Scorpion Saver

cla · November 17, 2013

Hello and

Please read the following and post back the logs.

General P2P/Piracy Warning:

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
If the log is too large then you can use attachments by clicking on the More Reply Options button.
Please enable your system to show hidden files: How to see hidden files in Windows
Make sure you're subscribed to this topic:
Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
You can check here if you're not sure if your computer is 32-bit or 64-bit
Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
When we are done, I'll give you instructions on how to cleanup all the tools and logs
Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
Your topic will be closed if you haven't replied within 3 days
(If I have not responded within 24 hours, please send me a Private Message as a reminder)
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.
As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.
Please download Rkill by Grinler from one of the links below and save it to your desktop.
Link 1
Link 2
On Windows XP double-click on the Rkill desktop icon to run the tool.
On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.
STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.
Please download ERUNT from one of the following links: Link1 | Link2 | Link3
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Double click on erunt-setup.exe to Install ERUNT by following the prompts.
NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
Choose a location for the backup.
Note: the default location is C:\Windows\ERDNT which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK
Then click on YES to create the folder.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
STEP 02
Please download RogueKiller and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit
RogueKiller 32-bit | RogueKiller 64-bit
Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.

I am plagued with the irritation of scorpion saver.

Here is the report from rogue killer. I hope you can help me

RogueKiller V8.7.8 [Nov 14 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : candrews [Admin rights]

Mode : Scan -- Date : 11/17/2013 12:14:27

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 11 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\RunOnce : DCERegBootClean64 (C:\Windows\RegBootClean64.exe [7]) -> FOUND

[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

184.178.193.201 ris.docview.simonmed.com

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG MZ7PA128HMCD-010 +++++

--- User ---

[MBR] 496e6a91b9d84a5756a6db3d2f7d783d

[bSP] 611bbf06169f3f3de350ac6f943f5f2f : Lenovo MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 104901 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 217298944 | Size: 16000 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] 7f8ddf54504aeb67a38821fb25f1b737

[bSP] fc32f27c79d234681273a082a119dec7 : Windows Vista MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 104901 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 217298944 | Size: 16000 Mo

Finished : << RKreport[0]_S_11172013_121427.txt >>

AdvancedSetup · November 17, 2013

I'm going to be going on vacation in a couple of days so I may not be able to finish with you unless you reply quickly.

Please visit this webpage and read the ComboFix User's Guide:

Once you've read the article and are ready to use the program you can download it directly from the link below.
Important! - Please make sure you save combofix to your desktop and do not run it from your browser
Direct download link for: ComboFix.exe
Please make sure you disable your security applications before running ComboFix.
Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
Please attach that log file to your next reply.
If needed the file can be located here: C:\combofix.txt
NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

cla · November 18, 2013

Did not find anything with the full system antivirus scan. I can see the scorpionsaver in my programs file but when I attempt to uninstall it, I get an error message saying that it can't find the program

Here is the checkup.txt

Results of screen317's Security Check version 0.99.77

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 11

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Trend Micro Titanium Maximum Security

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.75.0.1300

Adobe Flash Player 11.9.900.117

Adobe Reader 10.1.8 Adobe Reader out of Date!

Google Chrome 31.0.1650.48

Google Chrome 31.0.1650.57

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

Trend Micro AMSP coreServiceShell.exe

Trend Micro UniClient UiFrmWrk uiWatchDog.exe

Trend Micro AMSP coreFrameworkHost.exe

Trend Micro UniClient UiFrmWrk uiSeAgnt.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 29% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

cla · November 18, 2013

Here is the log from systemlook.txt

SystemLook 30.07.11 by jpshortstuff

Log created at 20:37 on 17/11/2013 by candrews

Administrator - Elevation successful

WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*Scorpion*"

No files found.

