Jump to content

Possible infection Malicious Website blocked (Outgoing, multiple IPs and ports)


Recommended Posts

Hi All,

Not sure if I have a problem or not: I've recently started getting "Malicious Website blocked" notifications from Malwarebytes. I realise this may or may not be a problem, but would like some advice to decide.

A Malwarebytes scan didn't show anything and I'm currently scanning with Microsoft Security Essentials but it didn't find anything.

I also ran TCPView and watched it for a fair while, but did not see the pop up to identify the process causing it.

I have until recently been using IPVanish and in the past few days am trialling ExpressVPN, which roughly coincides with this message appearing, but I'm not sure it's related.

Is this a common situation thing for VPN software to do? Doesn't sound right to me.... Thanks in advance for any help/input!

Here are some of the IPs coming up (NONE of them have a name for the 'domain' field and ALL of them are outgoing):

1.74.70.208, port 137

121.54.32.148, port 137

115.248.248.13, port 137

203.111.224.32, same port

103.231.162.26, same port

118.69.238.20, port 8

118.69.238.20, port 137

41.74.70.208, port 137

85.196.133.98, 137

I ran FRST and got the following 2 log outputs:

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-05-2016
Ran by Ben (administrator) on SILENCE (09-05-2016 21:38:32)
Running from D:\Download
Loaded Profiles: Ben (Available Profiles: Ben)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files\Pale Moon\palemoon.exe" -osint -url "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(GP Software) C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
(Flux Software LLC) C:\Users\Ben\AppData\Local\FluxSoftware\Flux\flux.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(GP Software) C:\Program Files\GPSoftware\Directory Opus\dopus.exe
(Piotr Pawlowski) C:\Program Files (x86)\foobar2000\foobar2000.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\calc.exe
() C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe
(ExpressVPN) C:\Program Files (x86)\ExpressVPN\xvpn-ui\ExpressVpn.exe
() C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
(Kakao) C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe
(Microsoft Corporation) C:\Windows\System32\mspaint.exe
(Moonchild Productions) C:\Program Files\Pale Moon\palemoon.exe
(Sysinternals - www.sysinternals.com) D:\Download\Tcpview.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11465832 2010-09-07] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585744 2015-10-14] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-11] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [23248560 2016-04-09] (Dropbox, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595480 2016-03-20] (Oracle Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [Directory Opus Desktop Dblclk] => C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe [414408 2015-12-17] (GP Software)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [f.lux] => C:\Users\Ben\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-16] (Piriform Ltd)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\MountPoints2: {0e467821-baa1-11e5-80d9-f46d041842d0} - H:\SETUP.EXE
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\MountPoints2: {d38134b4-cb99-11e5-ab6f-f46d041842d0} - "I:\WD SmartWare.exe" autoplay=true
ShellExecuteHooks: Directory Opus Shell Execute Hook - {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll [1574600 2015-12-17] (GP Software)
ShellExecuteHooks-x32: Directory Opus Shell Execute Hook - {EE761688-C137-4b04-8FAB-3C9CDF0886F0} - C:\Program Files\GPSoftware\Directory Opus\dopuslib32.dll [343240 2015-12-17] (GP Software)
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.30.dll [2016-04-09] (Dropbox, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 61.9.211.1 61.9.211.33
Tcpip\..\Interfaces\{62081B48-C6B2-48C9-AA94-74DC5A2D3C89}: [DhcpNameServer] 61.9.211.1 61.9.211.33
Tcpip\..\Interfaces\{62897515-A3B6-42D6-99FF-60D953456EC9}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{8F5818A0-741B-4761-A555-3762116F3EC2}: [DhcpNameServer] 198.18.0.1 198.18.0.2

Internet Explorer:
==================
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_77\bin\ssv.dll [2016-03-25] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-03-25] (Oracle Corporation)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-09] ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-03-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-03-25] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-09] ()
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-10-14] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-10-14] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-810482344-1227375919-1709595578-1000: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)

Chrome:
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-01-14]
CHR Extension: (Magic Actions for YouTube™) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2016-05-07]
CHR Extension: (Google Docs) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-01-14]
CHR Extension: (Google Drive) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-14]
CHR Extension: (YouTube) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-14]
CHR Extension: (Adblock Plus) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-11]
CHR Extension: (Google Search) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-14]
CHR Extension: (Dropbox for Gmail) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpdmhfocilnekecfjgimjdeckachfbec [2016-04-23]
CHR Extension: (Tabs Outliner) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkanocgddhmamlbiijnphhppkpkmkl [2016-03-13]
CHR Extension: (Video Downloader professional) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2016-04-14]
CHR Extension: (Google Sheets) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-14]
CHR Extension: (Office Editing for Docs, Sheets & Slides) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbkeegbaiigmenfmjfclcdgdpimamgkj [2016-04-25]
CHR Extension: (Google Docs Offline) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-27]
CHR Extension: (The Great Suspender) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg [2016-03-13]
CHR Extension: (Flashcontrol) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfidmkgnfgnkihnjeklbekckimkipmoe [2016-04-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-08]
CHR Extension: (Gmail) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-01-24] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-01-24] (Dropbox, Inc.)
R2 ExpressVpnService; C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe [331264 2016-03-09] () [File not signed]
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2015-10-14] (NVIDIA Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706128 2015-10-14] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21833360 2015-10-14] (NVIDIA Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 CMUACWO; C:\Windows\System32\DRIVERS\CMUACWO.sys [357376 2013-02-19] (C-Media Inc.)
R3 CMUSBDAC; C:\Windows\System32\DRIVERS\CMUSBDAC.sys [594944 2014-09-19] (C-MEDIA)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
S3 libusb0; C:\Windows\SysWOW64\drivers\libusb0.sys [16896 2007-03-20] (hxxp://libusb-win32.sourceforge.net) [File not signed]
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-05-09] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-10-14] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2015-10-14] (NVIDIA Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-06-22] (Corel Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-09 21:37 - 2016-05-09 21:38 - 00000000 ____D C:\FRST
2016-05-07 22:14 - 2016-05-07 22:14 - 00002043 _____ C:\Users\Public\Desktop\ExpressVPN.lnk
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\Users\Ben\AppData\Local\ExpressVPN
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\ProgramData\ExpressVPN
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\Program Files (x86)\ExpressVPN
2016-04-23 14:08 - 2016-04-23 14:08 - 00002803 _____ C:\Users\Public\Desktop\EPubsoft Kindle MOBI AZW DRM Removal.lnk
2016-04-23 14:08 - 2016-04-23 14:08 - 00000000 ____D C:\Users\Ben\Documents\Epubsoft
2016-04-23 14:08 - 2016-04-23 14:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPUBSOFT
2016-04-23 14:08 - 2016-04-23 14:08 - 00000000 ____D C:\ProgramData\Epubsoft
2016-04-23 14:07 - 2016-04-23 14:07 - 00000000 ____D C:\Program Files (x86)\EPUBSOFT
2016-04-23 13:59 - 2016-04-23 14:24 - 00000000 ____D C:\Users\Ben\AppData\Local\calibre-cache
2016-04-23 13:58 - 2016-04-23 14:23 - 00000000 ____D C:\Users\Ben\AppData\Roaming\calibre
2016-04-23 13:55 - 2016-05-06 21:45 - 00000960 _____ C:\Users\Public\Desktop\calibre - E-book management.lnk
2016-04-23 13:55 - 2016-05-06 21:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2016-04-23 13:55 - 2016-05-06 21:45 - 00000000 ____D C:\Program Files (x86)\Calibre2
2016-04-23 13:28 - 2016-04-26 19:12 - 00000000 ____D C:\Users\Ben\Documents\My Kindle Content
2016-04-23 13:28 - 2016-04-23 13:28 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
2016-04-23 13:28 - 2016-04-23 13:28 - 00000000 ____D C:\Users\Ben\AppData\Local\Amazon
2016-04-21 21:33 - 2016-04-21 21:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPVanish
2016-04-14 10:40 - 2016-04-14 10:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-04-10 15:13 - 2016-05-09 21:19 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-10 15:13 - 2016-04-10 15:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-10 15:13 - 2016-04-10 15:13 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-10 15:13 - 2016-04-10 15:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-10 15:13 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-10 15:13 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-10 15:13 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-09 21:36 - 2016-01-14 16:51 - 00000000 ____D C:\Users\Ben\AppData\Roaming\foobar2000
2016-05-09 21:31 - 2016-01-24 20:26 - 00000902 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2016-05-09 21:30 - 2016-01-14 19:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-09 20:56 - 2016-01-14 16:45 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-09 20:31 - 2016-01-24 20:26 - 00000898 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2016-05-09 19:41 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\tracing
2016-05-09 19:29 - 2016-01-15 18:25 - 00000000 ____D C:\Users\Ben\AppData\Local\IPVanish
2016-05-09 19:18 - 2016-01-14 19:28 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Kodi
2016-05-09 06:50 - 2009-07-14 15:13 - 00752076 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-09 06:50 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\inf
2016-05-09 05:56 - 2016-01-14 16:45 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-07 22:13 - 2016-01-14 19:23 - 00000000 ____D C:\ProgramData\Package Cache
2016-05-07 21:38 - 2016-01-15 18:24 - 00000000 ____D C:\Program Files (x86)\IPVanish
2016-05-03 21:36 - 2016-01-26 12:32 - 00000000 ____D C:\Users\Ben\AppData\Roaming\vlc
2016-05-03 04:57 - 2016-01-14 16:46 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-30 20:16 - 2016-01-23 13:03 - 00007607 _____ C:\Users\Ben\AppData\Local\Resmon.ResmonCfg
2016-04-27 20:31 - 2009-07-14 14:45 - 00022080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-27 20:31 - 2009-07-14 14:45 - 00022080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-23 15:51 - 2016-01-24 20:26 - 00000000 ____D C:\Users\Ben\AppData\Local\Dropbox
2016-04-23 13:56 - 2016-01-14 10:00 - 00000000 ____D C:\Users\Ben\Desktop\Tools
2016-04-23 13:55 - 2016-01-23 23:23 - 00000000 ____D C:\Users\Ben\Desktop\Readers
2016-04-23 13:55 - 2016-01-14 19:30 - 00000000 ____D C:\Users\Ben\Desktop\Media Players
2016-04-23 13:55 - 2016-01-14 10:00 - 00000000 ____D C:\Users\Ben\Desktop\Protection
2016-04-22 17:57 - 2010-11-21 13:27 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-14 19:49 - 2016-01-14 10:05 - 00000000 ____D C:\Program Files\Pale Moon
2016-04-14 10:40 - 2016-01-24 20:26 - 00000000 ____D C:\Program Files (x86)\Dropbox
2016-04-09 16:30 - 2016-01-14 19:16 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-04-09 16:30 - 2016-01-14 19:16 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-04-09 16:30 - 2016-01-14 19:16 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater

