Pop Up scammer got remote access. Help cleaning up anything left on the pc – Virus, Trojan, Spyware, and Malware Removal Help – BleepingComputer

I'm helping someone who got a pop-up that their "computer was infected," called the number on the pop-up and let the bad actor onto his computer to "help remove the infection." I saw UltraViewer was installed and I have removed that via the Apps section. I am concerned that there still might be something on the computer. Hoping you guys can help check it out, as there are no other easy-to-notice issues/infections.

OS: Windows 10 Home
AV: Windows Defender
Make: Lenovo

What I have done so far:

1) Uninstalled UltraViewer via Apps
2) Ran Windows Defender offline scan. Gets to 91% and the PC reboots. Security Settings don't show any acknowledgment of the scan.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 05-02-2022
Ran by Jim (administrator) on GOOGOOPC (LENOVO 10156) (06-02-2022 15:45:37)
Running from C:\Users\Jim\Desktop
Loaded Profiles: Jim
Platform: Microsoft Windows 10 Home Version 21H1 19043.1466 (X64) Language: English (United States)
Default browser: Edge
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() [File not signed] C:\Windows\jmesoft\JME_LOAD.exe
() [File not signed] C:\Windows\jmesoft\Service.exe
(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(Intel® pGFX -> Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Intel® pGFX -> Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel® pGFX -> Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel® pGFX -> Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel® pGFX -> Intel Corporation) C:\Windows\System32\igfxTray.exe
(Intuit, Inc. -> Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Lenovo -> Lenovo Group Ltd.) C:\Program Files (x86)\Lenovo\VantageService\3.10.26.0\Lenovo.Vantage.AddinHost.Amd64.exe <2>
(Lenovo -> Lenovo Group Ltd.) C:\Program Files (x86)\Lenovo\VantageService\3.10.26.0\Lenovo.Vantage.AddinHost.exe <4>
(Lenovo -> Lenovo Group Ltd.) C:\Program Files (x86)\Lenovo\VantageService\3.10.26.0\Lenovo.Vantage.AddinHost.x86.exe
(Lenovo -> Lenovo Group Ltd.) C:\Program Files (x86)\Lenovo\VantageService\3.10.26.0\LenovoVantageService.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.SettingsApp.exe <2>
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\PluginHost86\Lenovo.Modern.ImController.PluginHost.Device.exe
(Lenovo -> Lenovo Group Ltd.) C:\Windows\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
(Lenovo) [File not signed] C:\Windows\jmesoft\hotkey.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20544.0_x64__8wekyb3d8bbwe\HxOutlook.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.20544.0_x64__8wekyb3d8bbwe\HxTsr.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\LocationNotificationWindows.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MpCopyAccelerator.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe
(Microsoft Windows Publisher -> Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor Corp -> Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SEIKO EPSON Corporation -> SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_IATICEA.EXE
(Skype Software Sarl -> Skype Technologies S.A.) C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe <2>

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16475392 2016-04-15] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_LENOVO_MICPKEY] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1419008 2016-04-15] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM-x32\...\Run: [jmekey] => C:\WINDOWS\jmesoft\hotkey.exe [118784 2013-07-24] (Lenovo) [File not signed]
HKLM-x32\...\Run: [jmesoft] => C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-08-16] () [File not signed]
HKU\S-1-5-21-2439729490-4236933183-955795659-1001\...\Run: [Skype for Desktop] => C:\Program Files (x86)\Microsoft\Skype for Desktop\Skype.exe [112191904 2021-12-06] (Skype Software Sarl -> Skype Technologies S.A.)
HKU\S-1-5-21-2439729490-4236933183-955795659-1001\...\Run: [MicrosoftEdgeAutoLaunch_D0492BB4DE118B93F253393DBF3D44AC] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
HKU\S-1-5-21-2439729490-4236933183-955795659-1001\...\Run: [EPSON Stylus CX8400 Series] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IATICEA.EXE [209408 2007-02-15] (SEIKO EPSON Corporation -> SEIKO EPSON CORPORATION)
HKLM\...\Print\Monitors\EPSON Stylus CX8400 Series 64MonitorBA: C:\WINDOWS\system32\E_ILMCEA.DLL [108032 2007-12-07] (SEIKO EPSON Corporation -> SEIKO EPSON CORPORATION)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\97.0.4692.99\Installer\chrmstp.exe [2022-01-25] (Google LLC -> Google LLC)