========== folderfind ==========

Searching for "*Scorpion*"

C:\Program Files (x86)\ScorpionSaver d------ [03:14 17/11/2013]

C:\Users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack d------ [03:14 17/11/2013]

C:\Users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\ScorpionSaver d------ [03:14 17/11/2013]

========== regfind ==========

Searching for "Scorpion"

[HKEY_CURRENT_USER\Software\Adpeak, Inc.\ScorpionSaver]

[HKEY_CURRENT_USER\Software\AppDataLow\Software\ScorpionSaver]

[HKEY_CURRENT_USER\Software\ScorpionSaver]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{273E1F1A-7B1A-436C-A783-A4A8C97AD036}]

"DisplayName"="ScorpionSaver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}]

@="ScorpionSaver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}\InProcServer32]

@="C:\Program Files (x86)\ScorpionSaver\IECore.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8BA5CD9129705784F8B198C6A5C96EEA\SourceList]

"PackageName"="scorpionsaver_10232013.msi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A1F1E372A1B7C6347A384A8A9CA70D63]

"ProductName"="ScorpionSaver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\A1F1E372A1B7C6347A384A8A9CA70D63\SourceList]

"PackageName"="ScorpionSaver.msi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\70060DFA-34EC-4098-A17C-EB73AA8D0853]

@="ScorpionSaver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SOFTWARE\Wow6432Node\CLSID\70060DFA-34EC-4098-A17C-EB73AA8D0853\InProcServer32]

@="C:\Program Files(x86)\ScorpionSaver\IECore.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}]

@="ScorpionSaver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10AD2C61-0898-4348-8600-14A342F22AC3}\InProcServer32]

@="C:\Program Files (x86)\ScorpionSaver\IECore.dll"

[HKEY_USERS\S-1-5-21-4182128424-483147172-123557929-1000\Software\Adpeak, Inc.\ScorpionSaver]

[HKEY_USERS\S-1-5-21-4182128424-483147172-123557929-1000\Software\AppDataLow\Software\ScorpionSaver]

[HKEY_USERS\S-1-5-21-4182128424-483147172-123557929-1000\Software\ScorpionSaver]

-= EOF =-

AdvancedSetup · November 18, 2013

Please save the attached file "CFScript.txt" to the same location as Combofix.exe
Then quit your browser and drag-and-drop "CFScript.txt" onto Combofix to run it again and post back the new log file.

CFScript.txt

AdvancedSetup · November 20, 2013

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

AdvancedSetup · November 20, 2013

Topic reopened per user request. I am going on vacation so will probably have to turn this over to another helper.

Please run the CFScript.txt file as outlined above and post back the new log.

cla · November 20, 2013

I ComboFix 13-11-19.01 - candrews 11/20/2013 17:42:22.4.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6062 [GMT -5:00]

Running from: c:\users\candrews\Downloads\ComboFix.exe

AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}

SP: Trend Micro Titanium Maximum Security *Disabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

.

((((((((((((((((((((((((( Files Created from 2013-10-20 to 2013-11-20 )))))))))))))))))))))))))))))))

.

2013-11-17 17:10 . 2013-11-17 17:10 -------- d-----w- c:\program files (x86)\ERUNT

2013-11-17 12:28 . 2013-11-17 12:28 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-11-17 12:28 . 2013-04-04 19:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-11-17 03:14 . 2013-11-17 03:14 -------- d-----w- c:\program files (x86)\Smart-ActiveX

2013-11-17 03:14 . 2013-11-19 02:37 -------- d-----w- c:\program files (x86)\ScorpionSaver

2013-11-17 03:13 . 2013-11-17 22:35 231960 ----a-w- c:\windows\RegBootClean64.exe

2013-11-17 03:13 . 2013-11-17 03:13 -------- d-----w- c:\users\candrews\AppData\Roaming\MyWordTool

2013-11-17 03:05 . 2013-11-17 03:05 -------- d-----w- C:\TMRescueDisk

2013-11-17 03:00 . 2013-06-13 06:35 100640 ----a-w- c:\windows\system32\drivers\tmeevw.sys

2013-11-17 03:00 . 2013-05-15 10:23 303392 ----a-w- c:\windows\system32\drivers\tmnciesc.sys

2013-11-17 03:00 . 2011-08-22 15:33 105744 ----a-w- c:\windows\system32\drivers\tmtdi.sys

