
Virus on laptop - pop up screen and audio message [Solved]

Virus lock screen talking message

This topic is locked

#1 bjorkstrait (New Member, 9 posts)

Hey guys,

I returned from work to my mother frantically asking me to fix her laptop. I'm not sure if she downloaded something, or what she did, but the screen had locked with an open message about some virus infection and there was an audible message about her IP being used for nefarious purposes or something.

I pressed Ctrl-Alt-Del and closed down whatever program was open. Then I downloaded MBAM and ran that - it removed 5 pieces of malware (report listed below).

I then ran a Windows Defender check, but it found nothing.

If you could help, that'd be greatly appreciated.

Thanks in advance

------ MBAM report listed -----

 

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 28/06/2022
Scan Time: 17:10
Log File: c393f198-f6fc-11ec-aaf6-646c80a21792.json
 
-Software Information-
Version: 4.5.10.200
Components Version: 1.0.1702
Update Package Version: 1.0.56537
Licence: Trial
 
-System Information-
OS: Windows 11 (Build 22000.739)
CPU: x64
File System: NTFS
User: LAPTOP-21SARBCO\ruthc
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 280655
Threats Detected: 5
Threats Quarantined: 0
Time Elapsed: 3 min, 6 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 5
PUP.Optional.DriverReviver, C:\USERS\RUTHC\DOWNLOADS\DRIVERREVIVERSETUP_PPC4.EXE, No Action By User, 4021, 462815, 1.0.56537, , ame, , 21F2A5C5C23D7C559235A364C9C756BC, 1FF8F669041F2551FB357795CB2B00B916D4D5816AAB19F6DE344CA02C479ECA
PUP.Optional.DriverReviver, C:\USERS\RUTHC\DOWNLOADS\DRIVERREVIVERSETUP_PPC4 (2).EXE, No Action By User, 4021, 462815, 1.0.56537, , ame, , C6B26902500449B19F7B56852DFFC148, B4412A873B816F9E8C9DC89FD7BBCF52F78B53478295B3F0651465135ACD231B
PUP.Optional.DriverReviver, C:\USERS\RUTHC\DOWNLOADS\DRIVERREVIVERSETUP_PPC4 (3).EXE, No Action By User, 4021, 462815, 1.0.56537, , ame, , C6B26902500449B19F7B56852DFFC148, B4412A873B816F9E8C9DC89FD7BBCF52F78B53478295B3F0651465135ACD231B
PUP.Optional.DriverReviver, C:\USERS\RUTHC\DOWNLOADS\DRIVERREVIVERSETUP_PPC4 (1).EXE, No Action By User, 4021, 462815, 1.0.56537, , ame, , C6B26902500449B19F7B56852DFFC148, B4412A873B816F9E8C9DC89FD7BBCF52F78B53478295B3F0651465135ACD231B
PUP.Optional.WinZipDriverUpdater, C:\USERS\RUTHC\DOWNLOADS\WZDU53.EXE, No Action By User, 1732, 484645, 1.0.56537, , ame, , C629D2EA3096BDA8991F4EDA48358F55, 50E5E5ECDA4467B0AF8B1F5597AF8E1B2121489DB633EA081F1A94A5483E949A
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)
 
----------
 
---------- FRST ----------
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 24-06-2022 01
Ran by ruthc (administrator) on LAPTOP-21SARBCO (HP HP Laptop 14s-fq0xxx) (28-06-2022 17:20:21)
Running from C:\Users\ruthc\OneDrive\Desktop
Loaded Profiles: ruthc
Platform: Microsoft Windows 11 Home Version 21H2 22000.739 (X64) Language: English (United Kingdom)
Default browser: Edge
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe ->) (HP Inc.) C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\win32\HPAudioSwitch.exe
(C:\Program Files\WindowsApps\MicrosoftTeams_22147.303.1400.1220_x64__8wekyb3d8bbwe\msteams.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.37\msedgewebview2.exe <12>
(DriverStore\FileRepository\u0375335.inf_amd64_7de275617d9da25a\B374868\atiesrxx.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0375335.inf_amd64_7de275617d9da25a\B374868\atieclxx.exe
(explorer.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2204.12.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
(HP Inc.) C:\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.2.15.0_x64__v10z8vjag6ke6\SystemEventUtility\HPSystemEventUtilityHost.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe <11>
(services.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0375335.inf_amd64_7de275617d9da25a\B374868\atiesrxx.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Program Files\HPCommRecovery\HPCommRecovery.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpanalyticscomp.inf_amd64_a6e24179070178de\x64\TouchpointAnalyticsClientService.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\AppHelperCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\DiagsCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\NetworkCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\SysInfoCap.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Windows Hardware Compatibility Publisher -> Advanced Micro Devices, Inc.) C:\Windows\System32\amdfendrsr.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor Corp.) C:\Windows\RtkBtManServ.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_19d333f59f2c41d3\RtkAudUService64.exe <3>
(services.exe ->) (Sound Research Corporation -> Sound Research, Corp.) C:\Windows\System32\SECOMN64.exe
(services.exe ->) (Synaptics Incorporated -> Synaptics Incorporated) C:\Windows\System32\SynTPEnhService.exe
(sihost.exe ->) (HP Inc.) C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe
(svchost.exe ->) (HP Inc. -> HP Inc.) C:\Program Files (x86)\HP\HPAudioSwitch\HPAudioSwitch.exe
(svchost.exe ->) (HP Inc.) C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\HP.MyHP.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Users\ruthc\AppData\Local\Microsoft\OneDrive\22.121.0605.0002\FileCoAuth.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_4.2204.13303.0_x64__8wekyb3d8bbwe\Cortana.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2204.6.0_x64__8wekyb3d8bbwe\ScreenSketch.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe\HxOutlook.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe\HxTsr.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <3>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\UUS\amd64\MoUsoCoreWorker.exe
(svchost.exe ->) (Microsoft Windows) C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20070.425.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe
(SynTPEnhService.exe ->) (Synaptics Incorporated -> Synaptics Incorporated) C:\Windows\System32\SynTPEnh.exe
 
==================== Registry (Whitelisted) ===================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtkAudUService] => C:\WINDOWS\System32\DriverStore\FileRepository\realtekservice.inf_amd64_19d333f59f2c41d3\RtkAudUService64.exe [3496544 2022-03-13] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKU\S-1-5-19\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [525312 2022-01-22] (HP Inc.) [File not signed]
HKU\S-1-5-20\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [525312 2022-01-22] (HP Inc.) [File not signed]
HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\Run: [HPSEU_Host_Launcher] => C:\System.sav\util\HPSEU\HpseuHostLauncher.exe [525312 2022-01-22] (HP Inc.) [File not signed]
HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\Run: [MicrosoftEdgeAutoLaunch_68EB7EF85583FD10115C5F979EE00ED2] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [3601824 2022-06-22] (Microsoft Corporation -> Microsoft Corporation)
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2022-06-28]
ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)
 
==================== Scheduled Tasks (Whitelisted) ============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0062E574-4BF0-4B80-AC82-A259DB1702ED} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\HP\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [1148048 2022-05-31] (HP Inc. -> HP Inc.)
Task: {47A77A86-5C9B-4DAF-9CDD-00A48A4D44A8} - System32\Tasks\HPAudioSwitch => C:\Program Files (x86)\HP\HPAudioSwitch\HPAudioSwitch.exe [1644472 2019-06-21] (HP Inc. -> HP Inc.)
Task: {4FFC1F2C-F5B0-49A5-BA65-FFDA4562F4F3} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [67472 2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Task: {6A8DF0F6-8B6C-4EE5-89A0-0B3C3FC76117} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23246768 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {7A94A5B2-DDE6-4227-A62E-01F544467742} - System32\Tasks\HP\Consent Manager Launcher => sc start hptouchpointanalyticsservice
Task: {A68DA446-CA5B-4443-83DF-F93B94B65A8C} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [144800 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {A8D38D39-E5FF-4D00-ABC5-9213B3E7AE87} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\HP\HP Support Framework\Resources\HPSFReport.exe [138328 2022-05-31] (HP Inc. -> HP Inc.)
Task: {ADA2D89B-F91C-4787-8638-4C0221621717} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\HP\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [1148048 2022-05-31] (HP Inc. -> HP Inc.)
Task: {C6CE3521-4F58-4D16-AF7F-241648221132} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23246768 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {CA86C737-2081-46F5-9555-96FF9A0F3146} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Update Notice => C:\Program Files (x86)\HP\HP Support Framework\Resources\BingPopup\BingPopup.exe [411280 2022-05-31] (HP Inc. -> HP Inc.)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => C:\WINDOWS\System32\MbaeParserTask.exe (No File)
Task: {D05E31D8-1103-4DFE-B292-BF4AB436C182} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [144800 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{4b3be7a7-0662-4492-af97-061a88061663}: [DhcpNameServer] 192.168.1.254
 
Edge: 
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\ruthc\AppData\Local\Microsoft\Edge\User Data\Default [2022-06-28]
Edge DefaultSearchURL: Default -> hxxps://find.searchtoolshub.com?a811fc667f160ba97f5770beaa1eec28=H1xAXFNGX1xZVlQNEQQwBw9cQ1pRR1heXVRKXFVCWltcVFQJDB0LU1pWSi4nNikoW1FKWlEyX19bUEJcPkRfXls%252BQlxRRDBeW1FCM1k3Kl00WTdcVStfXypQLSlVNVtAXVVEL1lELlxaVkte&q={searchTerms}
Edge DefaultSearchKeyword: Default -> find.searchtoolshub.com
Edge DefaultSuggestURL: Default -> hxxps://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02
 
FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2022-04-01] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2022-03-05] (Microsoft Corporation -> Microsoft Corporation)
 
==================== Services (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 0004051656432248mcinstcleanup; C:\ProgramData\McInstTemp0004051656432248\McInst.exe [913112 2022-02-18] (McAfee, LLC -> McAfee, LLC)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [11988384 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
R2 HP Comm Recover; C:\Program Files\HPCommRecovery\HPCommRecovery.exe [905080 2020-03-18] (HP Inc. -> HP Inc.)
R2 HPAppHelperCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\AppHelperCap.exe [764448 2022-03-30] (HP Inc. -> HP Inc.)
R2 HPDiagsCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\DiagsCap.exe [763480 2022-03-30] (HP Inc. -> HP Inc.)
R2 HPNetworkCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\NetworkCap.exe [759336 2022-03-30] (HP Inc. -> HP Inc.)
R2 HPSysInfoCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\SysInfoCap.exe [762904 2022-03-30] (HP Inc. -> HP Inc.)
R2 HpTouchpointAnalyticsService; C:\WINDOWS\System32\DriverStore\FileRepository\hpanalyticscomp.inf_amd64_a6e24179070178de\x64\TouchpointAnalyticsClientService.exe [497328 2022-03-30] (HP Inc. -> HP Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [8677120 2022-06-28] (Malwarebytes Inc. -> Malwarebytes)
S3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\NisSrv.exe [3120992 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe [133544 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
S3 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S2 mfemms; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S3 mfevtp; no ImagePath
 
===================== Drivers (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AMDAfdAudioService; C:\WINDOWS\System32\DriverStore\FileRepository\amdacpafd.inf_amd64_4f059863a425c74d\amdacpafd.sys [356328 2021-12-28] (Advanced Micro Devices Inc. -> Advanced Micro Devices)
R3 amdwddmg; C:\WINDOWS\System32\DriverStore\FileRepository\u0375335.inf_amd64_7de275617d9da25a\B374868\amdkmdag.sys [80558960 2022-01-02] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
S3 AmUStor; C:\WINDOWS\system32\drivers\AmUStorU.sys [135296 2020-09-17] (Alcorlink Corp. -> )
S3 BthA2dp; C:\WINDOWS\System32\drivers\BthA2dp.sys [507904 2022-01-22] (Microsoft Corporation) [File not signed]
S3 BthHFEnum; C:\WINDOWS\System32\drivers\bthhfenum.sys [180224 2022-01-22] (Microsoft Corporation) [File not signed]
S3 BTHMODEM; C:\WINDOWS\System32\drivers\bthmodem.sys [98304 2021-06-05] (Microsoft Corporation) [File not signed]
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [158640 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 HPCustomCapDriver; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapdriver.inf_amd64_a955fa431e522f5e\x64\hpcustomcapdriver.sys [25592 2021-09-16] (HP Inc. -> HP Inc.)
S3 Hsp; C:\WINDOWS\System32\drivers\Hsp.sys [111960 2022-05-11] (Microsoft Windows -> Microsoft Corporation)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [223176 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\WINDOWS\System32\DRIVERS\MbamElam.sys [21480 2022-06-28] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\System32\DRIVERS\farflt.sys [192960 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [74680 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [239544 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [181992 2022-06-28] (Malwarebytes Inc. -> Malwarebytes)
S3 WdBoot; C:\WINDOWS\system32\drivers\wd\WdBoot.sys [49576 2022-06-21] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\wd\WdFilter.sys [452856 2022-06-21] (Microsoft Windows -> Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [91384 2022-06-21] (Microsoft Windows -> Microsoft Corporation)
R3 WirelessButtonDriver64; C:\WINDOWS\System32\drivers\WirelessButtonDriver64.sys [37280 2021-11-23] (HP Inc. -> HP)
S0 cfwids; system32\drivers\cfwids.sys [X]
R0 mfeaack; system32\drivers\mfeaack.sys [X]
R0 mfeavfk; system32\drivers\mfeavfk.sys [X]
S0 mfeelamk; system32\drivers\mfeelamk.sys [X]
S0 mfefirek; system32\drivers\mfefirek.sys [X]
R0 mfehidk; system32\drivers\mfehidk.sys [X]
R0 mfeplk; system32\drivers\mfeplk.sys [X]
R0 mfewfpk; system32\drivers\mfewfpk.sys [X]
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One month (created) (Whitelisted) =========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2022-06-28 17:19 - 2022-06-28 17:20 - 000000000 ____D C:\FRST
2022-06-28 17:10 - 2022-06-28 17:10 - 000074680 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000239544 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000223176 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000192960 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000181992 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000158640 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000021480 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamElam.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000002040 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2022-06-28 17:09 - 2022-06-28 17:09 - 000002028 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2022-06-28 17:09 - 2022-06-28 17:09 - 000000000 ____D C:\Users\ruthc\AppData\Local\mbam
2022-06-28 17:08 - 2022-06-28 17:08 - 000000000 ____D C:\ProgramData\Malwarebytes
2022-06-28 17:08 - 2022-06-28 17:08 - 000000000 ____D C:\Program Files\Malwarebytes
2022-06-28 17:05 - 2020-07-10 20:46 - 000708400 _____ (gamigo, Inc.) C:\ProgramData\uninstall314673.exe
2022-06-28 17:04 - 2022-06-28 17:04 - 000000000 ____D C:\ProgramData\McInstTemp0004051656432248
2022-06-28 10:59 - 2022-06-28 10:59 - 000519653 _____ C:\Users\ruthc\Downloads\RC ATR June 2022.pdf
2022-06-28 10:59 - 2022-06-28 10:59 - 000412370 _____ C:\Users\ruthc\Downloads\RC Agenda Conference Call Review Meeting 2022.pdf
2022-06-26 22:16 - 2022-06-27 18:53 - 000021596 _____ C:\Users\ruthc\OneDrive\Documents\Dissapearing pinwheel quilt..odt
2022-06-26 21:36 - 2022-06-26 21:36 - 000001128 _____ C:\Users\Public\Desktop\OpenOffice 4.1.12.lnk
2022-06-26 21:36 - 2022-06-26 21:36 - 000000000 ___SD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice 4.1.12
2022-06-26 21:25 - 2022-06-26 21:35 - 135098488 _____ (Apache Software Foundation) C:\Users\ruthc\Downloads\Apache_OpenOffice_4.1.12_Win_x86_install_en-GB.exe
2022-06-17 17:37 - 2022-06-17 17:37 - 000000000 _____ C:\Users\ruthc\OneDrive\Documents\quilt label.txt
2022-06-16 16:15 - 2022-06-16 16:54 - 000022020 _____ C:\Users\ruthc\OneDrive\Documents\quilt label modern.odt
2022-06-16 15:07 - 2022-06-16 15:07 - 000000000 ____D C:\Users\ruthc\OneDrive\Documents\New folder
2022-06-15 18:55 - 2022-06-15 18:55 - 000614400 _____ C:\WINDOWS\system32\TextInputMethodFormatter.dll
2022-06-15 18:55 - 2022-06-15 18:55 - 000557056 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhotoScreensaver.scr
2022-06-15 18:55 - 2022-06-15 18:55 - 000485376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PhotoScreensaver.scr
2022-06-15 18:55 - 2022-06-15 18:55 - 000299008 _____ C:\WINDOWS\system32\EsclScan.dll
2022-06-15 18:55 - 2022-06-15 18:55 - 000180224 _____ C:\WINDOWS\system32\EsclProtocol.dll
2022-06-15 18:55 - 2022-06-15 18:55 - 000015042 _____ C:\WINDOWS\system32\DrtmAuthTxt.wim
2022-06-15 18:54 - 2022-06-15 18:54 - 000335872 _____ C:\WINDOWS\system32\Windows.Management.InprocObjects.dll
2022-06-15 18:51 - 2022-06-15 18:51 - 000000000 ___HD C:\$WinREAgent
2022-06-13 11:56 - 2022-06-13 11:56 - 000699617 _____ C:\Users\ruthc\Downloads\the-festival-of-quilts-hall-9-entry-tickets-80094792.pdf
 
==================== One month (modified) ==================
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2022-06-28 17:10 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SystemTemp
2022-06-28 17:09 - 2022-01-18 18:51 - 000000000 ____D C:\Users\ruthc\AppData\Local\D3DSCache
2022-06-28 17:09 - 2021-06-05 13:10 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2022-06-28 17:06 - 2022-01-18 18:50 - 000000000 ____D C:\Users\ruthc\AppData\Local\Packages
2022-06-28 17:06 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\AppReadiness
2022-06-28 17:06 - 2021-03-13 20:28 - 000000000 ____D C:\ProgramData\Packages
2022-06-28 17:05 - 2021-06-05 13:10 - 000000000 ___HD C:\Program Files\WindowsApps
2022-06-28 17:05 - 2021-03-13 20:36 - 000000000 ____D C:\ProgramData\McAfee
2022-06-28 17:05 - 2021-03-13 20:33 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WildTangent Games
2022-06-28 17:04 - 2021-06-05 13:09 - 000000000 ____D C:\WINDOWS\INF
2022-06-28 17:04 - 2021-06-05 13:01 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2022-06-28 17:04 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files\Common Files\McAfee
2022-06-28 17:03 - 2021-03-13 20:34 - 000000000 ____D C:\Program Files (x86)\ExpressVPN
2022-06-28 17:02 - 2021-06-05 13:10 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2022-06-28 16:49 - 2022-01-18 18:52 - 000000000 ____D C:\Users\ruthc\AppData\Local\PlaceholderTileLogoFolder
2022-06-28 16:48 - 2022-01-22 22:21 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2022-06-28 14:27 - 2022-01-18 18:52 - 000000000 ___RD C:\Users\ruthc\OneDrive
2022-06-27 21:26 - 2022-01-22 22:26 - 000003588 _____ C:\WINDOWS\system32\Tasks\OneDrive Reporting Task-S-1-5-21-2388426293-319619428-3289471441-1001
2022-06-27 21:26 - 2022-01-22 22:26 - 000003378 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2388426293-319619428-3289471441-1001
2022-06-27 21:26 - 2022-01-18 18:46 - 000002386 _____ C:\Users\ruthc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2022-06-27 21:23 - 2021-06-05 13:01 - 000000000 ____D C:\WINDOWS\CbsTemp
2022-06-26 21:36 - 2022-01-22 14:44 - 000000000 ____D C:\Program Files (x86)\OpenOffice 4
2022-06-25 13:09 - 2020-11-20 06:48 - 000002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2022-06-25 13:09 - 2020-11-20 06:48 - 000002283 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2022-06-21 10:41 - 2020-05-06 09:58 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2022-06-21 10:31 - 2022-01-22 22:26 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2022-06-21 10:31 - 2020-05-06 09:58 - 000012288 ___SH C:\DumpStack.log.tmp
2022-06-20 18:50 - 2022-01-22 21:01 - 000000000 ____D C:\Users\ruthc
2022-06-18 17:51 - 2020-11-20 06:58 - 000000000 ____D C:\Program Files\Microsoft Office
2022-06-17 20:02 - 2022-01-22 22:26 - 000854410 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2022-06-17 17:47 - 2021-06-05 13:01 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2022-06-17 16:58 - 2022-01-22 13:45 - 000000000 ____D C:\WINDOWS\system32\MRT
2022-06-17 16:57 - 2022-01-22 13:45 - 145918784 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2022-06-15 22:02 - 2022-01-22 22:21 - 000620968 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2022-06-15 22:02 - 2021-06-05 18:17 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2022-06-15 22:02 - 2021-06-05 18:17 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ___SD C:\WINDOWS\SysWOW64\F12
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ___SD C:\WINDOWS\system32\F12
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\vi-VN
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\oobe
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\lv-LV
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\lt-LT
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\id-ID
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\gl-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\eu-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\et-EE
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\es-MX
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\ca-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SystemResources
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\vi-VN
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\oobe
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\lv-LV
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\lt-LT
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\id-ID
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\gl-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\eu-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\et-EE
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\es-MX
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\Dism
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\DDFs
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\ca-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\appraiser
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\ShellExperiences
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\ShellComponents
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\bcastdvr
2022-06-15 22:02 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files (x86)\McAfee
2022-06-15 18:54 - 2022-01-22 22:26 - 003101184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2022-06-15 10:14 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\SecurityHealth
2022-06-11 19:56 - 2022-01-26 15:57 - 000003442 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore1d80fd6690b9a31
2022-06-11 19:56 - 2022-01-22 22:26 - 000003536 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2022-06-07 13:59 - 2022-01-22 22:26 - 000000000 ____D C:\WINDOWS\system32\Tasks\Hewlett-Packard
 
==================== Files in the root of some directories ========
 
2022-06-28 17:05 - 2020-07-10 20:46 - 000708400 _____ (gamigo, Inc.) C:\ProgramData\uninstall314673.exe
 
==================== SigCheck ============================
 
(There is no automatic fix for files that do not pass verification.)
 
==================== End of FRST.txt ========================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-06-2022 01
Ran by ruthc (28-06-2022 17:21:18)
Running from C:\Users\ruthc\OneDrive\Desktop
Microsoft Windows 11 Home Version 21H2 22000.739 (X64) (2022-01-22 21:37:02)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
 
(If an entry is included in the fixlist, it will be removed.)
 
Administrator (S-1-5-21-2388426293-319619428-3289471441-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2388426293-319619428-3289471441-503 - Limited - Disabled)
Guest (S-1-5-21-2388426293-319619428-3289471441-501 - Limited - Disabled)
ruthc (S-1-5-21-2388426293-319619428-3289471441-1001 - Administrator - Enabled) => C:\Users\ruthc
WDAGUtilityAccount (S-1-5-21-2388426293-319619428-3289471441-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
HP Audio Switch (HKLM-x32\...\{3A5141D4-47DB-4302-9B1C-272BE585BC8A}) (Version: 1.0.179.0 - HP Inc.)
HP Connection Optimizer (HKLM-x32\...\{6468C4A5-E47E-405F-B675-A70A70983EA6}) (Version: 2.0.17.0 - HP Inc.)
HP Documentation (HKLM\...\HP_Documentation) (Version: 1.0.0.1 - HP Inc.)
Malwarebytes version 4.5.10.200 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.10.200 - Malwarebytes)
Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.15225.20288 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 103.0.1264.37 - Microsoft Corporation)
Microsoft Edge WebView2 Runtime (HKLM-x32\...\Microsoft EdgeWebView) (Version: 103.0.1264.37 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\OneDriveSetup.exe) (Version: 22.121.0605.0002 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{6A2A8076-135F-4F55-BB02-DED67C8C6934}) (Version: 4.67.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15225.20150 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.15225.20288 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.13127.20616 - Microsoft Corporation) Hidden
OpenOffice 4.1.12 (HKLM-x32\...\{E9F3BF94-AA18-42B6-8B6D-245BBF585C8C}) (Version: 4.112.9809 - Apache Software Foundation)
PDFHub (HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\PDFHub) (Version: 1.0 - PDFHub)
Windows PC Health Check (HKLM\...\{B1E7D0FD-7CFE-4E0C-A5DA-0F676499DB91}) (Version: 3.2.2110.14001 - Microsoft Corporation)
Zoom (HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\ZoomUMX) (Version: 5.10.4 (5035) - Zoom Video Communications, Inc.)
 
Packages:
=========
Amazon -> C:\Program Files\WindowsApps\Amazon.com.Amazon_2018.519.2815.0_x64__343d40qqvtj1t [2021-03-13] (Amazon.com)
AMD Radeon Software -> C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.21.10043.0_x64__0a9344xs7nr4m [2022-04-12] (Advanced Micro Devices Inc.) [Startup Task]
AV1 Video Extension -> C:\Program Files\WindowsApps\Microsoft.AV1VideoExtension_1.1.51091.0_x64__8wekyb3d8bbwe [2022-05-15] (Microsoft Corporation)
Dropbox promotion -> C:\Program Files\WindowsApps\C27EB4BA.DropboxOEM_20.4.8.0_x64__xbfy0k16fey96 [2022-05-01] (Dropbox Inc.)
Energy Star -> C:\Program Files\WindowsApps\AD2F1837.HPInc.EnergyStar_1.2.0.0_x64__v10z8vjag6ke6 [2021-03-13] (HP Inc.)
HP Audio Center -> C:\Program Files\WindowsApps\AD2F1837.HPAudioCenter_1.29.257.0_x64__v10z8vjag6ke6 [2022-04-07] (HP Inc.)
HP PC Hardware Diagnostics Windows -> C:\Program Files\WindowsApps\AD2F1837.HPPCHardwareDiagnosticsWindows_1.8.1.0_x64__v10z8vjag6ke6 [2022-03-11] (HP Inc.)
HP Privacy Settings -> C:\Program Files\WindowsApps\AD2F1837.HPPrivacySettings_1.0.42.0_x64__v10z8vjag6ke6 [2022-01-22] (HP Inc.)
HP QuickDrop -> C:\Program Files\WindowsApps\AD2F1837.HPQuickDrop_2.5.9180.0_x64__v10z8vjag6ke6 [2022-03-03] (HP Inc.)
HP Smart -> C:\Program Files\WindowsApps\AD2F1837.HPPrinterControl_136.1.269.0_x64__v10z8vjag6ke6 [2022-05-01] (HP Inc.)
HP Support Assistant -> C:\Program Files\WindowsApps\AD2F1837.HPSupportAssistant_9.17.31.0_x64__v10z8vjag6ke6 [2022-06-07] (HP Inc.)
HP System Event Utility -> C:\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.2.15.0_x64__v10z8vjag6ke6 [2022-01-22] (HP Inc.)
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2022-01-22] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2022-01-22] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.13.5310.0_x64__8wekyb3d8bbwe [2022-06-07] (Microsoft Studios) [MS Ad]
Microsoft To Do -> C:\Program Files\WindowsApps\Microsoft.Todos_2.72.51601.0_x64__8wekyb3d8bbwe [2022-06-10] (Microsoft Corporation) [Startup Task]
Microsoft Whiteboard -> C:\Program Files\WindowsApps\Microsoft.Whiteboard_52.10615.423.0_x64__8wekyb3d8bbwe [2022-06-20] (Microsoft Corporation)
myHP -> C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6 [2022-06-16] (HP Inc.) [Startup Task]
Netflix -> C:\Program Files\WindowsApps\4DF9E0F8.Netflix_6.98.1805.0_x64__mcm4njqhnhss8 [2022-02-18] (Netflix, Inc.)
Simple Solitaire -> C:\Program Files\WindowsApps\26720RandomSaladGamesLLC.SimpleSolitaire_7.4.4.0_x64__kx24dqmazqk8j [2022-01-22] (Random Salad Games LLC)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0 [2022-06-26] (Spotify AB) [Startup Task]
 
==================== Custom CLSID (Whitelisted): ==============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-06-28] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\WINDOWS\System32\atiacm64.dll [2022-01-02] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-06-28] (Malwarebytes Inc. -> Malwarebytes)
 
==================== Codecs (Whitelisted) ====================
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk -> C:\Program Files (x86)\Online Services\Adobe\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?type=103&RedeemCode=LjWFD%2b2MAOBBaqAih8mLzO8xHawRDaYYznH5kKyccbyakTJhU3tBPfVk0KfEMKJV6vhvt1OQWppMchnU4OUWQGlHvMS8RtgesPgRYJYxEqmYdNBO6ijyegCjMgIxnrNhjc4PeNUzIDuHGSrKM0FWLEKY4JxsToehDIE7NCgUW7w%3d
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk -> C:\Program Files (x86)\Online Services\LastPass\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?bd=lastpass&c=*&locale=*&pf=*&s=*&tp=edge
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk -> C:\Program Files (x86)\Online Services\Utomik\WizLink.exe () -> hxxps://www.utomik.com/hp_desktop
 
==================== Loaded Modules (Whitelisted) =============
 
2022-06-20 20:28 - 2022-06-20 20:28 - 000138240 _____ () [File not signed] C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\Interop.IWs06dcaa36#\4a3769626565d5b38994a350ecd077f7\Interop.IWshRuntimeLibrary.ni.dll
2022-04-06 08:20 - 2022-04-06 08:20 - 000598016 _____ (Apache Software Foundation) [File not signed] C:\Program Files (x86)\OpenOffice 4\program\shlxthdl\ooofilt_x64.dll
2022-04-06 08:20 - 2022-04-06 08:20 - 000555520 _____ (Apache Software Foundation) [File not signed] C:\Program Files (x86)\OpenOffice 4\program\shlxthdl\propertyhdl_x64.dll
2022-06-20 20:27 - 2022-06-20 20:27 - 000134656 _____ (hardcodet.net) [File not signed] C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\Hardcodet.W6cab32f3#\048cc93f8fbad6787c3b146860a63190\Hardcodet.Wpf.TaskbarNotification.ni.dll
2021-03-13 20:34 - 2021-03-13 20:34 - 000014336 _____ (HP Inc.) [File not signed] C:\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.2.15.0_x64__v10z8vjag6ke6\SystemEventUtility\NativeRpcClient.DLL
2022-06-20 20:28 - 2022-06-20 20:28 - 001701888 _____ (Mark Heath & Contributors) [File not signed] C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\NAudio\89989f0af086613020f5536a81d2cb29\NAudio.ni.dll
2020-11-20 06:58 - 2020-11-20 06:58 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppvIsvSubsystems64.dll] C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll
2020-11-20 06:58 - 2020-11-20 06:58 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll] C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll
2022-06-20 20:28 - 2022-06-20 20:28 - 003060736 _____ (Newtonsoft) [File not signed] C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\Newtonsoft.Json\10ca0de79d4d77d8d4605c4008e737d0\Newtonsoft.Json.ni.dll
2022-06-20 20:27 - 2022-06-20 20:27 - 000793088 _____ (The Apache Software Foundation) [File not signed] C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\log4net\6624297264fd20d5b7f17b66820eb3dc\log4net.ni.dll
 
==================== Alternate Data Streams (Whitelisted) ========
 
==================== Safe Mode (Whitelisted) ==================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) =================
 
==================== Internet Explorer (Whitelisted) ==========
 
SearchScopes: HKLM -> {C66264D2-B2B4-4FD3-9F81-08AE876DAF91} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk1-vsb-21&link%5FcPortugueseode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {C66264D2-B2B4-4FD3-9F81-08AE876DAF91} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk1-vsb-21&link%5FcPortugueseode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2388426293-319619428-3289471441-1001 -> {C66264D2-B2B4-4FD3-9F81-08AE876DAF91} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk1-vsb-21&link%5FcPortugueseode=qs&index=aps&field-keywords={searchTerms}
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\HP\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2022-05-31] (HP Inc. -> HP Inc.)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2022-03-05] (Microsoft Corporation -> Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\HP\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2022-05-31] (HP Inc. -> HP Inc.)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
 
==================== Hosts content: =========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2019-12-07 10:14 - 2019-12-07 10:12 - 000000824 _____ C:\WINDOWS\system32\drivers\etc\hosts
 
==================== Other Areas ===========================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2388426293-319619428-3289471441-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\web\wallpaper\HP Backgrounds\backgroundDefault.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(If an entry is included in the fixlist, it will be removed.)
 
HKLM\...\StartupApproved\Run32: => "ExpressVPNNotificationService"
 
==================== FirewallRules (Whitelisted) ================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{CBDA2712-2D53-41A5-8E6F-C178112146CE}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{031D6228-CC2C-4BDE-B79C-5DDEACDF2E27}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{44D2E955-6EF4-464E-B8FE-FE04D1BD972E}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{A4F934F8-F34D-4E99-87A2-DB1045A72386}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{6AB9BB49-8B29-4217-BDC7-506755A45179}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9EFF8B6E-1D2F-4D51-AB75-1DFEB19E60AD}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{0EA2BD7E-FB0A-4078-9BA8-1AA649A1F6EC}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{D8A80CCF-ACD8-4385-A1BB-A14DE599B2CF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{AB0882FA-4811-4E92-B2BB-E7C7F011E918}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{6BE04408-8A26-4141-9576-1222EBF15C24}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22147.303.1400.1220_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{A5B6B941-E2CD-46CA-9434-A2B08AB5879E}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22147.303.1400.1220_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{6BDEF23B-4243-46BD-8CBC-41A269882F9E}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{2C0C3475-406B-48A6-B37C-FDFF0C38E0AA}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{D4D59F1E-27CC-4DC9-930C-7A3B88415EAA}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{8A7FB468-918A-4D40-BF21-EA1A43FF17CC}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{38B8FF5F-5171-483F-AA22-D7D252733D7B}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{28ECBF1E-FF6B-4336-8461-1BFF193253C0}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{74D81DC1-52D1-44D4-B4B6-EB2DDA06A49D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{C9717A48-E55C-4DCD-B86D-1123654C0F82}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{4F425F7B-5D1A-4286-8D1B-FDCE4E7358AC}] => (Allow) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.37\msedgewebview2.exe (Microsoft Corporation -> Microsoft Corporation)
 
==================== Restore Points =========================
 
26-06-2022 12:37:14 Scheduled Checkpoint
27-06-2022 21:22:54 Windows Modules Installer
 
==================== Faulty Device Manager Devices ============
 
 
==================== Event log errors: ========================
 
Application errors:
==================
Error: (06/27/2022 06:53:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MiniSearchHost.exe, version: 421.22500.3075.0, time stamp: 0x624de781
Faulting module name: twinapi.appcore.dll, version: 10.0.22000.593, time stamp: 0xa5a9468c
Exception code: 0xc000027b
Fault offset: 0x000000000010a594
Faulting process ID: 0x2cd8
Faulting application start time: 0x01d88a4e2565142a
Faulting application path: C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Faulting module path: C:\Windows\System32\twinapi.appcore.dll
Report ID: 9afd8757-baae-4be6-ac1c-a5a388cd5600
Faulting package full name: MicrosoftWindows.Client.CBS_1000.22000.739.0_x64__cw5n1h2txyewy
Faulting package-relative application ID: MiniSearchUI
 
Error: (06/26/2022 09:22:03 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x305; CorrelationId: {72858CDC-95D7-4F28-BC97-E02B338F7773}
 
Error: (06/26/2022 09:21:15 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x305; CorrelationId: {72858CDC-95D7-4F28-BC97-E02B338F7773}
 
Error: (06/26/2022 06:24:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program HxOutlook.exe version 16.0.14326.20970 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 5b4
 
Start Time: 01d889818260e1f0
 
Termination Time: 4294967295
 
Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe\HxOutlook.exe
 
Report Id: ea9c6e99-8000-4bab-aeb3-4036f26ada6b
 
Faulting package full name: microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe
 
Faulting package-relative application ID: microsoft.windowslive.mail
 
Hang type: Quiesce
 
Error: (06/25/2022 08:48:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MiniSearchHost.exe, version: 421.22500.3075.0, time stamp: 0x624de781
Faulting module name: twinapi.appcore.dll, version: 10.0.22000.593, time stamp: 0xa5a9468c
Exception code: 0xc000027b
Fault offset: 0x000000000010a594
Faulting process ID: 0x1f50
Faulting application start time: 0x01d888cc98d29427
Faulting application path: C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Faulting module path: C:\Windows\System32\twinapi.appcore.dll
Report ID: 199a8373-718d-4e9f-9346-973cf14c0cd7
Faulting package full name: MicrosoftWindows.Client.CBS_1000.22000.739.0_x64__cw5n1h2txyewy
Faulting package-relative application ID: MiniSearchUI
 
Error: (06/24/2022 01:54:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MiniSearchHost.exe, version: 421.22500.3075.0, time stamp: 0x624de781
Faulting module name: twinapi.appcore.dll, version: 10.0.22000.593, time stamp: 0xa5a9468c
Exception code: 0xc000027b
Fault offset: 0x000000000010a594
Faulting process ID: 0x3eac
Faulting application start time: 0x01d887c99993eb10
Faulting application path: C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Faulting module path: C:\Windows\System32\twinapi.appcore.dll
Report ID: 1e3db106-4dcf-4d4c-9c9c-2f5c50486ed9
Faulting package full name: MicrosoftWindows.Client.CBS_1000.22000.739.0_x64__cw5n1h2txyewy
Faulting package-relative application ID: MiniSearchUI
 
Error: (06/23/2022 01:50:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_PrintWorkflowUserSvc, version: 10.0.22000.527, time stamp: 0xe6f2ec65
Faulting module name: combase.dll, version: 10.0.22000.708, time stamp: 0x9e680117
Exception code: 0xc0000602
Fault offset: 0x0000000000034c11
Faulting process ID: 0x97c
Faulting application start time: 0x01d886ff8ac349a4
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\combase.dll
Report ID: 7a839927-5977-4ca8-aa25-95e183e6511e
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (06/20/2022 08:28:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MiniSearchHost.exe, version: 421.22500.3075.0, time stamp: 0x624de781
Faulting module name: twinapi.appcore.dll, version: 10.0.22000.593, time stamp: 0xa5a9468c
Exception code: 0xc000027b
Fault offset: 0x000000000010a594
Faulting process ID: 0x1d00
Faulting application start time: 0x01d884dbe8ec13e3
Faulting application path: C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Faulting module path: C:\Windows\System32\twinapi.appcore.dll
Report ID: 2b37350e-cc16-4bf1-90f4-964b286b0b9f
Faulting package full name: MicrosoftWindows.Client.CBS_1000.22000.739.0_x64__cw5n1h2txyewy
Faulting package-relative application ID: MiniSearchUI
 
 
System errors:
=============
Error: (06/28/2022 02:27:03 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{4B3BE7A7-0662-4492-AF97-061A88061663} because another computer on the network has the same name.  The server could not start.
 
Error: (06/28/2022 02:26:57 PM) (Source: Microsoft-Windows-NDIS) (EventID: 10317) (User: )
Description: Miniport Microsoft Wi-Fi Direct Virtual Adapter #2, {3bca86fa-3f98-4285-8d04-31ddda2dbe69}, had event 74
 
Error: (06/28/2022 10:22:01 AM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{4B3BE7A7-0662-4492-AF97-061A88061663} because another computer on the network has the same name.  The server could not start.
 
Error: (06/28/2022 10:21:57 AM) (Source: Microsoft-Windows-NDIS) (EventID: 10317) (User: )
Description: Miniport Microsoft Wi-Fi Direct Virtual Adapter #2, {3bca86fa-3f98-4285-8d04-31ddda2dbe69}, had event 74
 
Error: (06/27/2022 10:18:19 PM) (Source: disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR8.
 
Error: (06/27/2022 06:48:35 PM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{4B3BE7A7-0662-4492-AF97-061A88061663} because another computer on the network has the same name.  The server could not start.
 
Error: (06/27/2022 10:17:41 AM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{4B3BE7A7-0662-4492-AF97-061A88061663} because another computer on the network has the same name.  The server could not start.
 
Error: (06/27/2022 10:17:34 AM) (Source: Microsoft-Windows-NDIS) (EventID: 10317) (User: )
Description: Miniport Microsoft Wi-Fi Direct Virtual Adapter #2, {3bca86fa-3f98-4285-8d04-31ddda2dbe69}, had event 74
 
 
Windows Defender:
================
Date: 2022-06-28 15:57:40
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-06-26 12:35:09
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-05-30 17:50:22
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-05-25 17:08:32
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-05-23 17:54:37
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

CodeIntegrity:
===============
Date: 2022-06-28 16:52:22
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\McAfee\MfeAV\AMSIExt.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
Date: 2022-06-28 16:51:52
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume3\Program Files\McAfee\MfeAV\AMSIExt.dll that did not meet the Windows signing level requirements.
 
Date: 2022-06-28 10:22:27
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume3\Program Files\McAfee\MfeAV\AMSIExt.dll that did not meet the Windows signing level requirements.
 
 
==================== Memory info =========================== 
 
BIOS: AMI F.51 08/12/2021
Motherboard: HP 87B8
Processor: AMD Ryzen 5 4500U with Radeon Graphics 
Percentage of memory in use: 63%
Total physical RAM: 7541.36 MB
Available physical RAM: 2768.95 MB
Total Virtual: 8757.36 MB
Available Virtual: 2106.59 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:237.62 GB) (Free:182.82 GB) (Model: KBG40ZNV256G KIOXIA) (Protected) NTFS
 
\\?\Volume{210f79fb-6489-44da-b57a-64b6b75c1a33}\ () (Fixed) (Total:0.58 GB) (Free:0.08 GB) NTFS
\\?\Volume{cd011f05-8982-446e-9a35-a06f9cebd46c}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.17 GB) FAT32
 
==================== MBR & Partition Table ====================
 
==========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 436A460F)
 
Partition: GPT.
 
==================== End of Addition.txt =======================

 


#2
DR M

    The Grecian Geek

  • Malware Removal
  • 4,109 posts

Hello!

Welcome to GTG Forums.

I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, keep in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.
 
 
==========================
 
1. Uninstall Online Services

  • Download the Revo Uninstaller (Free Download) and save it on your Desktop.
  • Double click on the exe file created on your Desktop to run the installer, and follow the instructions to install the program.
  • Double click the program's icon to open it.
  • Write in the search area, on the top left, the following program:
Online Services
  • Choose the Uninstall tab from the menu and let the program create a Restore point.
  • Choose Scan, and then the Advanced mode scan.
  • Select all the Online Services items found, Delete and Next.
  • Let the procedure be completed and click on Finish.
  • Restart the computer.

 
2. FRST fix


Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2022-06-28]
ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => C:\WINDOWS\System32\MbaeParserTask.exe (No File)
Edge DefaultSearchURL: Default -> hxxps://find.searchtoolshub.com?a811fc667f160ba97f5770beaa1eec28=H1xAXFNGX1xZVlQNEQQwBw9cQ1pRR1heXVRKXFVCWltcVFQJDB0LU1pWSi4nNikoW1FKWlEyX19bUEJcPkRfXls%252BQlxRRDBeW1FCM1k3Kl00WTdcVStfXypQLSlVNVtAXVVEL1lELlxaVkte&q={searchTerms}
Edge DefaultSearchKeyword: Default -> find.searchtoolshub.com
S2 0004051656432248mcinstcleanup; C:\ProgramData\McInstTemp0004051656432248\McInst.exe [913112 2022-02-18] (McAfee, LLC -> McAfee, LLC)
S3 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S2 mfemms; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S3 mfevtp; no ImagePath
S0 cfwids; system32\drivers\cfwids.sys [X]
R0 mfeaack; system32\drivers\mfeaack.sys [X]
R0 mfeavfk; system32\drivers\mfeavfk.sys [X]
S0 mfeelamk; system32\drivers\mfeelamk.sys [X]
S0 mfefirek; system32\drivers\mfefirek.sys [X]
R0 mfehidk; system32\drivers\mfehidk.sys [X]
R0 mfeplk; system32\drivers\mfeplk.sys [X]
R0 mfewfpk; system32\drivers\mfewfpk.sys [X]
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
2022-06-28 17:05 - 2021-03-13 20:36 - 000000000 ____D C:\ProgramData\McAfee
2022-06-28 17:04 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files\Common Files\McAfee
2022-06-15 22:02 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files (x86)\McAfee
2022-06-28 17:05 - 2020-07-10 20:46 - 000708400 _____ (gamigo, Inc.) C:\ProgramData\uninstall314673.exe
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk -> C:\Program Files (x86)\Online Services\Adobe\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?type=103&RedeemCode=LjWFD%2b2MAOBBaqAih8mLzO8xHawRDaYYznH5kKyccbyakTJhU3tBPfVk0KfEMKJV6vhvt1OQWppMchnU4OUWQGlHvMS8RtgesPgRYJYxEqmYdNBO6ijyegCjMgIxnrNhjc4PeNUzIDuHGSrKM0FWLEKY4JxsToehDIE7NCgUW7w%3d
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk -> C:\Program Files (x86)\Online Services\LastPass\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?bd=lastpass&c=*&locale=*&pf=*&s=*&tp=edge
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk -> C:\Program Files (x86)\Online Services\Utomik\WizLink.exe () -> hxxps://www.utomik.com/hp_desktop 
FirewallRules: [{CBDA2712-2D53-41A5-8E6F-C178112146CE}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{031D6228-CC2C-4BDE-B79C-5DDEACDF2E27}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\airhost.exe => No File
C:\Program Files (x86)\Online Services
C:\ProgramData\McInstTemp0004051656432248\McInst.exe
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

 

3. Run Malwarebytes (Clean mode)

  • Double click the program's icon on your Desktop, as you did before.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is unchecked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

 

4. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

 

In your next reply please post:

  1. If uninstalling Online Services went fine
  2. The fixlog.txt
  3. The Malwarebytes report
  4. The AdwCleaner[S0*].txt

  • 0
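The fix script above is a list of FRST scan entries that the helper picked out by hand: Windows Defender values marked "ATTENTION", an Edge search provider pointing at an unfamiliar host, services whose binary is gone ([X] or "no ImagePath"), Start Menu shortcuts that launch a URL, and firewall rules for files that no longer exist. The following is an added example (not FRST's code and not part of this thread) of a small triage script that applies those same rules to FRST scan lines. The sample lines are copied from the fix script; the function names, the severity labels and the EXPECTED_SEARCH_HOSTS allow-list are assumptions made for the example.

```python
"""Triage FRST scan lines for the indicator types seen in this thread.

Added example, not code from FRST or from the forum post. The severity
scheme and EXPECTED_SEARCH_HOSTS are assumptions; adjust them to what the
machine's owner actually uses. FRST defangs URLs as hxxp/hxxps, so the
patterns accept both forms.
"""
import re
from collections import Counter

# Constructed subset of the FRST entries quoted in the fix script above.
SAMPLE_LINES = r"""
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
Edge DefaultSearchURL: Default -> hxxps://find.searchtoolshub.com?a811fc667f160ba97f5770beaa1eec28=H1xAXFNGX1xZVlQNEQQwBw9cQ1pRR1heXVRKXFVCWltcVFQJDB0LU1pWSi4nNikoW1FKWlEyX19bUEJcPkRfXls%252BQlxRRDBeW1FCM1k3Kl00WTdcVStfXypQLSlVNVtAXVVEL1lELlxaVkte&q={searchTerms}
Edge DefaultSearchKeyword: Default -> find.searchtoolshub.com
S2 0004051656432248mcinstcleanup; C:\ProgramData\McInstTemp0004051656432248\McInst.exe [913112 2022-02-18] (McAfee, LLC -> McAfee, LLC)
S3 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S3 mfevtp; no ImagePath
R0 mfehidk; system32\drivers\mfehidk.sys [X]
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk -> C:\Program Files (x86)\Online Services\LastPass\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?bd=lastpass&c=*&locale=*&pf=*&s=*&tp=edge
FirewallRules: [{CBDA2712-2D53-41A5-8E6F-C178112146CE}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\airhost.exe => No File
HKLM\...\Run: [RtkAudUService] => C:\WINDOWS\System32\DriverStore\FileRepository\realtekservice.inf_amd64_19d333f59f2c41d3\RtkAudUService64.exe [3496544 2022-03-13] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
""".strip().splitlines()

# Assumption: the search engines this household expects to see in Edge.
EXPECTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}

# "S3 name; image" / "R0 name; image" service and driver entries.
SERVICE_RE = re.compile(r"^[RSU][0-4] (\S+); (.*)$")
# "Edge DefaultSearchURL: Default -> target" and the Keyword variant.
SEARCH_RE = re.compile(r"^(\w+) DefaultSearch(?:URL|Keyword): \S+ -> (\S+)")


def host_of(target: str) -> str:
    """Host part of a defanged (hxxp) or plain URL, or of a bare hostname."""
    target = re.sub(r"^(?:hxxps?|https?)://", "", target)
    return target.split("/", 1)[0].split("?", 1)[0].lower()


def triage_line(line: str):
    """Return (severity, reason) for one FRST line, or None if it looks ordinary."""
    line = line.strip()
    if not line:
        return None
    if "<==== ATTENTION" in line:
        # FRST marks these itself; here they are Windows Defender Disable* values.
        return ("high", "flagged by FRST (a Windows Defender Disable* value is set)")
    m = SEARCH_RE.match(line)
    if m:
        host = host_of(m.group(2))
        if host not in EXPECTED_SEARCH_HOSTS:
            return ("high", f"{m.group(1)} default search provider points at {host}")
        return None
    m = SERVICE_RE.match(line)
    if m:
        name, image = m.groups()
        if image.endswith("[X]") or image == "no ImagePath":
            return ("medium", f"service {name} has no binary on disk (orphaned entry)")
        return None
    if line.startswith("ShortcutWithArgument:") and re.search(r"-> hxxps?://", line):
        return ("medium", "Start Menu shortcut launches a URL through a helper exe")
    if line.startswith("FirewallRules:") and line.endswith("=> No File"):
        return ("low", "firewall allow rule for a program that no longer exists")
    return None


def triage(lines):
    """List of (severity, reason, line excerpt) for every line that stands out."""
    findings = []
    for line in lines:
        result = triage_line(line)
        if result:
            severity, reason = result
            findings.append((severity, reason, line.strip()[:60]))
    return findings


def summarize(lines):
    """Count of findings per severity."""
    return Counter(sev for sev, _, _ in triage(lines))


if __name__ == "__main__":
    for severity, reason, excerpt in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {reason}\n         {excerpt}")
    print(dict(summarize(SAMPLE_LINES)))
```

Run against the sample it reports four high findings (the two Defender values and both Edge search entries), four medium (three orphaned McAfee service entries and the Online Services shortcut) and one low (the stale Zoom firewall rule); the Realtek Run entry, which has a signer and a file on disk, is left alone. Such a script only sorts entries for a human to look at; what to remove is still a judgement call, as the Revo and appwiz.cpl detours in this thread show.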

#3
bjorkstrait

bjorkstrait

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Hey Dr M,

 

I downloaded Revo Uninstaller - typed 'Online Services' into search box - but I found 0 programs
I also couldn't see 'scan' (or 'advanced mode scan') anywhere
 
Should I skip this step and proceed with the rest of your directions?
 
Sorry to be a pain
 
Thanks for the help!

  • 0

#4
DR M

DR M

    The Grecian Geek

  • Malware Removal
  • 4,109 posts

Yes, that was something I expected.
 
Try this and let me know the result. 

  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program on the list:
Online Services
  • Select the above program and click Uninstall.
  • Restart the computer.

  • 0

#5
bjorkstrait

bjorkstrait

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

The program 'online services' did not appear on the list.

 

I will do steps 2 onwards now and then post back after


  • 0

#6
bjorkstrait

bjorkstrait

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Dear Dr M,

 

----- fixlog.txt -----

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2022
Ran by ruthc (29-06-2022 17:10:35) Run:1
Running from C:\Users\ruthc\OneDrive\Desktop
Loaded Profiles: ruthc
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk [2022-06-28]
ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => C:\WINDOWS\System32\MbaeParserTask.exe (No File)
Edge DefaultSearchURL: Default -> hxxps://find.searchtoolshub.com?a811fc667f160ba97f5770beaa1eec28=H1xAXFNGX1xZVlQNEQQwBw9cQ1pRR1heXVRKXFVCWltcVFQJDB0LU1pWSi4nNikoW1FKWlEyX19bUEJcPkRfXls%252BQlxRRDBeW1FCM1k3Kl00WTdcVStfXypQLSlVNVtAXVVEL1lELlxaVkte&q={searchTerms}
Edge DefaultSearchKeyword: Default -> find.searchtoolshub.com
S2 0004051656432248mcinstcleanup; C:\ProgramData\McInstTemp0004051656432248\McInst.exe [913112 2022-02-18] (McAfee, LLC -> McAfee, LLC)
S3 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S2 mfemms; "C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe" [X]
S3 mfevtp; no ImagePath
S0 cfwids; system32\drivers\cfwids.sys [X]
R0 mfeaack; system32\drivers\mfeaack.sys [X]
R0 mfeavfk; system32\drivers\mfeavfk.sys [X]
S0 mfeelamk; system32\drivers\mfeelamk.sys [X]
S0 mfefirek; system32\drivers\mfefirek.sys [X]
R0 mfehidk; system32\drivers\mfehidk.sys [X]
R0 mfeplk; system32\drivers\mfeplk.sys [X]
R0 mfewfpk; system32\drivers\mfewfpk.sys [X]
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]
2022-06-28 17:05 - 2021-03-13 20:36 - 000000000 ____D C:\ProgramData\McAfee
2022-06-28 17:04 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files\Common Files\McAfee
2022-06-15 22:02 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files (x86)\McAfee
2022-06-28 17:05 - 2020-07-10 20:46 - 000708400 _____ (gamigo, Inc.) C:\ProgramData\uninstall314673.exe
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk -> C:\Program Files (x86)\Online Services\Adobe\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?type=103&RedeemCode=LjWFD%2b2MAOBBaqAih8mLzO8xHawRDaYYznH5kKyccbyakTJhU3tBPfVk0KfEMKJV6vhvt1OQWppMchnU4OUWQGlHvMS8RtgesPgRYJYxEqmYdNBO6ijyegCjMgIxnrNhjc4PeNUzIDuHGSrKM0FWLEKY4JxsToehDIE7NCgUW7w%3d
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk -> C:\Program Files (x86)\Online Services\LastPass\WizLink.exe () -> hxxp://js.redirect.hp.com/jumpstation?bd=lastpass&c=*&locale=*&pf=*&s=*&tp=edge
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk -> C:\Program Files (x86)\Online Services\Utomik\WizLink.exe () -> hxxps://www.utomik.com/hp_desktop 
FirewallRules: [{CBDA2712-2D53-41A5-8E6F-C178112146CE}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{031D6228-CC2C-4BDE-B79C-5DDEACDF2E27}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\airhost.exe => No File
C:\Program Files (x86)\Online Services
C:\ProgramData\McInstTemp0004051656432248\McInst.exe
EmptyTemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"="0" => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiVirus"="0" => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C885AA15-1764-4293-B82A-0586ADD46B35} => removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk => moved successfully
"ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CCDFC0B8-01A3-4E74-A820-4F13F51D269E}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CCDFC0B8-01A3-4E74-A820-4F13F51D269E}" => removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" => removed successfully
"Edge DefaultSearchURL" => removed successfully
"Edge DefaultSearchKeyword" => removed successfully
HKLM\System\CurrentControlSet\Services\0004051656432248mcinstcleanup => removed successfully
0004051656432248mcinstcleanup => service removed successfully
HKLM\System\CurrentControlSet\Services\mfefire => removed successfully
mfefire => service removed successfully
HKLM\System\CurrentControlSet\Services\mfemms => removed successfully
mfemms => service removed successfully
HKLM\System\CurrentControlSet\Services\mfevtp => removed successfully
mfevtp => service removed successfully
HKLM\System\CurrentControlSet\Services\cfwids => removed successfully
cfwids => service removed successfully
mfeaack => Unable to stop service.
HKLM\System\CurrentControlSet\Services\mfeaack => removed successfully
mfeaack => service removed successfully
mfeavfk => Unable to stop service.
HKLM\System\CurrentControlSet\Services\mfeavfk => removed successfully
mfeavfk => service removed successfully
HKLM\System\CurrentControlSet\Services\mfeelamk => removed successfully
mfeelamk => service removed successfully
HKLM\System\CurrentControlSet\Services\mfefirek => removed successfully
mfefirek => service removed successfully
mfehidk => Unable to stop service.
HKLM\System\CurrentControlSet\Services\mfehidk => removed successfully
mfehidk => service removed successfully
mfeplk => Unable to stop service.
HKLM\System\CurrentControlSet\Services\mfeplk => removed successfully
mfeplk => service removed successfully
mfewfpk => Unable to stop service.
HKLM\System\CurrentControlSet\Services\mfewfpk => removed successfully
mfewfpk => service removed successfully
HKLM\System\CurrentControlSet\Services\WinSetupMon => removed successfully
WinSetupMon => service removed successfully
C:\ProgramData\McAfee => moved successfully
C:\Program Files\Common Files\McAfee => moved successfully
C:\Program Files (x86)\McAfee => moved successfully
C:\ProgramData\uninstall314673.exe => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk => Shortcut argument removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk => Shortcut argument removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk => Shortcut argument removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CBDA2712-2D53-41A5-8E6F-C178112146CE}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{031D6228-CC2C-4BDE-B79C-5DDEACDF2E27}" => removed successfully
C:\Program Files (x86)\Online Services => moved successfully
C:\ProgramData\McInstTemp0004051656432248\McInst.exe => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 1310720 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 27467497 B
Java, Discord, Steam htmlcache => 0 B
Windows/system/drivers => 5678230 B
Edge => 0 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 1456202 B
systemprofile32 => 1456202 B
LocalService => 1760898 B
NetworkService => 2056772 B
ruthc => 82402664 B
 
RecycleBin => 6030832 B
EmptyTemp: => 123.6 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 17:10:51 ====
 
 
 
 
---- mbam report -----
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 29/06/2022
Scan Time: 17:15
Log File: a192d0f8-f7c6-11ec-9dc0-646c80a21792.json
 
-Software Information-
Version: 4.5.10.200
Components Version: 1.0.1702
Update Package Version: 1.0.56565
Licence: Trial
 
-System Information-
OS: Windows 11 (Build 22000.739)
CPU: x64
File System: NTFS
User: LAPTOP-21SARBCO\ruthc
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 279907
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 4 min, 25 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)
 
-----
 
 
----- AdwCleaner -----
 
# -------------------------------
# Malwarebytes AdwCleaner 8.3.2.0
# -------------------------------
# Build:    03-23-2022
# Database: 2022-06-24.1 (Cloud)
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    06-29-2022
# Duration: 00:00:09
# OS:       Windows 10 Home
# Scanned:  32058
# Detected: 21
 
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
No malicious tasks found.
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries found.
 
***** [ Chromium URLs ] *****
 
No malicious Chromium URLs found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries found.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs found.
 
***** [ Hosts File Entries ] *****
 
No malicious hosts file entries found.
 
***** [ Preinstalled Software ] *****
 
Preinstalled.HPAudioSwitch   Folder   C:\Program Files (x86)\HP\HPAUDIOSWITCH 
Preinstalled.HPAudioSwitch   Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47A77A86-5C9B-4DAF-9CDD-00A48A4D44A8}  
Preinstalled.HPAudioSwitch   Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPAudioSwitch 
Preinstalled.HPAudioSwitch   Task   C:\Windows\System32\Tasks\HPAUDIOSWITCH 
Preinstalled.HPCleanFLC   Registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|HPSEU_Host_Launcher 
Preinstalled.HPCleanFLC   Registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher 
Preinstalled.HPCleanFLC   Registry   HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher 
Preinstalled.HPCleanFLC   Registry   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher 
Preinstalled.HPRegistrationService   Folder   C:\ProgramData\HP\HP REGISTRATION SERVICE 
Preinstalled.HPSupportAssistant   Folder   C:\HP\SUPPORT 
Preinstalled.HPSupportAssistant   Folder   C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK 
Preinstalled.HPSupportAssistant   Folder   C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK 
Preinstalled.HPSupportAssistant   Folder   C:\Users\ruthc\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK 
Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} 
Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} 
Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} 
Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE} 
Preinstalled.HPSureConnect   Folder   C:\Program Files\HPCOMMRECOVERY 
Preinstalled.HPSureConnect   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6} 
Preinstalled.HPTouchpointAnalyticsClient   Folder   C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT 
Preinstalled.HPTouchpointAnalyticsClient   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F} 
 
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 

  • 0
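A fixlog like the one above is worth reading line by line: every fixlist directive should have a matching "successfully" result, a "not found" result means the item was already gone (here the $McReboot shortcut target), and "Unable to stop service." means a driver could not be stopped at runtime, although its registry entry was still removed and FRST asked for a reboot at the end. The following is an added example (not FRST's code and not from this thread) that splits a fixlog into its fixlist and result sections and summarizes the outcomes. SAMPLE_FIXLOG is a shortened copy of the fixlog posted above; the section-splitting rules and the outcome labels are assumptions drawn from that one log.

```python
"""Summarize an FRST fixlog.txt: number of fixlist directives, outcome of each
result line, whether a reboot was required and how much temp data was removed.

Added example, not FRST's own code. The section boundaries (a block of '*'
characters around the fixlist, a '====' separator after the results) are an
assumption based on the fixlog format seen in this thread.
"""
import re
from collections import Counter

# Shortened copy of the fixlog posted in this thread (constructed sample).
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 29-06-2022
Ran by ruthc (29-06-2022 17:10:35) Run:1
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)
R0 mfeaack; system32\drivers\mfeaack.sys [X]
C:\Program Files (x86)\Online Services
EmptyTemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"="0" => value restored successfully
"ShortcutTarget: $McRebootA5E6DEAA56$.lnk ->  (No File)" => not found
mfeaack => Unable to stop service.
HKLM\System\CurrentControlSet\Services\mfeaack => removed successfully
mfeaack => service removed successfully
C:\Program Files (x86)\Online Services => moved successfully
 
=========== EmptyTemp: ==========
 
RecycleBin => 6030832 B
EmptyTemp: => 123.6 MB temporary data Removed.
 
================================
 
The system needed a reboot.
 
==== End of Fixlog 17:10:51 ====
"""


def split_fixlog(text: str):
    """Return (fixlist_lines, result_lines, footer_lines) for one fixlog."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    # The fixlist sits between the first two lines made only of '*'.
    star_rows = [i for i, line in enumerate(lines) if line and set(line) == {"*"}]
    if len(star_rows) < 2:
        raise ValueError("no 'fixlist content' block found")
    fixlist = [line for line in lines[star_rows[0] + 1 : star_rows[1]] if line.strip()]
    rest = lines[star_rows[1] + 1 :]
    # Results run until the first '====' separator (EmptyTemp section or end marker).
    end = next((i for i, line in enumerate(rest) if line.startswith("====")), len(rest))
    results = [line for line in rest[:end] if line.strip()]
    return fixlist, results, rest[end:]


def classify(result_line: str) -> str:
    """Outcome label for one result line."""
    if re.search(r"\bsuccessfully\b", result_line):
        return "ok"
    if result_line.endswith("=> not found"):
        return "not_found"          # item was already absent
    if "Unable to stop" in result_line:
        return "warning"            # usually a driver; entry still removed, reboot finishes it
    return "other"                  # anything unrecognised deserves a look


def summarize_fixlog(text: str) -> dict:
    """Counts per outcome plus the lines a reviewer should still read."""
    fixlist, results, footer = split_fixlog(text)
    counts = Counter(classify(line) for line in results)
    temp = re.search(r"EmptyTemp: => (.+?) temporary data", "\n".join(footer))
    return {
        "directives": len(fixlist),
        "ok": counts["ok"],
        "not_found": counts["not_found"],
        "warning": counts["warning"],
        "other": counts["other"],
        "needs_review": [line for line in results if classify(line) != "ok"],
        "reboot_required": any("needed a reboot" in line for line in footer),
        "temp_removed": temp.group(1) if temp else None,
    }


if __name__ == "__main__":
    summary = summarize_fixlog(SAMPLE_FIXLOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the shortened sample this yields 7 directives, 6 "ok" results, one "not found" and one "Unable to stop" warning, with the reboot flag set and 123.6 MB of temp data removed; the two non-ok lines are returned in needs_review so the person reading the log can confirm, as here, that both are harmless.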

#7
DR M

DR M

    The Grecian Geek

  • Malware Removal
  • 4,109 posts

Online Services is "preinstalled" in HP laptops, along with these:

 

HP Audio Switch 
HP Connection Optimizer 
HP Documentation
 
The FRST fix will remove the folder in Program Files, as well as a few shortcuts related to it. There is nothing to worry about. I was just trying to see if we can remove it with some known ways. 

  • 0

#8
DR M

DR M

    The Grecian Geek

  • Malware Removal
  • 4,109 posts

Just saw your reply above.
 
Glad to see that Malwarebytes returned a clean log now. When you first posted, the detected items were not deleted yet.
 
AdwCleaner detected only items related to what I told you above: Preinstalled Software. This is software that was apparently installed when the device was new, which you may or may not use. Personally, I do not keep anything I don't use/need. But it's your computer, so your decision.

In case you want to remove the preinstalled software:

To proceed, please do the following:

  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number; the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

 

Just to ensure that everything is clean:

Download ESET Online Scanner and save it to your desktop.

  • Right-click on esetonlinescanner.exe and select Run as Administrator.
  • When the tool opens, click Computer Scan.
  • Click Yes to allow the tool to run.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • After downloading updates, ESET will begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Disable the feature and click on Save and continue.
  • On the next screen, you can leave feedback about the program if you wish. If you left feedback, click Submit and continue. If not, Close the application.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

  • 0

#9
bjorkstrait

bjorkstrait

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Hey Dr M,

 

Thanks for all the help so far!

 

Here are the reports:

 

 

 

----- AdwCleaner -----

 

# -------------------------------
# Malwarebytes AdwCleaner 8.3.2.0
# -------------------------------
# Build:    03-23-2022
# Database: 2022-06-24.1 (Cloud)
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    06-29-2022
# Duration: 00:00:01
# OS:       Windows 10 Home
# Cleaned:  21
# Failed:   0
 
 
***** [ Services ] *****
 
No malicious services cleaned.
 
***** [ Folders ] *****
 
No malicious folders cleaned.
 
***** [ Files ] *****
 
No malicious files cleaned.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
No malicious tasks cleaned.
 
***** [ Registry ] *****
 
No malicious registry entries cleaned.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries cleaned.
 
***** [ Chromium URLs ] *****
 
No malicious Chromium URLs cleaned.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries cleaned.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs cleaned.
 
***** [ Hosts File Entries ] *****
 
No malicious hosts file entries cleaned.
 
***** [ Preinstalled Software ] *****
 
Deleted       Preinstalled.HPAudioSwitch   Folder   C:\Program Files (x86)\HP\HPAUDIOSWITCH
Deleted       Preinstalled.HPAudioSwitch   Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47A77A86-5C9B-4DAF-9CDD-00A48A4D44A8} 
Deleted       Preinstalled.HPAudioSwitch   Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPAudioSwitch
Deleted       Preinstalled.HPAudioSwitch   Task   C:\Windows\System32\Tasks\HPAUDIOSWITCH
Deleted       Preinstalled.HPCleanFLC   Registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|HPSEU_Host_Launcher
Deleted       Preinstalled.HPCleanFLC   Registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher
Deleted       Preinstalled.HPCleanFLC   Registry   HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher
Deleted       Preinstalled.HPCleanFLC   Registry   HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run|HPSEU_Host_Launcher
Deleted       Preinstalled.HPRegistrationService   Folder   C:\ProgramData\HP\HP REGISTRATION SERVICE
Deleted       Preinstalled.HPSupportAssistant   Folder   C:\HP\SUPPORT
Deleted       Preinstalled.HPSupportAssistant   Folder   C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant   Folder   C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant   Folder   C:\Users\ruthc\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Deleted       Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSupportAssistant   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Deleted       Preinstalled.HPSureConnect   Folder   C:\Program Files\HPCOMMRECOVERY
Deleted       Preinstalled.HPSureConnect   Registry   HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6}
Deleted       Preinstalled.HPTouchpointAnalyticsClient   Folder   C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT
Deleted       Preinstalled.HPTouchpointAnalyticsClient   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F}
 
 
*************************
 
[+] Delete Tracing Keys
[+] Reset Winsock
 
*************************
 
AdwCleaner[S00].txt - [3826 octets] - [29/06/2022 17:21:49]
AdwCleaner[S01].txt - [3887 octets] - [29/06/2022 17:36:40]
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########
 
-----
 
 
----- ESET Online scanner -----
 
29/06/2022 18:32:28
Files scanned: 333678
Detected files: 1
Cleaned files: 1
Total scan time 00:46:36
Scan status: Finished
C:\Users\ruthc\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_04842d HTML/FakeAlert.TS trojan cleaned by deleting
 

  • 0

#10
DR M

DR M

    The Grecian Geek

  • Malware Removal
  • 4,109 posts

Thank you. :)
 
You can read here about the item detected by Eset: ESET warns of global wave of HTML/FakeAlert malware | ESET
 
Now, I would like to check fresh FRST logs.

  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach these two logs in your next reply.

 

P.S. I'll review the logs tomorrow. Now here it is almost 9 p.m.


  • 0



#11
bjorkstrait

bjorkstrait

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts

Dear Dr M,

 

No problem, please check at your convenience - thanks again for all the help.

Here are the 2 reports:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-06-2022
Ran by ruthc (administrator) on LAPTOP-21SARBCO (HP HP Laptop 14s-fq0xxx) (29-06-2022 18:50:32)
Running from C:\Users\ruthc\OneDrive\Desktop
Loaded Profiles: ruthc
Platform: Microsoft Windows 11 Home Version 21H2 22000.739 (X64) Language: English (United Kingdom)
Default browser: Edge
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe ->) (HP Inc.) C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\win32\HPAudioSwitch.exe
(C:\Program Files\WindowsApps\MicrosoftTeams_22147.303.1400.1220_x64__8wekyb3d8bbwe\msteams.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.37\msedgewebview2.exe <12>
(DriverStore\FileRepository\u0335.inf_amd64_7de275617d9da25a\B374868\atiesrxx.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0335.inf_amd64_7de275617d9da25a\B374868\atieclxx.exe
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe <10>
(HP Inc.) C:\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.2.15.0_x64__v10z8vjag6ke6\SystemEventUtility\HPSystemEventUtilityHost.exe
(services.exe ->) (Advanced Micro Devices Inc. -> AMD) C:\Windows\System32\DriverStore\FileRepository\u0335.inf_amd64_7de275617d9da25a\B374868\atiesrxx.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpanalyticscomp.inf_amd64_a6e24179070178de\x64\TouchpointAnalyticsClientService.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\AppHelperCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\DiagsCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\NetworkCap.exe
(services.exe ->) (HP Inc. -> HP Inc.) C:\Windows\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\SysInfoCap.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(services.exe ->) (Microsoft Windows Hardware Compatibility Publisher -> Advanced Micro Devices, Inc.) C:\Windows\System32\amdfendrsr.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe
(services.exe ->) (Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\NisSrv.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor Corp.) C:\Windows\RtkBtManServ.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64_19d333f59f2c41d3\RtkAudUService64.exe <3>
(services.exe ->) (Sound Research Corporation -> Sound Research, Corp.) C:\Windows\System32\SECOMN64.exe
(services.exe ->) (Synaptics Incorporated -> Synaptics Incorporated) C:\Windows\System32\SynTPEnhService.exe
(sihost.exe ->) (HP Inc.) C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe
(svchost.exe ->) (HP Inc.) C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6\HP.MyHP.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
(svchost.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Users\ruthc\AppData\Local\Microsoft\OneDrive\22.121.0605.0002\FileCoAuth.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_4.2204.13303.0_x64__8wekyb3d8bbwe\Cortana.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe\HxOutlook.exe
(svchost.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20970.0_x64__8wekyb3d8bbwe\HxTsr.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(svchost.exe ->) (Microsoft Windows) C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_421.20070.425.0_x64__cw5n1h2txyewy\Dashboard\Widgets.exe
(SynTPEnhService.exe ->) (Synaptics Incorporated -> Synaptics Incorporated) C:\Windows\System32\SynTPEnh.exe
 
==================== Registry (Whitelisted) ===================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtkAudUService] => C:\WINDOWS\System32\DriverStore\FileRepository\realtekservice.inf_amd64_19d333f59f2c41d3\RtkAudUService64.exe [3496544 2022-03-13] (Realtek Semiconductor Corp. -> Realtek Semiconductor)
HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\Run: [MicrosoftEdgeAutoLaunch_68EB7EF85583FD10115C5F979EE00ED2] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [3601824 2022-06-22] (Microsoft Corporation -> Microsoft Corporation)
 
==================== Scheduled Tasks (Whitelisted) ============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0062E574-4BF0-4B80-AC82-A259DB1702ED} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\HP\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [1148048 2022-05-31] (HP Inc. -> HP Inc.)
Task: {336BFB9A-DF91-4F0F-A001-B55930B8A622} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe [993008 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {4FFC1F2C-F5B0-49A5-BA65-FFDA4562F4F3} - System32\Tasks\Microsoft\Office\Office Performance Monitor => C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe [67472 2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Task: {5DCF2385-E66F-42CF-9063-460AEC14C707} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe [993008 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {6A8DF0F6-8B6C-4EE5-89A0-0B3C3FC76117} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23246768 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {7A94A5B2-DDE6-4227-A62E-01F544467742} - System32\Tasks\HP\Consent Manager Launcher => sc start hptouchpointanalyticsservice
Task: {92B5A315-F081-4FAC-8087-5059426F173E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe [993008 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {A68DA446-CA5B-4443-83DF-F93B94B65A8C} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [144800 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {A8D38D39-E5FF-4D00-ABC5-9213B3E7AE87} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\HP\HP Support Framework\Resources\HPSFReport.exe [138328 2022-05-31] (HP Inc. -> HP Inc.)
Task: {ADA2D89B-F91C-4787-8638-4C0221621717} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\HP\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [1148048 2022-05-31] (HP Inc. -> HP Inc.)
Task: {C6CE3521-4F58-4D16-AF7F-241648221132} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [23246768 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {CA86C737-2081-46F5-9555-96FF9A0F3146} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Update Notice => C:\Program Files (x86)\HP\HP Support Framework\Resources\BingPopup\BingPopup.exe [411280 2022-05-31] (HP Inc. -> HP Inc.)
Task: {D05E31D8-1103-4DFE-B292-BF4AB436C182} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe [144800 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
Task: {F93033BA-31A2-43C9-82FB-974BFBDC4EA1} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe [993008 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{4b3be7a7-0662-4492-af97-061a88061663}: [DhcpNameServer] 192.168.1.254
 
Edge: 
=======
Edge DefaultProfile: Default
Edge Profile: C:\Users\ruthc\AppData\Local\Microsoft\Edge\User Data\Default [2022-06-29]
 
FireFox:
========
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL [2022-04-01] (Microsoft Corporation -> Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL [2022-03-05] (Microsoft Corporation -> Microsoft Corporation)
 
==================== Services (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [11988384 2022-06-18] (Microsoft Corporation -> Microsoft Corporation)
R2 HPAppHelperCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\AppHelperCap.exe [764448 2022-03-30] (HP Inc. -> HP Inc.)
R2 HPDiagsCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\DiagsCap.exe [763480 2022-03-30] (HP Inc. -> HP Inc.)
R2 HPNetworkCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\NetworkCap.exe [759336 2022-03-30] (HP Inc. -> HP Inc.)
R2 HPSysInfoCap; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapcomp.inf_amd64_82b4ea84f6cb4b64\x64\SysInfoCap.exe [762904 2022-03-30] (HP Inc. -> HP Inc.)
R2 HpTouchpointAnalyticsService; C:\WINDOWS\System32\DriverStore\FileRepository\hpanalyticscomp.inf_amd64_a6e24179070178de\x64\TouchpointAnalyticsClientService.exe [497328 2022-03-30] (HP Inc. -> HP Inc.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [8677120 2022-06-28] (Malwarebytes Inc. -> Malwarebytes)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\NisSrv.exe [3120992 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe [133544 2022-06-21] (Microsoft Windows Publisher -> Microsoft Corporation)
S2 HP Comm Recover; "C:\Program Files\HPCommRecovery\HPCommRecovery.exe" [X]
 
===================== Drivers (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AMDAfdAudioService; C:\WINDOWS\System32\DriverStore\FileRepository\amdacpafd.inf_amd64_4f059863a425c74d\amdacpafd.sys [356328 2021-12-28] (Advanced Micro Devices Inc. -> Advanced Micro Devices)
R3 amdwddmg; C:\WINDOWS\System32\DriverStore\FileRepository\u0335.inf_amd64_7de275617d9da25a\B374868\amdkmdag.sys [80558960 2022-01-02] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
S3 AmUStor; C:\WINDOWS\system32\drivers\AmUStorU.sys [135296 2020-09-17] (Alcorlink Corp. -> )
S3 BthA2dp; C:\WINDOWS\System32\drivers\BthA2dp.sys [507904 2022-01-22] (Microsoft Corporation) [File not signed]
S3 BthHFEnum; C:\WINDOWS\System32\drivers\bthhfenum.sys [180224 2022-01-22] (Microsoft Corporation) [File not signed]
S3 BTHMODEM; C:\WINDOWS\System32\drivers\bthmodem.sys [98304 2021-06-05] (Microsoft Corporation) [File not signed]
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [158640 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 HPCustomCapDriver; C:\WINDOWS\System32\DriverStore\FileRepository\hpcustomcapdriver.inf_amd64_a955fa431e522f5e\x64\hpcustomcapdriver.sys [25592 2021-09-16] (HP Inc. -> HP Inc.)
S3 Hsp; C:\WINDOWS\System32\drivers\Hsp.sys [111960 2022-05-11] (Microsoft Windows -> Microsoft Corporation)
R2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [223176 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
S0 MbamElam; C:\WINDOWS\System32\DRIVERS\MbamElam.sys [21480 2022-06-28] (Microsoft Windows Early Launch Anti-malware Publisher -> Malwarebytes)
R3 MBAMFarflt; C:\WINDOWS\System32\DRIVERS\farflt.sys [192960 2022-06-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [74680 2022-06-29] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [239544 2022-06-28] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [181992 2022-06-29] (Malwarebytes Inc. -> Malwarebytes)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [49576 2022-06-21] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [452856 2022-06-21] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [91384 2022-06-21] (Microsoft Windows -> Microsoft Corporation)
R3 WirelessButtonDriver64; C:\WINDOWS\System32\drivers\WirelessButtonDriver64.sys [37280 2021-11-23] (HP Inc. -> HP)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One month (created) (Whitelisted) =========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2022-06-29 17:41 - 2022-06-29 17:41 - 000001385 _____ C:\Users\ruthc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk
2022-06-29 17:41 - 2022-06-29 17:41 - 000000000 ____D C:\Users\ruthc\AppData\Local\ESET
2022-06-29 17:39 - 2022-06-29 17:39 - 000192960 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2022-06-29 17:39 - 2022-06-29 17:39 - 000181992 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2022-06-29 17:39 - 2022-06-29 17:39 - 000074680 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2022-06-29 17:21 - 2022-06-29 17:37 - 000000000 ____D C:\AdwCleaner
2022-06-29 16:31 - 2022-06-29 16:31 - 000001086 _____ C:\Users\Public\Desktop\Revo Uninstaller.lnk
2022-06-29 16:31 - 2022-06-29 16:31 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller
2022-06-29 16:31 - 2022-06-29 16:31 - 000000000 ____D C:\Program Files\VS Revo Group
2022-06-28 17:19 - 2022-06-29 18:50 - 000000000 ____D C:\FRST
2022-06-28 17:09 - 2022-06-28 17:09 - 000239544 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000223176 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamChameleon.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000158640 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbae64.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000021480 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MbamElam.sys
2022-06-28 17:09 - 2022-06-28 17:09 - 000002040 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes.lnk
2022-06-28 17:09 - 2022-06-28 17:09 - 000002028 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2022-06-28 17:09 - 2022-06-28 17:09 - 000000000 ____D C:\Users\ruthc\AppData\Local\mbam
2022-06-28 17:08 - 2022-06-28 17:08 - 000000000 ____D C:\ProgramData\Malwarebytes
2022-06-28 17:08 - 2022-06-28 17:08 - 000000000 ____D C:\Program Files\Malwarebytes
2022-06-28 17:04 - 2022-06-29 17:10 - 000000000 ____D C:\ProgramData\McInstTemp0004051656432248
2022-06-28 10:59 - 2022-06-28 10:59 - 000519653 _____ C:\Users\ruthc\Downloads\RC ATR June 2022.pdf
2022-06-28 10:59 - 2022-06-28 10:59 - 000412370 _____ C:\Users\ruthc\Downloads\RC Agenda Conference Call Review Meeting 2022.pdf
2022-06-26 22:16 - 2022-06-27 18:53 - 000021596 _____ C:\Users\ruthc\OneDrive\Documents\Dissapearing pinwheel quilt..odt
2022-06-26 21:36 - 2022-06-26 21:36 - 000001128 _____ C:\Users\Public\Desktop\OpenOffice 4.1.12.lnk
2022-06-26 21:36 - 2022-06-26 21:36 - 000000000 ___SD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice 4.1.12
2022-06-26 21:25 - 2022-06-26 21:35 - 135098488 _____ (Apache Software Foundation) C:\Users\ruthc\Downloads\Apache_OpenOffice_4.1.12_Win_x86_install_en-GB.exe
2022-06-17 17:37 - 2022-06-17 17:37 - 000000000 _____ C:\Users\ruthc\OneDrive\Documents\quilt label.txt
2022-06-16 16:15 - 2022-06-16 16:54 - 000022020 _____ C:\Users\ruthc\OneDrive\Documents\quilt label modern.odt
2022-06-16 15:07 - 2022-06-16 15:07 - 000000000 ____D C:\Users\ruthc\OneDrive\Documents\New folder
2022-06-15 18:55 - 2022-06-15 18:55 - 000614400 _____ C:\WINDOWS\system32\TextInputMethodFormatter.dll
2022-06-15 18:55 - 2022-06-15 18:55 - 000557056 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhotoScreensaver.scr
2022-06-15 18:55 - 2022-06-15 18:55 - 000485376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PhotoScreensaver.scr
2022-06-15 18:55 - 2022-06-15 18:55 - 000299008 _____ C:\WINDOWS\system32\EsclScan.dll
2022-06-15 18:55 - 2022-06-15 18:55 - 000180224 _____ C:\WINDOWS\system32\EsclProtocol.dll
2022-06-15 18:55 - 2022-06-15 18:55 - 000015042 _____ C:\WINDOWS\system32\DrtmAuthTxt.wim
2022-06-15 18:54 - 2022-06-15 18:54 - 000335872 _____ C:\WINDOWS\system32\Windows.Management.InprocObjects.dll
2022-06-15 18:51 - 2022-06-15 18:51 - 000000000 ___HD C:\$WinREAgent
2022-06-13 11:56 - 2022-06-13 11:56 - 000699617 _____ C:\Users\ruthc\Downloads\the-festival-of-quilts-hall-9-entry-tickets-80094792.pdf
 
==================== One month (modified) ==================
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2022-06-29 18:50 - 2021-06-05 13:10 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2022-06-29 18:19 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\AppReadiness
2022-06-29 17:51 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SystemTemp
2022-06-29 17:41 - 2021-03-13 20:53 - 000000000 ____D C:\ProgramData\Hewlett-Packard
2022-06-29 17:40 - 2022-01-18 18:52 - 000000000 ___RD C:\Users\ruthc\OneDrive
2022-06-29 17:39 - 2022-01-22 22:26 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2022-06-29 17:39 - 2021-06-05 13:01 - 000786432 _____ C:\WINDOWS\system32\config\BBI
2022-06-29 17:39 - 2020-05-06 09:58 - 000012288 ___SH C:\DumpStack.log.tmp
2022-06-29 17:38 - 2020-11-20 06:56 - 000000000 ____D C:\ProgramData\HP
2022-06-29 17:37 - 2022-01-25 20:26 - 000000000 ____D C:\Program Files (x86)\Hewlett-Packard
2022-06-29 17:37 - 2022-01-19 17:23 - 000000000 ____D C:\Users\ruthc\AppData\Roaming\Hewlett-Packard
2022-06-29 17:37 - 2020-11-20 06:55 - 000000000 ____D C:\Program Files (x86)\HP
2022-06-29 17:37 - 2020-11-10 02:42 - 000000000 ___HD C:\hp
2022-06-29 17:14 - 2022-01-18 18:51 - 000000000 ____D C:\Users\ruthc\AppData\Local\D3DSCache
2022-06-29 17:11 - 2022-01-22 22:21 - 000623472 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2022-06-29 17:11 - 2022-01-22 21:01 - 000000000 ____D C:\Users\ruthc
2022-06-29 17:11 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files\McAfee
2022-06-29 17:10 - 2021-03-13 20:35 - 000002131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk
2022-06-29 17:10 - 2021-03-13 20:32 - 000002150 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk
2022-06-29 17:10 - 2021-03-13 20:32 - 000002142 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk
2022-06-29 17:06 - 2022-01-22 22:21 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2022-06-29 07:04 - 2021-06-05 13:10 - 000000000 ___HD C:\Program Files\WindowsApps
2022-06-28 17:09 - 2021-06-05 13:10 - 000000000 ___HD C:\WINDOWS\ELAMBKUP
2022-06-28 17:06 - 2022-01-18 18:50 - 000000000 ____D C:\Users\ruthc\AppData\Local\Packages
2022-06-28 17:06 - 2021-03-13 20:28 - 000000000 ____D C:\ProgramData\Packages
2022-06-28 17:05 - 2021-03-13 20:33 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WildTangent Games
2022-06-28 17:04 - 2021-06-05 13:09 - 000000000 ____D C:\WINDOWS\INF
2022-06-28 17:04 - 2021-06-05 13:01 - 000032768 _____ C:\WINDOWS\system32\config\ELAM
2022-06-28 17:03 - 2021-03-13 20:34 - 000000000 ____D C:\Program Files (x86)\ExpressVPN
2022-06-28 16:49 - 2022-01-18 18:52 - 000000000 ____D C:\Users\ruthc\AppData\Local\PlaceholderTileLogoFolder
2022-06-27 21:26 - 2022-01-22 22:26 - 000003588 _____ C:\WINDOWS\system32\Tasks\OneDrive Reporting Task-S-1-5-21-2388426293-319619428-3289471441-1001
2022-06-27 21:26 - 2022-01-22 22:26 - 000003378 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2388426293-319619428-3289471441-1001
2022-06-27 21:26 - 2022-01-18 18:46 - 000002386 _____ C:\Users\ruthc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2022-06-27 21:23 - 2021-06-05 13:01 - 000000000 ____D C:\WINDOWS\CbsTemp
2022-06-26 21:36 - 2022-01-22 14:44 - 000000000 ____D C:\Program Files (x86)\OpenOffice 4
2022-06-25 13:09 - 2020-11-20 06:48 - 000002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2022-06-25 13:09 - 2020-11-20 06:48 - 000002283 _____ C:\Users\Public\Desktop\Microsoft Edge.lnk
2022-06-21 10:41 - 2020-05-06 09:58 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd
2022-06-18 17:51 - 2020-11-20 06:58 - 000000000 ____D C:\Program Files\Microsoft Office
2022-06-17 20:02 - 2022-01-22 22:26 - 000854410 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2022-06-17 16:58 - 2022-01-22 13:45 - 000000000 ____D C:\WINDOWS\system32\MRT
2022-06-17 16:57 - 2022-01-22 13:45 - 145918784 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2022-06-15 22:02 - 2021-06-05 18:17 - 000000000 ____D C:\Program Files\Windows Photo Viewer
2022-06-15 22:02 - 2021-06-05 18:17 - 000000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ___SD C:\WINDOWS\SysWOW64\F12
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ___SD C:\WINDOWS\system32\F12
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\vi-VN
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\oobe
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\lv-LV
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\lt-LT
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\id-ID
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\gl-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\eu-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\et-EE
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\es-MX
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SysWOW64\ca-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\SystemResources
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\vi-VN
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\oobe
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\lv-LV
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\lt-LT
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\id-ID
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\gl-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\eu-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\et-EE
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\es-MX
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\Dism
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\DDFs
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\ca-ES
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\appraiser
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\ShellExperiences
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\ShellComponents
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2022-06-15 22:02 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\bcastdvr
2022-06-15 18:54 - 2022-01-22 22:26 - 003101184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2022-06-15 10:14 - 2021-06-05 13:10 - 000000000 ____D C:\WINDOWS\system32\SecurityHealth
2022-06-11 19:56 - 2022-01-26 15:57 - 000003442 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore1d80fd6690b9a31
2022-06-11 19:56 - 2022-01-22 22:26 - 000003536 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2022-06-07 13:59 - 2022-01-22 22:26 - 000000000 ____D C:\WINDOWS\system32\Tasks\Hewlett-Packard
 
==================== SigCheck ============================
 
(There is no automatic fix for files that do not pass verification.)
 
==================== End of FRST.txt ========================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-06-2022
Ran by ruthc (29-06-2022 18:51:46)
Running from C:\Users\ruthc\OneDrive\Desktop
Microsoft Windows 11 Home Version 21H2 22000.739 (X64) (2022-01-22 21:37:02)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
 
(If an entry is included in the fixlist, it will be removed.)
 
Administrator (S-1-5-21-2388426293-319619428-3289471441-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2388426293-319619428-3289471441-503 - Limited - Disabled)
Guest (S-1-5-21-2388426293-319619428-3289471441-501 - Limited - Disabled)
ruthc (S-1-5-21-2388426293-319619428-3289471441-1001 - Administrator - Enabled) => C:\Users\ruthc
WDAGUtilityAccount (S-1-5-21-2388426293-319619428-3289471441-504 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
HP Audio Switch (HKLM-x32\...\{3A5141D4-47DB-4302-9B1C-272BE585BC8A}) (Version: 1.0.179.0 - HP Inc.)
HP Documentation (HKLM\...\HP_Documentation) (Version: 1.0.0.1 - HP Inc.)
Malwarebytes version 4.5.10.200 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.10.200 - Malwarebytes)
Microsoft 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.15225.20288 - Microsoft Corporation)
Microsoft Edge (HKLM-x32\...\Microsoft Edge) (Version: 103.0.1264.37 - Microsoft Corporation)
Microsoft Edge WebView2 Runtime (HKLM-x32\...\Microsoft EdgeWebView) (Version: 103.0.1264.37 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\OneDriveSetup.exe) (Version: 22.121.0605.0002 - Microsoft Corporation)
Microsoft Update Health Tools (HKLM\...\{6A2A8076-135F-4F55-BB02-DED67C8C6934}) (Version: 4.67.0.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM\...\{90160000-008C-0000-1000-0000000FF1CE}) (Version: 16.0.15225.20150 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-007E-0000-1000-0000000FF1CE}) (Version: 16.0.15225.20288 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM\...\{90160000-008C-0409-1000-0000000FF1CE}) (Version: 16.0.13127.20616 - Microsoft Corporation) Hidden
OpenOffice 4.1.12 (HKLM-x32\...\{E9F3BF94-AA18-42B6-8B6D-245BBF585C8C}) (Version: 4.112.9809 - Apache Software Foundation)
PDFHub (HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\PDFHub) (Version: 1.0 - PDFHub)
Revo Uninstaller 2.3.9 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.3.9 - VS Revo Group, Ltd.)
Windows PC Health Check (HKLM\...\{B1E7D0FD-7CFE-4E0C-A5DA-0F676499DB91}) (Version: 3.2.2110.14001 - Microsoft Corporation)
Zoom (HKU\S-1-5-21-2388426293-319619428-3289471441-1001\...\ZoomUMX) (Version: 5.10.4 (5035) - Zoom Video Communications, Inc.)
 
Packages:
=========
Amazon -> C:\Program Files\WindowsApps\Amazon.com.Amazon_2018.519.2815.0_x64__343d40qqvtj1t [2021-03-13] (Amazon.com)
AMD Radeon Software -> C:\Program Files\WindowsApps\AdvancedMicroDevicesInc-2.AMDRadeonSoftware_10.21.10043.0_x64__0a9344xs7nr4m [2022-04-12] (Advanced Micro Devices Inc.) [Startup Task]
AV1 Video Extension -> C:\Program Files\WindowsApps\Microsoft.AV1VideoExtension_1.1.51091.0_x64__8wekyb3d8bbwe [2022-05-15] (Microsoft Corporation)
Dropbox promotion -> C:\Program Files\WindowsApps\C27EB4BA.DropboxOEM_20.4.8.0_x64__xbfy0k16fey96 [2022-05-01] (Dropbox Inc.)
Energy Star -> C:\Program Files\WindowsApps\AD2F1837.HPInc.EnergyStar_1.2.0.0_x64__v10z8vjag6ke6 [2021-03-13] (HP Inc.)
HP Audio Center -> C:\Program Files\WindowsApps\AD2F1837.HPAudioCenter_1.29.257.0_x64__v10z8vjag6ke6 [2022-04-07] (HP Inc.)
HP PC Hardware Diagnostics Windows -> C:\Program Files\WindowsApps\AD2F1837.HPPCHardwareDiagnosticsWindows_1.8.1.0_x64__v10z8vjag6ke6 [2022-03-11] (HP Inc.)
HP Privacy Settings -> C:\Program Files\WindowsApps\AD2F1837.HPPrivacySettings_1.0.42.0_x64__v10z8vjag6ke6 [2022-01-22] (HP Inc.)
HP QuickDrop -> C:\Program Files\WindowsApps\AD2F1837.HPQuickDrop_2.5.9180.0_x64__v10z8vjag6ke6 [2022-03-03] (HP Inc.)
HP Smart -> C:\Program Files\WindowsApps\AD2F1837.HPPrinterControl_136.1.269.0_x64__v10z8vjag6ke6 [2022-05-01] (HP Inc.)
HP Support Assistant -> C:\Program Files\WindowsApps\AD2F1837.HPSupportAssistant_9.17.31.0_x64__v10z8vjag6ke6 [2022-06-07] (HP Inc.)
HP System Event Utility -> C:\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.2.15.0_x64__v10z8vjag6ke6 [2022-01-22] (HP Inc.)
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2022-01-22] (Microsoft Corporation) [MS Ad]
Microsoft Advertising SDK for XAML -> C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2022-01-22] (Microsoft Corporation) [MS Ad]
Microsoft Solitaire Collection -> C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.13.5310.0_x64__8wekyb3d8bbwe [2022-06-07] (Microsoft Studios) [MS Ad]
Microsoft To Do -> C:\Program Files\WindowsApps\Microsoft.Todos_2.73.51701.0_x64__8wekyb3d8bbwe [2022-06-28] (Microsoft Corporation) [Startup Task]
Microsoft Whiteboard -> C:\Program Files\WindowsApps\Microsoft.Whiteboard_52.10615.423.0_x64__8wekyb3d8bbwe [2022-06-20] (Microsoft Corporation)
myHP -> C:\Program Files\WindowsApps\AD2F1837.myHP_6.52219.341.0_x64__v10z8vjag6ke6 [2022-06-16] (HP Inc.) [Startup Task]
Netflix -> C:\Program Files\WindowsApps\4DF9E0F8.Netflix_6.98.1805.0_x64__mcm4njqhnhss8 [2022-02-18] (Netflix, Inc.)
Simple Solitaire -> C:\Program Files\WindowsApps\26720RandomSaladGamesLLC.SimpleSolitaire_7.4.4.0_x64__kx24dqmazqk8j [2022-01-22] (Random Salad Games LLC)
Spotify Music -> C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0 [2022-06-26] (Spotify AB) [Startup Task]
 
==================== Custom CLSID (Whitelisted): ==============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-06-28] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\WINDOWS\System32\atiacm64.dll [2022-01-02] (Advanced Micro Devices Inc. -> Advanced Micro Devices, Inc.)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-06-28] (Malwarebytes Inc. -> Malwarebytes)
 
==================== Codecs (Whitelisted) ====================
 
==================== Shortcuts & WMI ========================
 
==================== Loaded Modules (Whitelisted) =============
 
2021-03-13 20:34 - 2021-03-13 20:34 - 000014336 _____ (HP Inc.) [File not signed] C:\Program Files\WindowsApps\AD2F1837.HPSystemEventUtility_1.2.15.0_x64__v10z8vjag6ke6\SystemEventUtility\NativeRpcClient.DLL
2020-11-20 06:58 - 2020-11-20 06:58 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppvIsvSubsystems64.dll] C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll
2020-11-20 06:58 - 2020-11-20 06:58 - 000000000 ____L (Microsoft Corporation) [simlink -> C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll] C:\Program Files\Microsoft Office\Root\Office16\c2r64.dll
 
==================== Alternate Data Streams (Whitelisted) ========
 
==================== Safe Mode (Whitelisted) ==================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
 
==================== Association (Whitelisted) =================
 
==================== Internet Explorer (Whitelisted) ==========
 
SearchScopes: HKLM -> {C66264D2-B2B4-4FD3-9F81-08AE876DAF91} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk1-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {C66264D2-B2B4-4FD3-9F81-08AE876DAF91} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk1-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2388426293-319619428-3289471441-1001 -> {C66264D2-B2B4-4FD3-9F81-08AE876DAF91} URL = hxxp://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk1-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\OCHelper.dll [2022-03-05] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL [2022-05-28] (Microsoft Corporation -> Microsoft Corporation)
 
==================== Hosts content: =========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2019-12-07 10:14 - 2019-12-07 10:12 - 000000824 _____ C:\WINDOWS\system32\drivers\etc\hosts
 
==================== Other Areas ===========================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2388426293-319619428-3289471441-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\web\wallpaper\HP Backgrounds\backgroundDefault.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: )
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(If an entry is included in the fixlist, it will be removed.)
 
HKLM\...\StartupApproved\Run32: => "ExpressVPNNotificationService"
 
==================== FirewallRules (Whitelisted) ================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{44D2E955-6EF4-464E-B8FE-FE04D1BD972E}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{A4F934F8-F34D-4E99-87A2-DB1045A72386}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{6AB9BB49-8B29-4217-BDC7-506755A45179}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{9EFF8B6E-1D2F-4D51-AB75-1DFEB19E60AD}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{0EA2BD7E-FB0A-4078-9BA8-1AA649A1F6EC}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{D8A80CCF-ACD8-4385-A1BB-A14DE599B2CF}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{AB0882FA-4811-4E92-B2BB-E7C7F011E918}] => (Allow) C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c\Skype\Skype.exe (Skype Software Sarl -> Skype Technologies S.A.)
FirewallRules: [{6BE04408-8A26-4141-9576-1222EBF15C24}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22147.303.1400.1220_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{A5B6B941-E2CD-46CA-9434-A2B08AB5879E}] => (Allow) C:\Program Files\WindowsApps\MicrosoftTeams_22147.303.1400.1220_x64__8wekyb3d8bbwe\msteams.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{6BDEF23B-4243-46BD-8CBC-41A269882F9E}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{2C0C3475-406B-48A6-B37C-FDFF0C38E0AA}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{D4D59F1E-27CC-4DC9-930C-7A3B88415EAA}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{8A7FB468-918A-4D40-BF21-EA1A43FF17CC}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{38B8FF5F-5171-483F-AA22-D7D252733D7B}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{28ECBF1E-FF6B-4336-8461-1BFF193253C0}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{74D81DC1-52D1-44D4-B4B6-EB2DDA06A49D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{C9717A48-E55C-4DCD-B86D-1123654C0F82}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.188.612.0_x86__zpdnekdrzrea0\Spotify.exe (Spotify AB -> Spotify Ltd)
FirewallRules: [{4F425F7B-5D1A-4286-8D1B-FDCE4E7358AC}] => (Allow) C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.37\msedgewebview2.exe (Microsoft Corporation -> Microsoft Corporation)
 
==================== Restore Points =========================
 
27-06-2022 21:22:54 Windows Modules Installer
29-06-2022 17:10:36 Restore Point Created by FRST
29-06-2022 17:37:40 AdwCleaner_BeforeCleaning_29/06/2022_17:37:39
 
==================== Faulty Device Manager Devices ============
 
 
==================== Event log errors: ========================
 
Application errors:
==================
Error: (06/29/2022 05:11:09 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.
 
Error: (06/29/2022 05:11:09 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]
 
Error: (06/29/2022 05:11:09 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.
 
Error: (06/29/2022 05:11:09 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]
 
Error: (06/29/2022 05:11:09 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007045b, A system shutdown is in progress.
.
 
Error: (06/29/2022 05:11:09 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {4e14fba2-2e22-11d1-9964-00c04fbbb345} and name CEventSystem cannot be started. [0x8007045b, A system shutdown is in progress.
]
 
Error: (06/29/2022 04:30:06 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program dllhost.exe version 10.0.22000.1 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: 5598
 
Start Time: 01d88b2a900592fa
 
Termination Time: 4294967295
 
Application Path: C:\Windows\SysWOW64\dllhost.exe
 
Report Id: 4fc3efb5-6e07-4a58-aea9-f3b8d5372653
 
Faulting package full name: Microsoft.SkypeApp_15.83.3409.0_x86__kzf8qxf38zg5c
 
Faulting package-relative application ID: App
 
Hang type: Quiesce
 
Error: (06/27/2022 06:53:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MiniSearchHost.exe, version: 421.22500.3075.0, time stamp: 0x624de781
Faulting module name: twinapi.appcore.dll, version: 10.0.22000.593, time stamp: 0xa5a9468c
Exception code: 0xc000027b
Fault offset: 0x000000000010a594
Faulting process ID: 0x2cd8
Faulting application start time: 0x01d88a4e2565142a
Faulting application path: C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Faulting module path: C:\Windows\System32\twinapi.appcore.dll
Report ID: 9afd8757-baae-4be6-ac1c-a5a388cd5600
Faulting package full name: MicrosoftWindows.Client.CBS_1000.22000.739.0_x64__cw5n1h2txyewy
Faulting package-relative application ID: MiniSearchUI
 
 
System errors:
=============
Error: (06/29/2022 05:45:02 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
This driver has been blocked from loading
 
Error: (06/29/2022 05:45:02 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\ruthc\AppData\Local\Temp\ehdrv.sys
 
Error: (06/29/2022 05:45:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
This driver has been blocked from loading
 
Error: (06/29/2022 05:45:01 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\ruthc\AppData\Local\Temp\ehdrv.sys
 
Error: (06/29/2022 05:45:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
This driver has been blocked from loading
 
Error: (06/29/2022 05:45:01 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\ruthc\AppData\Local\Temp\ehdrv.sys
 
Error: (06/29/2022 05:45:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
This driver has been blocked from loading
 
Error: (06/29/2022 05:45:01 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\ruthc\AppData\Local\Temp\ehdrv.sys
 
 
Windows Defender:
================
Date: 2022-06-28 15:57:40
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-06-26 12:35:09
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-05-30 17:50:22
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-05-25 17:08:32
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan
 
Date: 2022-05-23 17:54:37
Description: 
Microsoft Defender Antivirus scan has been stopped before completion.
Scan Type: Antimalware
Scan Parameters: Quick Scan

CodeIntegrity:
===============
Date: 2022-06-29 17:49:49
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
 
Date: 2022-06-28 16:52:22
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Program Files\McAfee\MfeAV\AMSIExt.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
Date: 2022-06-28 16:51:52
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\SecurityHealthService.exe) attempted to load \Device\HarddiskVolume3\Program Files\McAfee\MfeAV\AMSIExt.dll that did not meet the Windows signing level requirements.
 
Date: 2022-06-28 10:22:27
Description: 
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume3\Program Files\McAfee\MfeAV\AMSIExt.dll that did not meet the Windows signing level requirements.
 
 
==================== Memory info =========================== 
 
BIOS: AMI F.51 08/12/2021
Motherboard: HP 87B8
Processor: AMD Ryzen 5 4500U with Radeon Graphics 
Percentage of memory in use: 62%
Total physical RAM: 7541.36 MB
Available physical RAM: 2796.22 MB
Total Virtual: 8757.36 MB
Available Virtual: 2758.56 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:237.62 GB) (Free:180.41 GB) (Model: KBG40ZNV256G KIOXIA) (Protected) NTFS
 
\\?\Volume{210f79fb-6489-44da-b57a-64b6b75c1a33}\ () (Fixed) (Total:0.58 GB) (Free:0.08 GB) NTFS
\\?\Volume{cd011f05-8982-446e-9a35-a06f9cebd46c}\ (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.17 GB) FAT32
 
==================== MBR & Partition Table ====================
 
==========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 436A460F)
 
Partition: GPT.
 
==================== End of Addition.txt =======================
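
A way to put into code the checks a malware-removal helper does by eye on an Addition.txt like the one above. This is an added example, not part of the thread and not FRST's own code. It assumes the section-header layout and line formats shown on this page, treats the "[File not signed]" tag (which FRST prints in the Loaded Modules section above) as also appearing on FirewallRules lines, and uses a one-entry SafeBoot allowlist (MBAMService, the service the log above registers) that would need extending per machine. The embedded sample is constructed: the Zoom, McAfee and Outlook rules, the MBAMService entry and the UAC line are copied from the page, while the updater.exe rule and the updsvc SafeBoot entry are made up to exercise the checks.

```python
"""Triage checks over the sections of an FRST Addition.txt (added example, not FRST's own code)."""
import re

# Executables under these paths can be replaced by any code running as the user,
# so an Allow rule pointing there deserves a look even when the vendor is legitimate.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Services expected under SafeBoot. MBAMService is what this page's log shows; extending it per machine is an assumption.
SAFEBOOT_ALLOW = {"MBAMService"}
FW_RULE = re.compile(
    r"^FirewallRules: \[(?P<id>\{[^}]*\})\] => \((?P<action>Allow|Block)\) "
    r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll)) ?(?P<tail>.*)$", re.IGNORECASE)
UAC_LINE = re.compile(r"Policies\\System => (?P<kv>.*)$")
SAFEBOOT = re.compile(r"SafeBoot\\(?P<mode>Minimal|Network)\\(?P<name>.+?) =>")

def split_sections(text):
    """Map each '==== Name ====' header to the non-empty lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^=+ (.+?) =+\s*$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections

def section(sections, prefix):
    """Lines of the first section whose name starts with prefix, e.g. 'FirewallRules'."""
    return next((lines for name, lines in sections.items() if name.startswith(prefix)), [])

def check_firewall(lines):
    """Each finding is a (check, path) tuple; only Allow rules matter here."""
    out = []
    for line in lines:
        m = FW_RULE.match(line)
        if not m or m["action"].lower() != "allow":
            continue
        path, tail = m["path"], m["tail"]
        if "=> No File" in tail:
            # Stale rule: nothing at the path now, but whatever lands there later inherits the Allow.
            out.append(("firewall-dangling", path))
        elif "[File not signed]" in tail:  # tag as FRST prints it in Loaded Modules; assumed here for rules
            out.append(("firewall-unsigned", path))
        if USER_WRITABLE.search(path):
            out.append(("firewall-user-writable", path))
    return out

def parse_uac(lines):
    """Pull the (Name: value) pairs FRST prints for the Policies\\System key."""
    for line in lines:
        m = UAC_LINE.search(line)
        if m:
            return {k: int(v) for k, v in re.findall(r"\((\w+): (\d+)\)", m["kv"])}
    return {}

def check_uac(values):
    out = []
    if values.get("EnableLUA") != 1:
        out.append(("uac-disabled", f"EnableLUA={values.get('EnableLUA')}"))
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        # 0 elevates administrators without any prompt; 5 (the value in the log above) prompts for consent.
        out.append(("uac-silent-elevation", "ConsentPromptBehaviorAdmin=0"))
    return out

def check_safeboot(lines):
    # Malware sometimes registers its service under SafeBoot so it keeps running in Safe Mode.
    out = []
    for line in lines:
        m = SAFEBOOT.search(line)
        if m and m["name"] not in SAFEBOOT_ALLOW:
            out.append(("safeboot-service", f"{m['name']} ({m['mode']})"))
    return out

def triage(text):
    s = split_sections(text)
    return (check_firewall(section(s, "FirewallRules"))
            + check_uac(parse_uac(section(s, "Other Areas")))
            + check_safeboot(section(s, "Safe Mode")))

# Constructed sample in the shape of this page's Addition.txt. The MBAMService, UAC, Zoom, McAfee and
# Outlook lines are copied from the page; the updsvc entry and the updater.exe rule are made up.
SAMPLE_ADDITION = r'''==================== Safe Mode (Whitelisted) ==================
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\updsvc => ""="Service"
==================== Other Areas ===========================
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
==================== FirewallRules (Whitelisted) ================
FirewallRules: [{44D2E955-6EF4-464E-B8FE-FE04D1BD972E}] => (Allow) C:\Users\ruthc\AppData\Roaming\Zoom\bin\Zoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)
FirewallRules: [{A4F934F8-F34D-4E99-87A2-DB1045A72386}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe => No File
FirewallRules: [{6AB9BB49-8B29-4217-BDC7-506755A45179}] => (Allow) C:\Program Files\Microsoft Office\root\Office16\outlook.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{00000000-0000-0000-0000-000000000001}] => (Allow) C:\Users\ruthc\AppData\Local\Temp\updater.exe [File not signed]
'''

if __name__ == "__main__":
    for check, detail in triage(SAMPLE_ADDITION):
        print(f"{check:24} {detail}")
```

Run it as a script to print the findings, or import it and call triage() on a real Addition.txt. Two caveats the log above illustrates: an Allow rule whose target is "=> No File" (the McAfee McSvHost rule) is stale and worth removing, since anything later placed at that path inherits the rule; and an Allow rule under a user-profile path (the Zoom rule) is not malicious by itself, only worth confirming, because any code running as that user could replace the binary. The eapihdrv/ehdrv.sys "blocked from loading" entries in the System errors section are the ESET Online Scanner's helper driver being loaded from the user's Temp folder (the KpRm log later in the thread removes that scanner), so they are a side-effect of the cleanup tooling rather than a finding, and the example deliberately leaves the event-log section alone.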


#12
DR M
    The Grecian Geek
  • Malware Removal
  • 4,109 posts

Hi.
 
Your logs are clean now. The following fix will just make some tidiness.
 
FRST fix


Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste it anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
S2 HP Comm Recover; "C:\Program Files\HPCommRecovery\HPCommRecovery.exe" [X]
2022-06-29 17:11 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files\McAfee
2022-06-29 17:10 - 2021-03-13 20:35 - 000002131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk
2022-06-29 17:10 - 2021-03-13 20:32 - 000002150 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk
2022-06-29 17:10 - 2021-03-13 20:32 - 000002142 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk
2022-06-28 17:04 - 2022-06-29 17:10 - 000000000 ____D C:\ProgramData\McInstTemp0004051656432248
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

 

Is there any remaining issue/question/concern regarding this computer? 



#13
bjorkstrait
    New Member
  • Topic Starter
  • Member
  • 9 posts

Dear Dr M,

As far as I can tell, there are no additional issues. I don't actually use this laptop, but my mum says that she cannot think of anything else that is a problem.

Here is the log:

------------

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-06-2022 01
Ran by ruthc (30-06-2022 16:51:30) Run:2
Running from C:\Users\ruthc\OneDrive\Desktop
Loaded Profiles: ruthc
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
S2 HP Comm Recover; "C:\Program Files\HPCommRecovery\HPCommRecovery.exe" [X]
2022-06-29 17:11 - 2021-03-13 20:36 - 000000000 ____D C:\Program Files\McAfee
2022-06-29 17:10 - 2021-03-13 20:35 - 000002131 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk
2022-06-29 17:10 - 2021-03-13 20:32 - 000002150 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk
2022-06-29 17:10 - 2021-03-13 20:32 - 000002142 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk
2022-06-28 17:04 - 2022-06-29 17:10 - 000000000 ____D C:\ProgramData\McInstTemp0004051656432248
EmptyTemp:
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\System\CurrentControlSet\Services\HP Comm Recover => removed successfully
HP Comm Recover => service removed successfully
C:\Program Files\McAfee => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Utomik - Play over 1000 games.lnk => moved successfully
C:\ProgramData\McInstTemp0004051656432248 => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 1310720 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9530565 B
Java, Discord, Steam htmlcache => 0 B
Windows/system/drivers => 1198060 B
Edge => 0 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 6610 B
NetworkService => 14872 B
ruthc => 7479811 B
 
RecycleBin => 0 B
EmptyTemp: => 18.6 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 16:51:46 ====


#14
DR M
    The Grecian Geek
  • Malware Removal
  • 4,109 posts

OK, so everything is fine now.

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.


#15
bjorkstrait
    New Member
  • Topic Starter
  • Member
  • 9 posts

# Run at 30/06/2022 19:12:59
# KpRm (Kernel-panik) version 2.9.3
# Run by ruthc from C:\Users\ruthc\OneDrive\Desktop
# Computer Name: LAPTOP-21SARBCO
# OS: Windows 10 X64 (22000) 
# Number of passes: 1
 
- Checked options -
 
    ~ Registry Backup
    ~ Delete Tools
    ~ Restore System Settings
    ~ UAC Restore
    ~ Delete Restore Points
    ~ Create Restore Point
    ~ Delete Quarantines
 
- Create Registry Backup -
 
   ~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
   ~ [OK] Hive C:\Users\ruthc\NTUSER.dat backed up
 
     [OK] Registry Backup: C:\KPRM\backup\2022-06-30-19-12-58
 
- Delete Tools -
 
 
  ## AdwCleaner
     [OK] C:\Users\ruthc\OneDrive\Desktop\AdwCleaner.exe deleted
     [OK] C:\AdwCleaner deleted
 
  ## ESET Online Scanner
     [OK] C:\Users\ruthc\OneDrive\Desktop\ESET Online Scanner.lnk deleted
     [OK] C:\Users\ruthc\OneDrive\Desktop\esetonlinescanner.exe deleted
     [OK] C:\Users\ruthc\AppData\Local\ESET\ESETOnlineScanner deleted
 
  ## FRST
     [OK] C:\Users\ruthc\OneDrive\Desktop\Addition.txt deleted
     [OK] C:\Users\ruthc\OneDrive\Desktop\Fixlog.txt deleted
     [OK] C:\Users\ruthc\OneDrive\Desktop\FRST-OlderVersion deleted
     [OK] C:\Users\ruthc\OneDrive\Desktop\FRST.txt deleted
     [OK] C:\Users\ruthc\OneDrive\Desktop\FRST64.exe deleted
     [OK] C:\FRST deleted
 
  ## Malwarebytes (log)
     [OK] C:\Users\ruthc\OneDrive\Desktop\mbam report.txt deleted
 
- Restore System Settings -
 
     [OK] Reset WinSock
     [OK] FLUSHDNS
     [OK] Hide Hidden file.
     [OK] Show Extensions for known file types
     [OK] Hide protected operating system files
 
- Restore UAC -
 
     [OK] Set EnableLUA with default (1) value
     [OK] Set ConsentPromptBehaviorAdmin with default (5) value
     [OK] Set ConsentPromptBehaviorUser with default (3) value
     [OK] Set EnableInstallerDetection with default (0) value
     [OK] Set EnableSecureUIAPaths with default (1) value
     [OK] Set EnableUIADesktopToggle with default (0) value
     [OK] Set EnableVirtualization with default (1) value
     [OK] Set FilterAdministratorToken with default (0) value
     [OK] Set PromptOnSecureDesktop with default (1) value
     [OK] Set ValidateAdminCodeSignatures with default (0) value
 
- Clear Restore Points -
 
   ~ [OK] RP named Restore Point Created by FRST created at 06/29/2022 16:10:36 deleted
   ~ [OK] RP named AdwCleaner_BeforeCleaning_29/06/2022_17:37:39 created at 06/29/2022 16:37:40 deleted
   ~ [OK] RP named Restore Point Created by FRST created at 06/30/2022 15:51:34 deleted
     [OK] All system restore points have been successfully deleted
 
- Create Restore Point -
 
     [OK] System Restore Point created
 
- Display System Restore Point -
 
   ~ [I] RP named KpRm created at 06/30/2022 18:13:31
 
-- KPRM finished in 43.33s --