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0931DAC3-984D-4A6A-9C4D-402027C1D46A} - System32\Tasks\Microsoft\Office\Office Feature Updates => C:\Program Files (x86)\Microsoft Office\root\Office16\sdxhelper.exe [108904 2022-02-02] (Microsoft Corporation -> Microsoft Corporation)
Task: {0D138A3F-22BD-4F4E-8644-C5222550ED7A} - System32\Tasks\Lenovo\Vantage\Lenovo.Vantage.ServiceMaintainance => %systemroot%\system32\sc.exe start LenovoVantageService
Task: {0DC7F15B-224C-4508-9C56-674DF2D0A550} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MpCmdRun.exe [901048 2021-12-16] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {13F2A6D6-BC0C-4EE4-B913-F656C4396478} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [152216 2017-06-30] (Google Inc -> Google Inc.)
Task: {1723348E-42E5-479E-A664-73C4F2367892} - System32\Tasks\Lenovo\Vantage\Schedule\Lenovo.Vantage.SmartPerformance.SScan => C:\Program Files (x86)\Lenovo\VantageService\3.10.26.0\ScheduleEventAction.exe [26408 2021-12-14] (Lenovo -> Lenovo Group Ltd.)
Task: {18C5B38A-BE56-4EEB-A4BF-23A188A927AC} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [22880112 2022-02-02] (Microsoft Corporation -> Microsoft Corporation)
Task: {1EF7E0E3-8652-4D28-A7AA-82D0F90F3D6E} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {207A6205-5DBB-44F0-ACE6-7E03CF5D5348} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\bf649924-fd4d-4520-8239-01863ffe4c91 => C:\WINDOWS\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [84264 2022-01-13] (Lenovo -> Lenovo Group Ltd.)
Task: {244EA6C7-96B6-4B9D-B6A0-4C8F5AA8FAD0} - System32\Tasks\Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance => "%windir%\system32\sc.exe" START ImControllerService
Task: {2C97FD32-217F-491F-B811-B5CC3E1DCF5F} - System32\Tasks\Microsoft\Office\Office Automatic Updates 2.0 => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [22880112 2022-02-02] (Microsoft Corporation -> Microsoft Corporation)
Task: {43CB79B0-A98E-4A95-8DAC-0C95C6CA6195} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\74796ee4-ad13-410e-b42b-df1039c10892 => C:\WINDOWS\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [84264 2022-01-13] (Lenovo -> Lenovo Group Ltd.)
Task: {4BD325E3-7C79-4C3D-9E52-4F78F28B060E} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\0ea69a85-7a47-47fe-913b-a762f1be7513 => C:\WINDOWS\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [84264 2022-01-13] (Lenovo -> Lenovo Group Ltd.)
Task: {50868824-3719-4E8D-B859-31954420F651} - System32\Tasks\Lenovo\Vantage\Schedule\VantageTelemetryAddinTask => C:\Program Files (x86)\Lenovo\VantageService\3.6.15.0\ScheduleEventAction.exe VantageTelemetryAddinTask (No File)
Task: {57E4CDDF-62A4-4B2E-A3D4-EE2D854EBCF8} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MpCmdRun.exe [901048 2021-12-16] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {5B0EEB1A-43D8-45CE-9B58-08E9FA6E4BE1} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\JustCloud\Signup Wizard.exe frompopup (No File)
Task: {61EEDB42-08F0-49BE-93C8-4445BBACDB51} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MpCmdRun.exe [901048 2021-12-16] (Microsoft Windows Publisher -> Microsoft Corporation)
Task: {674E2AB2-B077-4412-A335-02503DBAD710} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\f3fa1091-b34c-45e1-8764-8ab96309a897 => C:\WINDOWS\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [84264 2022-01-13] (Lenovo -> Lenovo Group Ltd.)
Task: {6C52DE09-EDA0-4CE5-A82E-C39A3D569F56} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1564424 2021-11-17] (Adobe Inc. -> Adobe Inc.)
Task: {71AFAC46-A96B-4D4C-A1BC-C4548D41C665} - System32\Tasks\Lenovo\ImController\Lenovo iM Controller Monitor => C:\WINDOWS\system32\ImController.InfInstaller.exe [64248 2022-01-13] (Lenovo -> Lenovo Group Ltd.)
Task: {8470377F-F6A5-41F6-9ACF-7AB71BAA8A07} - System32\Tasks\Microsoft\Office\Office Feature Updates Logon => C:\Program Files (x86)\Microsoft Office\root\Office16\sdxhelper.exe [108904 2022-02-02] (Microsoft Corporation -> Microsoft Corporation)
Task: {92F6CC22-FCBE-4C9A-818E-7D6D659835D8} - System32\Tasks\Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask => %windir%\System32\reg.exe add hklm\SOFTWARE\Lenovo\SystemUpdatePlugin\scheduler /v start /t reg_dword /d 1 /f /reg:32
Task: {A586AD6B-DE8D-481A-BD7C-103C26B0F86A} - System32\Tasks\SlimCleaner Plus (Scheduled Scan - Jim) => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe /doScheduledScan (No File)
Task: {BE31505A-BBCA-4A9C-BCCA-B2921B835278} - System32\Tasks\Lenovo\Vantage\Schedule\DailyTelemetryTransmission => C:\Program Files (x86)\Lenovo\VantageService\3.10.26.0\ScheduleEventAction.exe [26408 2021-12-14] (Lenovo -> Lenovo Group Ltd.)
Task: {C101426F-D49A-45A4-8295-793BC0686934} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [152216 2017-06-30] (Google Inc -> Google Inc.)
Task: {C494B776-9E97-43CF-A65A-53B4C936B24A} - System32\Tasks\LaunchApp => C:\Program Files (x86)\JustCloud\JustCloud.exe windowlaunch (No File)
Task: {C81A1744-2DC6-43CE-8330-D414871C72C0} - System32\Tasks\Lenovo\Lenovo MigrationAssistant start event task => C:\Program Files\Lenovo\Lenovo Migration Assistant\Lenovo Migration Assistant Srv.exe [291216 2020-11-11] (Lenovo -> )
Task: {F6E4F63E-9650-42F1-8C56-574D8DFBDD3C} - System32\Tasks\Lenovo\BatteryGauge\BatteryGaugeMaintenance => C:\ProgramData\Lenovo\ImController\Plugins\LenovoBatteryGaugePackage\x64\BGHelper.exe [145480 2021-09-09] (Lenovo -> Lenovo Group Ltd.)
Task: {FA928BEC-907B-44F5-98BE-268B1D4886E8} - System32\Tasks\{4728F58E-877B-42A3-ADC5-AC8BE482312B} => "c:\windows\system32\launchwinapp.exe" hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=6.18.0.105&LastError=404
Task: {FC3EAF3B-FD55-4A3C-818E-A3E790A457AB} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [1172360 2022-02-02] (Microsoft Corporation -> Microsoft Corporation)
Task: {FEF9911F-B819-474E-90D4-D9E37324F63E} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MpCmdRun.exe [901048 2021-12-16] (Microsoft Windows Publisher -> Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\SlimCleaner Plus (Scheduled Scan - Jim).job => C:\Program Files\SlimCleaner Plus\SlimCleanerPlus.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{fea5a3b9-2297-4478-ae7f-1808039ce62a}: [DhcpNameServer] 192.168.1.1

Edge:
=======
DownloadDir: C:\Users\Jim\Downloads
Edge Notifications: HKU\S-1-5-21-2439729490-4236933183-955795659-1001 -> hxxps://mail.google.com
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> EdgeExtension_BrowseTechLLCAdRemover_fstwarvhxwf4c => C:\Program Files\WindowsApps\BrowseTechLLC.AdRemover_5.8.3.0_neutral__fstwarvhxwf4c [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
Edge DefaultProfile: Default
Edge Profile: C:\Users\Jim\AppData\Local\Microsoft\Edge\User Data\cId=128000000001363769&path= [2021-03-30] <==== ATTENTION
Edge Profile: C:\Users\Jim\AppData\Local\Microsoft\Edge\User Data\Default [2022-02-06]
Edge DownloadDir: Default -> C:\Users\Jim\Downloads
Edge Notifications: Default -> hxxps://mail.google.com; hxxps://www.everydaywinner.com
Edge Extension: (Ad Remover) - C:\Users\Jim\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ojegeldnlnmnjhnlgkghkkalkingcabj [2021-06-11]

FireFox:
========
FF DefaultProfile: 0wawpx7t.default
FF ProfilePath: C:\Users\Jim\AppData\Roaming\Mozilla\Firefox\Profiles\0wawpx7t.default [2021-07-31]
FF Extension: (Avira SafeSearch Plus) - C:\Users\Jim\AppData\Roamin[email protected]avira.com [2017-02-22] [Legacy]
FF Extension: (SavvyConnect) - C:\Users\Jim\AppData\Roa[email protected]surveysavvy.com.xpi [2017-03-02] [Legacy]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\[email protected]i => not found
FF Plugin: Adobe Acrobat -> C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\nppdf32.dll [2021-12-24] (Adobe Inc. -> Adobe Systems Inc.)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2021-10-31] (Microsoft Corporation -> Microsoft Corporation)