2013-11-17 03:00 . 2013-09-04 06:24 116264 ----a-w- c:\windows\system32\drivers\tmactmon.sys

2013-11-17 03:00 . 2013-09-04 06:22 85424 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys

2013-11-17 03:00 . 2013-09-04 06:17 282624 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2013-11-17 03:00 . 2013-07-01 13:08 50976 ----a-w- c:\windows\system32\drivers\TMEBC64.sys

2013-11-17 03:00 . 2013-11-17 03:00 59 ----a-w- c:\windows\system32\SupportTool.exe.bat

2013-11-17 02:59 . 2013-11-17 02:59 -------- d-----w- c:\program files\Trend Micro

2013-11-17 02:59 . 2013-11-17 21:55 -------- d-----w- c:\programdata\Trend Micro

2013-11-16 22:29 . 2013-11-17 03:00 -------- d-----w- c:\users\candrews\AppData\Local\Trend Micro

2013-11-16 22:06 . 2013-11-17 21:55 -------- d-----w- c:\programdata\Trend Micro Installer

2013-11-16 21:17 . 2013-10-14 23:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE

2013-11-16 19:48 . 2013-11-16 19:48 -------- d-----w- c:\users\candrews\AppData\Roaming\Malwarebytes

2013-11-16 19:48 . 2013-11-16 19:48 -------- d-----w- c:\programdata\Malwarebytes

2013-11-16 19:48 . 2013-11-16 19:48 -------- d-----w- c:\users\candrews\AppData\Local\Programs

2013-11-14 06:42 . 2013-10-05 20:25 1474048 ----a-w- c:\windows\system32\crypt32.dll

2013-11-02 18:25 . 2013-11-03 11:48 -------- d-----w- c:\users\candrews\AppData\Roaming\ControlCenter4

2013-11-02 18:15 . 2013-11-02 18:15 -------- d-----w- C:\Brother

2013-11-02 18:15 . 2013-11-02 18:15 -------- d-----w- c:\programdata\ControlCenter4

2013-11-02 18:15 . 2013-11-02 18:15 -------- d-----w- c:\program files (x86)\Browny02

2013-11-02 18:15 . 2013-11-02 18:15 -------- d-----w- c:\program files (x86)\ControlCenter4

2013-10-30 17:57 . 2013-10-30 18:00 -------- d-----w- c:\users\candrews\AppData\Local\ElevatedDiagnostics

2013-10-30 17:43 . 2013-10-07 10:45 388912 ----a-w- c:\windows\system32\drivers\dlkmd.sys

2013-10-30 17:43 . 2013-10-07 10:45 15664 ----a-w- c:\windows\system32\drivers\dlkmdldr.sys

2013-10-28 17:03 . 2013-10-30 17:43 -------- d-----w- c:\program files\DisplayLink Core Software

2013-10-24 17:55 . 2013-10-24 17:55 -------- d-----w- c:\users\candrews\AppData\Local\Spoon

2013-10-24 01:35 . 2013-10-24 01:35 -------- d-----w- c:\program files\Citrix

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-11-14 08:00 . 2011-07-27 12:50 82896128 ----a-w- c:\windows\system32\MRT.exe

2013-10-28 17:03 . 2011-08-03 23:26 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2013-10-28 17:01 . 2011-07-14 20:46 107368 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2013-10-28 17:01 . 2011-07-14 20:46 92488 ----a-w- c:\windows\system32\LMIinit.dll

2013-10-28 17:01 . 2011-07-14 20:46 35656 ----a-w- c:\windows\system32\LMIport.dll

2013-10-20 12:40 . 2013-10-20 12:40 369168 ----a-w- c:\windows\system32\wpcap.dll

2013-10-20 12:40 . 2013-10-20 12:40 35344 ----a-w- c:\windows\system32\drivers\npf.sys

2013-10-20 12:40 . 2013-10-20 12:40 106000 ----a-w- c:\windows\system32\packet.dll

