Scrooge

Thank you very much for your time. I really appreciate it. The topic can be closed now.

Dear Experts, I was wondering if my computer might be infected or maybe I'm just paranoid. Although nothing seems to be out of the ordinary, please tell me I'm just paranoid here on this. I've heard about dll injection when malware authors have been exploiting Windows dynamic library where executables access the library and share the memory space, with a malicious dll beieng injected into a legitimate process. Then we won't then see a malicious process runing in memory there because it's a legitimate executable that could very well be an essential Windows operating system process but carrying out the malicious activities because it's actually executing functions that are part of a malicious dll file. Because I have Windows 10 Pro 64-bit(Version 1809 17763.134) (X64) there are obviously two rundll32.exe for calling different programs respectively. One is located in C:\Windows\System32\rundll32.exe Another one is in C:\Windows\SysWOW64\rundll32.exe Sometimes when I turn on my computer I see them both ( I guess) starting up with Windows, and sometimes they don't start up with Windows. Today for example they started up again. See attached Task Manager screenshot. I scanned my computer with Emsisoft while they were runnng. The scan result attached. I ran FRABAR scan. FRST nad Addition scans attached. I also ran cmd command (tasklist /m /fi "IMAGENAME eq rundll32.exe") to identify loaded DLLs in these running rundll32.exe,. Screenshot attached. Am I paranoid? My browsing habbits are pretty rigorous. I don't visit suspicious websites, I don't download literally anyting unless I have to. I don't even click on links that I send to myself not to mention some attachments coming in an email. My browser security settings don't have even one weak cipher siute and they are all with forward secrecy, My browser user agent only supports TLS 1.2 and obviously 1.3 and it's immune to logjam, freak and poodle attacks with a bunch other firefox about:config strengthened security settings. I know I'm probably a very sick individual in terms of this hyphened sense of security but that the way it is now. Should I be worried about these two rundll32.exe? EEK SCAN.txt FRST.txt Addition.txt

Thank you. Maybe this reparse something was caused by the fact that I wanted to install Keeper password manager from Windows store until I didn't because I changed my mind and then I messed it even more in Windows 'head' by trying to install its desktop version until again I didn't because I changed my mind the second time.

Hi, it's me again. Today I scanned my laptop with this Rkill, I don't know why, maybe I souldn''t have but earlier it never showed this: Performing miscellaneous checks: * Reparse Point/Junctions Found (Most likely legitimate)! * C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 => C:\WINDOWS\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache\IE [Dir] I attach the Rkil log. Should I be concerned about i? I immediately scan the whole computer with EEK but nothing was found, the same with Adwcleaner Just in case FARBAR logs here: Rkill.txt FRST.txt Addition.txt EEK_scan_180717-202459.txt Now it's gone but I;m curious whta that was Rkill.txt

Thank you. btw, just deleted FRST I'm planning to buy Emsisoft 3-year license. Is there such a thing like Emsisoft life time license? Anyway, I'd like to thank you for fixing my gal friday laptop. I trully appreciate it. The topic can be closed.

Thank you Kevin. If I can ask you one more thing. I was wondering would you adise to turn on this relatively recent feature "memory integrity" in Windows Defender Seurity Center with Emsisoft being installed? I've heard that some Windows users reported significant slowdowns and a decrease in system performance after they turned it on, even without any antivirus program being installed? p.s. I just tried to delete it but it doesn't want to be deleted somehow. It says the file or folder is open in another program but I don't know where it can be opened.

Fixlog here. Fixlog.txt I also have a question. What should I do with the folder FRST on my C?. Can I delete it? Because now everytime I start the Device Performace & health section it says 1 recommendation and when I run the troubleshooting it says that SASKUTL and SASDIFSV don't have drivers, which is quite understandble. I can always dismiss it but I'd like to get rid off it. They belong to SUPERAntiSpyware software and they are not essential for Windows. I don't have it any more and I don't want it. Can I just delete FRST? p.s. I'm sorry. It doesn't show any more when I restarted my computer again without dissmissing the recommendation.

Things are running smoothly thanks to you. I really appreciate it. Thank you very much Kevin. I really don't want to put you out, you helped me a lot already, but if you just could take a look at this farbar scans of another laptop for any possible signs of malware. FRST.txt Addition.txt

Done. The fixlog is attached. Fixlog.txt

I did like you said. And I changed the EEK user interface language to English before doing that. Just in case I also generated the forensics log of that entry. Here are the files. full path to installer.dat.txt Forensics_180710-082411.txt

Here they are. I ran the fresh EEK scan first and FRST second. Forensics_180709-091807.txt FRST.txt Addition.txt

Sure, I'll do it on Monday thirst thing in the morning. Thanks a lot for your patience with me.

Yes, I think I have AdwCleaner delete this TweakBit. Sorry, I must've attached the wrong file. I just ran AdwCleaner again but there is only the scan log. AdwCleaner[S00].txt

I ran the second time. the log file of the result is attached. AdwCleaner[S00].txt

Thank you , this is the log file you requested after AdwCleaner. AdwCleaner[S00].txt