Chrome:
=======
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default [2019-09-13]
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxps://search.avira.com/#web/result?source=omnibar&q={searchTerms}
CHR DefaultSearchKeyword: Default -> Avira
CHR DefaultSuggestURL: Default -> hxxps://search.avira.com/suggestions?q={searchTerms}&li=ff&hl=en
CHR Extension: (Slides) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2019-09-13]
CHR Extension: (Docs) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2019-09-13]
CHR Extension: (Google Drive) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-15]
CHR Extension: (YouTube) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-15]
CHR Extension: (Sheets) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2019-09-13]
CHR Extension: (Avira Browser Safety) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2019-09-13]
CHR Extension: (Google Docs Offline) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2019-09-13]
CHR Extension: (Avira SafeSearch Plus) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipmkfpcnmccejididiaagpgchgjfajgp [2019-09-13]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2019-09-13]
CHR Extension: (Gmail) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-09-13]
CHR Extension: (Chrome Media Router) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-09-13]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk]
CHR HKLM\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp]
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk]
CHR HKLM-x32\...\Chrome\Extension: [ipmkfpcnmccejididiaagpgchgjfajgp]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [169728 2021-11-17] (Adobe Inc. -> Adobe Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [12124536 2022-02-02] (Microsoft Corporation -> Microsoft Corporation)
R2 ImControllerService; C:\WINDOWS\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [84264 2022-01-13] (Lenovo -> Lenovo Group Ltd.)
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-08-16] () [File not signed]
R2 LenovoVantageService; C:\Program Files (x86)\Lenovo\VantageService\3.10.26.0\LenovoVantageService.exe [31016 2021-12-14] (Lenovo -> Lenovo Group Ltd.)
R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\NisSrv.exe [2876152 2021-12-16] (Microsoft Windows Publisher -> Microsoft Corporation)
R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2111.5-0\MsMpEng.exe [128360 2021-12-16] (Microsoft Windows Publisher -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BthA2dp; C:\WINDOWS\System32\drivers\BthA2dp.sys [279040 2019-12-07] (Microsoft Corporation) [File not signed]
S3 BthHFEnum; C:\WINDOWS\System32\drivers\bthhfenum.sys [144896 2019-12-07] (Microsoft Corporation) [File not signed]
R3 GeneStor; C:\WINDOWS\system32\DRIVERS\GeneStor.sys [188840 2015-08-29] (GENESYS LOGIC, INC. -> GenesysLogic)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [140672 2018-01-13] (Malwarebytes Corporation -> Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2018-11-06] (Malwarebytes Corporation -> Malwarebytes)
S3 phantomtap; C:\WINDOWS\System32\drivers\phantomtap.sys [45056 2017-05-18] (Avira Operations GmbH & Co. KG -> The OpenVPN Project)
S3 SWDUMon; C:\WINDOWS\system32\DRIVERS\SWDUMon.sys [16152 2016-08-24] (Slimware Utilities, Inc. -> )
S3 tap0901; C:\WINDOWS\System32\drivers\tap0901.sys [35784 2017-02-03] (Avira Operations GmbH & Co. KG -> The OpenVPN Project)
S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [48536 2021-12-16] (Microsoft Windows Early Launch Anti-malware Publisher -> Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [435432 2021-12-16] (Microsoft Windows -> Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [86248 2021-12-16] (Microsoft Windows -> Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-02-06 15:28 - 2022-02-06 15:37 - 000030338 ____C C:\Users\Jim\Desktop\Addition.txt
2022-02-06 15:20 - 2022-02-06 15:48 - 000021475 ____C C:\Users\Jim\Desktop\FRST.txt
2022-02-06 15:19 - 2022-02-06 15:47 - 000000000 ___DC C:\FRST
2022-02-06 15:17 - 2022-02-06 15:02 - 002311680 ____C (Farbar) C:\Users\Jim\Desktop\FRST64.exe
2022-02-04 12:10 - 2022-02-06 14:59 - 000000000 _____ C:\WINDOWS\UV_LastPW.ini
2022-02-04 11:35 - 2022-02-04 11:45 - 000000000 ____D C:\Users\Jim\AppData\Roaming\UltraViewer
2022-02-04 11:33 - 2022-02-06 14:59 - 000000000 ____D C:\Program Files (x86)\UltraViewer
2022-02-04 11:32 - 2022-02-04 11:32 - 003465760 _____ (DucFabulous ) C:\Users\Jim\Downloads\UltraViewer_setup_6.5_en.exe
2022-01-30 22:09 - 2022-01-30 22:09 - 000016995 _____ C:\Users\Jim\Downloads\Statements_01302022_210918.PDF
2022-01-30 21:36 - 2022-01-30 21:36 - 000117717 _____ C:\Users\Jim\Downloads\dxweb (1).pdf
2022-01-30 17:58 - 2022-01-30 17:58 - 000117717 _____ C:\Users\Jim\Downloads\dxweb.pdf
2022-01-21 10:36 - 2022-01-21 10:36 - 000016932 _____ C:\Users\Jim\Downloads\Statements_01212022_093642.PDF
2022-01-20 13:44 - 2022-01-20 13:44 - 000018817 _____ C:\Users\Jim\Downloads\Statements_01202022_124417.PDF
2022-01-20 13:42 - 2022-01-20 13:42 - 000016932 _____ C:\Users\Jim\Downloads\Statements_01202022_124253.PDF
2022-01-18 22:48 - 2022-01-18 22:48 - 000000000 ____D C:\WINDOWS\Minidump
2022-01-18 22:48 - 2022-01-18 22:48 - 000000000 _____ C:\WINDOWS\Minidump\011822-27687-01.dmp
2022-01-15 15:12 - 2022-01-15 15:12 - 000018817 _____ C:\Users\Jim\Downloads\Statements_01152022_141203.PDF
2022-01-15 14:58 - 2022-01-15 14:59 - 012463904 _____ C:\Users\Jim\Downloads\epson12226 (1).exe
2022-01-15 14:58 - 2022-01-15 14:58 - 035440928 _____ C:\Users\Jim\Downloads\easyphotoprint_win (1).exe
2022-01-15 14:58 - 2022-01-15 14:58 - 018902128 _____ C:\Users\Jim\Downloads\EEM_31153 (1).exe
2022-01-15 14:58 - 2022-01-15 14:58 - 012463904 _____ C:\Users\Jim\Downloads\epson12226.exe
2022-01-15 14:57 - 2022-01-15 14:57 - 007813048 _____ C:\Users\Jim\Downloads\epson15143.exe
2022-01-15 14:57 - 2022-01-15 14:57 - 007813048 _____ C:\Users\Jim\Downloads\epson15143 (1).exe
2022-01-15 14:56 - 2022-01-15 14:56 - 022214584 _____ C:\Users\Jim\Downloads\epson15145 (5).exe
2022-01-15 14:55 - 2022-01-15 14:55 - 022214584 _____ C:\Users\Jim\Downloads\epson15145 (4).exe
2022-01-15 14:42 - 2022-01-15 14:43 - 000109356 _____ C:\WINDOWS\EPSTPLOG.TXT
2022-01-15 14:42 - 2022-01-15 14:42 - 000008284 _____ C:\WINDOWS\SysWOW64\eps_icon.avi
2022-01-15 14:42 - 2022-01-15 14:42 - 000000031 _____ C:\WINDOWS\EPSMTL32.TXT
2022-01-15 14:42 - 2005-02-25 00:00 - 000046080 _____ (SEIKO EPSON CORP.) C:\WINDOWS\SysWOW64\escimgd.dll
2022-01-15 14:42 - 2005-02-25 00:00 - 000029696 _____ (SEIKO EPSON CORP.) C:\WINDOWS\SysWOW64\escwiad.dll
2022-01-15 14:42 - 2005-02-25 00:00 - 000022016 _____ (SEIKO EPSON CORP.) C:\WINDOWS\SysWOW64\esccmd.dll
2022-01-15 14:23 - 2022-01-15 14:23 - 000000000 ____D C:\Users\Jim\AppData\Roaming\EPSON
2022-01-15 14:21 - 2022-01-15 14:21 - 000002251 ____C C:\Users\Public\Desktop\Epson Easy Photo Print.lnk
2022-01-15 14:21 - 2022-01-15 14:21 - 000000000 ____D C:\ProgramData\UDL
2022-01-15 14:21 - 2022-01-15 14:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Epson Software
2022-01-15 14:20 - 2022-01-15 14:20 - 000000000 ____D C:\ProgramData\Sony Corporation
2022-01-15 14:20 - 2022-01-15 14:20 - 000000000 ____D C:\Program Files (x86)\Epson Software
2022-01-15 13:43 - 2022-01-15 13:43 - 035440928 _____ C:\Users\Jim\Downloads\easyphotoprint_win.exe
2022-01-15 13:43 - 2022-01-15 13:43 - 018902128 _____ C:\Users\Jim\Downloads\EEM_31153.exe
2022-01-15 13:42 - 2022-01-15 13:43 - 012001056 _____ C:\Users\Jim\Downloads\epson12347.exe
2022-01-15 13:41 - 2022-01-15 13:41 - 023828408 _____ C:\Users\Jim\Downloads\epson15096 (6).exe
2022-01-15 13:41 - 2022-01-15 13:41 - 009861048 _____ C:\Users\Jim\Downloads\epson15094.exe
2022-01-15 13:39 - 2022-01-15 13:40 - 023828408 _____ C:\Users\Jim\Downloads\epson15096 (5).exe
2022-01-14 12:11 - 2022-01-26 15:16 - 000002384 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2022-01-14 09:28 - 2022-01-14 09:28 - 000523776 _____ (curl, hxxps://curl.se/) C:\WINDOWS\system32\curl.exe
2022-01-14 09:28 - 2022-01-14 09:28 - 000464384 _____ (curl, hxxps://curl.se/) C:\WINDOWS\SysWOW64\curl.exe
2022-01-14 09:28 - 2022-01-14 09:28 - 000011797 _____ C:\WINDOWS\system32\DrtmAuthTxt.wim
2022-01-14 08:41 - 2022-01-14 08:41 - 000000000 __HDC C:\$WinREAgent
2022-01-07 12:31 - 2022-01-07 12:32 - 000768410 _____ C:\Users\Jim\Downloads\Document (6).pdf

