SteveE Posted September 2, 2016 ID:1059848

Hi, I got slammed yesterday with a mega-malware/virus. It put a bunch of stuff on my computer and hijacked all my browsers. I have been cleaning for a while but have several things still on the computer. There is a service ping.exe that is in the task manager - it seems to play audio advertisements. Kill it and it comes back. I installed Malwarebytes and it is now constantly popping up that it blocked various malicious websites. I followed these steps:
1. Ran AdwCleaner a couple of times.
2. Ran Malwarebytes 3 times - got to zero items.
3. Ran HitmanPro 3 times - got to zero items.
4. Ran Zemana Anti Malware 3 times - got to clean PC.
Popups still coming. Carvell.exe doesn't show up in taskmgr.exe. So I am assuming it is a svchost virus. Could be wrong. Help! Thanks in advance!!!!
SteveE Posted September 2, 2016 Author ID:1059854

Quick update. Ran rkill again. It identifies Carvell.exe and said it deletes it. It also gave a process ID. Following the PID I found that the process name is ZAM.exe. The system will not let me kill that process.
SteveE Posted September 2, 2016 Author ID:1059863

Starting a new thread with proper scans. Sorry.
SteveE Posted September 2, 2016 Author ID:1059864

OK, can't delete this thread. Continuing properly:

FRST Dump:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Steve (administrator) on STEVE-SPLIT-X2 (02-09-2016 13:47:27)
Running from C:\Users\Steve\Downloads
Loaded Profiles: Steve (Available Profiles: Steve)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Intel Corporation) C:\Windows\SysWOW64\IntelCpHeciSvc.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(DEVGURU Co., LTD.) C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Wondershare) C:\Program Files (x86)\Wondershare\WAF\2.1.6.0\WsAppService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Spotify Ltd) C:\Users\Steve\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe
(Google Inc.) C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe
(Sling Media Inc.) C:\Program Files (x86)\DishAnywhereDesktop\DishAnywherePlayer.exe
() C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe
(Sling Media Inc.) C:\Program Files (x86)\Sling Media\SlingplayerForWeb\SlingplayerForWeb.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe
(Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Sling Media Inc.) C:\Program Files (x86)\DishAnywhereDesktop\DishAnywherePlayer.exe
(Sling Media Inc.) C:\Program Files (x86)\Sling Media\SlingplayerForWeb\SlingplayerForWeb.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
(HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7341.57671.0_x64__8wekyb3d8bbwe\onenoteim.exe
(Microsoft Inc.) C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.11.7293.0_x64__8wekyb3d8bbwe\Solitaire.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7167.40721.0_x64__8wekyb3d8bbwe\HxMail.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7167.40721.0_x64__8wekyb3d8bbwe\HxTsr.exe
() C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [404912 2015-10-22] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-09] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1703424 2015-10-22] (IDT, Inc.)
HKLM\...\Run: [faribault] => "C:\Program Files (x86)\actus\carvell.exe"
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2779136 2016-06-11] (Dominik Reichl)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe [657424 2015-09-03] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [win_en_77] => [X]
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [Spotify Web Helper] => C:\Users\Steve\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1523312 2016-08-29] (Spotify Ltd)
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1400232 2016-07-31] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [HP Officejet Pro 8610 (NET)] => C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe [3487240 2014-07-21] (Hewlett-Packard Development Company, LP)
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [Google Update] => C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2016-01-10] (Google Inc.)
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [IRS12AUC0C] => "C:\Program Files (x86)\DPower\59CRB48DAE.exe"
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [Chromium] => "c:\users\steve\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\RunOnce: [Uninstall C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64"
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\MountPoints2: {7810967f-e203-11e5-8283-485ab6b36b20} - "E:\VZW_Software_upgrade_assistant.exe"
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Mystify.scr [150528 2015-10-30] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1400232 2016-07-31] (Garmin Ltd. or its subsidiaries)
Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DishAnywherePlayerShortcut.lnk [2016-09-02]
ShortcutTarget: DishAnywherePlayerShortcut.lnk -> C:\Program Files (x86)\DishAnywhereDesktop\DishAnywherePlayer.exe (Sling Media Inc.)
Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk [2016-09-02]
ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()
Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SlingplayerForWebShortcut.lnk [2016-09-02]
ShortcutTarget: SlingplayerForWebShortcut.lnk -> C:\Program Files (x86)\Sling Media\SlingplayerForWeb\SlingplayerForWeb.exe (Sling Media Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{488e5b26-fa59-4a72-816d-115d9ded13a7}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{54baa6fc-806b-406e-a3b8-63e4b594531f}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7b1222b5-762c-4cf9-8a6f-445c382141e6}: [DhcpNameServer] 8.8.8.8
ManualProxies:

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\Software\Microsoft\Internet Explorer\Main,Start Page =
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-07-31] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-07-31] (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2016-07-21] (HP Inc.)
DPF: HKLM-x32 {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} hxxp://192.168.1.24/codebase/DVM_IPCam2.ocx
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default
FF NewTab: about:newtab
FF Homepage: hxxps://www.google.com/
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll [2014-03-31] (GARMIN Corp.)
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @garmin.com/GpsControl -> C:\Program Files (x86)\Garmin GPS Plugin\npGarmin.dll [2014-03-31] (GARMIN Corp.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-19] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-19] (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-07-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-06] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2015-10-12] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2221598115-2109861328-2175321649-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Steve\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-08-30] (Citrix Online)
FF Plugin HKU\S-1-5-21-2221598115-2109861328-2175321649-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin HKU\S-1-5-21-2221598115-2109861328-2175321649-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin HKU\S-1-5-21-2221598115-2109861328-2175321649-1001: DISH Anywhere.com/DISH Anywhere Video Player -> C:\Users\Steve\AppData\Roaming\DISH Anywhere\DISH Anywhere Video Player\npNMPCBrowserPlugin.dll [2015-11-23] (Nagravision)
FF Plugin ProgramFiles/Appdata: C:\Users\Steve\AppData\Roaming\mozilla\plugins\npatgpc.dll [2016-01-12] (Cisco WebEx LLC)
FF Extension: (WebSlingPlayer) - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A} [2016-06-28]
FF Extension: (Scrabulizer Importer) - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default\Extensions\{ca96eaaa-e97d-4e54-b403-b7b5a8557fad}.xpi [2016-05-29]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR Profile: C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-21]
CHR Extension: (Google Docs) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-21]
CHR Extension: (Google Drive) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-21]
CHR Extension: (Scrabulizer Importer) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\bndkbbjdobgblibddjkdmecohdbbkbig [2015-10-22]
CHR Extension: (Google Search) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-28]
CHR Extension: (Google Cast (Beta)) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\dliochdbjfkdbacpmhlcpmleaejidimm [2016-04-13]
CHR Extension: (Google Play Music) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\fahmaaghhglfmonjliepjlchgpgfmobi [2016-08-31]
CHR Extension: (Google Sheets) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-21]
CHR Extension: (Google Docs Offline) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (Kindle Cloud Reader) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2016-03-22]
CHR Extension: (HP Network Check Helper) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\jkfpchpiljkaemlpmpebnglgkomamfeo [2016-08-08]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2016-08-05]
CHR Extension: (Qmee) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbaanpgkpkoamihninlcegnjclcpibde [2016-03-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Gmail) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-21]
CHR Extension: (Chrome Media Router) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-29]
CHR HKLM\...\Chrome\Extension: [ihdceheklapbalfikfdppfpgdgabaglp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jkfpchpiljkaemlpmpebnglgkomamfeo] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2854640 2016-07-31] (Microsoft Corporation)
R2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [809488 2016-07-31] (Garmin Ltd. or its subsidiaries)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-09-02] (SurfRight B.V.)
R2 HPSLPSVC; C:\Users\Steve\AppData\Local\Temp\7zS0187\hpslpsvc64.dll [1039360 2015-09-21] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [29728 2016-08-15] (HP Inc.)
R2 HPWMISVC; C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe [606224 2015-09-03] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [359856 2015-10-22] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-12-10] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [741640 2014-06-16] (DEVGURU Co., LTD.)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [340480 2015-10-22] (IDT, Inc.) [File not signed]
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [268912 2016-06-08] (Synaptics Incorporated)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7183632 2016-07-18] (TeamViewer GmbH)
S3 vmicvss; C:\Windows\System32\ICSvc.dll [511488 2015-10-30] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-07-01] (Microsoft Corporation)
R2 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.1.6.0\WsAppService.exe [388608 2016-01-28] (Wondershare) [File not signed]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\TunesGo\DriverInstall.exe" [X]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AndNetDiag; C:\Windows\system32\DRIVERS\lgandnetdiag64.sys [30720 2015-05-12] (LG Electronics Inc.)
S3 ANDNetModem; C:\Windows\system32\DRIVERS\lgandnetmodem64.sys [37376 2015-05-12] (LG Electronics Inc.)
R3 libusb0; C:\Windows\system32\DRIVERS\libusb0.sys [44480 2015-11-08] (hxxp://libusb-win32.sourceforge.net)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-09-02] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 netr28x; C:\Windows\system32\DRIVERS\netr28x.sys [2554528 2015-06-12] (MediaTek Inc.)
R3 rtbth; C:\Windows\System32\drivers\rtbth.sys [1219200 2015-10-21] (Ralink Technology, Corp.)
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [418008 2013-06-23] (Realsil Semiconductor Corporation)
S3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [410848 2015-10-22] (Realsil Semiconductor Corporation)
R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [74864 2016-06-08] (Synaptics Incorporated)
R1 tmcomm; C:\Windows\system32\DRIVERS\tmcomm.sys [316168 2015-12-24] (Trend Micro Inc.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 WirelessButtonDriver64; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30384 2015-06-23] (HP Inc.)
S3 WsAudioDevice_383; C:\Windows\system32\drivers\VirtualAudio.sys [31080 2015-07-30] (Wondershare)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2016-09-02] (Zemana Ltd.)