==================== Files in the root of some directories =======

2016-01-23 13:03 - 2016-04-30 20:16 - 0007607 _____ () C:\Users\Ben\AppData\Local\Resmon.ResmonCfg
2006-05-11 23:06 - 2006-05-11 23:06 - 0000000 ____H () C:\ProgramData\sdpsenv.dat

Files to move or delete:
====================
C:\ProgramData\sdpsenv.dat


Some files in TEMP:
====================
C:\Users\Ben\AppData\Local\Temp\AskSLib.dll
C:\Users\Ben\AppData\Local\Temp\IPVanish-Setup-2.0.5876.40018.exe
C:\Users\Ben\AppData\Local\Temp\IPVanish-Setup-2.1.0.29319.exe
C:\Users\Ben\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Ben\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Ben\AppData\Local\Temp\LgkuGAxFSJrpHvHwkCpH.DLL
C:\Users\Ben\AppData\Local\Temp\lrSvsQRSYNBmoHlHEhNH.DLL
C:\Users\Ben\AppData\Local\Temp\nvStInst.exe
C:\Users\Ben\AppData\Local\Temp\ose00000.exe
C:\Users\Ben\AppData\Local\Temp\xmlUpdater.exe
C:\Users\Ben\AppData\Local\Temp\yJjlfYLAIN.DLL


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-08 00:27

==================== End of FRST.txt ============================

And Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version:07-05-2016
Ran by Ben (2016-05-09 21:38:51)
Running from D:\Download
Windows 7 Home Premium Service Pack 1 (X64) (2016-01-13 11:43:42)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-810482344-1227375919-1709595578-500 - Administrator - Disabled)
Ben (S-1-5-21-810482344-1227375919-1709595578-1000 - Administrator - Enabled) => C:\Users\Ben
Guest (S-1-5-21-810482344-1227375919-1709595578-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-810482344-1227375919-1709595578-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
AS: Microsoft Security Essentials (Enabled - Up to date) {CDE0C533-D3CD-62A1-E772-AFADDF863628}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.14 (x64) (HKLM\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Audition CS6 (HKLM-x32\...\{30FD541D-3C9D-41C4-B240-A994EE4E0231}) (Version: 5.0 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.213 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Amazon Kindle (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Amazon Kindle) (Version: 1.15.0.43061 - Amazon)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.2.9.0 - Asmedia Technology)
Beyond Compare 3.3.11 (HKLM-x32\...\BeyondCompare3_is1) (Version: 3.3.11.18371 - Scooter Software)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
calibre (HKLM-x32\...\{6C358B17-1145-46D8-85E0-57FFFCA93BFC}) (Version: 2.56.0 - Kovid Goyal)
CCleaner (HKLM\...\CCleaner) (Version: 5.17 - Piriform)
CMEDIA USB2.0 Audio Device (HKLM-x32\...\{9445E4B8-E875-470A-928A-A665D3F973B4}) (Version: 1.00.0001 - C-Media Electronics, Inc.)
Dropbox (HKLM-x32\...\Dropbox) (Version: 3.18.1 - Dropbox, Inc.)
Dropbox Update Helper (x32 Version: 1.3.27.77 - Dropbox, Inc.) Hidden
ExpressVPN (HKLM-x32\...\{7e9357d8-8bdd-4e72-88ac-1b3acedd2b32}) (Version: 5.0.1.551 - ExpressVPN)
ExpressVPN (x32 Version: 5.0.1.551 - ExpressVPN) Hidden
ExpressVPN Compatibility Checks (x32 Version: 1.0.0.0 - ExpressVPN) Hidden
f.lux (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Flux) (Version:  - )
foobar2000 v1.3.9 (HKLM-x32\...\foobar2000) (Version: 1.3.9 - Peter Pawlowski)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 50.0.2661.94 - Google Inc.)
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
GPSoftware Directory Opus (HKLM-x32\...\{0A6AA615-5321-43A0-AFAE-97BF95013EA0}) (Version: 11.17 - GPSoftware)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
IPVanish (x32 Version: 2.1.0.0 - IPVanish.com) Hidden
IPVanish VPN (HKLM-x32\...\{b6f928a0-7e46-42bb-bdba-f4f4a1ca842c}) (Version: 2.1.0.0 - IPVanish.com)
Java 8 Update 77 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418077F0}) (Version: 8.0.770.3 - Oracle Corporation)
Kodi (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Kodi) (Version:  - XBMC-Foundation)
LibreOffice 5.0.4.2 (HKLM\...\{8C3F291E-AA0A-4188-A83F-1D97103AE27C}) (Version: 5.0.4.2 - The Document Foundation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.9.218.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
NirSoft ShellExView (HKLM-x32\...\NirSoft ShellExView) (Version:  - )
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.8 - Notepad++ Team)
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.92 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.2.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.2.2 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.92 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
OpenOffice 4.1.2 (HKLM-x32\...\{4E96CB8B-444E-4EA3-8EF4-26060B0B411F}) (Version: 4.12.9782 - Apache Software Foundation)
Pale Moon 26.2.1 (x64 en-US) (HKLM\...\Pale Moon 26.2.1 (x64 en-US)) (Version: 26.2.1 - Moonchild Productions)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.198.0 - Tracker Software Products Ltd)
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Potplayer-64 Bits (HKLM\...\PotPlayer64) (Version:  - Kakao Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.41.216.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6196 - Realtek Semiconductor Corp.)
SHIELD Streaming (Version: 4.0.1000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 17.12.8 - NVIDIA Corporation) Hidden
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
SpywareBlaster 5.4 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.4.0 - BrightFort LLC)
STDU Viewer version 1.6.375.0 (HKLM-x32\...\STDU Viewer_is1) (Version: 1.6.375.0 - STDUtility)
Sublime Text Build 3083 (HKLM-x32\...\Sublime Text 3_is1) (Version:  - Sublime HQ Pty Ltd)
Tag&Rename 3.9.5 (HKLM-x32\...\Tag&Rename_is1) (Version: 3.9.5 - Softpointer Inc)
UltraEdit (HKLM\...\{AFFE5F64-3248-41E9-96AE-8B475F6EFAB3}) (Version: 22.20.0.43 - IDM Computer Solutions, Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version: 5.4.7.0 - Elaborate Bytes)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WinDirStat 1.1.2 (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\WinDirStat) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-810482344-1227375919-1709595578-1000_Classes\CLSID\{04170FCD-1D60-4930-BC9D-D39F3CD3A83B}\InprocServer32 -> C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
CustomCLSID: HKU\S-1-5-21-810482344-1227375919-1709595578-1000_Classes\CLSID\{070057DA-0223-4D7E-B886-7CF38806F044}\InprocServer32 -> C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
CustomCLSID: HKU\S-1-5-21-810482344-1227375919-1709595578-1000_Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}\InprocServer32 -> C:\Program Files\IDM Computer Solutions\UltraEdit\ue64ctmn.dll ()