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-02-06 15:45 - 2017-06-30 20:05 - 000000000 ____D C:\Program Files (x86)\Google
2022-02-06 15:44 - 2019-12-07 04:14 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2022-02-06 15:36 - 2019-12-07 04:13 - 000000000 ____D C:\WINDOWS\INF
2022-02-06 14:56 - 2019-09-13 16:58 - 000000000 ____D C:\Users\Jim\AppData\Local\D3DSCache
2022-02-06 14:33 - 2015-08-06 07:35 - 000000000 __SHD C:\Users\Jim\IntelGraphicsProfiles
2022-02-06 14:30 - 2020-09-10 03:46 - 000000006 ___HC C:\WINDOWS\Tasks\SA.DAT
2022-02-06 14:30 - 2020-09-10 03:08 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2022-02-06 14:30 - 2020-09-10 03:07 - 000008192 ___SH C:\DumpStack.log.tmp
2022-02-06 14:30 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\ServiceState
2022-02-04 07:05 - 2019-12-07 04:14 - 000000000 ___HD C:\Program Files\WindowsApps
2022-02-04 07:05 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\AppReadiness
2022-02-02 22:53 - 2016-06-07 11:32 - 000000000 ___DC C:\Program Files (x86)\Microsoft Office
2022-02-02 22:35 - 2019-12-07 04:03 - 000524288 _____ C:\WINDOWS\system32\config\BBI
2022-02-02 22:34 - 2020-09-10 03:11 - 000000000 ____D C:\Users\Jim
2022-01-30 17:28 - 2014-06-29 13:28 - 000000000 ____D C:\Users\Jim\Documents\Access Jim's Files
2022-01-28 18:13 - 2020-06-14 20:15 - 000002449 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk
2022-01-28 18:13 - 2020-06-14 20:15 - 000002287 ____C C:\Users\Public\Desktop\Microsoft Edge.lnk
2022-01-26 15:16 - 2021-12-13 10:49 - 000003588 _____ C:\WINDOWS\system32\Tasks\OneDrive Reporting Task-S-1-5-21-2439729490-4236933183-955795659-1001
2022-01-26 15:16 - 2020-09-10 03:46 - 000003360 _____ C:\WINDOWS\system32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2439729490-4236933183-955795659-1001
2022-01-25 23:05 - 2020-09-10 03:46 - 000003480 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineUA
2022-01-25 23:05 - 2020-09-10 03:46 - 000003356 _____ C:\WINDOWS\system32\Tasks\MicrosoftEdgeUpdateTaskMachineCore
2022-01-25 19:01 - 2018-01-08 16:02 - 000000000 __RDC C:\Users\Jim\Documents\Wright, Christina
2022-01-25 18:41 - 2020-11-13 14:52 - 000000000 ___DC C:\Users\Jim\Documents\Logitech C270 HD Webcam, 720p Video with Noise Reducing Mic_files
2022-01-25 02:05 - 2017-06-30 20:05 - 000002312 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2022-01-25 02:05 - 2017-06-30 20:05 - 000002271 ____C C:\Users\Public\Desktop\Google Chrome.lnk
2022-01-21 09:39 - 2020-09-10 03:46 - 000003420 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineUA
2022-01-21 09:39 - 2020-09-10 03:46 - 000003296 _____ C:\WINDOWS\system32\Tasks\GoogleUpdateTaskMachineCore
2022-01-18 22:48 - 2020-01-15 23:51 - 795879414 _____ C:\WINDOWS\MEMORY.DMP
2022-01-15 14:42 - 2016-09-19 15:53 - 000001014 ____C C:\Users\Public\Desktop\EPSON Scan.lnk
2022-01-15 14:42 - 2016-06-07 13:12 - 000000000 ___DC C:\Program Files (x86)\epson
2022-01-15 14:41 - 2016-06-06 17:25 - 000000000 ___DC C:\Users\Jim\AppData\Local\VirtualStore
2022-01-15 14:21 - 2017-04-15 09:19 - 000000000 ____D C:\ProgramData\EPSON
2022-01-15 14:20 - 2016-06-07 13:12 - 000000000 __HDC C:\Program Files (x86)\InstallShield Installation Information
2022-01-14 22:30 - 2020-07-25 14:18 - 000000000 __RDC C:\Users\Jim\Documents\Wright, Gregory
2022-01-14 22:30 - 2017-10-04 16:37 - 000000000 __RDC C:\Users\Jim\Desktop\Hardware Scans
2022-01-14 22:04 - 2020-09-10 03:29 - 000840598 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2022-01-14 22:01 - 2020-09-10 03:08 - 000448408 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2022-01-14 21:58 - 2019-12-07 04:14 - 000000000 ___SD C:\WINDOWS\system32\DiagSvcs
2022-01-14 21:58 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SysWOW64\Dism
2022-01-14 21:58 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\SystemResources
2022-01-14 21:58 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\setup
2022-01-14 21:58 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\oobe
2022-01-14 21:58 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\system32\Dism
2022-01-14 21:58 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\bcastdvr
2022-01-14 20:58 - 2019-12-07 04:14 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2022-01-14 20:55 - 2020-09-10 03:46 - 000004562 _____ C:\WINDOWS\system32\Tasks\Adobe Acrobat Update Task
2022-01-14 20:47 - 2021-12-14 04:04 - 000002084 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat DC.lnk
2022-01-14 20:47 - 2021-12-14 04:04 - 000002072 ____C C:\Users\Public\Desktop\Adobe Acrobat DC.lnk
2022-01-14 09:39 - 2019-12-07 04:03 - 000000000 ____D C:\WINDOWS\CbsTemp
2022-01-14 08:37 - 2016-06-07 07:33 - 000000000 ___DC C:\WINDOWS\system32\MRT
2022-01-14 08:25 - 2016-06-07 07:33 - 145765912 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2022-01-13 01:07 - 2021-11-07 22:36 - 000064248 _____ (Lenovo Group Ltd.) C:\WINDOWS\system32\ImController.InfInstaller.exe
2022-01-13 01:06 - 2021-11-07 22:36 - 000109312 _____ (Lenovo Group Ltd.) C:\WINDOWS\system32\WudfUpdate_02000.dll
2022-01-13 01:06 - 2020-07-31 19:08 - 000431016 _____ (Lenovo Group Limited) C:\WINDOWS\system32\iMDriverHelper.dll
2022-01-13 01:06 - 2017-10-05 15:06 - 000109312 _____ (Lenovo Group Ltd.) C:\WINDOWS\system32\ImController.CoInstaller.dll