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)
2016-09-02 13:47 - 2016-09-02 13:47 - 00027025 _____ C:\Users\Steve\Downloads\FRST.txt
2016-09-02 13:47 - 2016-09-02 13:47 - 00000000 ____D C:\FRST
2016-09-02 13:44 - 2016-09-02 13:47 - 02397696 _____ (Farbar) C:\Users\Steve\Downloads\FRST64.exe
2016-09-02 11:32 - 2016-09-02 11:32 - 05660313 _____ (Swearware) C:\Users\Steve\Downloads\ComboFix.exe
2016-09-02 11:25 - 2016-09-02 11:25 - 01046602 _____ C:\Users\Steve\AppData\Local\census.cache
2016-09-02 11:24 - 2016-09-02 11:24 - 01152062 _____ C:\Users\Steve\AppData\Local\ars.cache
2016-09-02 11:20 - 2016-09-02 11:20 - 31930936 _____ (Adlice Software ) C:\Users\Steve\Downloads\setup.exe
2016-09-02 11:11 - 2016-09-02 11:11 - 00000010 _____ C:\Users\Steve\AppData\Local\sponge.last.runtime.cache
2016-09-02 11:03 - 2016-09-02 11:03 - 00000000 ____D C:\WINDOWS\Trend Micro
2016-09-02 11:03 - 2016-09-02 11:03 - 00000000 ____D C:\ProgramData\Trend Micro
2016-09-02 11:02 - 2016-09-02 11:02 - 02527376 _____ (Trend Micro Inc.) C:\Users\Steve\Downloads\HousecallLauncher64.exe
2016-09-02 11:02 - 2016-09-02 11:02 - 00000036 _____ C:\Users\Steve\AppData\Local\housecall.guid.cache
2016-09-02 11:02 - 2015-12-24 09:03 - 00316168 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys
2016-09-02 10:50 - 2016-09-02 10:50 - 00000000 ___HD C:\OneDriveTemp
2016-09-02 10:47 - 2016-09-02 13:47 - 00001944 _____ C:\Users\Steve\Desktop\Rkill.txt
2016-09-02 10:47 - 2016-09-02 10:47 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Steve\Downloads\rkill.exe
2016-09-02 10:36 - 2016-09-02 10:36 - 00000000 ____D C:\ProgramData\Sophos
2016-09-02 10:33 - 2016-09-02 10:33 - 00002775 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2016-09-02 10:33 - 2016-09-02 10:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2016-09-02 10:33 - 2016-09-02 10:33 - 00000000 ____D C:\Program Files (x86)\Sophos
2016-09-02 10:30 - 2016-09-02 13:47 - 00003718 _____ C:\WINDOWS\System32\Tasks\Da2946053129460531
2016-09-02 10:30 - 2016-09-02 10:31 - 152068736 _____ (Sophos Limited) C:\Users\Steve\Downloads\Sophos Virus Removal Tool.exe
2016-09-02 10:15 - 2016-09-02 10:15 - 00001239 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-09-02 10:15 - 2016-09-02 10:15 - 00001227 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-09-02 10:14 - 2016-09-02 10:14 - 00242136 _____ C:\Users\Steve\Downloads\Firefox Setup Stub 48.0.2.exe
2016-09-02 10:03 - 2016-09-02 13:47 - 00257048 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2016-09-02 10:03 - 2016-09-02 13:37 - 01608038 _____ C:\WINDOWS\ZAM.krnl.trace
2016-09-02 10:03 - 2016-09-02 13:37 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-09-02 10:03 - 2016-09-02 10:03 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2016-09-02 10:03 - 2016-09-02 10:03 - 00000000 ____D C:\Users\Steve\AppData\Local\Zemana
2016-09-02 09:57 - 2016-09-02 09:57 - 00005856 _____ C:\WINDOWS\system32\.crusader
2016-09-02 09:55 - 2016-09-02 10:03 - 05295424 _____ ( ) C:\Users\Steve\Downloads\Zemana.AntiMalware.Setup.exe
2016-09-02 09:52 - 2016-09-02 09:58 - 00000000 ____D C:\ProgramData\HitmanPro
2016-09-02 09:52 - 2016-09-02 09:52 - 00001973 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2016-09-02 09:52 - 2016-09-02 09:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2016-09-02 09:52 - 2016-09-02 09:52 - 00000000 ____D C:\Program Files\HitmanPro
2016-09-02 09:50 - 2016-09-01 14:45 - 00313856 _____ C:\Users\Steve\AppData\Local\settings.dll
2016-09-02 09:50 - 2016-09-01 14:45 - 00194048 _____ C:\Users\Steve\AppData\Local\carvell.exe
2016-09-02 08:59 - 2016-09-02 12:58 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-09-02 08:59 - 2016-09-02 09:30 - 00001176 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-02 08:59 - 2016-09-02 08:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-02 08:59 - 2016-09-02 08:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-09-02 08:59 - 2016-09-02 08:59 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-02 08:59 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-09-02 08:59 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-09-02 08:59 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-09-02 08:43 - 2016-09-02 08:43 - 00000000 _____ C:\WINDOWS\SysWOW64\${FILE_SN_DLL}
2016-09-02 08:39 - 2016-09-02 09:00 - 00000000 ____D C:\AdwCleaner
2016-09-02 08:38 - 2016-09-02 08:38 - 01950720 _____ C:\Users\Steve\Downloads\AdwCleaner Setup [1].exe
2016-09-02 07:38 - 2015-06-26 15:08 - 00294400 _____ (CodePlex Community) C:\Users\Steve\AppData\Local\Microsoft.Win32.TaskScheduler.dll
2016-09-02 00:59 - 2016-09-02 00:59 - 00000000 ____D C:\Program Files\Common Files\AV
2016-09-02 00:59 - 2015-07-28 17:52 - 00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe
2016-09-02 00:54 - 2016-09-02 13:29 - 00004166 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{AD70D64C-0206-4BBF-9812-33B4EE85FA46}
2016-09-02 00:30 - 2016-09-02 09:30 - 00001459 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2016-09-02 00:30 - 2016-09-02 09:30 - 00001453 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2016-09-02 00:30 - 2016-09-02 01:07 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2016-09-02 00:30 - 2016-09-02 00:59 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2016-09-02 00:30 - 2016-09-02 00:30 - 00000656 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2016-09-02 00:30 - 2016-09-02 00:30 - 00000628 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2016-09-02 00:30 - 2016-09-02 00:30 - 00000458 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
2016-09-02 00:30 - 2016-09-02 00:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2016-09-02 00:30 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2016-09-01 23:49 - 2016-09-02 00:49 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2016-09-01 23:48 - 2016-09-02 09:20 - 00000000 ____D C:\WINDOWS\pss
2016-09-01 19:12 - 2016-09-02 09:19 - 00000000 ____D C:\Users\Steve\AppData\Local\Apps\2.0
2016-09-01 14:45 - 2016-09-01 14:45 - 00313856 _____ C:\WINDOWS\settings.dll
2016-09-01 14:45 - 2016-09-01 14:45 - 00194048 _____ C:\WINDOWS\disappointment.exe
2016-09-01 07:37 - 2016-09-01 07:37 - 00359910 ____T C:\Users\Steve\Documents\Adoration Monthly Prayer Assignments.pdf
2016-08-31 21:14 - 2016-09-01 15:55 - 00000000 ___HD C:\WINDOWS\AxInstSV
2016-08-30 11:31 - 2016-09-02 13:39 - 00000688 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job
2016-08-30 11:31 - 2016-09-02 13:05 - 00000592 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job
2016-08-30 11:31 - 2016-08-30 11:31 - 00000000 ____D C:\Users\Steve\AppData\Local\Citrix
2016-08-30 11:30 - 2016-08-30 11:31 - 00321008 _____ (Citrix Online) C:\Users\Steve\Downloads\GoToWebinar Launcher(1).exe
2016-08-30 11:10 - 2016-08-30 11:10 - 00260929 _____ C:\Users\Steve\Downloads\8.1.2.5.rar
2016-08-29 08:35 - 2016-08-29 08:35 - 00000316 _____ C:\Users\Steve\Desktop\Apply For Johnson and Johnson Area Business Specialist, CNS (Cincinnati, Ohio) - Janssen Pharmaceuticals, Inc. job - Selling.URL
2016-08-27 20:43 - 2016-08-27 20:43 - 08136256 _____ (TeamViewer) C:\Users\Steve\Downloads\TeamViewerQS_en (1).exe
2016-08-27 20:42 - 2016-08-27 20:42 - 08136256 _____ (TeamViewer) C:\Users\Steve\Downloads\TeamViewerQS_en.exe
2016-08-26 15:22 - 2016-08-26 15:22 - 00000220 _____ C:\Users\Steve\Desktop\httpjohn15-5.adorationservants.org.URL
2016-08-23 12:56 - 2016-08-23 12:57 - 00355787 _____ C:\Users\Steve\Downloads\linkedin_connections_export_microsoft_outlook(1).csv
2016-08-22 18:46 - 2016-08-22 18:46 - 00322946 _____ C:\Users\Steve\Downloads\30+60+90+Day+Template+-+Final.pptx
2016-08-21 20:51 - 2016-08-21 21:16 - 00000000 ____D C:\Users\Steve\Desktop\New folder (4)
2016-08-20 11:38 - 2016-08-20 11:40 - 00341112 ____T C:\Users\Steve\Desktop\Walmart Pirelli P4 Four Seasons Plus.pdf
2016-08-19 09:05 - 2016-08-19 09:05 - 00073375 _____ C:\Users\Steve\Downloads\CMIT_Proforma_Sheet_2016(1).xlsx
2016-08-18 17:15 - 2016-08-18 17:15 - 00045730 _____ C:\Users\Steve\Desktop\fax rwb_worldwide_2016-08-18_21-07-44.pdf
2016-08-18 15:38 -
2016-08-18 15:38 - 05103963 _____ C:\Users\Steve\Downloads\996981530_28_IKOR_INTERNATIONAL_-_2016_FDD__V7__081816_506361674.pdf 2016-08-18 13:48 - 2016-09-02 10:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2016-08-18 12:28 - 2016-08-18 12:28 - 00000293 _____ C:\Users\Steve\Desktop\JLL Careers - Job details.URL 2016-08-18 10:45 - 2016-08-18 10:45 - 10813322 _____ C:\Users\Steve\Downloads\suck_less_search_pdf.pdf 2016-08-17 14:24 - 2016-08-17 14:24 - 00370807 ____T C:\Users\Steve\Desktop\fax test.pdf 2016-08-17 11:10 - 2016-08-17 11:10 - 00000000 ____D C:\Users\Steve\Documents\Franchise 2016-08-16 18:45 - 2016-08-16 18:45 - 20724029 _____ C:\Users\Steve\Downloads\Op-Manual-MP-C3003-C3503-C4503-C5503-C6003.pdf 2016-08-15 14:25 - 2016-08-15 14:25 - 00704872 _____ C:\Users\Steve\Documents\Scan0001.pdf 2016-08-15 10:32 - 2016-08-15 10:32 - 00073375 _____ C:\Users\Steve\Downloads\CMIT_Proforma_Sheet_2016.xlsx 2016-08-14 18:24 - 2016-08-14 18:24 - 00100675 _____ C:\Users\Steve\Downloads\SOI_List_Template.xlsx 2016-08-14 18:22 - 2016-08-14 18:22 - 01646604 _____ C:\Users\Steve\Downloads\CMIT_Solutions_Frequently_Asked_Questions.pdf 2016-08-14 18:20 - 2016-08-14 18:20 - 00330618 _____ C:\Users\Steve\Downloads\Managed_Services_Whitepaper.pdf 2016-08-14 18:15 - 2016-08-14 18:15 - 00146973 _____ C:\Users\Steve\Downloads\Initial_Investment_2016(1).pdf 2016-08-14 18:00 - 2016-08-14 18:00 - 00358442 _____ C:\Users\Steve\Downloads\Why_a_Business_Not_a_Job.pdf 2016-08-12 12:38 - 2016-08-12 12:38 - 00986528 _____ (Google Inc.) 