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {17B864F9-1093-48B9-AC97-6DE09636CA34} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {24654B29-BE4B-4BCA-8B29-4D6470EEEA6E} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {7789941D-6124-472D-A456-55D8BE4783B2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-01-14] (Google Inc.)
Task: {B1ABD6CD-5939-4D96-8D8E-26467945D18B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-01-14] (Google Inc.)
Task: {C66E9C88-D9AD-47D6-9B52-C514EF1A5589} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-04-09] (Adobe Systems Incorporated)
Task: {D41E1A17-24B2-40CF-B5ED-69280BBBAF15} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {DD394E3D-FAD8-4D8A-8273-5B50C86E552B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-04-16] (Piriform Ltd)
Task: {E12382B9-8E05-4804-A80A-FA998327082D} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-01-24] (Dropbox, Inc.)
Task: {F1B3DFA4-A603-4270-B772-C8EBD85CC48D} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-01-24] (Dropbox, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-01-14 06:22 - 2015-10-14 03:26 - 00125616 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-11-30 21:53 - 2012-10-12 13:34 - 15072256 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\fxhr5aRC.DLL
2015-04-16 06:13 - 2015-04-16 06:13 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2016-03-09 15:56 - 2016-03-09 15:56 - 00331264 _____ () C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe
2016-03-10 16:56 - 2016-03-10 16:56 - 09641976 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
2015-09-11 12:07 - 2015-09-11 12:07 - 05343744 _____ () C:\Program Files\DAUM\PotPlayer\Module\OpenCodec\OpenCodecUnity64.dll
2016-03-24 14:09 - 2016-03-24 14:09 - 14562816 _____ () C:\Program Files\DAUM\PotPlayer\ffcodec64.dll
2015-09-11 12:29 - 2016-03-31 19:21 - 00294400 _____ () C:\Program Files\DAUM\PotPlayer\Module\FFmpeg\FFmpegMininum64.dll
2016-01-14 10:05 - 2016-04-14 19:49 - 04128256 _____ () C:\Program Files\Pale Moon\mozjs.dll
2016-01-14 07:52 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2016-01-14 07:52 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2016-01-14 07:52 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2016-01-14 07:52 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2016-01-14 07:52 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2016-02-11 03:35 - 2016-02-11 03:35 - 00169472 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\5eb8f854950c428c64f668e63c5a0498\IsdiInterop.ni.dll
2016-01-13 22:08 - 2010-11-05 23:50 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2013-05-04 21:57 - 2013-05-04 21:57 - 00095712 _____ () C:\Program Files (x86)\foobar2000\zlib1.dll
2015-11-02 23:34 - 2015-11-02 23:34 - 00160528 _____ () C:\Program Files (x86)\foobar2000\shared.dll
2009-09-28 19:34 - 2009-09-28 19:32 - 00242176 _____ () C:\Program Files (x86)\foobar2000\components\foo_vis_shpeck.dll
2013-11-24 13:31 - 2010-06-04 08:27 - 00188416 _____ () C:\Program Files (x86)\foobar2000\components\foo_audioscrobbler.dll
2015-02-17 05:26 - 2015-02-17 05:26 - 00706048 _____ () C:\Program Files (x86)\foobar2000\components\foo_uie_lyrics3.dll
2015-11-02 23:30 - 2015-11-02 23:30 - 00204800 _____ () C:\Program Files (x86)\foobar2000\components\foo_dsp_eq.dll
2015-11-02 23:30 - 2015-11-02 23:30 - 00536064 _____ () C:\Program Files (x86)\foobar2000\components\foo_converter.dll
2015-12-26 19:05 - 2011-08-18 20:06 - 01767936 _____ () C:\Program Files (x86)\foobar2000\components\foo_facets.dll
2016-01-14 16:53 - 2016-01-14 16:53 - 01061376 _____ () C:\Users\Ben\AppData\Roaming\foobar2000\user-components\foo_jscript_panel\foo_jscript_panel.dll
2015-11-02 23:34 - 2015-11-02 23:34 - 01088296 _____ () C:\Program Files (x86)\foobar2000\components\foo_ui_std.dll
2015-11-02 23:34 - 2015-11-02 23:34 - 01398048 _____ () C:\Program Files (x86)\foobar2000\components\foo_input_std.dll
2015-11-02 23:30 - 2015-11-02 23:30 - 00250368 _____ () C:\Program Files (x86)\foobar2000\components\foo_dsp_std.dll
2015-11-02 23:31 - 2015-11-02 23:31 - 00375296 _____ () C:\Program Files (x86)\foobar2000\components\foo_rgscan.dll
2015-11-02 23:30 - 2015-11-02 23:30 - 00294912 _____ () C:\Program Files (x86)\foobar2000\components\foo_fileops.dll
2012-05-27 16:28 - 2012-02-04 14:59 - 00183296 _____ () C:\Program Files (x86)\foobar2000\components\foo_out_asio.dll
2016-01-16 23:32 - 2016-01-16 23:32 - 00271872 _____ () C:\Users\Ben\AppData\Roaming\foobar2000\user-components\foo_input_monkey\foo_input_monkey.dll
2015-12-27 18:51 - 2010-12-11 08:47 - 00337920 _____ () C:\Program Files (x86)\foobar2000\components\foo_uie_biography.dll
2015-11-02 23:30 - 2015-11-02 23:30 - 00309760 _____ () C:\Program Files (x86)\foobar2000\components\foo_cdda.dll
2015-11-02 23:30 - 2015-11-02 23:30 - 00263680 _____ () C:\Program Files (x86)\foobar2000\components\foo_unpack.dll
2015-11-02 23:31 - 2015-11-02 23:31 - 00356352 _____ () C:\Program Files (x86)\foobar2000\components\foo_albumlist.dll
2014-11-01 21:09 - 2010-10-27 11:50 - 00249344 _____ () C:\Program Files (x86)\foobar2000\components\foo_input_tta.dll
2015-11-02 23:30 - 2015-11-02 23:30 - 00307200 _____ () C:\Program Files (x86)\foobar2000\components\foo_freedb2.dll
2016-01-14 16:52 - 2016-01-14 16:52 - 00248320 _____ () \\?\C:\Users\Ben\AppData\Roaming\foobar2000\user-components\foo_wave_seekbar\frontend_direct2d.dll
2016-01-14 16:52 - 2016-01-14 16:52 - 00310784 _____ () \\?\C:\Users\Ben\AppData\Roaming\foobar2000\user-components\foo_wave_seekbar\frontend_direct3d9.dll
2015-06-09 05:06 - 2015-06-09 05:06 - 00014336 _____ () C:\Program Files (x86)\Notepad++\plugins\NppExport.dll
2016-01-24 20:38 - 2016-03-22 07:50 - 00034768 _____ () C:\Program Files (x86)\Dropbox\Client\_multiprocessing.pyd
2016-04-14 10:40 - 2016-03-22 07:51 - 00019408 _____ () C:\Program Files (x86)\Dropbox\Client\faulthandler.pyd
2016-04-14 10:40 - 2016-03-22 07:50 - 00116688 _____ () C:\Program Files (x86)\Dropbox\Client\pywintypes27.dll
2016-01-24 20:38 - 2016-03-22 07:50 - 00093640 _____ () C:\Program Files (x86)\Dropbox\Client\_ctypes.pyd
2016-01-24 20:38 - 2016-03-22 07:50 - 00018376 _____ () C:\Program Files (x86)\Dropbox\Client\select.pyd
2016-01-24 20:38 - 2016-04-09 04:20 - 00019760 _____ () C:\Program Files (x86)\Dropbox\Client\tornado.speedups.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00105928 _____ () C:\Program Files (x86)\Dropbox\Client\win32api.pyd
2016-04-14 10:40 - 2016-03-22 07:50 - 00392144 _____ () C:\Program Files (x86)\Dropbox\Client\pythoncom27.dll
2016-01-24 20:38 - 2016-04-09 04:20 - 00381752 _____ () C:\Program Files (x86)\Dropbox\Client\win32com.shell.shell.pyd
2016-01-24 20:38 - 2016-03-22 07:50 - 00692688 _____ () C:\Program Files (x86)\Dropbox\Client\unicodedata.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00020816 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._constant_time.pyd
2016-01-24 20:38 - 2016-03-22 07:51 - 00112592 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_backend.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 01682760 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._openssl.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00020808 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._padding.pyd
2016-01-24 20:38 - 2016-04-09 04:20 - 00021840 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_unicode_environ_win32_x8bf8e68bx9968e850.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00038696 _____ () C:\Program Files (x86)\Dropbox\Client\fastpath.pyd
2016-04-14 10:40 - 2016-03-22 07:52 - 00020936 _____ () C:\Program Files (x86)\Dropbox\Client\mmapfile.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00024528 _____ () C:\Program Files (x86)\Dropbox\Client\win32event.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00114640 _____ () C:\Program Files (x86)\Dropbox\Client\win32security.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00124880 _____ () C:\Program Files (x86)\Dropbox\Client\win32file.pyd
2016-02-19 14:25 - 2016-04-09 04:20 - 00021832 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_pywin_kernel32_x64d8f881xc8c369be.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00024016 _____ () C:\Program Files (x86)\Dropbox\Client\win32clipboard.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00175560 _____ () C:\Program Files (x86)\Dropbox\Client\win32gui.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00030160 _____ () C:\Program Files (x86)\Dropbox\Client\win32pipe.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00043472 _____ () C:\Program Files (x86)\Dropbox\Client\win32process.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00028616 _____ () C:\Program Files (x86)\Dropbox\Client\win32ts.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00048592 _____ () C:\Program Files (x86)\Dropbox\Client\win32service.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00026456 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox.infinite.win.compiled._driverinstallation.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00057808 _____ () C:\Program Files (x86)\Dropbox\Client\win32evtlog.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00024016 _____ () C:\Program Files (x86)\Dropbox\Client\win32profile.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00117056 _____ () C:\Program Files (x86)\Dropbox\Client\breakpad.client.windows.handler.pyd
2016-01-24 20:38 - 2016-04-09 04:20 - 00023376 _____ () C:\Program Files (x86)\Dropbox\Client\winscreenshot.compiled._CaptureScreenshot.pyd
2016-01-24 20:38 - 2016-03-22 07:50 - 00134608 _____ () C:\Program Files (x86)\Dropbox\Client\_elementtree.pyd
2016-04-14 10:40 - 2016-03-22 07:50 - 00134088 _____ () C:\Program Files (x86)\Dropbox\Client\pyexpat.pyd
2016-04-14 10:40 - 2016-03-22 07:51 - 00240584 _____ () C:\Program Files (x86)\Dropbox\Client\jpegtran.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00024392 _____ () C:\Program Files (x86)\Dropbox\Client\librsyncffi.compiled._librsyncffi.pyd
2016-04-14 10:40 - 2016-03-22 07:52 - 00036296 _____ () C:\Program Files (x86)\Dropbox\Client\librsync.dll
2016-04-14 10:40 - 2016-04-09 04:19 - 00052024 _____ () C:\Program Files (x86)\Dropbox\Client\psutil._psutil_windows.pyd
2016-02-19 14:25 - 2016-04-09 04:20 - 00020800 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.iphlpapi._winffi_iphlpapi.pyd
2016-02-19 14:25 - 2016-04-09 04:20 - 00021824 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.kernel32._winffi_kernel32.pyd
2016-02-19 14:25 - 2016-04-09 04:20 - 00019776 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.winerror._winffi_winerror.pyd
2016-02-19 14:25 - 2016-04-09 04:20 - 00020800 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.wininet._winffi_wininet.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00020280 _____ () C:\Program Files (x86)\Dropbox\Client\cpuid.compiled._cpuid.pyd
2016-01-24 20:38 - 2016-03-22 07:52 - 00350152 _____ () C:\Program Files (x86)\Dropbox\Client\winxpgui.pyd
2016-02-19 14:25 - 2016-04-09 04:20 - 00022352 _____ () C:\Program Files (x86)\Dropbox\Client\winverifysignature.compiled._VerifySignature.pyd
2016-04-14 10:40 - 2016-04-09 04:19 - 00084280 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox_sqlite_ext.DLL
2016-04-14 10:40 - 2016-04-09 04:20 - 01826096 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtCore.pyd
2016-01-24 20:38 - 2016-03-22 07:51 - 00083912 _____ () C:\Program Files (x86)\Dropbox\Client\sip.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 03928880 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWidgets.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 01971504 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtGui.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00531248 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtNetwork.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00132912 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebKit.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00223544 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebKitWidgets.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00207672 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtPrintSupport.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00158008 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebEngineWidgets.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00042808 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebChannel.pyd
2016-04-14 10:40 - 2016-03-22 07:54 - 00017864 _____ () C:\Program Files (x86)\Dropbox\Client\libEGL.dll
2016-04-14 10:40 - 2016-03-22 07:54 - 01631184 _____ () C:\Program Files (x86)\Dropbox\Client\libGLESv2.dll
2016-01-24 20:38 - 2016-04-09 04:20 - 00024904 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_wpad_proxy_win_x752e3d61xdcfdcc84.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00546096 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtQuick.pyd
2016-04-14 10:40 - 2016-04-09 04:20 - 00357680 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtQml.pyd
2016-01-24 20:38 - 2016-03-22 07:56 - 00697304 _____ () C:\Program Files (x86)\Dropbox\Client\QtQuick\Controls\qtquickcontrolsplugin.dll
2016-01-24 20:38 - 2016-03-22 07:52 - 00060880 _____ () C:\Program Files (x86)\Dropbox\Client\win32print.pyd
2016-03-10 16:56 - 2016-03-10 16:56 - 00379384 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\windows\ExpressVPN.FilterManager.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\sdpsenv.dat:naughtypirates [322]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 12:34 - 2016-01-27 20:51 - 00001093 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 licensing.ultraedit.com
127.0.0.1 licensing2.ultraedit.com
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 lmlicenses.wip4.adobe.com
127.0.0.1 lm.licenses.adobe.com
127.0.0.1 na1r.services.adobe.com
127.0.0.1 hlrcv.stage.adobe.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-810482344-1227375919-1709595578-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 61.9.211.1 - 61.9.211.33
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{9F57085D-C6BB-409F-A26F-174FABDA3949}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{8F8021BC-4523-4B8B-A68A-2846431E268E}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{9C5F7100-FF73-4247-B7AD-EBDC3691EA4F}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{98B9F810-1091-43FF-BFA9-EFDEDE718574}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{4ED342F7-1AEC-40A1-9D3B-A4D065234779}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{E81E943B-937D-4067-A745-57993C9FF2B7}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{55C1C178-ECD1-492C-8873-A39CC3F644E6}] => (Block) %ProgramFiles% (x86)\Beyond Compare 3\BComp.exe
FirewallRules: [{133500F4-5C46-4C24-A23D-780145216192}] => (Block) %ProgramFiles% (x86)\Beyond Compare 3\BCompare.exe
FirewallRules: [{E69F7A20-F8C6-4E8A-B5B1-10C758A2A447}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\d8viewer.exe
FirewallRules: [{238BA87A-6F79-42E1-A558-CD23D5307830}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\dopus.exe
FirewallRules: [{4A61DFA7-9165-4EB8-B55A-FC29EABF808E}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\dopusrt.exe
FirewallRules: [{94BC0C53-F5C0-402E-8C0F-354C31AEC6BB}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\dowshlp.exe
FirewallRules: [{895C0CAB-BFBD-46D1-9565-8D6911F312DA}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\Viewers\docsvw32.exe
FirewallRules: [{471ABDCF-FEFA-46DC-8B0A-D4518A9CB723}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\Viewers\docsvw64.exe
FirewallRules: [{4D3CC4E2-0DD7-4ED8-BC49-FC2C649FC308}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\x86\d8viewer.exe
FirewallRules: [{582F0D33-1F4C-4F71-A5B4-F658057A71A5}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\x86\dopus.exe
FirewallRules: [{A66BB59F-2160-4801-B601-A421F7E135C5}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\x86\dopusrt.exe
FirewallRules: [{F2FBC3F5-4B4F-42F4-9DFA-7712470AB760}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\x86\dowshlp.exe
FirewallRules: [{C39BDC3A-FCD2-4888-880F-676F74A98C77}] => (Block) %ProgramFiles%\GPSoftware\Directory Opus\x86\Viewers\docsvw32.exe
FirewallRules: [TCP Query User{1F535C83-6AC2-41BA-8C26-6B90CA8B5FD2}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{DF49D776-022E-4D0E-B5B6-5496688234A0}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [{AF9F5213-F739-4AA4-961C-EB5183D8A584}] => (Block) %ProgramFiles%\Tracker Software\PDF Viewer\PDFXCview.exe
FirewallRules: [{1A1153E5-3103-441F-80B7-F639394A9F42}] => (Allow) LPort=4500
FirewallRules: [{F6A78189-6FE8-48A4-89B9-1F5D01BF341B}] => (Allow) LPort=1194
FirewallRules: [{7135ACF3-010D-4126-A1A9-2A64F7427994}] => (Allow) LPort=1194
FirewallRules: [{2C292F7F-8BE5-4A97-BFDA-924A13AD72B4}] => (Block) %ProgramFiles% (x86)\Adobe\Adobe Audition CS6\Adobe Audition CS6.exe
FirewallRules: [{1E339C0A-96A6-417C-9140-E65B939C77AB}] => (Block) %ProgramFiles% (x86)\Adobe\Adobe Audition CS6\arh.exe
FirewallRules: [{A4FB6E24-EEF8-4710-A94D-DFA87483D910}] => (Block) %ProgramFiles% (x86)\Adobe\Adobe Audition CS6\dvaaudiofilterscan.exe
FirewallRules: [{EF3CB9F6-4C0E-4DDC-A2D4-2C3E82ABABD3}] => (Block) %ProgramFiles% (x86)\Adobe\Adobe Audition CS6\dynamiclinkmanager.exe
FirewallRules: [{BFF15BD5-F89D-482A-A2FF-C0543E235FCE}] => (Block) %ProgramFiles% (x86)\Adobe\Adobe Audition CS6\GPUSniffer.exe
FirewallRules: [{3E55C1D1-6097-428D-8ED4-B255E91F26F0}] => (Block) %ProgramFiles% (x86)\Adobe\Adobe Audition CS6\LogTransport2.exe
FirewallRules: [{37F72505-F716-4A06-8DCE-4A80D3B63A16}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{691A65F4-3A67-4524-A5C9-4B53D56010D1}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
FirewallRules: [{9A95E354-7452-406A-A5F6-F8E640B159D6}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