==================== FLock ==============================

2022-02-06 14:59 C:\WINDOWS\UV_LastPW.ini

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-02-2022

Ran by Jim (06-02-2022 15:52:17)

Running from C:UsersJimDesktop

Microsoft Windows 10 Home Version 21H1 19043.1466 (X64) (2020-09-10 08:47:30)

Boot Mode: Normal

==========================================================

==================== Accounts: =============================

 

 

(If an entry is included in the fixlist, it will be removed.)

 

Administrator (S-1-5-21-2439729490-4236933183-955795659-500 – Administrator – Disabled)

DefaultAccount (S-1-5-21-2439729490-4236933183-955795659-503 – Limited – Disabled)

Guest (S-1-5-21-2439729490-4236933183-955795659-501 – Limited – Disabled)

HomeGroupUser$ (S-1-5-21-2439729490-4236933183-955795659-1003 – Limited – Enabled)

Jim (S-1-5-21-2439729490-4236933183-955795659-1001 – Administrator – Enabled) => C:UsersJim

WDAGUtilityAccount (S-1-5-21-2439729490-4236933183-955795659-504 – Limited – Disabled)

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AV: Windows Defender (Enabled – Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Windows Defender (Enabled – Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 

==================== Installed Programs ======================

 

(Only the adware programs with “Hidden” flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

Adobe Acrobat DC (64-bit) (HKLM…{AC76BA86-1033-1033-7760-BC15014EA700}) (Version: 21.011.20039 – Adobe)

Adobe Connect (HKUS-1-5-21-2439729490-4236933183-955795659-1001…Adobe Connect App) (Version: 2020.1.5.32 – Adobe Systems Inc.)

ArcSoft PhotoImpression 6 (HKLM-x32…{D03E7B00-CA85-4684-9321-1888873C34BD}) (Version: 6 – ArcSoft)

ArcSoft Print Creations (HKLM-x32…{0D6D96F4-0CAF-4522-B05F-70A88EDECDFD}) (Version:  – ArcSoft)

Cisco EAP-FAST Module (HKLM-x32…{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 – Cisco Systems, Inc.)

Cisco LEAP Module (HKLM-x32…{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 – Cisco Systems, Inc.)

Cisco PEAP Module (HKLM-x32…{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 – Cisco Systems, Inc.)

EPSON CX8400 User’s Guide (HKLM-x32…Silent Package Run-Time Sample) (Version:  – )

Epson Easy Photo Print 2 (HKLM-x32…{674E262F-72EA-41C1-AF16-9727311A4553}) (Version: 2.4.1.0 – SEIKO EPSON CORPORATION)

EPSON Printer Software (HKLM…EPSON Printer and Utilities) (Version:  – SEIKO EPSON Corporation)

EPSON Printer Software (HKLM-x32…EPSON Printer and Utilities) (Version:  – )

EPSON Scan (HKLM-x32…EPSON Scanner) (Version:  – )

EPSON Stylus CX8400 Series Scanner Driver Update (HKLM-x32…{24ADC0E4-8D3E-40C4-9106-F2DE5E9112F1}) (Version:  – )

EPSON Web-To-Page (HKLM-x32…{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}) (Version:  – )

Genesys USB Mass Storage Device (HKLM-x32…{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.5.0.8.1001 – Genesys Logic)

Google Chrome (HKLM-x32…Google Chrome) (Version: 97.0.4692.99 – Google LLC)

Intel® Chipset Device Software (HKLM-x32…{fb610cea-ba50-4d4b-a717-cf025419035c}) (Version: 10.1.1.13 – Intel® Corporation) Hidden

Intel® Processor Graphics (HKLM-x32…{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4358 – Intel Corporation)

Intel® Trusted Execution Engine (HKLM…{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 – Intel Corporation)

Just Cloud _ Control Panel (HKUS-1-5-21-2439729490-4236933183-955795659-1001…ccbd4b783635ae0e8a32802d171cab4f) (Version: 1.0 – Just Cloud _ Control Panel)

Lenovo Blacksilk USB Keyboard Driver (HKLM-x32…{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.6.13.0724 – Lenovo)

Lenovo Migration Assistant (HKLM…Lenovo Migration Assistant_is1) (Version: 2.1.4.6 – Lenovo)

Lenovo Vantage Service (HKLM-x32…VantageSRV_is1) (Version: 3.10.26.0 – Lenovo Group Ltd.)