C:\Users\Steve\Downloads\GoogleVoiceAndVideoSetup.exe 2016-08-12 11:24 - 2016-08-12 11:25 - 12063336 _____ (Hewlett-Packard Company ) C:\Users\Steve\Downloads\sp76259.exe 2016-08-10 16:31 - 2016-08-10 16:31 - 18124829 _____ C:\Users\Steve\Downloads\RightatHomeinc.ppt 2016-08-09 20:12 - 2016-08-03 07:14 - 01505984 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll 2016-08-09 20:12 - 2016-08-03 07:14 - 00092352 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll 2016-08-09 20:12 - 2016-08-03 07:14 - 00050368 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe 2016-08-09 20:12 - 2016-08-03 06:36 - 07469408 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe 2016-08-09 20:12 - 2016-08-03 06:36 - 00099680 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pdc.sys 2016-08-09 20:12 - 2016-08-03 06:36 - 00037744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wldp.dll 2016-08-09 20:12 - 2016-08-03 06:30 - 00026408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe 2016-08-09 20:12 - 2016-08-03 06:23 - 00693600 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll 2016-08-09 20:12 - 2016-08-03 06:23 - 00115040 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll 2016-08-09 20:12 - 2016-08-03 06:22 - 00808288 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe 2016-08-09 20:12 - 2016-08-03 06:22 - 00465248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\storport.sys 2016-08-09 20:12 - 2016-08-03 06:22 - 00331616 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys 2016-08-09 20:12 - 2016-08-03 06:21 - 03675512 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll 2016-08-09 20:12 - 2016-08-03 06:21 - 00566112 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe 2016-08-09 20:12 - 2016-08-03 06:21 - 00303216 _____ (Microsoft Corporation) C:\WINDOWS\system32\LockAppHost.exe 2016-08-09 20:12 - 2016-08-03 06:20 - 
01540224 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll 2016-08-09 20:12 - 2016-08-03 06:20 - 00692136 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppwinob.dll 2016-08-09 20:12 - 2016-08-03 06:19 - 00604928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys 2016-08-09 20:12 - 2016-08-03 06:19 - 00161632 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys 2016-08-09 20:12 - 2016-08-03 06:13 - 01988448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys 2016-08-09 20:12 - 2016-08-03 06:13 - 00576864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys 2016-08-09 20:12 - 2016-08-03 06:13 - 00393056 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys 2016-08-09 20:12 - 2016-08-03 05:51 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdlrecover.exe 2016-08-09 20:12 - 2016-08-03 05:51 - 00084480 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll 2016-08-09 20:12 - 2016-08-03 05:46 - 22384128 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll 2016-08-09 20:12 - 2016-08-03 05:45 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthmodem.sys 2016-08-09 20:12 - 2016-08-03 05:44 - 00189952 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe 2016-08-09 20:12 - 2016-08-03 05:44 - 00063488 _____ (Microsoft Corporation) C:\WINDOWS\system32\wshbth.dll 2016-08-09 20:12 - 2016-08-03 05:44 - 00044544 _____ (Microsoft Corporation) C:\WINDOWS\system32\musdialoghandlers.dll 2016-08-09 20:12 - 2016-08-03 05:43 - 16985088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll 2016-08-09 20:12 - 2016-08-03 05:41 - 00128512 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthpan.sys 2016-08-09 20:12 - 2016-08-03 05:41 - 00112640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthenum.sys 2016-08-09 20:12 - 2016-08-03 05:41 - 00064000 _____ (Microsoft Corporation) 
C:\WINDOWS\system32\Windows.StateRepositoryClient.dll 2016-08-09 20:12 - 2016-08-03 05:41 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepositoryBroker.dll 2016-08-09 20:12 - 2016-08-03 05:40 - 00181248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rfcomm.sys 2016-08-09 20:12 - 2016-08-03 05:40 - 00127488 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEDataLayerHelpers.dll 2016-08-09 20:12 - 2016-08-03 05:40 - 00058880 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe 2016-08-09 20:12 - 2016-08-03 05:40 - 00047616 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmTasks.dll 2016-08-09 20:12 - 2016-08-03 05:39 - 00218624 _____ (Microsoft Corporation) C:\WINDOWS\system32\cdd.dll 2016-08-09 20:12 - 2016-08-03 05:39 - 00104448 _____ (Microsoft Corporation) C:\WINDOWS\system32\BluetoothApis.dll 2016-08-09 20:12 - 2016-08-03 05:38 - 00379392 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll 2016-08-09 20:12 - 2016-08-03 05:37 - 00110080 _____ (Microsoft Corporation) C:\WINDOWS\system32\IdCtrls.dll 2016-08-09 20:12 - 2016-08-03 05:36 - 00211456 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll 2016-08-09 20:12 - 2016-08-03 05:36 - 00198144 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll 2016-08-09 20:12 - 2016-08-03 05:35 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll 2016-08-09 20:12 - 2016-08-03 05:35 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUDFPlatform.dll 2016-08-09 20:12 - 2016-08-03 05:33 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEEventDispatcher.dll 2016-08-09 20:12 - 2016-08-03 05:31 - 00506880 _____ (Microsoft Corporation) C:\WINDOWS\system32\tileobjserver.dll 2016-08-09 20:12 - 2016-08-03 05:31 - 00247296 _____ (Microsoft Corporation) C:\WINDOWS\system32\wevtutil.exe 2016-08-09 20:12 - 2016-08-03 05:30 - 00515072 _____ (Microsoft Corporation) 
C:\WINDOWS\system32\OneDriveSettingSyncProvider.dll 2016-08-09 20:12 - 2016-08-03 05:29 - 14252544 _____ (Microsoft Corporation) C:\WINDOWS\system32\wmp.dll 2016-08-09 20:12 - 2016-08-03 05:29 - 02127360 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl 2016-08-09 20:12 - 2016-08-03 05:29 - 01500160 _____ (Microsoft Corporation) C:\WINDOWS\system32\RecoveryDrive.exe 2016-08-09 20:12 - 2016-08-03 05:29 - 01387520 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys 2016-08-09 20:12 - 2016-08-03 05:29 - 00954368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthport.sys 2016-08-09 20:12 - 2016-08-03 05:29 - 00784384 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll 2016-08-09 20:12 - 2016-08-03 05:29 - 00084992 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BTHUSB.SYS 2016-08-09 20:12 - 2016-08-03 05:28 - 01213440 _____ (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll 2016-08-09 20:12 - 2016-08-03 05:28 - 00848896 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll 2016-08-09 20:12 - 2016-08-03 05:27 - 07536640 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll 2016-08-09 20:12 - 2016-08-03 05:27 - 01717760 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll 2016-08-09 20:12 - 2016-08-03 05:27 - 00381952 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll 2016-08-09 20:12 - 2016-08-03 05:20 - 13390336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll 2016-08-09 20:12 - 2016-08-03 05:18 - 06974464 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll 2016-08-09 20:12 - 2016-08-03 05:18 - 02067968 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll 2016-08-09 20:12 - 2016-08-03 05:18 - 01388032 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll 2016-08-09 20:12 - 2016-08-03 05:17 - 02175488 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll 2016-08-09 20:12 - 2016-08-03 05:16 - 
05123072 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll 2016-08-09 20:12 - 2016-08-03 05:16 - 03589120 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys 2016-08-09 20:12 - 2016-08-03 05:16 - 02635776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll 2016-08-09 20:12 - 2016-08-03 05:16 - 01732096 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll 2016-08-09 20:12 - 2016-08-03 05:15 - 07833088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll 2016-08-09 20:12 - 2016-08-03 05:14 - 04895232 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll 2016-08-09 20:12 - 2016-08-03 05:14 - 01997824 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActiveSyncProvider.dll 2016-08-09 20:12 - 2016-08-03 05:13 - 03025920 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll 2016-08-09 20:12 - 2016-08-03 05:13 - 02280960 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll 2016-08-09 20:12 - 2016-08-03 05:12 - 02746368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepository.dll 2016-08-09 20:12 - 2016-08-03 05:11 - 04171264 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll 2016-08-09 20:12 - 2016-08-03 01:52 - 00034088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wldp.dll 2016-08-09 20:12 - 2016-08-03 01:34 - 00501592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll 2016-08-09 20:12 - 2016-08-03 01:34 - 00084832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll 2016-08-09 20:12 - 2016-08-03 01:33 - 00051128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SensorsNativeApi.dll 2016-08-09 20:12 - 2016-08-03 01:31 - 02921368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll 2016-08-09 20:12 - 2016-08-03 01:31 - 00957608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll 2016-08-09 20:12 - 2016-08-03 01:31 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe 2016-08-09 20:12 - 