2013-10-09 14:16 . 2011-07-28 23:46 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-10-08 18:02 . 2013-10-08 18:02 46384 ----a-w- c:\windows\system32\drivers\DisplayLinkUsbIo_x64_7.4.51572.0.sys

2013-10-08 18:02 . 2013-10-08 18:02 947200 ----a-w- c:\windows\system32\DisplayLinkUsbCo64_7.4.51572.0.dll

2013-10-07 10:43 . 2013-10-07 10:43 1227056 ----a-w- c:\windows\system32\dlumd9.dll

2013-10-07 10:43 . 2013-10-07 10:43 1227056 ----a-w- c:\windows\system32\dlumd64.dll

2013-10-07 10:43 . 2013-10-07 10:43 1227056 ----a-w- c:\windows\system32\dlumd11.dll

2013-10-07 10:43 . 2013-10-07 10:43 1227056 ----a-w- c:\windows\system32\dlumd10.dll

2013-10-07 10:43 . 2013-10-07 10:43 1010480 ----a-w- c:\windows\SysWow64\dlumd9.dll

2013-10-07 10:43 . 2013-10-07 10:43 1010480 ----a-w- c:\windows\SysWow64\dlumd32.dll

2013-10-07 10:43 . 2013-10-07 10:43 1010480 ----a-w- c:\windows\SysWow64\dlumd11.dll

2013-10-07 10:43 . 2013-10-07 10:43 1010480 ----a-w- c:\windows\SysWow64\dlumd10.dll

2013-09-08 02:30 . 2013-10-10 12:19 1903552 ----a-w- c:\windows\system32\drivers\tcpip.sys

2013-09-08 02:27 . 2013-10-10 12:19 327168 ----a-w- c:\windows\system32\mswsock.dll

2013-09-08 02:03 . 2013-10-10 12:19 231424 ----a-w- c:\windows\SysWow64\mswsock.dll

2013-09-04 12:12 . 2013-10-21 11:00 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys

2013-09-04 12:11 . 2013-10-21 11:00 325120 ----a-w- c:\windows\system32\drivers\usbport.sys

2013-09-04 12:11 . 2013-10-21 11:00 99840 ----a-w- c:\windows\system32\drivers\usbccgp.sys

2013-09-04 12:11 . 2013-10-21 11:00 52736 ----a-w- c:\windows\system32\drivers\usbehci.sys

2013-09-04 12:11 . 2013-10-21 11:00 30720 ----a-w- c:\windows\system32\drivers\usbuhci.sys

2013-09-04 12:11 . 2013-10-21 11:00 25600 ----a-w- c:\windows\system32\drivers\usbohci.sys

2013-09-04 12:11 . 2013-10-21 11:00 7808 ----a-w- c:\windows\system32\drivers\usbd.sys

2013-08-29 02:17 . 2013-10-10 12:19 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-08-29 02:16 . 2013-10-10 12:19 1732032 ----a-w- c:\windows\system32\ntdll.dll

2013-08-29 02:16 . 2013-10-10 12:19 243712 ----a-w- c:\windows\system32\wow64.dll

2013-08-29 02:16 . 2013-10-10 12:19 859648 ----a-w- c:\windows\system32\tdh.dll

2013-08-29 02:13 . 2013-10-10 12:19 878080 ----a-w- c:\windows\system32\advapi32.dll

2013-08-29 01:51 . 2013-10-10 12:19 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe

2013-08-29 01:51 . 2013-10-10 12:19 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe

2013-08-29 01:50 . 2013-10-10 12:19 5120 ----a-w- c:\windows\SysWow64\wow32.dll

2013-08-29 01:50 . 2013-10-10 12:19 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll

2013-08-29 01:50 . 2013-10-10 12:19 619520 ----a-w- c:\windows\SysWow64\tdh.dll

2013-08-29 01:48 . 2013-10-10 12:19 640512 ----a-w- c:\windows\SysWow64\advapi32.dll

2013-08-29 01:48 . 2013-10-10 12:19 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2013-08-29 00:49 . 2013-10-10 12:19 25600 ----a-w- c:\windows\SysWow64\setup16.exe