Microsoft 365 – en-us (HKLM…O365HomePremRetail – en-us) (Version: 16.0.14827.20158 – Microsoft Corporation)

Microsoft Edge (HKLM-x32…Microsoft Edge) (Version: 97.0.1072.76 – Microsoft Corporation)

Microsoft Edge WebView2 Runtime (HKLM-x32…Microsoft EdgeWebView) (Version: 97.0.1072.76 – Microsoft Corporation)

Microsoft OneDrive (HKUS-1-5-21-2439729490-4236933183-955795659-1001…OneDriveSetup.exe) (Version: 22.002.0103.0004 – Microsoft Corporation)

Microsoft Support and Recovery Assistant for Office 365 (HKUS-1-5-21-2439729490-4236933183-955795659-1001…4415f693b586d348) (Version: 16.0.1389.12 – Microsoft Corporation)

Microsoft Update Health Tools (HKLM…{29B15818-E79F-4AB0-8938-9410C807AD76}) (Version: 2.84.0.0 – Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32…{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 – Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable – x64 9.0.30729.17 (HKLM…{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 – Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable – x64 9.0.30729.6161 (HKLM…{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 – Microsoft Corporation)

Microsoft Visual C++ 2013 Redistributable (x64) – 12.0.30501 (HKLM-x32…{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 – Microsoft Corporation)

Microsoft Visual C++ 2013 Redistributable (x64) – 12.0.40649 (HKLM-x32…{5d0723d3-cff7-4e07-8d0b-ada737deb5e6}) (Version: 12.0.40649.5 – Microsoft Corporation)

Microsoft Visual C++ 2013 Redistributable (x86) – 12.0.30501 (HKLM-x32…{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 – Microsoft Corporation)

Microsoft Visual C++ 2013 Redistributable (x86) – 12.0.40649 (HKLM-x32…{35b83883-40fa-423c-ae73-2aff7e1ea820}) (Version: 12.0.40649.5 – Microsoft Corporation)

Microsoft Visual C++ 2015 Redistributable (x64) – 14.0.23026 (HKLM-x32…{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 – Microsoft Corporation)

Mozilla Firefox 47.0 (x86 en-US) (HKLM-x32…Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 – Mozilla)

Mozilla Maintenance Service (HKLM-x32…MozillaMaintenanceService) (Version: 47.0 – Mozilla)

Office 16 Click-to-Run Extensibility Component (HKLM-x32…{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.14827.20088 – Microsoft Corporation) Hidden

Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM…{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.14827.20088 – Microsoft Corporation) Hidden

Office 16 Click-to-Run Licensing Component (HKLM…{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.14827.20158 – Microsoft Corporation) Hidden

Office 16 Click-to-Run Localization Component (HKLM-x32…{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.14131.20278 – Microsoft Corporation) Hidden

Realtek Ethernet Controller Driver (HKLM-x32…{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.6.1001.2015 – Realtek)

Realtek High Definition Audio Driver (HKLM-x32…{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7796 – Realtek Semiconductor Corp.)

REALTEK Wireless LAN Driver (HKLM-x32…{9DAABC60-A5EF-41FF-B2B9-17329590CD5}) (Version: 1.213.243 – REALTEK Semiconductor Corp.)

Skype version 8.79 (HKLM-x32…Skype_is1) (Version: 8.79 – Skype Technologies S.A.)

Skype™ 7.24 (HKLM-x32…{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.24.104 – Skype Technologies S.A.)

TurboTax 2013 (HKLM-x32…TurboTax 2013) (Version: 2013.0 – Intuit, Inc)

TurboTax 2014 (HKLM-x32…TurboTax 2014) (Version: 2014.0 – Intuit, Inc)

TurboTax 2015 (HKLM-x32…TurboTax 2015) (Version: 2015.0 – Intuit, Inc)

TurboTax 2016 (HKLM-x32…TurboTax 2016) (Version: 2016.0 – Intuit, Inc)

TurboTax 2017 (HKLM-x32…TurboTax 2017) (Version: 2017.0 – Intuit, Inc)

TurboTax 2018 (HKLM-x32…TurboTax 2018) (Version: 2018.0 – Intuit, Inc)

Update for Windows 10 for x64-based Systems (KB4023057) (HKLM…{16AD6161-2E47-4BF1-AA77-0946EFE93E08}) (Version: 2.61.0.0 – Microsoft Corporation)

Windows PC Health Check (HKLM…{B1E7D0FD-7CFE-4E0C-A5DA-0F676499DB91}) (Version: 3.2.2110.14001 – Microsoft Corporation)

Zoom (HKUS-1-5-21-2439729490-4236933183-955795659-1001…ZoomUMX) (Version: 5.7.7 (1105) – Zoom Video Communications, Inc.)

 

Packages:

=========

Converter Bot -> C:Program FilesWindowsApps16200DatassemblyResearch.ConverterBot_1.1.22.0_x64__pzzx47jxjmsae [2018-04-06] (Datassembly Research)

Lenovo Vantage -> C:Program FilesWindowsAppsE046963F.LenovoCompanion_10.2112.10.0_x64__k1h2ywk1493x8 [2021-12-21] (LENOVO INC.)

Microsoft Advertising SDK for XAML -> C:Program FilesWindowsAppsMicrosoft.Advertising.Xaml_10.1811.1.0_x64__8wekyb3d8bbwe [2019-01-18] (Microsoft Corporation) [MS Ad]

Microsoft Advertising SDK for XAML -> C:Program FilesWindowsAppsMicrosoft.Advertising.Xaml_10.1811.1.0_x86__8wekyb3d8bbwe [2019-01-18] (Microsoft Corporation) [MS Ad]

Microsoft Solitaire Collection -> C:Program FilesWindowsAppsMicrosoft.MicrosoftSolitaireCollection_4.12.1050.0_x64__8wekyb3d8bbwe [2022-01-11] (Microsoft Studios) [MS Ad]

Photos Media Engine Add-on -> C:Program FilesWindowsAppsMicrosoft.Photos.MediaEngineDLC_1.0.0.0_x64__8wekyb3d8bbwe [2020-10-18] (Microsoft Corporation)

 

==================== Custom CLSID (Whitelisted): ==============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

CustomCLSID: HKUS-1-5-21-2439729490-4236933183-955795659-1001_ClassesCLSID{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}localserver32 -> C:WINDOWSsystem32igfxEM.exe (Intel® pGFX -> Intel Corporation)

ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:Program Files (x86)Malwarebytes Anti-Malwarembamext.dll [2016-03-10] (Malwarebytes Corporation -> Malwarebytes)

ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File

ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:WINDOWSsystem32igfxDTCM.dll [2016-05-03] (Microsoft Windows Hardware Compatibility Publisher -> Intel Corporation)

ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:Program Files (x86)Malwarebytes Anti-Malwarembamext.dll [2016-03-10] (Malwarebytes Corporation -> Malwarebytes)

 

==================== Codecs (Whitelisted) ====================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM…Drivers32: [vidc.i420] => C:WINDOWSsystem32lvcod64.dll [475936 2007-05-11] (Logitech Inc -> Logitech Inc.)