2016-08-03 01:30 - 21123320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll 2016-08-09 20:12 - 2016-08-03 01:30 - 00465760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe 2016-08-09 20:12 - 2016-08-03 01:30 - 00255168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LockAppHost.exe 2016-08-09 20:12 - 2016-08-03 00:57 - 00091648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdlrecover.exe 2016-08-09 20:12 - 2016-08-03 00:48 - 00051712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wshbth.dll 2016-08-09 20:12 - 2016-08-03 00:47 - 13018112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll 2016-08-09 20:12 - 2016-08-03 00:44 - 00048640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepositoryClient.dll 2016-08-09 20:12 - 2016-08-03 00:44 - 00048128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepositoryBroker.dll 2016-08-09 20:12 - 2016-08-03 00:42 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BluetoothApis.dll 2016-08-09 20:12 - 2016-08-03 00:40 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\IdCtrls.dll 2016-08-09 20:12 - 2016-08-03 00:39 - 19351040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll 2016-08-09 20:12 - 2016-08-03 00:37 - 00219136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VEEventDispatcher.dll 2016-08-09 20:12 - 2016-08-03 00:35 - 00178688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wevtutil.exe 2016-08-09 20:12 - 2016-08-03 00:34 - 00792064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll 2016-08-09 20:12 - 2016-08-03 00:34 - 00400896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\OneDriveSettingSyncProvider.dll 2016-08-09 20:12 - 2016-08-03 00:33 - 18677760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll 2016-08-09 20:12 - 2016-08-03 00:33 - 02050048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl 2016-08-09 20:12 - 2016-08-03 00:33 - 00687616 _____ 
(Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll 2016-08-09 20:12 - 2016-08-03 00:32 - 12585984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wmp.dll 2016-08-09 20:12 - 2016-08-03 00:32 - 01467392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll 2016-08-09 20:12 - 2016-08-03 00:32 - 00434688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LogonController.dll 2016-08-09 20:12 - 2016-08-03 00:31 - 06743040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstscax.dll 2016-08-09 20:12 - 2016-08-03 00:31 - 00705536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll 2016-08-09 20:12 - 2016-08-03 00:29 - 12133376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll 2016-08-09 20:12 - 2016-08-03 00:28 - 03663360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll 2016-08-09 20:12 - 2016-08-03 00:25 - 05323776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll 2016-08-09 20:12 - 2016-08-03 00:25 - 04078080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll 2016-08-09 20:12 - 2016-08-03 00:23 - 05660672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll 2016-08-09 20:12 - 2016-08-03 00:23 - 01799680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll 2016-08-09 20:12 - 2016-08-03 00:22 - 02501120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll 2016-08-09 20:12 - 2016-08-03 00:22 - 01502208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll 2016-08-09 20:12 - 2016-08-03 00:21 - 01708032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ActiveSyncProvider.dll 2016-08-09 20:12 - 2016-08-03 00:19 - 02180096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepository.dll 2016-08-09 20:11 - 2016-08-03 06:22 - 01322760 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll 2016-08-09 20:11 - 2016-08-03 06:22 - 00058408 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorsNativeApi.dll 2016-08-09 20:11 - 2016-08-03 06:21 - 
22561256 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll 2016-08-09 20:11 - 2016-08-03 06:11 - 00422744 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rdbss.sys 2016-08-09 20:11 - 2016-08-03 05:40 - 00091136 _____ (Microsoft Corporation) C:\WINDOWS\system32\bthserv.dll 2016-08-09 20:11 - 2016-08-03 05:38 - 00412160 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll 2016-08-09 20:11 - 2016-08-03 05:36 - 00221696 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe 2016-08-09 20:11 - 2016-08-03 05:34 - 00383488 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll 2016-08-09 20:11 - 2016-08-03 05:33 - 00339968 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorService.dll 2016-08-09 20:11 - 2016-08-03 05:31 - 00359936 _____ (Microsoft Corporation) C:\WINDOWS\system32\SensorsApi.dll 2016-08-09 20:11 - 2016-08-03 05:30 - 24613888 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll 2016-08-09 20:11 - 2016-08-03 05:30 - 00970752 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll 2016-08-09 20:11 - 2016-08-03 05:28 - 00529920 _____ (Microsoft Corporation) C:\WINDOWS\system32\LogonController.dll 2016-08-09 20:11 - 2016-08-03 05:27 - 01752576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll 2016-08-09 20:11 - 2016-08-03 00:37 - 00335872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll 2016-08-09 20:11 - 2016-08-03 00:35 - 00286208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SensorsApi.dll 2016-08-09 20:11 - 2016-08-03 00:32 - 01526272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll 2016-08-09 15:30 - 2016-08-09 15:30 - 04211400 _____ C:\Users\Steve\Downloads\rwbworldwide.com.zip 2016-08-08 22:35 - 2016-08-08 22:35 - 00000000 ____D C:\Users\Steve\AppData\Roaming\KompoZer 2016-08-08 22:32 - 2016-08-08 22:33 - 07949158 _____ C:\Users\Steve\Downloads\kompozer-0.7.10-win32.zip 2016-08-08 22:14 - 2016-08-08 22:15 - 36263023 _____ 
C:\Users\Steve\Downloads\SeaMonkey Setup 2.40.exe 2016-08-08 17:34 - 2016-08-08 17:34 - 02960443 _____ C:\Users\Steve\Downloads\FranKit-Current.pdf 2016-08-08 11:03 - 2016-08-08 11:03 - 03142706 _____ C:\Users\Steve\Downloads\stormguardfdd2016.pdf 2016-08-07 18:46 - 2016-08-07 18:46 - 02263935 ____T C:\Users\Steve\Documents\The Villas of Park Place.pdf 2016-08-07 18:45 - 2016-08-07 18:45 - 02698170 _____ C:\Users\Steve\Documents\Park Place.pdf 2016-08-07 07:43 - 2016-08-07 07:43 - 00444272 _____ C:\Users\Steve\Downloads\Letter-of-Instruction-Update_Final.pdf 2016-08-05 08:44 - 2016-08-05 08:44 - 00146973 _____ C:\Users\Steve\Downloads\Initial_Investment_2016.pdf 2016-08-03 06:41 - 2016-08-03 06:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2016-09-02 13:43 - 2015-11-03 21:05 - 00000000 ____D C:\Users\Steve\Documents\Outlook Files 2016-09-02 13:08 - 2016-01-10 23:48 - 00000938 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2221598115-2109861328-2175321649-1001UA.job 2016-09-02 12:08 - 2016-01-10 23:48 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2221598115-2109861328-2175321649-1001Core.job 2016-09-02 10:56 - 2015-12-16 20:42 - 00973984 _____ C:\WINDOWS\system32\PerfStringBackup.INI 2016-09-02 10:56 - 2015-10-30 03:21 - 00000000 ____D C:\WINDOWS\INF 2016-09-02 10:50 - 2015-10-21 22:12 - 00000000 ___RD C:\Users\Steve\OneDrive 2016-09-02 10:49 - 2015-12-16 20:51 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2016-09-02 10:49 - 2015-12-16 20:40 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat 2016-09-02 10:49 - 2015-10-21 22:32 - 00000000 __SHD C:\Users\Steve\IntelGraphicsProfiles 2016-09-02 10:48 - 2015-10-30 02:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI 2016-09-02 10:37 - 2016-05-06 07:54 - 00000000 ____D 
C:\Users\Steve\Documents\RWBworldwide 2016-09-02 10:37 - 2015-10-21 18:01 - 00000000 ____D C:\Users\Steve\AppData\Local\Packages 2016-09-02 10:24 - 2016-03-18 13:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 2016-09-02 09:30 - 2016-06-23 23:36 - 00002529 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002493 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002488 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002487 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002451 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002450 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002444 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002430 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk 2016-09-02 09:30 - 2016-04-14 14:12 - 00002214 _____ C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Blue Jeans.lnk 2016-09-02 09:30 - 2016-02-11 19:32 - 00001087 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk 2016-09-02 09:30 - 2016-01-10 19:55 - 00002125 _____ C:\Users\Public\Desktop\GnuCash.lnk 2016-09-02 09:30 - 2015-12-17 17:28 - 00000970 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\I.R.I.S. 