2013-08-29 00:49 . 2013-10-10 12:19 7680 ----a-w- c:\windows\SysWow64\instnm.exe

2013-08-29 00:49 . 2013-10-10 12:19 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll

2013-08-29 00:49 . 2013-10-10 12:19 2048 ----a-w- c:\windows\SysWow64\user.exe

2013-08-28 01:21 . 2013-10-10 12:19 3155968 ----a-w- c:\windows\system32\win32k.sys

2013-08-28 01:12 . 2013-10-10 12:19 461312 ----a-w- c:\windows\system32\scavengeui.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2013-08-14 01:15 222832 ----a-w- c:\users\candrews\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2013-08-14 01:15 222832 ----a-w- c:\users\candrews\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2013-08-14 01:15 222832 ----a-w- c:\users\candrews\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\SkyDriveShell.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 130736 ----a-w- c:\users\candrews\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 130736 ----a-w- c:\users\candrews\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 130736 ----a-w- c:\users\candrews\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Akamai NetSession Interface"="c:\users\candrews\AppData\Local\Akamai\netsession_win.exe" [2013-06-05 4489472]

"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2013-04-22 720064]

"SkyDrive"="c:\users\candrews\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2013-08-14 257136]

"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]

"NETGEARGenie"="c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" [2013-04-07 1044224]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]

"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-17 113288]

"IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2011-01-17 112152]

"PWMTRV"="c:\progra~2\ThinkPad\UTILIT~1\PWMTR64V.DLL" [2011-02-03 1543016]

"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"BrMfcWnd"="c:\program files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" [2011-04-01 1163264]

"ControlCenter3"="c:\program files (x86)\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]

"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]

"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]

"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]

"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]

"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-05 62752]

"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-07-07 295512]

"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-09-07 143360]

"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-06-06 3076096]

.

c:\users\candrews\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\candrews\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-6-25 228552]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2010-12-18 1202976]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 AdobeActiveFileMonitor11.0;Adobe Active File Monitor V11;c:\program files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [x]

R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 HyperW7Svc;HyperW7 Service;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe;c:\program files\Lenovo\RapidBoot\HyperW7Svc64.exe [x]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]

R3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys;c:\windows\SYSNATIVE\DRIVERS\btwampfl.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]

R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\DRIVERS\ctxva51.sys;c:\windows\SYSNATIVE\DRIVERS\ctxva51.sys [x]

R3 DisplayLinkUsbIo_x64;DisplayLinkUsbIo_x64;c:\windows\system32\DRIVERS\DisplayLinkUsbIo_x64_7.4.51572.0.sys;c:\windows\SYSNATIVE\DRIVERS\DisplayLinkUsbIo_x64_7.4.51572.0.sys [x]

R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]

R3 DozeSvc;Lenovo Doze Mode Service;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE;c:\program files (x86)\ThinkPad\Utilities\DZSVC64.EXE [x]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\DRIVERS\LEqdUsb.Sys;c:\windows\SYSNATIVE\DRIVERS\LEqdUsb.Sys [x]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\DRIVERS\LHidEqd.Sys;c:\windows\SYSNATIVE\DRIVERS\LHidEqd.Sys [x]

R3 PCDSRVC{127174DC-C366ED8B-06020101}_0;PCDSRVC{127174DC-C366ED8B-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc_x64.pkms;c:\program files\pc-doctor\pcdsrvc_x64.pkms [x]

R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys;c:\windows\SYSNATIVE\drivers\pmxdrv.sys [x]

R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE;c:\program files (x86)\ThinkPad\Utilities\PWMDBSVC.EXE [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys;c:\windows\SYSNATIVE\drivers\dlkmdldr.sys [x]

S0 DzHDD64;DzHDD64;c:\windows\System32\DRIVERS\DzHDD64.sys;c:\windows\SYSNATIVE\DRIVERS\DzHDD64.sys [x]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]

