Hello, Stephspomer.
Can you please tell me why you think the computer is infected? Please describe the symptoms to me in detail, if possible.
=====================================================
Here are my first comments/instructions regarding your logs:
1. You ran FRST in Safe mode
Is there any reason for running the FRST tool in Safe mode? If not, please sign in in Normal mode and continue from there.
2. Policies restrictions
Do you recognize these restrictions on specific policies?
HKU\S-1-5-21-2051312817-2871648933-3297728195-1010\...\Policies\system: [ConnectHomeDirToRoot] 0
HKU\S-1-5-21-2051312817-2871648933-3297728195-1010\Software\Policies\...\system: [disablecmd] 0
HKU\S-1-5-21-2051312817-2871648933-3297728195-1010\Software\Policies\...\system: [DenyRsopToInteractiveUser] 0
3. Uninstall Adobe Flash Player
Adobe Flash Player is no longer supported and keeping it installed is a security risk. You have these versions of the product installed:
Adobe Flash Player 30 ActiveX
Adobe Flash Player 30 NPAPI
Adobe Flash Player 32 PPAPI
Please go on to uninstall them all.
4. Antivirus program / malware removal tools
You have no antivirus program, and Windows Defender, which functions as anti-spyware in Windows 7, is out of date. Instead, you have several executable files for malware removal tools. Keep in mind that many of these tools are no longer used, while others have to be updated in order to run effectively. I would have added the lines regarding these tools to the fix for removal, but I thought to ask you first, in case you need them for educational purposes. If this is not the case, then please remove everything:
(Trend Micro Inc.) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\HijackThis.exe
(Farbar) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\FarSvSca.exe
(Don HO [email protected]) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\npp.8.1.4.Installer.x64.exe
(Swearware) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\ComboFix.exe
(VIPRE Security) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\vipre-advanced-security-trial.exe
(Adlice Software ) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\RogueKiller_setup.exe
(SUPERAntiSpyware) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\SUPERAntiSpyware.exe
(SurfRight B.V.) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\HitmanPro_x64.exe
(Malwarebytes) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\AdwCleaner.exe
(Bleeping Computer, LLC) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\rkill-unsigned.exe
(Zemana Ltd. ) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\AntiMalware_Setup-z3m.exe
(Malwarebytes ) C:\Users\Stephs HP Elite.STEPHSGRAYHP\Desktop\mb3-setup-1878.1878-3.8.3.2965.exe
Regarding the antivirus, we will come back to that when we finish cleaning.
5. FRST fix
Please do the following to run a FRST fix.
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
- Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => -> No File
ContextMenuHandlers1: [SystemSpeedupFilesMenu] -> {14cb2bd0-2375-3d10-9b5d-5e18865c8959} => C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.DLL -> No File
ContextMenuHandlers4: [SystemSpeedupFoldersMenu] -> {700866bb-c8e9-3e71-b359-abb28baed0e8} => C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.DLL -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
ContextMenuHandlers5: [SystemSpeedupDesktopMenu] -> {0cab5786-30e8-3185-9b3b-ccefbf1b8afe} => C:\Program Files (x86)\Avira\System Speedup\Avira.SystemSpeedup.UI.ShellExtension.DLL -> No File
AlternateDataStreams: C:\ProgramData:Easy$Duplicate$Finder [140]
AlternateDataStreams: C:\Users\All Users:Easy$Duplicate$Finder [140]
AlternateDataStreams: C:\ProgramData\Application Data:Easy$Duplicate$Finder [140]
SearchScopes: HKU\S-1-5-21-2051312817-2871648933-3297728195-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
MSCONFIG\Services: McAfee WebAdvisor => 2
MSCONFIG\startupreg: McAfeeSafeConnect => C:\Program Files (x86)\McAfee Safe Connect\McAfee Safe Connect.exe
C:\Program Files (x86)\McAfee Safe Connect
FirewallRules: [{64F9B558-C70A-48F3-93EE-8FE949184956}] => (Allow) C:\Program Files (x86)\Steam\steam.exe => No File
FirewallRules: [{23A6D05F-5C73-4DC3-B3D3-B08A480CB162}] => (Allow) C:\Program Files (x86)\Steam\steam.exe => No File
FirewallRules: [{70359B4F-2032-4D7C-8B16-A14C8773A792}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{468348CE-C606-4EC9-995E-FA7A877434B2}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe => No File
FirewallRules: [{DC7E3650-CD04-4AC1-BC63-B8B5583E37FF}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [{B7609DA6-24CD-4616-B2E4-600BF7A7EA3F}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe => No File
FirewallRules: [TCP Query User{D3D808CD-06BC-4112-8948-0CF19CDFDDEE}C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x64\ostriv.exe] => (Allow) C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x64\ostriv.exe => No File
FirewallRules: [UDP Query User{25EB54C5-CC61-4630-9118-2BA8F8174C33}C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x64\ostriv.exe] => (Allow) C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x64\ostriv.exe => No File
FirewallRules: [TCP Query User{6921AE2F-8751-4653-825D-36E63A6C3D08}C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x32\ostriv.exe] => (Allow) C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x32\ostriv.exe => No File
FirewallRules: [UDP Query User{7D8A8B1D-8336-4E1C-AFEB-DB9000ACA532}C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x32\ostriv.exe] => (Allow) C:\users\stephs hp elite.stephsgrayhp\desktop\game\ostriv.v0.3.0.3\ostriv.v0.3.0.3\ostriv\x32\ostriv.exe => No File
FirewallRules: [{BF126AA4-93E0-4BB4-A936-B260BB90E6EC}] => (Block) C:\Program Files\BlueStacks\HD-Player.exe => No File
FirewallRules: [{C5AC69DF-3F96-48DE-85B9-6A584B6CB94B}] => (Allow) C:\Users\Stephs HP Elite.STEPHSGRAYHP\AppData\Local\Temp\7zS36A0\HP.EasyStart.exe => No File
FirewallRules: [TCP Query User{1AAC7C71-79DD-4726-9530-320684FEE86A}C:\users\stephs hp elite.stephsgrayhp\appdata\local\temp\7zs7117\enterprisedu.exe] => (Allow) C:\users\stephs hp elite.stephsgrayhp\appdata\local\temp\7zs7117\enterprisedu.exe => No File
FirewallRules: [UDP Query User{FFAAA1C8-2884-441F-855D-8600A71243B3}C:\users\stephs hp elite.stephsgrayhp\appdata\local\temp\7zs7117\enterprisedu.exe] => (Allow) C:\users\stephs hp elite.stephsgrayhp\appdata\local\temp\7zs7117\enterprisedu.exe => No File
FirewallRules: [{FB517CEA-5F96-41EF-952C-705527C7A60A}] => (Block) C:\users\stephs hp elite.stephsgrayhp\appdata\local\temp\7zs7117\enterprisedu.exe => No File
FirewallRules: [{E85068A4-D7D7-4672-BA3C-B395E2C17478}] => (Block) C:\users\stephs hp elite.stephsgrayhp\appdata\local\temp\7zs7117\enterprisedu.exe => No File
FirewallRules: [{13D5F55F-244C-48BE-80D6-6FA500151FA5}] => (Allow) C:\Users\Stephs HP Elite.STEPHSGRAYHP\AppData\Roaming\Zoom\bin\airhost.exe => No File
FirewallRules: [{904DD7B1-73E5-4503-9231-7AA9B1209AF7}] => (Allow) C:\Users\Stephs HP Elite.STEPHSGRAYHP\AppData\Roaming\Zoom\bin\airhost.exe => No File
HKU\S-1-5-21-2051312817-2871648933-3297728195-1001\...\Run: [Windscribe] => "C:\Program Files (x86)\Windscribe\Windscribe.exe" -os_restart
C:\Program Files (x86)\Windscribe
HKU\S-1-5-21-2051312817-2871648933-3297728195-1001\...\MountPoints2: {33586c8d-3a48-11e9-84a2-2c59e5b9da1b} - E:\windows\AutoRun.exe
HKU\S-1-5-21-2051312817-2871648933-3297728195-1001\...\MountPoints2: {5cb923ce-1e1e-11e9-9842-2c59e5b9da1b} - E:\windows\AutoRun.exe
HKU\S-1-5-21-2051312817-2871648933-3297728195-1001\...\MountPoints2: {5cb92416-1e1e-11e9-9842-2c59e5b9da1b} - E:\windows\AutoRun.exe
HKU\S-1-5-21-2051312817-2871648933-3297728195-1001\...\MountPoints2: {7cd1f3c1-59dd-11ea-b0d5-2c59e5b9da1b} - E:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2051312817-2871648933-3297728195-1001\...\MountPoints2: {7cd1f3cf-59dd-11ea-b0d5-2c59e5b9da1b} - E:\HTC_Sync_Manager_PC.exe
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{2D00AE86-E9F9-43A0-82A4-79EBA59183E2}] -> "C:\Program Files (x86)\Avira\Scout\Application\58.0.3029.2783\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files (x86)\Avira
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\Stephs HP Elite\NTUSER.pol: Restriction <==== ATTENTION
Policies: C:\Users\Stephs HP Elite.STEPHSGRAYHP\NTUSER.pol: Restriction <==== ATTENTION
Task: {1286D389-4890-4EDB-8115-DD3A4B18256C} - \{6C07F1FA-041D-4677-9E0E-A34AEB08A60F} -> No File <==== ATTENTION
Task: {13E72FE4-DFF2-4CDA-ABB7-959617E9A0AD} - \{DE32699B-5F53-4647-BC20-D23DA1AA995E} -> No File <==== ATTENTION
Task: {218A7FCE-B4FF-4F2C-8554-8B89773642CE} - \{3183EA9F-B79F-4348-83A8-C83F79F566F0} -> No File <==== ATTENTION
Task: {27C66E95-3C31-4F24-84EB-2F86CA876538} - \{AEC12F12-7F2F-4312-AA51-B771656A0011} -> No File <==== ATTENTION
Task: {2FD3EF11-397D-44E4-9E81-D6DABDC8267D} - \{4A46DB2C-1BF0-4E42-A3B6-4DD59A66B8D8} -> No File <==== ATTENTION
Task: {3A059635-30A9-4F83-80D7-0DC80C89912F} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {496197B3-7355-4A5E-A25F-62284A003E0C} - \{19B904CD-55C2-43AB-A0AF-A143A5EC39D9} -> No File <==== ATTENTION
Task: {8023BB4E-DEBF-45F4-BB9B-F141F73BDD32} - \Microsoft\Windows\Media Center\DispatchRecoveryTasks -> No File <==== ATTENTION
Task: {898A47E3-0320-45CA-81E5-BB4A3284F805} - \{D5143D3E-57D0-437D-A153-934233133CB6} -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - System32\Tasks\Microsoft\Windows\Application Experience\AitAgent => aitagent.exe <==== ATTENTION
Task: {B6C80976-BA3B-4572-950A-263783BC89B8} - \Games\UpdateCheck_S-1-5-21-2051312817-2871648933-3297728195-1001 -> No File <==== ATTENTION
Task: {C8E2143C-EFC4-4EDB-8C3C-314B04725042} - \{06830E4B-CEB4-4B53-A258-9E4AB44B9287} -> No File <==== ATTENTION
Task: {CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186} - \Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask -> No File <==== ATTENTION
Task: {D7904B9D-AD56-4A18-A371-B4170AC856F7} - \{ECB6370C-17B3-45F3-B9E6-ECDDE736A4B3} -> No File <==== ATTENTION
Task: {DC8784C2-B5E8-49A2-AD98-F315C3FF25C8} - \{7DC38035-F04B-4A85-831B-8AEB2C7D92AF} -> No File <==== ATTENTION
Task: {E207A07D-88CA-41DD-A23B-456BAA88103F} - \{53E90FAB-5F85-4EFB-8553-69293AAAA6DB} -> No File <==== ATTENTION
Task: {E2CBE2F0-4114-4CDB-822F-CA7199D72C0A} - \{84EF4C11-F574-486D-8055-46EC9B5E58CE} -> No File <==== ATTENTION
Task: {EEBDA907-EE80-488D-BD76-5602FAFF13F0} - \Microsoft\Windows\Media Center\StartRecording -> No File <==== ATTENTION
Task: {F1AF1AF3-B7E0-4CF0-84C8-454BC656F16B} - \{903A76E8-FF34-441C-9CBC-8509B1F048EE} -> No File <==== ATTENTION
Task: {FF409BC3-5D1D-499D-9D98-EA7E679E9EA3} - \{5D420FA5-C70D-4BD3-8594-1164BA08204A} -> No File <==== ATTENTION
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_30_0_0_154.dll [2018-08-14] (Adobe Systems Incorporated -> )
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk]
S4 AGMService; "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe" [X]
S4 AGSService; "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe" [X]
S4 AviraOptimizerHost; "C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe" [X]
U3 aswbdisk; no ImagePath
U1 avgbdisk; no ImagePath
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 esihdrv; \??\C:\Users\STEPHS~1.STE\AppData\Local\Temp\esihdrv.sys [X] <==== ATTENTION
S3 MFE_RR; \??\C:\Users\STEPHS~1.STE\AppData\Local\Temp\mfe_rr.sys [X] <==== ATTENTION
S2 NDivert; system32\DRIVERS\NDivert.sys [X]
S4 nvlddmkm; system32\DRIVERS\nvlddmkm.sys [X]
S3 SWDUMon; system32\DRIVERS\SWDUMon.sys [X]
S3 TsUsbGD; \SystemRoot\system32\drivers\TsUsbGD.sys [X]
U0 vlflt; no ImagePath
2017-04-25 19:23 - 2017-04-25 19:23 - 005478400 _____ () C:\Program Files (x86)\GUT58B7.tmp
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3: <==== ATTENTION (Restriction - Zones)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
EmptyTemp:
End::
- Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
- Press the Fix button once and wait.
- FRST will process fixlist.txt.
- When finished, it will produce a log fixlog.txt on your Desktop.
- Please post the log in your next reply.
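Added example (not part of the original post or of FRST): a read-only PowerShell check that lists Windows Firewall rules whose program path no longer exists, the same condition the "=> No File" FirewallRules entries in the fix above describe. It assumes the standard firewall rule store under HKLM\SYSTEM\...\FirewallPolicy\FirewallRules and is written for PowerShell 2.0 so it also runs on Windows 7; run it from an elevated prompt.

```powershell
# Added example: report firewall rules that point at programs which are gone.
# Assumption: rules are stored as pipe-separated "Key=Value" strings in this key.
# Nothing is modified; the output is for review only.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$rules = Get-ItemProperty -Path $key

foreach ($prop in $rules.PSObject.Properties) {
    # Skip the PSPath/PSParentPath/... properties PowerShell adds to the object
    if ($prop.Name -like 'PS*') { continue }

    # Parse "v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\...\x.exe|Name=...|"
    $fields = @{}
    foreach ($pair in ($prop.Value -split '\|')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $fields[$kv[0]] = $kv[1] }
    }

    # Service/system rules carry no App= field; only program rules are checked
    if (-not $fields.ContainsKey('App')) { continue }

    $app = [Environment]::ExpandEnvironmentVariables($fields['App'])
    if (-not (Test-Path -LiteralPath $app)) {
        New-Object PSObject -Property @{
            Rule    = $prop.Name        # e.g. {GUID} or "TCP Query User{GUID}C:\..."
            Action  = $fields['Action'] # Allow / Block
            Active  = $fields['Active']
            Program = $app
        }
    }
}
```

Orphaned rules are harmless by themselves, but an allow rule for a path under Temp or a user profile is worth a second look, since a new file dropped at that path would inherit the rule.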