02-05-2016 02:44:32 Windows Update
05-05-2016 16:07:37 Windows Update
06-05-2016 21:45:14 Installed calibre
07-05-2016 22:13:55 ExpressVPN
08-05-2016 16:08:12 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (05/09/2016 07:18:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Kodi.exe version 16.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 66e0

Start Time: 01d1a9d3af3544e8

Termination Time: 38

Application Path: C:\Program Files (x86)\Kodi\Kodi.exe

Report Id: fb0c06bb-15c6-11e6-8232-f46d041842d0

Error: (05/07/2016 10:27:01 PM) (Source: nssm) (EventID: 1018) (User: )
Description: Failed to read registry value AppDirectory:
The operation completed successfully.

Error: (05/07/2016 10:14:09 PM) (Source: nssm) (EventID: 1018) (User: )
Description: Failed to read registry value AppDirectory:
The operation completed successfully.

Error: (05/03/2016 08:36:24 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program notepad.exe version 6.1.7601.18917 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 57c8

Start Time: 01d1a52797a4cdbf

Termination Time: 7

Application Path: C:\Windows\system32\notepad.exe

Report Id: daf4aa8b-111a-11e6-8232-f46d041842d0

Error: (05/03/2016 08:35:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program notepad.exe version 6.1.7601.18917 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 28cc

Start Time: 01d19d21da7e6886

Termination Time: 7

Application Path: C:\Windows\system32\notepad.exe

Report Id: c3f0e926-111a-11e6-8232-f46d041842d0

Error: (04/21/2016 09:35:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: VPNClient.exe, version: 2.1.0.0, time stamp: 0x570811cf
Faulting module name: KERNELBASE.dll, version: 6.1.7601.19160, time stamp: 0x56bcd5c3
Exception code: 0xe0434352
Fault offset: 0x0000c52f
Faulting process id: 0x432c
Faulting application start time: 0xVPNClient.exe0
Faulting application path: VPNClient.exe1
Faulting module path: VPNClient.exe2
Report Id: VPNClient.exe3

Error: (04/21/2016 09:35:58 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: VPNClient.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
   at VPNClient.App.WhW8ZoYxWM(System.Object, System.Windows.Threading.DispatcherUnhandledExceptionEventArgs)
   at System.Windows.Threading.Dispatcher.CatchException(System.Exception)
   at System.Windows.Threading.Dispatcher.CatchExceptionStatic(System.Object, System.Exception)
   at System.Windows.Threading.ExceptionWrapper.CatchException(System.Object, System.Exception, System.Delegate)
   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
   at System.Windows.Threading.DispatcherOperation.InvokeImpl()
   at System.Windows.Threading.DispatcherOperation.InvokeInSecurityContext(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at MS.Internal.CulturePreservingExecutionContext.Run(MS.Internal.CulturePreservingExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Windows.Threading.DispatcherOperation.Invoke()
   at System.Windows.Threading.Dispatcher.ProcessQueue()
   at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
   at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
   at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
   at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)
   at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)
   at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
   at System.Windows.Threading.Dispatcher.PushFrameImpl(System.Windows.Threading.DispatcherFrame)
   at System.Windows.Threading.Dispatcher.PushFrame(System.Windows.Threading.DispatcherFrame)
   at System.Windows.Application.RunDispatcher(System.Object)
   at System.Windows.Application.RunInternal(System.Windows.Window)
   at System.Windows.Application.Run(System.Windows.Window)
   at VPNClient.App.Main()
   at <PrivateImplementationDetails>{E4624E0B-88AA-4F26-B4FC-42ED21D65634}.Main()

Error: (04/10/2016 10:49:57 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7601.19135 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: d44

Start Time: 01d19156d4582c0f

Termination Time: 20

Application Path: C:\Windows\Explorer.EXE

Report Id: 2382c80f-feb6-11e5-8232-f46d041842d0

Error: (04/08/2016 03:23:36 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/03/2016 06:23:54 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (05/09/2016 06:51:11 AM) (Source: VDS Basic Provider) (EventID: 1) (User: )
Description: Unexpected failure. Error code: 490@01010004

Error: (05/09/2016 06:50:03 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk4\DR10.