S0 TMEBC;TMEBC;c:\windows\system32\DRIVERS\TMEBC64.sys;c:\windows\SYSNATIVE\DRIVERS\TMEBC64.sys [x]

S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]

S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]

S1 PHCORE;PHCORE;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS;c:\program files\Lenovo\RapidBoot\PHCORE64.SYS [x]

S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys;c:\windows\SYSNATIVE\DRIVERS\tmevtmgr.sys [x]

S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]

S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]

S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [x]

S2 IRTransportService;IRTransportService;c:\vrs\bin\IRTransportService.exe;c:\vrs\bin\IRTransportService.exe [x]

S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [x]

S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [x]

S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]

S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [x]

S2 Lenovo.VIRTSCRLSVC;Lenovo Auto Scroll;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe;c:\program files\LENOVO\VIRTSCRL\lvvsst.exe [x]

S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe;c:\program files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [x]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files (x86)\LogMeIn\x64\RaInfo.sys;c:\program files (x86)\LogMeIn\x64\RaInfo.sys [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]

S2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [x]

S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]

S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]

S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]

S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]

S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]

S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]

S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]

S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys;c:\windows\SYSNATIVE\drivers\dlkmd.sys [x]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]

S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]

S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]

S3 tmeevw;tmeevw;c:\windows\system32\DRIVERS\tmeevw.sys;c:\windows\SYSNATIVE\DRIVERS\tmeevw.sys [x]

S3 tmnciesc;tmnciesc;c:\windows\system32\DRIVERS\tmnciesc.sys;c:\windows\SYSNATIVE\DRIVERS\tmnciesc.sys [x]

S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys;c:\windows\SYSNATIVE\DRIVERS\Tvti2c.sys [x]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - NPF

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-11-15 01:23 1210320 ----a-w- c:\program files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-11-20 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 14:16]

.

2013-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-05 18:47]

.

2013-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-05 18:47]

.

2013-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4182128424-483147172-123557929-1000Core.job

- c:\users\candrews\AppData\Local\Google\Update\GoogleUpdate.exe [2013-08-30 20:19]

.

2013-11-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4182128424-483147172-123557929-1000UA.job

- c:\users\candrews\AppData\Local\Google\Update\GoogleUpdate.exe [2013-08-30 20:19]

.

2011-07-15 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job

- c:\program files\PC-Doctor\uaclauncher.exe [2010-12-09 22:52]

.

2013-11-20 c:\windows\Tasks\SystemToolsDailyTest.job

- c:\program files\PC-Doctor\pcdrcui.exe [2010-12-09 22:52]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]

@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"

[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]

2013-08-14 01:15 261744 ----a-w- c:\users\candrews\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]

@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"

[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]

2013-08-14 01:15 261744 ----a-w- c:\users\candrews\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]

@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"

[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]

2013-08-14 01:15 261744 ----a-w- c:\users\candrews\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64\SkyDriveShell64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\candrews\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\candrews\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\candrews\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2013-05-25 00:36 164016 ----a-w- c:\users\candrews\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TpShocks"="TpShocks.exe" [2010-12-09 380776]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2011-01-07 316032]

"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-03-11 167960]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-03-11 391704]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-03-11 418840]

"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2011-02-26 41320]

"ALCKRESI.EXE"="c:\program files\Lenovo\AutoLock\ALCKRESI.EXE" [2010-12-17 281448]

"LogMeIn GUI"="c:\program files (x86)\LogMeIn\x64\LogMeInSystray.exe" [2011-01-11 57928]

"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]

"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]

"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2013-07-23 221584]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = about:blank

mStart Page = about:blank

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

Trusted Zone: simonmed.com\ris.docview

Trusted Zone: upmc.com

TCP: DhcpNameServer = 10.10.200.1

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{10AD2C61-0898-4348-8600-14A342F22AC3} - c:\program files (x86)\ScorpionSaver\IECore.dll

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-ISUSPM Startup - c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

WebBrowser-{0FAA306F-470A-4B3C-A38B-820EB91D2F36} - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

AddRemove-File Download ActiveX - c:\windows\system32\uninst.exe

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{127174DC-C366ED8B-06020101}_0]

"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc_x64.pkms"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_117_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_117.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

c:\windows\SysWOW64\SAsrv.exe

c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\progra~1\LENOVO\VIRTSCRL\virtscrl.exe

c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

c:\progra~1\Lenovo\Zoom\TPSCREX.EXE

c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE

c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

c:\program files (x86)\Lenovo\System Update\SUService.exe

.

