnclean64.exe
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {02185350-C8EE-4372-87FE-DFC43B9570F9} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23253888 2021-08-06] (Microsoft Corporation -> Microsoft Corporation)
Task: {23544ED1-1D12-4868-8B29-86D6BF5BBC1E} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\ac3ed4f2-524a-4f28-ae61-6e0da438b910 => C:\Windows\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [81896 2021-08-12] (Lenovo -> Lenovo Group Ltd.)
Task: {2C165524-1C71-462C-A9CE-AC521916965E} - System32\Tasks\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\default-browser-agent.exe [673720 2021-08-12] (Mozilla Corporation -> Mozilla Foundation)
Task: {47F05EB9-C61B-415A-A7F6-4DEFDC6F0903} - System32\Tasks\Avast Emergency Update => C:\Program Files\Avast Software\Avast\AvEmUpdate.exe [4902680 2021-08-04] (Avast Software s.r.o. -> AVAST Software)
Task: {62207DF2-9ECC-4767-98C7-1A09BCE4699A} - System32\Tasks\Lenovo\UDC\Lenovo UDC Monitor => C:\Windows\system32\drivers\lenovo\udc\data\InfBackup\UdcInfInstaller.exe [192928 2021-05-19] (Lenovo -> Lenovo Group Ltd.)
Task: {7468AE31-4C72-4E5E-AE5D-00296054BE50} - System32\Tasks\Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask => %windir%\System32\reg.exe add hklm\SOFTWARE\Lenovo\SystemUpdatePlugin\scheduler  /v start /t reg_dword /d 1 /f /reg:32
Task: {7E1F847A-F389-466D-B862-1BCDB7B8E036} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [139112 2021-08-15] (Microsoft Corporation -> Microsoft Corporation)
Task: {843557A5-DFBF-4481-B82B-0714215FC6C0} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\1c1cd76b-32f1-4fb6-aaad-601ba115e52e => C:\Windows\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [81896 2021-08-12] (Lenovo -> Lenovo Group Ltd.)
Task: {8A706206-A6D7-428E-ABAD-E3F94932F298} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\f57607b9-efa9-44a6-92ba-39e78ecfdbd1 => C:\Windows\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [81896 2021-08-12] (Lenovo -> Lenovo Group Ltd.)
Task: {8AD1A74E-7EEC-4086-AD58-C71BE4AAAF41} - System32\Tasks\Lenovo\Vantage\Schedule\DailyTelemetryTransmission => C:\Program Files (x86)\Lenovo\VantageService\3.7.19.0\ScheduleEventAction.exe [23968 2021-05-17] (Lenovo -> Lenovo Group Ltd.)
Task: {8E9FBCD5-D6BF-400D-8537-CC000191D4DA} - System32\Tasks\Lenovo\ImController\Lenovo iM Controller Monitor => C:\Windows\system32\ImController.InfInstaller.exe [62440 2021-08-12] (Lenovo -> Lenovo Group Ltd.)
Task: {A3BD33B8-56DF-4ADE-AB3E-04546F8F7F68} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe [1790184 2021-05-28] (Avast Software s.r.o. -> Avast Software)
Task: {A4270A50-DC5F-4848-AB65-8187D589205F} - System32\Tasks\Lenovo\Vantage\Lenovo.Vantage.ServiceMaintainance => %systemroot%\system32\sc.exe start LenovoVantageService
Task: {ADB188C0-0405-4FF7-B0A6-EF4C5170A450} - System32\Tasks\Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance => "%windir%\system32\sc.exe" START ImControllerService
Task: {AF18DD2B-2C36-43AD-A934-0D8DC091D23E} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23253888 2021-08-06] (Microsoft Corporation -> Microsoft Corporation)
Task: {BE3CDDE7-CB8A-43E2-947A-448ADF0DEE86} - System32\Tasks\Lenovo\UDC\Lenovo UDC Idle Monitor => C:\windows\system32\drivers\Lenovo\udc\Service\UDCUserAgent.exe [434608 2021-05-19] (Lenovo -> Lenovo Group Ltd.)
Task: {C6BC6923-E52C-4CE4-B1D2-EAAE95D35EA6} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\f160b6d2-f3b9-4d25-b7b8-f6814e8e780d => C:\Windows\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [81896 2021-08-12] (Lenovo -> Lenovo Group Ltd.)
Task: {CDCE6BD5-0E3D-4EAA-9024-8F2F8EF5A9A9} - System32\Tasks\Lenovo\BatteryGauge\BatteryGaugeMaintenance => C:\ProgramData\Lenovo\ImController\Plugins\LenovoBatteryGaugePackage\x64\BGHelper.exe [144456 2021-07-15] (Lenovo -> Lenovo Group Ltd.)
Task: {E123B47B-126B-4D43-BFA9-326173FD5CF9} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [139112 2021-08-15] (Microsoft Corporation -> Microsoft Corporation)
Task: {E650E7D5-4689-4E06-BEF5-5EB26A14C545} - System32\Tasks\SmartDefrag_AutoAnalyze => C:\Program Files (x86)\IObit\Smart Defrag\AutoDefrag.exe [314128 2018-05-02] (IObit Information Technology -> IObit)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

 

So, because of the above mentioned problems, I was not able to save the log to make an attachment. I believe I found the items above Internet Whitelist, and copied it above.


  • 0

#10
Keyboardclick

Keyboardclick

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts

I hope this is right and helped.


  • 0



#11
DR M

DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

Hi, keyboardclick.

 

Could I call you by your real name please? It would be easier for me. :)
 
Here are my first comments/instructions regarding your logs:
 
1. Ransomware Shield by Avast
 
It seems that the warnings you are getting are due to a specific setting in Avast. The Desktop folder is added to the protected files and every time you are trying to do something, the protection is getting activated giving you the warning.
 
Please read here about the Ransomware Shield by Avast. How to use Avast Ransomware Shield | Avast
 
You can choose the mode (smart or strict), the applications you allow to modify files in the protected folders, remove the Desktop from the protected folders or even disable the feature.
 
 
2. Uninstall programs
 
2.1. Antivirus protection
 
You have both Avast and Spybot - Search & Destroy enabled. That's why the built-in Windows 10 antivirus (Defender) disabled itself automatically. I understand your intention to have multiple opinions about your security, but in this case I would recommend that you uninstall Spybot - Search and Destroy.
 
 
2.2. Smart Defrag 7
 
We do not recommend registry cleaners, system optimizers, driver boosters, defragment programs and the like. It is your computer and certainly your choice. My recommendation is to uninstall Smart Defrag 7.
 
To uninstall the above programs:

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following programs in the list:
Smart Defrag 7
Spybot - Search and Destroy
  • Select the above programs, one by one, and click Uninstall.
  • Restart the computer at the end of the procedure.

 

3. Run AdwCleaner (Scan mode)

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

 

4. Run Malwarebytes (Scan mode)

  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and Windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.

    If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.

 

 

In your next reply please post:

  1. What did you do with the Ransomware Shield by Avast
  2. What programs did you uninstall and if the procedure went fine
  3. The AdwCleaner[S0*].txt
  4. The Malwarebytes report

  • 0
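The overlap described in section 2.1 can be read from the Processes section of the FRST log posted earlier in the thread. The following is an added example, not part of the original post and not FRST's own code: it parses those process lines and reports which security products have resident processes. Reading the parenthesised pair as "signer -> company" and the `SECURITY_SIGNERS` watch list are assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the Processes section of the FRST log posted in this thread.
SAMPLE_PROCESSES = r"""
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\AvastSvc.exe
(Avast Software s.r.o. -> AVAST Software) C:\Program Files\Avast Software\Avast\AvastUI.exe <3>
(Lenovo -> Lenovo(beijing) Limited) C:\Windows\System32\LNBITSSvc.exe
(LENOVO INC) C:\Program Files\WindowsApps\E0469640.LenovoUtility_4.0.44.0_x64__5grkq8ppsgwt4\LaunchUtility\utility.exe
(Microsoft Windows Hardware Compatibility Publisher -> ) C:\Windows\System32\ElevocControlService.exe
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
"""

# Assumption: a watch list built only from the two products named in this thread.
SECURITY_SIGNERS = {
    "Avast Software s.r.o.": "Avast",
    "Safer-Networking Ltd.": "Spybot - Search & Destroy",
}

# "(signer -> company) X:\path\file.exe <instances>"; the company part may be
# missing or empty, and may itself contain parentheses ("Lenovo(beijing) Limited"),
# so the signature block ends at the first ") " that is followed by a drive path.
LINE_RE = re.compile(
    r"^\((?P<sig>.*?)\) (?P<path>[A-Za-z]:\\.*?)(?: <(?P<count>\d+)>)?$"
)


def parse_process_line(line):
    """Parse one process line; return None for anything that is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    signer, _, company = m.group("sig").partition(" -> ")
    return {
        "signer": signer.strip(),
        "company": company.strip(),
        "path": m.group("path"),
        "instances": int(m.group("count") or 1),
    }


def resident_security_products(text):
    """Map product name -> executables of that product seen running."""
    products = defaultdict(list)
    for line in text.splitlines():
        entry = parse_process_line(line)
        if entry and entry["signer"] in SECURITY_SIGNERS:
            exe = entry["path"].rsplit("\\", 1)[-1]
            products[SECURITY_SIGNERS[entry["signer"]]].append(exe)
    return dict(products)


def overlap_warning(products):
    """Return a message when more than one watched product is resident."""
    if len(products) > 1:
        return "multiple security products resident: " + ", ".join(sorted(products))
    return None


if __name__ == "__main__":
    found = resident_security_products(SAMPLE_PROCESSES)
    for name, exes in found.items():
        print(name, "->", ", ".join(exes))
    print(overlap_warning(found))
```

A running process only shows that the product is loaded; whether its live protection is switched on still has to be checked in the product's own settings.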

#12
Keyboardclick

Keyboardclick

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts

Hello,

 

You are right about the Ransomware shield, I had mine set to Smart, and mom had hers set higher so it wouldn't let her do anything with her own files. So now, Libre will open, I can save and delete things from her desktop. That part seems fixed, thank you.

 

For the rest:

 

We have used Spybot and Smart Defrag for years and are happy with it, so I am not going to uninstall them just yet. They haven't caused us issues so far.

 

I am running AdwCleaner on her laptop now, but I am reading and replying off of mine, so the new logs will be in the following post once it is finished.

I have already run Malwarebytes, and it did not find anything. Should I run it again?

 

About her Windows Security Shields,

the fact that the white shield at the bottom left of her task bar has an exclamation stating action is recommended does not have to do with how she is using different antivirus software, I don't think.

 

I am using the same antivirus software as she, and mine does not have an exclamation, there is a green check and it says all is well.

 

When she clicks on the shield to find out what actions are recommended, it says that none are, there is no setting to fix, all settings have green checks and say no action needed.

So why does the shield icon on the task bar say otherwise? Very weird.

 

She says that at some point she found a place (in her Windows settings probably) saying something about how the internet was not protected, but now she can't remember where she saw that, and I can't find it. Could this be the action that needs taken?

 

What about the gray.plan.../life thing that Avast found on the full system scan at first? It said it needed removed, could not remove it, and then neither I nor Avast can find this again to figure out what to do with it. Is it gone? Should she be worried about it?

 

AdwCleaner logs are coming...


  • 0

#13
Keyboardclick

Keyboardclick

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts

Here is the AdwCleaner log:

 

# -------------------------------
# Malwarebytes AdwCleaner 8.3.0.0
# -------------------------------
# Build:    06-29-2021
# Database: 2021-08-09.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    08-19-2021
# Duration: 00:00:09
# OS:       Windows 10 Home
# Scanned:  31995
# Detected: 13

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.AdvancedSystemCare C:\ProgramData\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare C:\Users\User\AppData\Roaming\IObit\Advanced SystemCare

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.LenovoIMController   Folder   C:\ProgramData\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Folder   C:\Users\User\AppData\Local\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Folder   C:\Windows\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Folder   C:\Windows\System32\Tasks\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\Lenovo Dependency Package_is1

 

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########


  • 0

#14
DR M

DR M

    The Grecian Geek

  • Malware Removal
  • 4,096 posts

Hello.
 
Windows 10 automatically defrags your hard drives for you, as needed. There is no need to use a third-party program for that. Defrag software is almost entirely a thing of the past. The only exception may be for external HDDs that may need the occasional defrag every once in a great while. Even then, the Windows defrag is just fine.
 
As for the computer's security: You actually need an antivirus and an anti-malware in your computer. You can keep Malwarebytes as your anti-malware and, if you stay with the free version, you can scan the computer once every now and then, depending on how often you use your computer. For antivirus, you have to choose which of the three -Defender, Avast, Spybot- you want for real time protection. Defender disables itself when there is another antivirus present and that is fine. But you can't have Avast and Spybot enabled at the same time. If you want Spybot for a second opinion, then disable the live protection and use it as an on-demand scanner. You can enable it when you want to scan the computer with it, but then, you will have to disable Avast. Many antivirus in the system may cause:

More than one of those security programs may conflict with each other and cause the following:

  • False positives: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • Conflicts: Your system may lock up due to both products attempting to access the same file at the same time.
  • Low performance: More than one antivirus will cause your PC to become slow and it may even crash or blue screen.
  • Less protection: Two antivirus trying to scan the same file may interfere with the process and allow a malicious file onto the computer without notice to you.

 

==================================
 
Let's continue.
 
I would like to see a screenshot of the exclamation regarding Windows Security. Please attach one for me to check. 
 
Also, I would like to see the Malwarebytes report after the scan.
 
After that:

1. AdwCleaner (Clean mode)

Let me explain to you the log created by AdwCleaner:

The findings in the Folders and Registry parts of the log are adware and PUPs, which stands for Potentially Unwanted Programs. In the instructions below, I will list them all to be removed.

The section at the bottom under Preinstalled Software is software that was apparently installed when the device was new, which you may or may not use. Personally, I keep only the programs I need/use in my computer and uninstall everything else. But it is your computer, so your decision.

To proceed, please do the following:

  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

 

2. ESET Online Scanner

Download ESET Online Scanner and save it to your desktop.

  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

 

3. Fresh FRST logs

  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
(To attach the files, click on the More Reply Options at the bottom right of the reply area, and then choose Attach File)
 
 
In your next reply, please post:
  1. The screenshot
  2. The Malwarebytes report
  3. The AdwCleaner[C0*].txt
  4. The Eset.txt
  5. The fresh FRST logs, Addition and FRST

  • 0
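The reading of the AdwCleaner log given in the post above (Folders and Registry findings are PUPs to quarantine, Preinstalled Software is the owner's call) can be reproduced with a small parser. This is an added example, not part of the original post and not Malwarebytes code; the function names and the two bucket labels are assumptions. It also groups the six registry detections by ZoneMap domain, which shows they are two leftover entries repeated across three registry hives.

```python
import re
from collections import defaultdict

# Findings copied from the AdwCleaner scan log posted in this thread;
# banner lines and most of the empty sections are trimmed.
SAMPLE_LOG = r"""# Mode: Scan
# Detected: 13
***** [ Services ] *****
No malicious services found.
***** [ Folders ] *****
PUP.Optional.AdvancedSystemCare C:\ProgramData\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare C:\Users\User\AppData\Roaming\IObit\Advanced SystemCare
***** [ Registry ] *****
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy             HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com
***** [ Preinstalled Software ] *****
Preinstalled.LenovoIMController   Folder   C:\ProgramData\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Folder   C:\Users\User\AppData\Local\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Folder   C:\Windows\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Folder   C:\Windows\System32\Tasks\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\Lenovo Dependency Package_is1
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
HEADER_RE = re.compile(r"^# (\w+):\s+(.*)$")
ZONEMAP_RE = re.compile(r"^(.*?)\\Software\\.*\\zonemap\\domains\\(.+)$", re.I)


def parse_adwcleaner(text):
    """Return (header dict, list of findings) from an AdwCleaner scan log."""
    header, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#####"):
            continue  # blank line or EOF marker
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("#"):
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2)
            continue
        if section is None or line.startswith("No malicious"):
            continue
        # Preinstalled rows carry an extra "Folder"/"Registry" column.
        want = 3 if section == "Preinstalled Software" else 2
        parts = line.split(None, want - 1)
        if len(parts) != want:
            continue  # not a finding line
        kind = parts[1] if want == 3 else section
        findings.append({"section": section, "family": parts[0],
                         "kind": kind, "target": parts[-1]})
    return header, findings


def triage(findings):
    """Split findings the way the post does: PUPs vs. preinstalled software."""
    plan = {"quarantine": [], "owner_decides": []}
    for f in findings:
        key = "owner_decides" if f["section"] == "Preinstalled Software" else "quarantine"
        plan[key].append(f)
    return plan


def zonemap_domains(findings):
    """Map each ZoneMap domain to the registry hives it was found under."""
    hives = defaultdict(list)
    for f in findings:
        m = ZONEMAP_RE.match(f["target"])
        if m:
            hives[m.group(2)].append(m.group(1))
    return dict(hives)


if __name__ == "__main__":
    header, findings = parse_adwcleaner(SAMPLE_LOG)
    plan = triage(findings)
    print("header says", header["Detected"], "- parsed", len(findings))
    print({k: len(v) for k, v in plan.items()}, zonemap_domains(findings))
```

Comparing the parsed count with the `# Detected:` header is a quick way to confirm that a log pasted into a forum post was not truncated.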

#15
Keyboardclick

Keyboardclick

    Member

  • Topic Starter
  • Member
  • PipPip
  • 47 posts

Thanks. I am working on scanning and collecting logs on her computer.

 

Can you tell me how to disable the live protection with Spybot? I looked through the settings, and can't figure it out. I didn't realize it was on. I have the screen shots ready on Mom's laptop, so I will include them in the next post with the logs. Thanks again.


  • 0