HKLM…Drivers32: [vidc.i420] => C:WindowsSysWOW64lvcodec2.dll [416544 2007-05-11] (Logitech Inc -> Logitech Inc.)

 

==================== Shortcuts & WMI ========================

 

(The entries could be listed to be restored or removed.)

 

Shortcut: C:UsersJimDocumentsOld FilesPCHP_PAVILION ©FROM OLD COMPUTERDocuments and SettingsComputerNetHoodMy Web Sites on MSNtarget.lnk -> hxxp://www.msnusers.co

Shortcut: C:UsersJimDocumentsOld FilesPCHP_PAVILION ©Documents and SettingsHP_AdministratorNetHoodMy Web Sites on MSNtarget.lnk -> hxxp://www.msnusers.co

ShortcutWithArgument: C:UsersJimAppDataRoamingMicrosoftWindowsStart MenuProgramsJust Cloud _ Control Panel.lnk -> C:Program Files (x86)MicrosoftEdgeApplicationmsedge_proxy.exe (Microsoft Corporation) ->  –profile-directory=Default –app-id=naelehcmpjfgoonpgdpcoaijcjkncing –app-url=hxxps://my.justcloud.com/

 

==================== Loaded Modules (Whitelisted) =============

 

2017-01-20 13:47 – 2011-05-17 13:27 – 000028672 _____ () [File not signed] C:Windowsjmesofthidhook.dll

2021-10-14 04:51 – 2021-10-14 04:51 – 000453632 _____ (Intuit Inc.) [File not signed] C:WINDOWSassemblyNativeImages_v4.0.30319_32Intuit.Spc.09f690bd#a08fe9769ddaa5439a5f996c3e8403c8Intuit.Spc.Esd.Client.BusinessLogic.ni.dll

2021-06-21 10:25 – 2013-04-01 22:19 – 000574464 _____ (Realtek Semiconductor Corp.) [File not signed] C:WINDOWSsystem32Rtlihvs.dll

 

==================== Alternate Data Streams (Whitelisted) ========

 

==================== Safe Mode (Whitelisted) ==================

 

==================== Association (Whitelisted) =================

 

==================== Internet Explorer (Whitelisted) ==========

 

BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:Program Files (x86)Microsoft OfficerootVFSProgramFilesX64Microsoft OfficeOffice16OCHelper.dll [2022-02-02] (Microsoft Corporation -> Microsoft Corporation)

BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:Program Files (x86)Epson SoftwareEasy Photo PrintEPTBL.dll [2012-01-25] (SEIKO EPSON Corporation -> SEIKO EPSON CORPORATION)

BHO-x32: EpsonToolBandKicker Class -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} -> C:Program Files (x86)EPSONEPSON Web-To-PageEPSON Web-To-Page.dll [2005-02-22] (SEIKO EPSON CORPORATION) [File not signed]

Toolbar: HKLM – Easy Photo Print – {9421DD08-935F-4701-A9CA-22DF90AC4EA6} – C:Program Files (x86)Epson SoftwareEasy Photo PrintEPTBL.dll [2012-01-25] (SEIKO EPSON Corporation -> SEIKO EPSON CORPORATION)

Toolbar: HKLM-x32 – EPSON Web-To-Page – {EE5D279F-081B-4404-994D-C6B60AAEBA6D} – C:Program Files (x86)EPSONEPSON Web-To-PageEPSON Web-To-Page.dll [2005-02-22] (SEIKO EPSON CORPORATION) [File not signed]

Toolbar: HKUS-1-5-21-2439729490-4236933183-955795659-1001 -> No Name – {EE5D279F-081B-4404-994D-C6B60AAEBA6D} –  No File

Handler-x32: mso-minsb-roaming.16 – {83C25742-A9F7-49FB-9138-434302C88D07} – C:Program Files (x86)Microsoft OfficerootOffice16MSOSB.DLL [2022-02-02] (Microsoft Corporation -> Microsoft Corporation)

Handler-x32: mso-minsb.16 – {42089D2D-912D-4018-9087-2B87803E93FB} – C:Program Files (x86)Microsoft OfficerootOffice16MSOSB.DLL [2022-02-02] (Microsoft Corporation -> Microsoft Corporation)

Handler-x32: osf-roaming.16 – {42089D2D-912D-4018-9087-2B87803E93FB} – C:Program Files (x86)Microsoft OfficerootOffice16MSOSB.DLL [2022-02-02] (Microsoft Corporation -> Microsoft Corporation)

Handler-x32: osf.16 – {5504BE45-A83B-4808-900A-3A5C36E7F77A} – C:Program Files (x86)Microsoft OfficerootOffice16MSOSB.DLL [2022-02-02] (Microsoft Corporation -> Microsoft Corporation)

 

==================== Hosts content: =========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2016-06-06 20:47 – 2016-06-06 20:43 – 000000824 ____C C:WINDOWSsystem32driversetchosts

 

==================== Other Areas ===========================

 

(Currently there is no automatic fix for this section.)

 

HKLMSystemCurrentControlSetControlSession ManagerEnvironment\Path -> C:Program Files (x86)IntelTXE ComponentsTCS;C:Program FilesIntelTXE ComponentsTCS;%SystemRoot%system32;%SystemRoot%;%SystemRoot%System32Wbem;%SYSTEMROOT%System32WindowsPowerShellv1.0;C:Program Files (x86)SkypePhone;%SYSTEMROOT%System32OpenSSH

HKUS-1-5-21-2439729490-4236933183-955795659-1001Control PanelDesktop\Wallpaper -> C:UsersJimAppDataLocalMicrosoftWindowsThemesRoamedThemeFilesDesktopBackgroundantarctic7.jpg

DNS Servers: Media is not connected to internet.

HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorer => (SmartScreenEnabled: RequireAdmin)

Windows Firewall is enabled.

 

==================== MSCONFIG/TASK MANAGER disabled items ==

 

==================== FirewallRules (Whitelisted) ================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

FirewallRules: [{31493F3C-534B-40A8-9E3F-41A9EBE88F0A}] => (Allow) C:UsersJimAppDataRoamingZoombinairhost.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)

FirewallRules: [{830F4A8E-9B18-4550-8255-AD308E05FA17}] => (Allow) C:UsersJimAppDataRoamingZoombinZoom.exe (Zoom Video Communications, Inc. -> Zoom Video Communications, Inc.)

FirewallRules: [{471346AA-981A-4ABA-9D7A-E81C3519C945}] => (Allow) C:Program Files (x86)NetRatingsNetSightNetSightNielsenOnline.exe => No File

FirewallRules: [{F18230BD-63C8-46AC-A361-236634D289F3}] => (Allow) C:Program Files (x86)NetRatingsNetSightNetSightNielsenOnline.exe => No File

FirewallRules: [{87E73A51-7EDE-4B75-93B3-24A94D834BB0}] => (Allow) C:Program Files (x86)SkypePhoneSkype.exe (Skype Software Sarl -> Skype Technologies S.A.)