Error: (05/09/2016 06:50:02 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk4\DR10.

Error: (05/09/2016 06:50:01 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk4\DR10.

Error: (05/09/2016 06:50:01 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk4\DR10.

Error: (05/09/2016 06:50:00 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk4\DR10.

Error: (05/09/2016 06:49:59 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk4\DR10.

Error: (05/09/2016 02:10:46 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 115.63.0.0

    Update Source: %NT AUTHORITY51

    Update Stage: 4.9.0218.00

    Source Path: 4.9.0218.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (05/09/2016 02:10:46 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.219.1122.0

    Update Source: %NT AUTHORITY51

    Update Stage: 4.9.0218.00

    Source Path: 4.9.0218.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (05/09/2016 02:10:46 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.219.1122.0

    Update Source: %NT AUTHORITY51

    Update Stage: 4.9.0218.00

    Source Path: 4.9.0218.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
Percentage of memory in use: 59%
Total physical RAM: 8173.42 MB
Available physical RAM: 3297.75 MB
Total Virtual: 16345.05 MB
Available Virtual: 9086.59 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:107.13 GB) (Free:61.67 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Data) (Fixed) (Total:1863.01 GB) (Free:125.27 GB) NTFS
Drive e: (Stuff) (Fixed) (Total:2794.39 GB) (Free:135.32 GB) NTFS
Drive f: (Music) (Fixed) (Total:931.51 GB) (Free:136.54 GB) NTFS
Drive g: (BR_DANGEROUS_DAYS) (CDROM) (Total:7.73 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 107.1 GB) (Disk ID: 7B4347DB)
Partition 1: (Active) - (Size=107.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 725FCE8A)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: F7D52849)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 2794.5 GB) (Disk ID: A9F7D8C1)

Partition: GPT.

==================== End of Addition.txt ============================

 

 

Link to post
Share on other sites

  • Root Admin

Hello and :welcome:

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)



STEP 01
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1 | Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.



STEP 02
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe



STEP 03
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

 

Link to post
Share on other sites

Thanks Ron,

Here's the output of RKill

START OF FILE

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/13/2016 06:23:09 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * TBS [Missing Service]
 * WSearch [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 05/13/2016 06:23:22 PM

Execution time: 0 hours(s), 0 minute(s), and 12 seconds(s)

END OF FILE

And here is the output of MBAM's scan:

START OF FILE

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/13/2016
Scan Time: 6:31 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.13.02
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Ben

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 295602
Time Elapsed: 6 min, 3 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

END OF FILE

Link to post
Share on other sites

  • Root Admin

Great. Let me have you run the following then to continue.

 

Please go ahead and run through the following steps and post back the logs when ready.

STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus



STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista / Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


STEP 06
button_eos.gif

Please go here to run the online antivirus scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

 

Link to post
Share on other sites

Hi Ron,

Interesting... this is a PC which other family members use, so in these scans I'm seeing some things which are news to me! Am curious which might be causing the outgoing interactions....

Here's JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Ben (Administrator) on Sun 05/15/2016 at  8:50:55.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 28 

Successfully deleted: C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil (Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg (Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.localstorage (File) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FF9I5LC (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\43RU6OU1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7R8VQAW1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XNLNYOK (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABVVM67D (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O7BJPFPH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UDSV38N1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Ben\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UK0I1LSN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FF9I5LC (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\43RU6OU1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7R8VQAW1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9XNLNYOK (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABVVM67D (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O7BJPFPH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UDSV38N1 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UK0I1LSN (Temporary Internet Files Folder) 

Registry: 0 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 05/15/2016 at  8:52:05.11
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Here's Adwcleaner:

# AdwCleaner v5.116 - Logfile created 15/05/2016 at 09:07:03
# Updated 09/05/2016 by Xplode
# Database : 2016-05-13.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Ben - SILENCE
# Running from : D:\Download\Malware Tools\Adwcleaner\adwcleaner_5.116.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[-] File Deleted : C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\elicpjhcidhpjomhibiffojpinpmmpil

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\OCS

***** [ Web browsers ] *****

[-] [C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : elicpjhcidhpjomhibiffojpinpmmpil

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1280 bytes] - [15/05/2016 09:07:03]
C:\AdwCleaner\AdwCleaner[S1].txt - [1273 bytes] - [11/05/2016 21:23:37]
C:\AdwCleaner\AdwCleaner[S2].txt - [1462 bytes] - [15/05/2016 09:02:32]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1499 bytes] ##########
 

Here's ESET:

C:\Users\Ben\AppData\Local\Temp\AskSLib.dll    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Ben\AppData\Local\Temp\DMR\dmr_72.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application
D:\Download\ccsetup514.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\Download\ccsetup515.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\Download\ccsetup516.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\Download\ccsetup517.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
E:\Burn\Software\ImgBurn\SetupImgBurn_2.5.8.0.exe    Win32/OpenCandy potentially unsafe application
E:\Burn\Software\PDF-XChange Viewer Pro 2.5.198\PDFXVwer.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application

 

Here's FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:14-05-2016
Ran by Ben (administrator) on SILENCE (15-05-2016 19:48:28)
Running from D:\Download\Malware Tools\Farbar Recovery Tool
Loaded Profiles: Ben (Available Profiles: Ben)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: "C:\Program Files\Pale Moon\palemoon.exe" -osint -url "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
() C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(GP Software) C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
(Flux Software LLC) C:\Users\Ben\AppData\Local\FluxSoftware\Flux\flux.exe
(Don HO don.h@free.fr) C:\Program Files (x86)\Notepad++\notepad++.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(GP Software) C:\Program Files\GPSoftware\Directory Opus\dopus.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(ESET) C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11465832 2010-09-07] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585744 2015-10-14] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [446392 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-11] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [23745808 2016-05-07] (Dropbox, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595480 2016-03-20] (Oracle Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [Directory Opus Desktop Dblclk] => C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe [414408 2015-12-17] (GP Software)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [f.lux] => C:\Users\Ben\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-24] (Flux Software LLC)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8698584 2016-04-16] (Piriform Ltd)
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\MountPoints2: {0e467821-baa1-11e5-80d9-f46d041842d0} - H:\SETUP.EXE
HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\MountPoints2: {d38134b4-cb99-11e5-ab6f-f46d041842d0} - "I:\WD SmartWare.exe" autoplay=true
ShellExecuteHooks: Directory Opus Shell Execute Hook - {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll [1574600 2015-12-17] (GP Software)
ShellExecuteHooks-x32: Directory Opus Shell Execute Hook - {EE761688-C137-4b04-8FAB-3C9CDF0886F0} - C:\Program Files\GPSoftware\Directory Opus\dopuslib32.dll [343240 2015-12-17] (GP Software)
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-05-07] (Dropbox, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 61.9.211.1 61.9.211.33
Tcpip\..\Interfaces\{62081B48-C6B2-48C9-AA94-74DC5A2D3C89}: [DhcpNameServer] 61.9.211.1 61.9.211.33
Tcpip\..\Interfaces\{62897515-A3B6-42D6-99FF-60D953456EC9}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{8F5818A0-741B-4761-A555-3762116F3EC2}: [DhcpNameServer] 10.10.0.1

Internet Explorer:
==================
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_77\bin\ssv.dll [2016-03-25] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-03-25] (Oracle Corporation)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-13] ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-03-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-03-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-13] ()
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-10-14] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-10-14] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-810482344-1227375919-1709595578-1000: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2000-01-01] (Tracker Software Products Ltd.)