**************************************************************************

.

Completion time: 2013-11-20 17:49:37 - machine was rebooted

ComboFix-quarantined-files.txt 2013-11-20 22:49

.

Pre-Run: 18,870,611,968 bytes free

Post-Run: 17,878,118,400 bytes free

.

- - End Of File - - D24430A329C52F03ECC1666267BDC8F4

actually ran combofix again and am inserting that log since it has been a few days since we last talked

AdvancedSetup · November 20, 2013

Okay, please run Combofix again but this time drag-and-drop that CFScript.txt file onto combofix to run it.
In the log it will show that it was run with that script when ran correctly.

cla · November 21, 2013

It was run with the CFScript.txt file

The log reads as follows:

ComboFix 13-11-19.01 - candrews 11/20/2013 19:03:55.7.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6027 [GMT -5:00]

Running from: c:\users\candrews\Desktop\combo fix\ComboFix.exe

Command switches used :: c:\users\candrews\Desktop\combo fix\CFScript.txt

AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}

SP: Trend Micro Titanium Maximum Security *Disabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\temp\ScorpionSaver.msi"

"c:\temp\scorpionsaver_10232013.msi"

"c:\windows\Installer\scorpionsaver_10232013.msi"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files (x86)\ScorpionSaver

c:\program files (x86)\ScorpionSaver\CustomActionInstall

c:\program files (x86)\ScorpionSaver\CustomActionUninstall

c:\program files (x86)\ScorpionSaver\Microsoft.Deployment.WindowsInstaller.dll

c:\program files (x86)\ScorpionSaver\Microsoft.Deployment.WindowsInstaller.xml

c:\program files (x86)\ScorpionSaver\SendJson.dll

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\bootstrap.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\defaults\preferences\prefs.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\harness-options.json

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\icon.png

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\install.rdf

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\locales.json

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\page-mod.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\private-browsing.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\request.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\addon-kit\lib\windows.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\addon\runner.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\api-utils.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\base64.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\byte-streams.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\collection.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\content-proxy.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\content-worker.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\loader.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\symbiont.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\content\worker.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\cortex.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\cuddlefish.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\deprecate.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\dom\events.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\environment.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\errors.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\event\core.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\event\target.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\events.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\events\assembler.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\file.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\functional.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\globals.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\heritage.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\hidden-frame.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\core.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\html.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\loader.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\locale.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\l10n\prefs.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\light-traits.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\list.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\loader.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\match-pattern.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\memory.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\namespace.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\observer-service.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\plain-text-console.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\preferences-service.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\private-browsing\utils.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\promise.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\querystring.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\runtime.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\sandbox.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\self.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\system.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\system\events.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\events.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\observer.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\tab.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\tabs\utils.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\text-streams.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\timer.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\traceback.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\traits.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\traits\core.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\unload.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\url.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\data.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\object.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\registry.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\utils\thumbnail.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\uuid.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\window-utils.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\window\utils.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\dom.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\loader.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\observer.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\windows\tabs.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\xhr.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\xpcom.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\api-utils\lib\xul-app.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\ScorpionSaver\data\icon64.png

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\ScorpionSaver\lib\main.js

c:\users\candrews\AppData\Roaming\Mozilla\Firefox\Profiles\qs8m73z9.default\extensions\ScorpionSaver@jetpack\resources\ScorpionSaver\lib\main.js.old

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

.

((((((((((((((((((((((((( Files Created from 2013-10-21 to 2013-11-21 )))))))))))))))))))))))))))))))

.

2013-11-21 00:07 . 2013-11-21 00:07 -------- d-----w- c:\users\Default\AppData\Local\temp