OCR Registration.lnk 2016-09-02 09:30 - 2015-12-16 20:47 - 00001507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk 2016-09-02 09:30 - 2015-12-12 12:19 - 00001823 _____ C:\Users\Public\Desktop\iTunes.lnk 2016-09-02 09:30 - 2015-12-12 12:18 - 00002523 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk 2016-09-02 09:30 - 2015-12-07 22:54 - 00001035 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk 2016-09-02 09:30 - 2015-11-06 16:21 - 00001185 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass 2.lnk 2016-09-02 09:30 - 2015-10-25 18:40 - 00001908 _____ C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk 2016-09-02 09:30 - 2015-10-25 08:16 - 00002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk 2016-09-02 09:30 - 2015-10-22 22:46 - 00002259 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk 2016-09-02 09:30 - 2015-10-21 22:18 - 00002267 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2016-09-02 09:30 - 2015-10-21 22:14 - 00002417 _____ C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk 2016-09-02 09:30 - 2013-10-16 12:19 - 00001115 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Connected Music.lnk 2016-09-02 09:30 - 2013-10-16 12:15 - 00001378 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk 2016-09-02 09:30 - 2013-10-16 12:15 - 00001309 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk 2016-09-02 09:30 - 2013-10-16 12:08 - 00002481 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cozi Family Calendar.lnk 2016-09-02 09:29 - 2015-11-05 15:56 - 00001195 _____ C:\Users\Steve\Desktop\Kernel OST Viewer .lnk 2016-09-02 08:22 - 2013-10-16 12:12 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Communication and Chat 2016-09-02 
07:31 - 2015-10-21 18:01 - 00000000 ____D C:\Users\Steve\AppData\Local\VirtualStore 2016-09-01 20:27 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps 2016-09-01 20:27 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\AppReadiness 2016-09-01 19:33 - 2015-12-16 20:42 - 00000000 ____D C:\Users\Steve 2016-09-01 19:18 - 2016-01-21 17:11 - 00000362 _____ C:\WINDOWS\Tasks\HPCeeScheduleForSteve.job 2016-09-01 16:07 - 2015-11-04 16:06 - 00000000 ____D C:\Users\Steve\Documents\Resume Data 2016-09-01 15:51 - 2015-10-30 03:24 - 00000000 ___SD C:\WINDOWS\Downloaded Program Files 2016-09-01 15:27 - 2015-10-25 18:40 - 00000000 ____D C:\Users\Steve\AppData\Local\Spotify 2016-09-01 15:27 - 2015-10-25 18:39 - 00000000 ____D C:\Users\Steve\AppData\Roaming\Spotify 2016-08-31 22:37 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\appraiser 2016-08-31 22:37 - 2015-10-30 03:11 - 00000000 ____D C:\WINDOWS\CbsTemp 2016-08-30 22:14 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\NDF 2016-08-30 07:29 - 2015-11-06 18:36 - 00000000 ____D C:\Users\Steve\AppData\Roaming\KeePass 2016-08-30 07:29 - 2015-11-04 14:00 - 00000000 ____D C:\Users\Steve\Documents\KeePass2 2016-08-27 21:08 - 2015-10-30 03:24 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft 2016-08-27 21:07 - 2013-10-16 12:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Office 2016-08-27 20:58 - 2015-12-07 22:54 - 00000000 ____D C:\Users\Steve\AppData\Roaming\TeamViewer 2016-08-23 17:01 - 2016-01-12 14:55 - 00000000 ____D C:\Users\Steve\AppData\LocalLow\WebEx 2016-08-22 12:12 - 2015-10-22 22:45 - 00000000 ____D C:\Program Files (x86)\Opera 2016-08-19 11:08 - 2015-12-07 22:53 - 00000000 ____D C:\Program Files (x86)\TeamViewer 2016-08-12 15:55 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\rescache 2016-08-12 11:48 - 2015-11-13 08:35 - 00000000 ____D C:\Users\Steve\AppData\Roaming\Skype 2016-08-12 11:44 - 2015-09-10 01:42 - 00000000 __RHD C:\Users\Public\AccountPictures 2016-08-12 11:38 - 
2015-10-30 05:07 - 00000000 ____D C:\Program Files\Windows Journal 2016-08-12 11:38 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel 2016-08-12 10:49 - 2013-08-31 23:49 - 00000000 ____D C:\SWSetup 2016-08-12 00:07 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\SecureBootUpdates 2016-08-12 00:07 - 2015-10-22 20:49 - 00000000 ____D C:\WINDOWS\system32\MRT 2016-08-11 23:59 - 2015-10-22 20:49 - 147640136 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe 2016-08-10 13:22 - 2016-03-04 23:09 - 00000000 ____D C:\Users\Steve\Desktop\Mojo Web Site 2016-08-08 22:19 - 2016-03-18 13:27 - 00000000 ____D C:\Users\Steve\AppData\Local\Mozilla 2016-08-08 22:19 - 2016-01-12 14:55 - 00000000 ____D C:\Users\Steve\AppData\Roaming\Mozilla 2016-08-05 09:41 - 2016-01-12 14:55 - 00000000 ____D C:\ProgramData\WebEx 2016-08-03 06:41 - 2015-11-08 17:57 - 00000000 ____D C:\Program Files (x86)\Garmin 2016-08-03 06:41 - 2015-10-22 20:00 - 00000000 ____D C:\ProgramData\Package Cache ==================== Files in the root of some directories ======= 2015-11-11 16:38 - 2015-11-11 16:38 - 0025553 _____ () C:\Users\Steve\AppData\Roaming\Comma Separated Values.ADR 2016-07-04 20:24 - 2016-07-04 20:24 - 0000000 _____ () C:\Users\Steve\AppData\Roaming\WbspInstallerTempFileToBeDeleted.txt 2016-09-02 11:24 - 2016-09-02 11:24 - 1152062 _____ () C:\Users\Steve\AppData\Local\ars.cache 2016-09-02 09:50 - 2016-09-01 14:45 - 0194048 _____ () C:\Users\Steve\AppData\Local\carvell.exe 2016-09-02 11:25 - 2016-09-02 11:25 - 1046602 _____ () C:\Users\Steve\AppData\Local\census.cache 2016-09-02 11:02 - 2016-09-02 11:02 - 0000036 _____ () C:\Users\Steve\AppData\Local\housecall.guid.cache 2016-09-02 07:38 - 2015-06-26 15:08 - 0294400 _____ (CodePlex Community) C:\Users\Steve\AppData\Local\Microsoft.Win32.TaskScheduler.dll 2016-01-10 20:25 - 2016-01-10 20:25 - 0001780 _____ () C:\Users\Steve\AppData\Local\recently-used.xbel 2016-09-02 09:50 - 2016-09-01 14:45 - 0313856 _____ () 
C:\Users\Steve\AppData\Local\settings.dll 2016-09-02 11:11 - 2016-09-02 11:11 - 0000010 _____ () C:\Users\Steve\AppData\Local\sponge.last.runtime.cache 2015-12-17 17:28 - 2015-12-17 17:28 - 0000057 _____ () C:\ProgramData\Ament.ini Some files in TEMP: ==================== C:\Users\Steve\AppData\Local\Temp\HPInstaller.exe C:\Users\Steve\AppData\Local\Temp\jre-8u91-windows-au.exe C:\Users\Steve\AppData\Local\Temp\libeay32.dll C:\Users\Steve\AppData\Local\Temp\msvcr120.dll C:\Users\Steve\AppData\Local\Temp\SkypeSetup.exe C:\Users\Steve\AppData\Local\Temp\sqlite3.dll ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\wininit.exe => File is digitally signed C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2016-08-31 22:37 ==================== End of FRST.txt ============================ Link to post Share on other sites More sharing options...
SteveE Posted September 2, 2016 Author ID:1059865 Addition Notepad dump:
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by Steve (02-09-2016 13:48:28)
Running from C:\Users\Steve\Downloads
Windows 10 Home Version 1511 (X64) (2015-12-17 00:54:42)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-2221598115-2109861328-2175321649-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2221598115-2109861328-2175321649-503 - Limited - Disabled)
Guest (S-1-5-21-2221598115-2109861328-2175321649-501 - Limited - Disabled)
Steve (S-1-5-21-2221598115-2109861328-2175321649-1001 - Administrator - Enabled) => C:\Users\Steve
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Reader XI (11.0.17) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.17 - Adobe Systems Incorporated)
ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
Apple Application Support (32-bit) (HKLM-x32\...\{C5815ACF-FD34-4553-8A22-C7411B7E662B}) (Version: 4.1.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{CBF12D2F-CF64-4CB7-858B-2C1F21068E5F}) (Version: 4.1.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.) Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.) ArcSoft Family Paint (HKLM-x32\...\{8393D59B-D45F-470B-90EB-EEA15E664AE7}) (Version: 1.0.5.243 - ArcSoft) Audacity 2.1.0 (HKLM-x32\...\Audacity_is1) (Version: 2.1.0 - Audacity Team) Azkend 2: The World Beneath (x32 Version: 2.2.0.98 - WildTangent) Hidden Blue Jeans (HKLM-x32\...\{12E34510-9DBD-457A-8645-5E12956602E9}) (Version: 1.10.22 - Blue Jeans) Bob the Builder Can-Do-Zoo (x32 Version: 2.2.0.95 - WildTangent) Hidden Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.) Bookworm Adventures Volume 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden Byki (x32 Version: 4.0 - Transparent Language, Inc.) Hidden Byki Express (HKLM-x32\...\Byki Express) (Version: 4.1 - Transparent Language, Inc.) ChromecastApp (HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\{079ede36-133d-44b0-8053-c7c1fa8d2e0d}_is1) (Version: 1.5.1693.0 - Google Inc.) Cisco WebEx Meetings (HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC) Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix) Cozi (HKLM-x32\...\{EC8228E5-80A1-42EE-BA03-DE19D8D5A1E0}) (Version: 2.0.8722.42485 - Cozi Group, Inc.) 