Chrome: 
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-01-14]
CHR Extension: (Magic Actions for YouTube™) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\abjcfabbhafbcdfjoecdgepllmpfceif [2016-05-09]
CHR Extension: (Google Docs) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-01-14]
CHR Extension: (Google Drive) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-14]
CHR Extension: (YouTube) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-14]
CHR Extension: (Adblock Plus) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-03-11]
CHR Extension: (Google Search) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-14]
CHR Extension: (Dropbox for Gmail) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\dpdmhfocilnekecfjgimjdeckachfbec [2016-04-23]
CHR Extension: (Tabs Outliner) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\eggkanocgddhmamlbiijnphhppkpkmkl [2016-03-13]
CHR Extension: (Video Downloader professional) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2016-05-15]
CHR Extension: (Google Sheets) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-14]
CHR Extension: (Office Editing for Docs, Sheets & Slides) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbkeegbaiigmenfmjfclcdgdpimamgkj [2016-05-09]
CHR Extension: (Google Docs Offline) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-27]
CHR Extension: (The Great Suspender) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg [2016-05-15]
CHR Extension: (Flashcontrol) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfidmkgnfgnkihnjeklbekckimkipmoe [2016-05-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-08]
CHR Extension: (Gmail) - C:\Users\Ben\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-14]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-01-24] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-01-24] (Dropbox, Inc.)
R2 ExpressVpnService; C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe [331264 2016-03-09] () [File not signed]
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2015-10-14] (NVIDIA Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
S3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706128 2015-10-14] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21833360 2015-10-14] (NVIDIA Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 CMUACWO; C:\Windows\System32\DRIVERS\CMUACWO.sys [357376 2013-02-19] (C-Media Inc.)
R3 CMUSBDAC; C:\Windows\System32\DRIVERS\CMUSBDAC.sys [594944 2014-09-19] (C-MEDIA)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
S3 libusb0; C:\Windows\SysWOW64\drivers\libusb0.sys [16896 2007-03-20] (hxxp://libusb-win32.sourceforge.net) [File not signed]
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-05-15] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-10-14] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2015-10-14] (NVIDIA Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-06-22] (Corel Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-15 09:10 - 2016-05-15 09:10 - 00000000 ____D C:\Program Files (x86)\ESET
2016-05-15 08:52 - 2016-05-15 08:52 - 00005091 _____ C:\Users\Ben\Desktop\JRT.txt
2016-05-13 18:27 - 2016-05-13 18:28 - 00000000 ____D C:\Program Files (x86)\ERUNT
2016-05-13 18:27 - 2016-05-13 18:27 - 00000924 _____ C:\Users\Ben\Desktop\NTREGOPT.lnk
2016-05-13 18:27 - 2016-05-13 18:27 - 00000905 _____ C:\Users\Ben\Desktop\ERUNT.lnk
2016-05-13 18:27 - 2016-05-13 18:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2016-05-13 18:23 - 2016-05-13 18:23 - 00002708 _____ C:\Users\Ben\Desktop\Rkill.txt
2016-05-12 04:03 - 2016-05-12 04:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-05-11 21:23 - 2016-05-15 09:07 - 00000000 ____D C:\AdwCleaner
2016-05-09 21:37 - 2016-05-15 19:48 - 00000000 ____D C:\FRST
2016-05-07 22:14 - 2016-05-07 22:14 - 00002043 _____ C:\Users\Public\Desktop\ExpressVPN.lnk
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\Users\Ben\AppData\Local\ExpressVPN
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\ProgramData\ExpressVPN
2016-05-07 22:14 - 2016-05-07 22:14 - 00000000 ____D C:\Program Files (x86)\ExpressVPN
2016-04-23 13:59 - 2016-04-23 14:24 - 00000000 ____D C:\Users\Ben\AppData\Local\calibre-cache
2016-04-23 13:58 - 2016-04-23 14:23 - 00000000 ____D C:\Users\Ben\AppData\Roaming\calibre
2016-04-23 13:55 - 2016-05-06 21:45 - 00000960 _____ C:\Users\Public\Desktop\calibre - E-book management.lnk
2016-04-23 13:55 - 2016-05-06 21:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2016-04-23 13:55 - 2016-05-06 21:45 - 00000000 ____D C:\Program Files (x86)\Calibre2
2016-04-23 13:28 - 2016-04-26 19:12 - 00000000 ____D C:\Users\Ben\Documents\My Kindle Content
2016-04-23 13:28 - 2016-04-23 13:28 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
2016-04-23 13:28 - 2016-04-23 13:28 - 00000000 ____D C:\Users\Ben\AppData\Local\Amazon
2016-04-21 21:33 - 2016-04-21 21:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPVanish

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-15 19:31 - 2016-01-24 20:26 - 00000902 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job
2016-05-15 19:30 - 2016-01-14 19:16 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-05-15 19:16 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\tracing
2016-05-15 19:03 - 2016-01-14 16:45 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-15 18:13 - 2016-04-10 15:13 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-05-15 18:02 - 2009-07-14 14:45 - 00022080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-15 18:02 - 2009-07-14 14:45 - 00022080 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-15 09:13 - 2009-07-14 15:13 - 00752076 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-15 09:13 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\inf
2016-05-15 09:07 - 2016-01-24 20:26 - 00000898 _____ C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
2016-05-15 09:07 - 2016-01-21 22:51 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2016-05-15 09:07 - 2016-01-14 16:45 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-15 09:07 - 2016-01-14 06:22 - 00000000 ____D C:\ProgramData\NVIDIA
2016-05-15 09:07 - 2009-07-14 15:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-15 08:49 - 2016-01-23 13:03 - 00007611 _____ C:\Users\Ben\AppData\Local\Resmon.ResmonCfg
2016-05-15 08:48 - 2016-01-14 16:51 - 00000000 ____D C:\Users\Ben\AppData\Roaming\foobar2000
2016-05-13 22:30 - 2016-01-14 19:16 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-05-13 22:30 - 2016-01-14 19:16 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-05-13 22:30 - 2016-01-14 19:16 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-05-13 11:05 - 2016-01-14 16:46 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-12 17:51 - 2016-01-14 10:05 - 00000000 ____D C:\Program Files\Pale Moon
2016-05-12 04:03 - 2016-01-24 20:26 - 00000000 ____D C:\Program Files (x86)\Dropbox
2016-05-11 21:47 - 2016-01-14 19:28 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Kodi
2016-05-11 08:58 - 2016-01-14 16:45 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-05-11 08:58 - 2016-01-14 16:45 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-05-09 23:09 - 2016-01-14 07:48 - 00000000 ____D C:\ProgramData\TEMP
2016-05-09 23:08 - 2009-07-14 13:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-05-09 23:08 - 2009-07-14 13:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2016-05-09 23:07 - 2016-01-14 07:52 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-05-09 22:43 - 2016-01-14 07:52 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-05-09 19:29 - 2016-01-15 18:25 - 00000000 ____D C:\Users\Ben\AppData\Local\IPVanish
2016-05-07 22:13 - 2016-01-14 19:23 - 00000000 ____D C:\ProgramData\Package Cache
2016-05-07 21:38 - 2016-01-15 18:24 - 00000000 ____D C:\Program Files (x86)\IPVanish
2016-05-03 21:36 - 2016-01-26 12:32 - 00000000 ____D C:\Users\Ben\AppData\Roaming\vlc
2016-04-23 15:51 - 2016-01-24 20:26 - 00000000 ____D C:\Users\Ben\AppData\Local\Dropbox
2016-04-23 13:56 - 2016-01-14 10:00 - 00000000 ____D C:\Users\Ben\Desktop\Tools
2016-04-23 13:55 - 2016-01-23 23:23 - 00000000 ____D C:\Users\Ben\Desktop\Readers
2016-04-23 13:55 - 2016-01-14 19:30 - 00000000 ____D C:\Users\Ben\Desktop\Media Players
2016-04-23 13:55 - 2016-01-14 10:00 - 00000000 ____D C:\Users\Ben\Desktop\Protection
2016-04-22 17:57 - 2010-11-21 13:27 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2016-01-23 13:03 - 2016-05-15 08:49 - 0007611 _____ () C:\Users\Ben\AppData\Local\Resmon.ResmonCfg
2006-05-11 23:06 - 2006-05-11 23:06 - 0000000 ____H () C:\ProgramData\sdpsenv.dat

Files to move or delete:
====================
C:\ProgramData\sdpsenv.dat


Some files in TEMP:
====================
C:\Users\Ben\AppData\Local\Temp\AskSLib.dll
C:\Users\Ben\AppData\Local\Temp\IPVanish-Setup-2.0.5876.40018.exe
C:\Users\Ben\AppData\Local\Temp\IPVanish-Setup-2.1.0.29319.exe
C:\Users\Ben\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Ben\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Ben\AppData\Local\Temp\LgkuGAxFSJrpHvHwkCpH.DLL
C:\Users\Ben\AppData\Local\Temp\libeay32.dll
C:\Users\Ben\AppData\Local\Temp\lrSvsQRSYNBmoHlHEhNH.DLL
C:\Users\Ben\AppData\Local\Temp\msvcr120.dll
C:\Users\Ben\AppData\Local\Temp\nvStInst.exe
C:\Users\Ben\AppData\Local\Temp\ose00000.exe
C:\Users\Ben\AppData\Local\Temp\sqlite3.dll
C:\Users\Ben\AppData\Local\Temp\xmlUpdater.exe
C:\Users\Ben\AppData\Local\Temp\yJjlfYLAIN.DLL


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-08 00:27

==================== End of FRST.txt ============================

 