FirewallRules: [{644FD484-FFD8-453B-A145-41155B517F84}] => (Allow) C:Program Files (x86)Mozilla Firefoxfirefox.exe (Mozilla Corporation -> Mozilla Corporation)

FirewallRules: [{4A9827B0-CD71-4030-AFAE-335032FE5A25}] => (Allow) C:Program Files (x86)Mozilla Firefoxfirefox.exe (Mozilla Corporation -> Mozilla Corporation)

FirewallRules: [{40417ADE-EB20-4283-9277-F844D4ED658C}] => (Allow) C:Program Files (x86)Common FilesIntuitUpdate Service v4IntuitUpdater.exe (Intuit, Inc. -> Intuit Inc.)

FirewallRules: [{48FFFF47-EE21-41EB-8C91-5B63F9DBE384}] => (Allow) C:Program Files (x86)Common FilesIntuitUpdate Service v4IntuitUpdateService.exe (Intuit, Inc. -> Intuit Inc.)

FirewallRules: [{925FDC7C-A369-472C-95B0-E5A315E97395}] => (Allow) C:Program Files (x86)Common FilesIntuitUpdate Service v4IntuitUpdateService.exe (Intuit, Inc. -> Intuit Inc.)

FirewallRules: [{9A6BDFA7-D02C-43C1-8B28-A5BF2C88CD97}] => (Allow) C:Program Files (x86)Common FilesIntuitUpdate Service v4IntuitUpdateService.exe (Intuit, Inc. -> Intuit Inc.)

FirewallRules: [{624237EE-BC36-4C6E-A539-229C88CC8D22}] => (Allow) C:Program Files (x86)Common FilesIntuitUpdate Service v4IntuitUpdateService.exe (Intuit, Inc. -> Intuit Inc.)

FirewallRules: [{FD2D5808-6826-4E07-A08C-A5F4DDA6EE8B}] => (Allow) C:Program Files (x86)Common FilesIntuitUpdate Service v4IntuitUpdateService.exe (Intuit, Inc. -> Intuit Inc.)

FirewallRules: [{2F4F9165-448F-4FD8-962A-CE32892693A0}] => (Allow) C:Program Files (x86)MicrosoftSkype for DesktopSkype.exe (Skype Software Sarl -> Skype Technologies S.A.)

FirewallRules: [{CD0B89CF-F403-4D99-8897-E5E77838009A}] => (Allow) C:Program Files (x86)MicrosoftSkype for DesktopSkype.exe (Skype Software Sarl -> Skype Technologies S.A.)

FirewallRules: [{4D039E71-3813-4408-BDB1-A5DFABA7BF2A}] => (Allow) C:Program FilesWindowsAppsMicrosoft.SkypeApp_15.79.95.0_x86__kzf8qxf38zg5cSkypeSkype.exe (Skype Software Sarl -> Skype Technologies S.A.)

FirewallRules: [{E1BF4E6A-BFD9-4BDD-8952-F913C66B2BDB}] => (Allow) C:Program FilesWindowsAppsMicrosoft.SkypeApp_15.79.95.0_x86__kzf8qxf38zg5cSkypeSkype.exe (Skype Software Sarl -> Skype Technologies S.A.)

FirewallRules: [{7C9BF2BD-1DB5-4D56-AE39-4F2BC0566249}] => (Allow) C:Program FilesWindowsAppsMicrosoft.SkypeApp_15.79.95.0_x86__kzf8qxf38zg5cSkypeSkype.exe (Skype Software Sarl -> Skype Technologies S.A.)

FirewallRules: [{8EDC1F4B-9D36-4CAD-8347-BC007DE3E81F}] => (Allow) C:Program FilesWindowsAppsMicrosoft.SkypeApp_15.79.95.0_x86__kzf8qxf38zg5cSkypeSkype.exe (Skype Software Sarl -> Skype Technologies S.A.)

FirewallRules: [{73C48676-20BE-4525-A9BA-4EDC6D5D8367}] => (Allow) C:Program FilesLenovoLenovo Migration AssistantMigrationAssistant.exe (Lenovo -> )

FirewallRules: [{1639A2D8-22AA-4C2A-B60E-030598DDB035}] => (Allow) C:Program FilesLenovoLenovo Migration AssistantMigrationAssistant.exe (Lenovo -> )

FirewallRules: [{5C3626B0-A4E5-4951-8C8D-6E669A7DC8D4}] => (Allow) C:Program FilesLenovoLenovo Migration AssistantLenovo Migration Assistant Srv.exe (Lenovo -> )

FirewallRules: [{AA81D4DA-B035-4366-BF3D-1DBE7F033525}] => (Allow) C:Program FilesLenovoLenovo Migration AssistantLenovo Migration Assistant Srv.exe (Lenovo -> )

FirewallRules: [{1E3E74DB-8935-4AF5-A162-1369D97A8126}] => (Allow) C:Program Files (x86)Microsoft OfficerootOffice16outlook.exe (Microsoft Corporation -> Microsoft Corporation)

FirewallRules: [{F1A38531-65C4-484D-BFC0-DBA2C34C6FC6}] => (Allow) C:Program Files (x86)GoogleChromeApplicationchrome.exe (Google LLC -> Google LLC)

FirewallRules: [{1DF49B40-FCB6-4199-84A8-D19285FC595C}] => (Allow) C:Program Files (x86)MicrosoftEdgeWebViewApplication97.0.1072.76msedgewebview2.exe (Microsoft Corporation -> Microsoft Corporation)

 

==================== Restore Points =========================

 

25-01-2022 10:01:59 Scheduled Checkpoint

03-02-2022 09:30:06 Scheduled Checkpoint

 

==================== Faulty Device Manager Devices ============

==================== Event log errors: ========================

 

Application errors:

==================

Error: (02/03/2022 03:05:07 PM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )

Description: Event-ID 0

 

Error: (02/02/2022 10:35:16 PM) (Source: Microsoft-Windows-Perflib) (EventID: 1000) (User: NT AUTHORITY)

Description: Access to performance data was denied to user “SYSTEM” (value from GetUserName() for the running thread) as attempted from module “C:Program Files (x86)LenovoVantageService3.10.26.0Lenovo.Vantage.AddinHost.Amd64.exe” (value from GetModuleFileName() for the binary that issued the query).

 

Error: (02/02/2022 10:34:33 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1512) (User: NT AUTHORITY)

Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This problem is often caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account. 

 

 DETAIL – Access is denied.

 

Error: (02/02/2022 10:34:33 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1512) (User: NT AUTHORITY)

Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This problem is often caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account. 

 

 DETAIL – Access is denied.

 

Error: (02/02/2022 02:20:57 PM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )

Description: Event-ID 0

Source: https://www.bleepingcomputer.com/forums/t/768221/pop-up-scammer-got-remote-access-help-cleaning-up-anything-left-on-the-pc/