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden DISH Anywhere Slingplayer Installer (x32 Version: 1.1.0.384 - Sling Media) Hidden DISH Anywhere Video Player (HKLM-x32\...\{19A59152-3EA7-4631-9A11-5D2DBEF29780}) (Version: 2.29.3 - DISH Anywhere) DishAnywhereDesktop (HKLM-x32\...\{64ce7194-0a6e-4b76-90e5-432d8106504f}) (Version: 1.1.0.384 - Sling Media) Elevated Installer (x32 Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Hidden Garmin Communicator Plugin (HKLM-x32\...\{71DBFBF2-F7EB-4268-8485-9471D83C4E66}) (Version: 4.2.0 - Garmin Ltd or its subsidiaries) Garmin Communicator Plugin x64 (HKLM\...\{70A381F1-C161-4D61-A20C-BE12FC6777DF}) (Version: 4.2.0 - Garmin Ltd or its subsidiaries) Garmin Express (HKLM-x32\...\{686d881a-083e-4030-80db-52c493bf89d3}) (Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Garmin Express (x32 Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Hidden Garmin Express Tray (x32 Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Hidden GnuCash 2.6.9 (HKLM-x32\...\GnuCash_is1) (Version: - GnuCash Development Team) Google Chrome (HKLM-x32\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.) Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden GoToMeeting 7.22.0.5506 (HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\GoToMeeting) (Version: 7.22.0.5506 - CitrixOnline) Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.14.265 - SurfRight B.V.) HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: 1.0 - Meridian Audio Ltd) HP Documentation (HKLM-x32\...\{5F852577-14FC-4C5D-9279-CFA90D712FCB}) (Version: 1.1.0.0 - Hewlett-Packard) HP Officejet Pro 8610 Basic Device Software (HKLM\...\{39DA3F40-0B9E-4002-8E01-108FEC9EFE43}) (Version: 32.3.198.49673 - Hewlett-Packard Co.) 
HP Officejet Pro 8610 Help (HKLM-x32\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard) HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7045.4591 - Hewlett-Packard) HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.3.34.7 - Hewlett-Packard Company) HP Support Solutions Framework (HKLM-x32\...\{F6A11738-3EE4-4573-AEA5-6CD5D491C167}) (Version: 12.5.32.37 - Hewlett-Packard Company) HP System Event Utility (HKLM-x32\...\{6B1ECC61-B581-400D-BFAF-101B1AAEA5AB}) (Version: 1.4.7 - Hewlett-Packard Company) HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard) HP Utility Center (HKLM\...\{AED1C141-3AFC-47FE-AE90-C820AA60B103}) (Version: 2.2.5 - Hewlett-Packard Company) HP Wireless Button Driver (HKLM-x32\...\{EFA01423-3857-468C-B7B6-F30AA08E50BC}) (Version: 1.1.5.1 - Hewlett-Packard) I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP) IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6498.0 - IDT) Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.23.1766 - Intel Corporation) Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.15.4248 - Intel Corporation) Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation) iTunes (HKLM\...\{0D44E3A4-6C3D-45D7-B443-079509E5BE5D}) (Version: 12.3.2.35 - Apple Inc.) Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation) KeePass Password Safe 2.34 (HKLM-x32\...\KeePassPasswordSafe2_is1) (Version: 2.34 - Dominik Reichl) Kernel OST Viewer ver 15.0 (HKLM-x32\...\Kernel OST Viewer_is1) (Version: - Lepide Software Pvt.Ltd.) 
King Oddball (x32 Version: 3.0.2.48 - WildTangent) Hidden LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - ) LG Mobile Driver (HKLM-x32\...\{3F490D0E-3131-438C-BCF9-7549CB88DF41}) (Version: 4.0.4 - LG Electronics) LG USB WML Modem Driver (HKLM-x32\...\{FBA0CA60-8BF2-4381-B819-74F020E165A9}) (Version: 1.0 - LG Electronics) LinuxLive USB Creator (HKLM-x32\...\LinuxLive USB Creator) (Version: 2.9 - Thibaut Lauziere) Logitech Harmony Remote Software 7 (HKLM-x32\...\{5C6F884D-680C-448B-B4C9-22296EE1B206}) (Version: 7.7.0.0 - Logitech) Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes) Microsoft Network Monitor 3.4 (HKLM\...\{8C5B5A11-CBF8-451B-B201-77FAB0D0B77D}) (Version: 3.4.2350.0 - Microsoft Corporation) Microsoft Network Monitor: NetworkMonitor Parsers 3.4 (HKLM\...\{963E5FEB-1367-46B9-851D-A957F1A3747F}) (Version: 3.4.2350.0 - Microsoft Corporation) Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.6741.2063 - Microsoft Corporation) Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 
(HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{650c9b4a-60ec-4e4e-8d8e-32d85ce3b7c5}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation) Monopoly version 1.00.00.594394 (HKLM-x32\...\{d176ba37-928e-4b25-9a62-78b2c73331f8}_is1) (Version: 1.00.00.594394 - EA) Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Mozilla Firefox 48.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 48.0.2 (x86 en-US)) (Version: 48.0.2 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 48.0.2 - Mozilla) MyFFVideoConverter (HKLM-x32\...\MyFFVideoConverter) (Version: 1.0.0.0 - Pergel.hu) Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6701.1036 - Microsoft Corporation) Hidden Office 16 Click-to-Run Licensing Component (Version: 16.0.6701.1036 - Microsoft Corporation) Hidden Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6701.1036 - Microsoft Corporation) Hidden Opera Stable 39.0.2256.48 (HKLM-x32\...\Opera 39.0.2256.48) (Version: 39.0.2256.48 - Opera Software) PdaNet+ for Android 4.18 (HKLM-x32\...\PdaNet_is1) (Version: - June Fabrics Technology Inc) Product Improvement Study for HP Officejet Pro 8610 
(HKLM\...\{D2064264-3162-4DB1-AFE0-167BEFBBCD9C}) (Version: 32.3.198.49673 - Hewlett-Packard Co.) Ralink Bluetooth Stack64 (HKLM\...\{8A2E2A41-B814-407E-2F96-4E433C42AB78}) (Version: 11.0.739.0 - Mediatek) Ralink RT3290 802.11bgn Wi-Fi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 5.0.57.0 - Mediatek) Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 3375.110 - Realtek Semiconductor Corp.) Remote Control USB Driver (HKLM-x32\...\{8471021C-F529-43DE-84DF-3612E10F58C4}) (Version: 2.3.2.317 - ) SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.45.0 - SAMSUNG Electronics Co., Ltd.) SimplePiano (remove only) (HKLM-x32\...\SimplePiano) (Version: - ) Skype™ 7.24 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.24.104 - Skype Technologies S.A.) Slingplayer for Web Installer (x32 Version: 1.2.7.358 - Sling Media) Hidden SlingplayerForWeb (HKLM-x32\...\{62a74667-8e59-4fbc-9417-ad041a630066}) (Version: 1.2.7.358 - Sling Media) Sophos Virus Removal Tool (HKLM-x32\...\{B829E117-D072-41EA-9606-9826A38D34C1}) (Version: 2.5.6 - Sophos Limited) Spotify (HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Spotify) (Version: 1.0.36.124.g1cba1920 - Spotify AB) Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.) swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden Synaptics ClickPad Driver (HKLM\...\SynTPDeinstKey) (Version: 19.2.4.0 - Synaptics Incorporated) TeamViewer 11 (HKLM-x32\...\TeamViewer) (Version: 11.0.63017 - TeamViewer) Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent) WildTangent Games App (HP Games) (x32 Version: 4.0.10.15 - WildTangent) Hidden Windows Driver Package - Dynastream Innovations, Inc. 
ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.) Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software) Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll (Google Inc.) CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\FileCoAuth.exe (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Steve\AppData\Local\Citrix\GoToMeeting\5174\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.) 
CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll (Google Inc.) ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {02940F68-90D9-4A70-A697-F289725B9E7E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater - Resources => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.) Task: {09B5AFF5-1A79-4F6D-AD61-6B041D41507A} - \Synaptics TouchPad Enhancements -> No File <==== ATTENTION Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList Task: {19828BE8-181C-452A-B2CA-A663B7508256} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.) 
Task: {1C00B6DA-E484-4A1D-BFE4-392CCE973648} - \G2MUploadTask-S-1-5-21-2221598115-2109861328-2175321649-1001 -> No File <==== ATTENTION Task: {22B7E457-7638-498A-94FE-9E21DD13EDCB} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-08-11] (Microsoft Corporation) Task: {2CD6933B-BD41-48D9-AB85-D8CC92744C26} - \GoogleUpdateTaskUserS-1-5-21-2221598115-2109861328-2175321649-1001Core -> No File <==== ATTENTION Task: {33BAA670-48FD-48A8-8512-465295168F88} - \GarminUpdaterTask -> No File <==== ATTENTION Task: {34531691-08A3-4A87-A36E-9F03BDFFA2E7} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-08-18] (HP Inc.) Task: {416B6139-AA5C-4ECB-B381-C5564FF5E2E4} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-08-01] (Microsoft Corporation) Task: {42C98737-909E-4866-B1DE-8D8ED0112F4C} - \HPCustParticipation HP Officejet Pro 8610 -> No File <==== ATTENTION Task: {4DB8C1C5-8D00-4875-A972-205919238805} - \G2MUpdateTask-S-1-5-21-2221598115-2109861328-2175321649-1001 -> No File <==== ATTENTION Task: {64EBB7B5-8BBA-4FE0-AA13-36001163FB3F} - \HPCeeScheduleForSteve -> No File <==== ATTENTION Task: {65070F86-0DC9-4AEA-95A0-CD526D6F2D76} - \Opera scheduled Autoupdate 1445568390 -> No File <==== ATTENTION Task: {752D4054-9117-4B7B-A37A-CA3878C2273B} - \Optimize Start Menu Cache Files-S-1-5-21-2221598115-2109861328-2175321649-500 -> No File <==== ATTENTION Task: {7FB4B434-7419-4521-BFEA-F8D6412A9B27} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.) 