Here's Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version:14-05-2016
Ran by Ben (2016-05-15 19:48:44)
Running from D:\Download\Malware Tools\Farbar Recovery Tool
Windows 7 Home Premium Service Pack 1 (X64) (2016-01-13 11:43:42)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-810482344-1227375919-1709595578-500 - Administrator - Disabled)
Ben (S-1-5-21-810482344-1227375919-1709595578-1000 - Administrator - Enabled) => C:\Users\Ben
Guest (S-1-5-21-810482344-1227375919-1709595578-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-810482344-1227375919-1709595578-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Disabled - Up to date) {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
AS: Microsoft Security Essentials (Disabled - Up to date) {CDE0C533-D3CD-62A1-E772-AFADDF863628}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.14 (x64) (HKLM\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Audition CS6 (HKLM-x32\...\{30FD541D-3C9D-41C4-B240-A994EE4E0231}) (Version: 5.0 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Amazon Kindle (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Amazon Kindle) (Version: 1.15.0.43061 - Amazon)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.2.9.0 - Asmedia Technology)
Beyond Compare 3.3.11 (HKLM-x32\...\BeyondCompare3_is1) (Version: 3.3.11.18371 - Scooter Software)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
calibre (HKLM-x32\...\{6C358B17-1145-46D8-85E0-57FFFCA93BFC}) (Version: 2.56.0 - Kovid Goyal)
CCleaner (HKLM\...\CCleaner) (Version: 5.17 - Piriform)
CMEDIA USB2.0 Audio Device (HKLM-x32\...\{9445E4B8-E875-470A-928A-A665D3F973B4}) (Version: 1.00.0001 - C-Media Electronics, Inc.)
Dropbox (HKLM-x32\...\Dropbox) (Version: 3.20.1 - Dropbox, Inc.)
Dropbox Update Helper (x32 Version: 1.3.27.77 - Dropbox, Inc.) Hidden
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version:  - Lars Hederer)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ExpressVPN (HKLM-x32\...\{7e9357d8-8bdd-4e72-88ac-1b3acedd2b32}) (Version: 5.0.1.551 - ExpressVPN)
ExpressVPN (x32 Version: 5.0.1.551 - ExpressVPN) Hidden
ExpressVPN Compatibility Checks (x32 Version: 1.0.0.0 - ExpressVPN) Hidden
f.lux (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Flux) (Version:  - )
foobar2000 v1.3.9 (HKLM-x32\...\foobar2000) (Version: 1.3.9 - Peter Pawlowski)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 50.0.2661.102 - Google Inc.)
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
GPSoftware Directory Opus (HKLM-x32\...\{0A6AA615-5321-43A0-AFAE-97BF95013EA0}) (Version: 11.17 - GPSoftware)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
IPVanish (x32 Version: 2.1.0.0 - IPVanish.com) Hidden
IPVanish VPN (HKLM-x32\...\{b6f928a0-7e46-42bb-bdba-f4f4a1ca842c}) (Version: 2.1.0.0 - IPVanish.com)
Java 8 Update 77 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418077F0}) (Version: 8.0.770.3 - Oracle Corporation)
Kodi (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\Kodi) (Version:  - XBMC-Foundation)
LibreOffice 5.0.4.2 (HKLM\...\{8C3F291E-AA0A-4188-A83F-1D97103AE27C}) (Version: 5.0.4.2 - The Document Foundation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.9.218.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
NirSoft ShellExView (HKLM-x32\...\NirSoft ShellExView) (Version:  - )
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.8 - Notepad++ Team)
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.92 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.2.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.2.2 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.92 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
OpenOffice 4.1.2 (HKLM-x32\...\{4E96CB8B-444E-4EA3-8EF4-26060B0B411F}) (Version: 4.12.9782 - Apache Software Foundation)
Pale Moon 26.2.2 (x64 en-US) (HKLM\...\Pale Moon 26.2.2 (x64 en-US)) (Version: 26.2.2 - Moonchild Productions)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.198.0 - Tracker Software Products Ltd)
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Potplayer-64 Bits (HKLM\...\PotPlayer64) (Version:  - Kakao Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.41.216.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6196 - Realtek Semiconductor Corp.)
SHIELD Streaming (Version: 4.0.1000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 17.12.8 - NVIDIA Corporation) Hidden
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
SpywareBlaster 5.4 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.4.0 - BrightFort LLC)
STDU Viewer version 1.6.375.0 (HKLM-x32\...\STDU Viewer_is1) (Version: 1.6.375.0 - STDUtility)
Sublime Text Build 3083 (HKLM-x32\...\Sublime Text 3_is1) (Version:  - Sublime HQ Pty Ltd)
Tag&Rename 3.9.5 (HKLM-x32\...\Tag&Rename_is1) (Version: 3.9.5 - Softpointer Inc)
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version: 5.4.7.0 - Elaborate Bytes)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WinDirStat 1.1.2 (HKU\S-1-5-21-810482344-1227375919-1709595578-1000\...\WinDirStat) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-810482344-1227375919-1709595578-1000_Classes\CLSID\{04170FCD-1D60-4930-BC9D-D39F3CD3A83B}\InprocServer32 -> C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll (GP Software)
CustomCLSID: HKU\S-1-5-21-810482344-1227375919-1709595578-1000_Classes\CLSID\{070057DA-0223-4D7E-B886-7CF38806F044}\InprocServer32 -> C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll (GP Software)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {17B864F9-1093-48B9-AC97-6DE09636CA34} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {24654B29-BE4B-4BCA-8B29-4D6470EEEA6E} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {7789941D-6124-472D-A456-55D8BE4783B2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-01-14] (Google Inc.)
Task: {B1ABD6CD-5939-4D96-8D8E-26467945D18B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-01-14] (Google Inc.)
Task: {C66E9C88-D9AD-47D6-9B52-C514EF1A5589} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-13] (Adobe Systems Incorporated)
Task: {D41E1A17-24B2-40CF-B5ED-69280BBBAF15} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.)
Task: {DD394E3D-FAD8-4D8A-8273-5B50C86E552B} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-04-16] (Piriform Ltd)
Task: {E12382B9-8E05-4804-A80A-FA998327082D} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-01-24] (Dropbox, Inc.)
Task: {F1B3DFA4-A603-4270-B772-C8EBD85CC48D} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-01-24] (Dropbox, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-01-14 06:22 - 2015-10-14 03:26 - 00125616 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-11-30 21:53 - 2012-10-12 13:34 - 15072256 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\fxhr5aRC.DLL
2016-03-09 15:56 - 2016-03-09 15:56 - 00331264 _____ () C:\Program Files (x86)\ExpressVPN\bootstrap\AMD64\nssm.exe
2016-03-10 16:56 - 2016-03-10 16:56 - 09641976 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
2015-04-16 06:13 - 2015-04-16 06:13 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2016-03-10 16:56 - 2016-03-10 16:56 - 00379384 _____ () C:\Program Files (x86)\ExpressVPN\xvpnd\windows\ExpressVPN.FilterManager.dll
2016-01-14 07:52 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2016-01-14 07:52 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2016-01-14 07:52 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2016-01-14 07:52 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2016-01-14 07:52 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2015-06-09 05:06 - 2015-06-09 05:06 - 00014336 _____ () C:\Program Files (x86)\Notepad++\plugins\NppExport.dll
2016-01-24 20:38 - 2016-04-20 05:47 - 00034768 _____ () C:\Program Files (x86)\Dropbox\Client\_multiprocessing.pyd
2016-05-12 04:03 - 2016-04-20 05:48 - 00019408 _____ () C:\Program Files (x86)\Dropbox\Client\faulthandler.pyd
2016-05-12 04:03 - 2016-04-20 05:47 - 00116688 _____ () C:\Program Files (x86)\Dropbox\Client\pywintypes27.dll
2016-01-24 20:38 - 2016-04-20 05:47 - 00093640 _____ () C:\Program Files (x86)\Dropbox\Client\_ctypes.pyd
2016-01-24 20:38 - 2016-04-20 05:47 - 00018376 _____ () C:\Program Files (x86)\Dropbox\Client\select.pyd
2016-01-24 20:38 - 2016-05-07 08:35 - 00019760 _____ () C:\Program Files (x86)\Dropbox\Client\tornado.speedups.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00105928 _____ () C:\Program Files (x86)\Dropbox\Client\win32api.pyd
2016-05-12 04:03 - 2016-04-20 05:47 - 00392144 _____ () C:\Program Files (x86)\Dropbox\Client\pythoncom27.dll
2016-01-24 20:38 - 2016-05-07 08:35 - 00381752 _____ () C:\Program Files (x86)\Dropbox\Client\win32com.shell.shell.pyd
2016-01-24 20:38 - 2016-04-20 05:47 - 00692688 _____ () C:\Program Files (x86)\Dropbox\Client\unicodedata.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00020816 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._constant_time.pyd
2016-01-24 20:38 - 2016-04-20 05:48 - 00121296 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_backend.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 01682760 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._openssl.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00020808 _____ () C:\Program Files (x86)\Dropbox\Client\cryptography.hazmat.bindings._padding.pyd
2016-01-24 20:38 - 2016-05-07 08:35 - 00021840 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_unicode_environ_win32_x8bf8e68bx9968e850.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00038696 _____ () C:\Program Files (x86)\Dropbox\Client\fastpath.pyd
2016-05-12 04:03 - 2016-04-20 05:49 - 00020936 _____ () C:\Program Files (x86)\Dropbox\Client\mmapfile.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00024528 _____ () C:\Program Files (x86)\Dropbox\Client\win32event.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00114640 _____ () C:\Program Files (x86)\Dropbox\Client\win32security.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00124880 _____ () C:\Program Files (x86)\Dropbox\Client\win32file.pyd
2016-02-19 14:25 - 2016-05-07 08:35 - 00021832 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_pywin_kernel32_x64d8f881xc8c369be.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00024016 _____ () C:\Program Files (x86)\Dropbox\Client\win32clipboard.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00175560 _____ () C:\Program Files (x86)\Dropbox\Client\win32gui.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00030160 _____ () C:\Program Files (x86)\Dropbox\Client\win32pipe.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00043472 _____ () C:\Program Files (x86)\Dropbox\Client\win32process.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00028616 _____ () C:\Program Files (x86)\Dropbox\Client\win32ts.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00048592 _____ () C:\Program Files (x86)\Dropbox\Client\win32service.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00026456 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox.infinite.win.compiled._driverinstallation.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00057808 _____ () C:\Program Files (x86)\Dropbox\Client\win32evtlog.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00024016 _____ () C:\Program Files (x86)\Dropbox\Client\win32profile.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00117056 _____ () C:\Program Files (x86)\Dropbox\Client\breakpad.client.windows.handler.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00052024 _____ () C:\Program Files (x86)\Dropbox\Client\psutil._psutil_windows.pyd
2016-01-24 20:38 - 2016-04-20 05:47 - 00134608 _____ () C:\Program Files (x86)\Dropbox\Client\_elementtree.pyd
2016-05-12 04:03 - 2016-04-20 05:47 - 00134088 _____ () C:\Program Files (x86)\Dropbox\Client\pyexpat.pyd
2016-05-12 04:03 - 2016-04-20 05:48 - 00240584 _____ () C:\Program Files (x86)\Dropbox\Client\jpegtran.pyd
2016-02-19 14:25 - 2016-05-07 08:35 - 00020800 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.iphlpapi._winffi_iphlpapi.pyd
2016-02-19 14:25 - 2016-05-07 08:35 - 00021824 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.kernel32._winffi_kernel32.pyd
2016-02-19 14:25 - 2016-05-07 08:35 - 00019776 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.winerror._winffi_winerror.pyd
2016-02-19 14:25 - 2016-05-07 08:35 - 00020800 _____ () C:\Program Files (x86)\Dropbox\Client\winffi.wininet._winffi_wininet.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00024392 _____ () C:\Program Files (x86)\Dropbox\Client\librsyncffi.compiled._librsyncffi.pyd
2016-05-12 04:03 - 2016-04-20 05:50 - 00036296 _____ () C:\Program Files (x86)\Dropbox\Client\librsync.dll
2016-05-12 04:03 - 2016-05-07 08:34 - 00020280 _____ () C:\Program Files (x86)\Dropbox\Client\cpuid.compiled._cpuid.pyd
2016-01-24 20:38 - 2016-05-07 08:35 - 00023376 _____ () C:\Program Files (x86)\Dropbox\Client\winscreenshot.compiled._CaptureScreenshot.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00350152 _____ () C:\Program Files (x86)\Dropbox\Client\winxpgui.pyd
2016-02-19 14:25 - 2016-05-07 08:35 - 00022352 _____ () C:\Program Files (x86)\Dropbox\Client\winverifysignature.compiled._VerifySignature.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00084280 _____ () C:\Program Files (x86)\Dropbox\Client\dropbox_sqlite_ext.DLL
2016-05-12 04:03 - 2016-05-07 08:34 - 01826096 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtCore.pyd
2016-01-24 20:38 - 2016-04-20 05:48 - 00083912 _____ () C:\Program Files (x86)\Dropbox\Client\sip.pyd
2016-05-12 04:03 - 2016-05-07 08:35 - 03928880 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWidgets.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 01971504 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtGui.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00531248 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtNetwork.pyd
2016-05-12 04:03 - 2016-05-07 08:35 - 00132912 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebKit.pyd
2016-05-12 04:03 - 2016-05-07 08:35 - 00223544 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtWebKitWidgets.pyd
2016-05-12 04:03 - 2016-05-07 08:34 - 00207672 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtPrintSupport.pyd
2016-01-24 20:38 - 2016-04-20 05:49 - 00060880 _____ () C:\Program Files (x86)\Dropbox\Client\win32print.pyd
2016-01-24 20:38 - 2016-05-07 08:35 - 00024904 _____ () C:\Program Files (x86)\Dropbox\Client\_cffi_wpad_proxy_win_x752e3d61xdcfdcc84.pyd
2016-05-12 04:03 - 2016-05-07 08:35 - 00546096 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtQuick.pyd
2016-05-12 04:03 - 2016-05-07 08:35 - 00357680 _____ () C:\Program Files (x86)\Dropbox\Client\PyQt5.QtQml.pyd
2016-02-11 03:35 - 2016-02-11 03:35 - 00169472 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\5eb8f854950c428c64f668e63c5a0498\IsdiInterop.ni.dll
2016-01-13 22:08 - 2010-11-05 23:50 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2016-05-13 11:05 - 2016-05-11 21:48 - 01738904 _____ () C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\libglesv2.dll
2016-05-13 11:05 - 2016-05-11 21:48 - 00086168 _____ () C:\Program Files (x86)\Google\Chrome\Application\50.0.2661.102\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\sdpsenv.dat:naughtypirates [322]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [134]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 12:34 - 2016-01-27 20:51 - 00001093 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-810482344-1227375919-1709595578-1000\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 61.9.211.1 - 61.9.211.33
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{9F57085D-C6BB-409F-A26F-174FABDA3949}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{8F8021BC-4523-4B8B-A68A-2846431E268E}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{9C5F7100-FF73-4247-B7AD-EBDC3691EA4F}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{98B9F810-1091-43FF-BFA9-EFDEDE718574}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{4ED342F7-1AEC-40A1-9D3B-A4D065234779}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{E81E943B-937D-4067-A745-57993C9FF2B7}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{1F535C83-6AC2-41BA-8C26-6B90CA8B5FD2}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{DF49D776-022E-4D0E-B5B6-5496688234A0}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [{AF9F5213-F739-4AA4-961C-EB5183D8A584}] => (Block) %ProgramFiles%\Tracker Software\PDF Viewer\PDFXCview.exe
FirewallRules: [{1A1153E5-3103-441F-80B7-F639394A9F42}] => (Allow) LPort=4500
FirewallRules: [{F6A78189-6FE8-48A4-89B9-1F5D01BF341B}] => (Allow) LPort=1194
FirewallRules: [{7135ACF3-010D-4126-A1A9-2A64F7427994}] => (Allow) LPort=1194
FirewallRules: [{37F72505-F716-4A06-8DCE-4A80D3B63A16}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{D0F8657A-F8BB-4435-8EF9-79F06A931261}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
FirewallRules: [{80084337-6C2A-4BF6-BA0E-4AD7E359069B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

06-05-2016 21:45:14 Installed calibre
07-05-2016 22:13:55 ExpressVPN
08-05-2016 16:08:12 Windows Update
11-05-2016 16:40:41 Windows Update
15-05-2016 08:50:55 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (05/15/2016 09:10:48 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (05/15/2016 09:07:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/15/2016 09:07:40 AM) (Source: nssm) (EventID: 1018) (User: )
Description: Failed to read registry value AppDirectory:
The operation completed successfully.

Error: (05/11/2016 09:47:24 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Kodi.exe version 16.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 6048

Start Time: 01d1ab7acfa3daf1

Termination Time: 31

Application Path: C:\Program Files (x86)\Kodi\Kodi.exe

Report Id: 1df087fd-176e-11e6-8232-f46d041842d0

Error: (05/09/2016 07:18:29 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Kodi.exe version 16.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 66e0

Start Time: 01d1a9d3af3544e8

Termination Time: 38

Application Path: C:\Program Files (x86)\Kodi\Kodi.exe

Report Id: fb0c06bb-15c6-11e6-8232-f46d041842d0

Error: (05/07/2016 10:27:01 PM) (Source: nssm) (EventID: 1018) (User: )
Description: Failed to read registry value AppDirectory:
The operation completed successfully.

Error: (05/07/2016 10:14:09 PM) (Source: nssm) (EventID: 1018) (User: )
Description: Failed to read registry value AppDirectory:
The operation completed successfully.

Error: (05/03/2016 08:36:24 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program notepad.exe version 6.1.7601.18917 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 57c8

Start Time: 01d1a52797a4cdbf

Termination Time: 7

Application Path: C:\Windows\system32\notepad.exe

Report Id: daf4aa8b-111a-11e6-8232-f46d041842d0

Error: (05/03/2016 08:35:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program notepad.exe version 6.1.7601.18917 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 28cc

Start Time: 01d19d21da7e6886

Termination Time: 7

Application Path: C:\Windows\system32\notepad.exe

Report Id: c3f0e926-111a-11e6-8232-f46d041842d0

Error: (04/21/2016 09:35:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: VPNClient.exe, version: 2.1.0.0, time stamp: 0x570811cf
Faulting module name: KERNELBASE.dll, version: 6.1.7601.19160, time stamp: 0x56bcd5c3
Exception code: 0xe0434352
Fault offset: 0x0000c52f
Faulting process id: 0x432c
Faulting application start time: 0xVPNClient.exe0
Faulting application path: VPNClient.exe1
Faulting module path: VPNClient.exe2
Report Id: VPNClient.exe3


System errors:
=============
Error: (05/15/2016 09:29:38 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275

Error: (05/15/2016 09:29:38 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Ben\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/15/2016 09:29:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275

Error: (05/15/2016 09:29:37 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Ben\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/15/2016 09:29:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275

Error: (05/15/2016 09:29:37 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Ben\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/15/2016 09:12:33 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275

Error: (05/15/2016 09:12:33 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Ben\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/15/2016 09:12:33 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error: 
%%1275

Error: (05/15/2016 09:12:33 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\Ben\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
Percentage of memory in use: 40%
Total physical RAM: 8173.42 MB
Available physical RAM: 4881.26 MB
Total Virtual: 16345.05 MB
Available Virtual: 12804.61 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:107.13 GB) (Free:61.01 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Data) (Fixed) (Total:1863.01 GB) (Free:125.67 GB) NTFS
Drive e: (Stuff) (Fixed) (Total:2794.39 GB) (Free:135.31 GB) NTFS
Drive f: (Music) (Fixed) (Total:931.51 GB) (Free:136.54 GB) NTFS
Drive g: (BR_DANGEROUS_DAYS) (CDROM) (Total:7.73 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 107.1 GB) (Disk ID: 7B4347DB)
Partition 1: (Active) - (Size=107.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 725FCE8A)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: F7D52849)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 2794.5 GB) (Disk ID: A9F7D8C1)

Partition: GPT.

==================== End of Addition.txt ============================

 

Thanks again for the help!

 

Link to post
Share on other sites

  • Root Admin

Without a lot of forensic type work it's often difficult to tell which specific one is causing it. It can be done but when you're trying to clean hundreds of computers one doesn't have time to investigate. The tools used can detect and clean 99% of all computers. Every once in a while you really have to dig in deeper but not too often.

Please uninstall All versions of Java and restart the computer and then run the following.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

 

Link to post
Share on other sites

Hey Ron. Understood @ might be a complex case. As long as you can't see anything obvious that shouldn't be causing these outgoing messages.... although it was occurring without any browsers open (possibly some background chrome processes until I disabled them from running). I haven't seen it since the day I posted asking about it (before taking any steps you provided), but I'm not sure what was running that day that isn't now that might have been causing it (and I tried re-running all the programs I'd used recently and leaving them open for hours on end, but couldn't replicate it). The ComboBox.txt output is attached, thank you

ComboFix.txt

Link to post
Share on other sites

  • Root Admin

The Combofix log looks okay. Not sure what was causing it at the time. We've removed mostly just minor stuff.

 

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
 
bwebb7v.jpgDownload Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot


Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc....AdwCleaner > just run the program and click uninstall.


 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 

Link to post
Share on other sites

  • 1 month later...

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.