Task: {8C8DE422-B1F3-4111-BB17-12967A473981} - \Adobe Acrobat Update Task -> No File <==== ATTENTION Task: {8DEA4D00-71B2-420A-A54B-D03F8688A6DF} - \GoogleUpdateTaskUserS-1-5-21-2221598115-2109861328-2175321649-1001UA -> No File <==== ATTENTION Task: {91BA9673-BAB4-4444-85B3-EF5AE916E305} - \SmartShare -> No File <==== ATTENTION Task: {A80D1B14-C64A-41A4-AC89-612DCBE6868D} - System32\Tasks\Da2946053129460531 => C:\Users\Steve\AppData\Local\carvell.exe [2016-09-01] () Task: {C43C2F13-4750-4A0E-AF71-0F0EAFF61B21} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2016-08-01] (Microsoft Corporation) Task: {C6C8FAB5-0C14-4FEC-BD19-05853FFEDE8A} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-08-01] (Microsoft Corporation) Task: {C87FCA00-2EFA-4C61-A767-895BCD6A2A48} - \OneDrive Standalone Update Task -> No File <==== ATTENTION Task: {E7AFCA96-4884-491D-B6F7-A9167FD50090} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-05-09] (Hewlett-Packard) Task: {EC1AFA24-5230-44CD-80AF-CFD3C34A4C5F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.) 
Task: {EDBAACA4-47AE-4CF3-93CD-F010AD96C017} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-07-31] (Microsoft Corporation) Task: {FE990390-F3B7-47A8-AC8E-3CC4F908F443} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-07-31] (Microsoft Corporation) Task: {FEDC2C76-EB0B-4775-B0AD-CA609B77678D} - \Optimize Start Menu Cache Files-S-1-5-21-2221598115-2109861328-2175321649-1001 -> No File <==== ATTENTION (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job => C:\Users\Steve\AppData\Local\Citrix\GoToMeeting\5506\g2mupdate.exe Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job => C:\Users\Steve\AppData\Local\Citrix\GoToMeeting\5506\g2mupload.exe Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2221598115-2109861328-2175321649-1001Core.job => C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2221598115-2109861328-2175321649-1001UA.job => C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\WINDOWS\Tasks\HPCeeScheduleForSteve.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => Task: C:\WINDOWS\Tasks\Synaptics TouchPad Enhancements.job => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe ==================== Shortcuts ============================= (The entries could be 
listed to be restored or removed.) ==================== Loaded Modules (Whitelisted) ============== 2015-10-30 03:17 - 2015-10-30 03:17 - 00028672 _____ () C:\WINDOWS\SYSTEM32\efsext.dll 2015-10-30 03:18 - 2015-10-30 03:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll 2015-11-20 15:57 - 2015-11-20 15:57 - 00085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll 2015-11-20 15:57 - 2015-11-20 15:57 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll 2016-05-08 08:23 - 2016-07-31 05:48 - 00173248 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll 2016-07-13 07:37 - 2016-07-01 00:48 - 02656408 _____ () C:\WINDOWS\system32\CoreUIComponents.dll 2015-10-22 20:58 - 2015-10-22 20:58 - 00404912 _____ () C:\WINDOWS\system32\igfxTray.exe 2016-07-13 07:37 - 2016-07-01 00:48 - 02656408 _____ () C:\WINDOWS\System32\CoreUIComponents.dll 2016-08-22 20:49 - 2016-08-22 20:49 - 01864384 _____ () C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\amd64\ClientTelemetry.dll 2016-05-08 08:27 - 2016-07-31 09:27 - 08919240 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll 2016-04-19 07:16 - 2016-04-19 07:16 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe 2015-11-23 07:08 - 2015-09-03 15:44 - 01058616 _____ () C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe 2016-07-13 07:37 - 2016-06-30 23:27 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll 2016-07-13 07:37 - 2016-06-30 23:21 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll 2016-07-13 07:37 - 2016-06-30 23:22 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll 2016-07-13 07:37 - 2016-06-30 23:24 - 04089856 _____ () 
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll 2015-12-18 07:52 - 2015-12-07 00:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll 2016-07-13 07:39 - 2016-06-30 23:48 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll 2016-07-19 09:01 - 2016-07-19 09:01 - 01024720 _____ () C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7341.57671.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll 2016-08-24 06:52 - 2016-08-24 06:53 - 00150728 _____ () C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7341.57671.0_x64__8wekyb3d8bbwe\textinputdriver.dll 2016-08-24 06:52 - 2016-08-24 06:53 - 00655560 _____ () C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7341.57671.0_x64__8wekyb3d8bbwe\SignalRClient_winapp.dll 2016-06-03 07:05 - 2016-06-03 07:06 - 00173056 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.11.7293.0_x64__8wekyb3d8bbwe\CellNativeClientUniversal.dll 2016-07-01 07:06 - 2016-07-01 07:07 - 04108184 _____ () C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.0.1606.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.dll 2016-03-15 07:21 - 2016-03-15 07:21 - 03128832 _____ () C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.11.7293.0_x64__8wekyb3d8bbwe\Avatars.dll 2016-08-16 06:46 - 2016-08-16 06:47 - 00017408 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe 2016-08-16 06:46 - 2016-08-16 06:47 - 13475840 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll 2016-06-03 07:04 - 2016-06-03 07:05 - 00680448 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\Microsoft.DesignCore.dll 2016-03-04 08:27 - 2016-03-04 08:28 - 00291328 _____ () C:\Program 
Files\WindowsApps\Microsoft.Windows.Photos_16.722.10060.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll 2016-08-24 06:53 - 2016-08-24 06:53 - 00071872 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7167.40721.0_x64__8wekyb3d8bbwe\icui18n56.dll 2016-08-24 06:53 - 2016-08-24 06:53 - 04028608 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7167.40721.0_x64__8wekyb3d8bbwe\gfxim.dll 2016-08-25 17:57 - 2016-08-25 17:57 - 03763712 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1608.2213.0_x64__8wekyb3d8bbwe\Calculator.exe 2016-07-31 14:54 - 2016-07-31 14:54 - 00073216 _____ () C:\Program Files (x86)\Garmin\Device Interaction Service\FixBootSector.dll 2016-09-02 00:30 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl 2016-09-02 00:30 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl 2016-09-02 00:30 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl 2016-09-02 00:30 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll 2016-09-02 00:30 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll 2016-05-08 08:27 - 2016-07-31 07:57 - 08919232 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\1033\GrooveIntlResource.dll 2016-04-19 07:16 - 2016-04-19 07:16 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll 2016-04-19 07:16 - 2016-04-19 07:17 - 22284800 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkyWrap.dll 2016-08-22 20:49 - 2016-08-22 20:49 - 01383616 _____ () C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\ClientTelemetry.dll 2016-08-22 20:49 - 2016-08-22 20:49 - 00118976 _____ () 
C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\FileSyncViews.dll 2015-01-13 16:45 - 2015-01-13 16:45 - 40578048 _____ () C:\Program Files (x86)\DishAnywhereDesktop\libcef.dll 2015-12-03 11:21 - 2015-12-03 11:21 - 40578048 _____ () C:\Program Files (x86)\Sling Media\SlingplayerForWeb\libcef.dll 2015-01-13 16:45 - 2015-01-13 16:45 - 01920000 _____ () C:\Program Files (x86)\DishAnywhereDesktop\ffmpegsumo.dll 2015-12-03 11:21 - 2015-12-03 11:21 - 01920000 _____ () C:\Program Files (x86)\Sling Media\SlingplayerForWeb\ffmpegsumo.dll 2015-11-28 18:26 - 2013-12-10 08:27 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) ==================== Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) IE trusted site: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\garmin.com -> hxxps://my.garmin.com IE trusted site: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\wordle.net -> hxxps://www.wordle.net ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 
2013-08-22 09:25 - 2016-09-02 07:37 - 00001010 ____A C:\WINDOWS\system32\Drivers\etc\hosts 127.0.0.1 down.baidu2016.com 127.0.0.1 123.sogou.com 127.0.0.1 www.czzsyzgm.com 127.0.0.1 www.czzsyzxl.com 127.0.0.1 union.baidu2019.com ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\Control Panel\Desktop\\Wallpaper -> DNS Servers: 192.168.1.1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) Windows Firewall is enabled. ==================== MSCONFIG/TASK MANAGER disabled items == (Currently there is no automatic fix for this section.) HKLM\...\StartupApproved\Run: => "faribault" HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk" HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\StartupApproved\Run: => "IRS12AUC0C" HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\StartupApproved\Run: => "kozma" ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{76F6D9EC-26C1-45A3-A3E0-45746147D442}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{5426E4B7-480B-4E97-A12F-AF43AB344813}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{D3F06588-1AD9-4A72-964B-2B5157E8FFF9}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{A93BE479-007B-4E7A-A4B6-9BB64330B239}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{AA6D6E77-0DD9-4BE7-B3E1-9ECF53C1C194}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7794176B-3A48-4942-9823-6CB54A84107D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{2663DD07-706F-4A66-A4A2-A20CA8858A85}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{AEE6B7E2-812B-49DB-AB8B-6158F0B93316}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{B5C08E6F-44BA-4199-B7F9-D50C55AF35E1}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [UDP Query User{04FF4C40-77D5-4517-911B-A16A9660251E}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{E8594489-F06F-479F-82E3-EA718C0343F7}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{13D6C8F6-2B68-4396-94F9-E5EAA95392B2}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [TCP Query User{9B7D2E36-3DCE-43C3-A3A3-6CD927A29505}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{33BAFCD6-19FC-4FC0-8538-535993D55E2E}C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe] => (Allow) C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe
FirewallRules: [TCP Query User{169CBFA5-8F9E-4F64-BDD7-78533CF12835}C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe] => (Allow) C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe
FirewallRules: [UDP Query User{1B609FA4-2A12-489E-AF41-31F799CD7E48}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe
FirewallRules: [TCP Query User{CD46FD49-A72F-45F6-91BC-F336A7E2E6DC}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe
FirewallRules: [{18C07216-136D-45D6-8B77-239F92B7E7E6}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [UDP Query User{D6F6B990-1C63-4358-8217-D90F8F52F3A0}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{E2A84E87-396A-4848-A0E1-15A19FE00D59}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe
FirewallRules: [{C05ACE9A-7119-483F-9190-D9D71F251374}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{215B4E2E-C7D9-4692-A521-217B33FCD927}] => (Allow) LPort=2869
FirewallRules: [{30CE10FE-CC1B-4D6F-A476-50D356714537}] => (Allow) LPort=1900
FirewallRules: [{1996AE36-20AC-4A67-84CB-B7914FD961D2}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{26AF7472-CA24-4BA4-A633-6D331160BDBA}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe
FirewallRules: [{E55B12EE-99C1-4969-83E3-A8BAA0969E1B}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{65AD5E75-BC55-4CBC-B25C-ABB78B3BDF8B}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe
FirewallRules: [{979C2B52-B08D-462E-9968-789BF25D90EF}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{60B1080B-AD9D-47A1-AC73-602E5103D53B}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe
FirewallRules: [{36DA00D6-A3E7-4EB0-950C-3057936977EA}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{13848EEA-76BA-461B-A4E8-5D53D7038675}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{D0130353-D5B9-4ED6-9799-0937A4F4F65D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{0BDF3FBB-9088-4691-BA0B-260BBA5E0004}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{094EE917-BB3A-492D-BC14-53F6193B30A0}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{C4FF9712-60D5-4B9F-897C-280E5C28A247}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{267AEAB5-A5A2-4AE7-8DCC-D276343177C5}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zS0187\hppiw.exe
FirewallRules: [{8335D25B-B2BB-46B7-BDC0-F8DE581A3F95}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zS0187\hppiw.exe
FirewallRules: [{E3B63B22-5170-400B-8296-D88307D406C6}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\FaxApplications.exe
FirewallRules: [{9B61F742-F736-4F3E-9B96-D0E01E7E8B02}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\DigitalWizards.exe
FirewallRules: [{3BAF6F9D-62CA-4136-B57A-17CD96307727}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\SendAFax.exe
FirewallRules: [{31232DA8-0DD8-4398-AC6B-8856771CD2E6}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\Bin\DeviceSetup.exe
FirewallRules: [{290C13A9-4916-4975-A84C-33F6457515FF}] => (Allow) LPort=5357
FirewallRules: [{67B529A1-8EBB-4A25-B62D-788CBF8C9289}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [TCP Query User{E69FCBC5-041F-4281-B28C-844E8B6C70AA}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe
FirewallRules: [UDP Query User{91E22D2F-FBC5-484E-AA4B-A02C7A327DC8}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe
FirewallRules: [{6FED3A5F-9677-4430-84DC-8F236D46F8C7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7BFB8633-26D5-4466-AFF1-1C51787B8EEC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{846F6B5E-7233-46F0-8EE3-79C0A30E89B2}C:\program files (x86)\sling media\slingplayerforweb\slingplayerforweb.exe] => (Allow) C:\program files (x86)\sling media\slingplayerforweb\slingplayerforweb.exe
FirewallRules: [UDP Query User{448498B2-47B4-4E84-AE17-8B976069D332}C:\program files (x86)\sling media\slingplayerforweb\slingplayerforweb.exe] => (Allow) C:\program files (x86)\sling media\slingplayerforweb\slingplayerforweb.exe
FirewallRules: [TCP Query User{D8FA3EA8-20F4-44D0-9DE7-2B8BB981F2DE}C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe] => (Allow) C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe
FirewallRules: [UDP Query User{EFF5C9B9-1671-4551-8BF4-6D1EB3D39866}C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe] => (Allow) C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe
FirewallRules: [{891D766F-2040-41BD-9A23-A0B6374E16B9}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zS459F\HPDiagnosticCoreUI.exe
FirewallRules: [{F2578D8B-95ED-4217-BC90-D5E6B90DE9B9}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zS459F\HPDiagnosticCoreUI.exe
FirewallRules: [{F4880976-7F09-4380-921B-7AA9A354CF31}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{2329453D-F21C-4BD1-9880-2C5291263F5D}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{BC2D753F-C4B0-4984-8549-957C5EB0AC1F}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{4363EEBC-84FA-4C24-B0E6-C3B23CC46064}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{2D9A3BFE-FB4E-4BE2-8192-EFD5B0376D33}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [TCP Query User{0A811D6F-368D-4B5D-A22E-A4998D7F051B}C:\program files (x86)\mozilla firefox\plugin-container.exe] => (Allow) C:\program files (x86)\mozilla firefox\plugin-container.exe
FirewallRules: [UDP Query User{7AD2BC93-7F4A-4BEE-9F76-FA0B570132E3}C:\program files (x86)\mozilla firefox\plugin-container.exe] => (Allow) C:\program files (x86)\mozilla firefox\plugin-container.exe
FirewallRules: [{CD295A4B-C521-478A-99F7-860F17572EB4}] => (Allow) C:\Program Files (x86)\LG Software\LG Smart Share\DMS\SmartShareDMS.exe
FirewallRules: [{BC54E356-BE60-4289-8ABC-9EDA361608E2}] => (Allow) C:\Program Files (x86)\LG Software\LG Smart Share\DMS\SmartShareDMS.exe
FirewallRules: [{D47099B2-3777-4224-AE1F-8C9713BD81D9}] => (Allow) C:\Program Files (x86)\LG Software\LG Smart Share\DMR\SmartShareDMR.exe
FirewallRules: [{1BDBF9CA-24BA-4317-932B-26D921A94C54}] => (Allow) C:\Program Files (x86)\LG Software\LG Smart Share\DMR\SmartShareDMR.exe
FirewallRules: [{932CE933-F297-499B-8132-E656A6839C7C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{12F09071-CB57-439E-B03B-19E7BF021516}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{0054481D-ECC7-447A-822D-19D858DDDA80}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{FE63E93C-A3FE-4F4F-820B-80E5A4E7E5F7}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{995BA47B-B2EA-4E85-9D27-6437DDDE7CD5}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{3D890FD4-97FA-4AF7-B142-C2B3C6E73468}] => (Allow) C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe
FirewallRules: [{160639E4-F9CF-4CAE-BF36-27B2C48EA80F}] => (Allow) C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe
FirewallRules: [{70530226-5C5D-4970-B2A5-F05151521009}] => (Allow) C:\Program Files (x86)\SrpnFiles\downloader.exe
FirewallRules: [{BD159D5B-EE6C-4884-9CBB-B6B388330D79}] => (Allow) C:\Program Files (x86)\SrpnFiles\downloader.exe
FirewallRules: [{31BB6551-303C-4C1F-B59E-896AB89EE147}] => (Allow) C:\Users\Steve\AppData\Local\ddnowyes.exe
FirewallRules: [{B67C7528-4760-443C-9E02-46E41FD8A4F9}] => (Allow) C:\Users\Steve\AppData\Local\Temp\nsf9799.tmp\setup.exe
FirewallRules: [{C5A344A6-5F8B-4761-83CD-DF5D9F76F77F}] => (Allow) C:\Users\Steve\AppData\Local\86947498.exe
FirewallRules: [{81C8EB87-D53E-4E32-B89E-1BCE26B30E0F}] => (Allow) C:\Users\Steve\AppData\Local\tinstall.exe
FirewallRules: [{365894D8-CFDD-4819-B2DF-1761A84561ED}] => (Allow) C:\Users\Steve\AppData\Local\Temp\MPCOnline\MPCDownload.exe
FirewallRules: [{2A9E2A5E-2BD4-4765-9578-77C770E061A6}] => (Allow) C:\Users\Steve\AppData\Local\Temp\MPCOnline\MPCDownload.exe
FirewallRules: [{F16B85B2-2DE7-4215-99A7-A43DF261766D}] => (Allow) C:\Program Files (x86)\actus\carvell.exe
FirewallRules: [TCP Query User{965D539F-8C29-4EB3-9C46-8A9CBD9692B5}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{085C406A-1D62-430F-948D-4558F1065575}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [{73A5FAE4-1A74-49CD-89FC-5AF2681CEFF2}] => (Allow) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe
DomainProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============

Name: HP Officejet Pro 8610
Description: HP Officejet Pro 8610
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Photosmart D7400 series
Description: Photosmart D7400 series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
==================== Event log errors: =========================

Application errors:
==================
Error: (09/02/2016 10:19:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: regedit.exe, version: 10.0.10586.0, time stamp: 0x5632d798
Faulting module name: KERNELBASE.dll, version: 10.0.10586.494, time stamp: 0x5775e4c5
Exception code: 0xc000041d
Fault offset: 0x000000000001cd65
Faulting process id: 0x2404
Faulting application start time: 0x01d2052472dd8bd1
Faulting application path: C:\WINDOWS\regedit.exe
Faulting module path: C:\WINDOWS\system32\KERNELBASE.dll
Report Id: 643464a4-5cf8-4166-9b88-cfa8772b859c
Faulting package full name:
Faulting package-relative application ID:

Error: (09/02/2016 10:19:12 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.10586.494, time stamp: 0x5775e94c
Faulting module name: StartUI.dll, version: 10.0.10586.494, time stamp: 0x5775e851
Exception code: 0xc000041d
Fault offset: 0x00000000002990c8
Faulting process id: 0x2a90
Faulting application start time: 0x01d20523727c74d2
Faulting application path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\StartUI.dll
Report Id: 1f74e4d2-43fd-47ba-a375-6895a6b56496
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (09/02/2016 10:19:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ShellExperienceHost.exe, version: 10.0.10586.494, time stamp: 0x5775e94c
Faulting module name: StartUI.dll, version: 10.0.10586.494, time stamp: 0x5775e851
Exception code: 0xc0000005
Fault offset: 0x00000000002990c8
Faulting process id: 0x2a90
Faulting application start time: 0x01d20523727c74d2
Faulting application path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Faulting module path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\StartUI.dll
Report Id: f195076e-4b7f-484c-b8a8-f94ece9d9ab1
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Error: (09/02/2016 10:18:16 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest". Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1. Component identity found in manifest does not match the identity of the component requested. Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0". Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0". Please use sxstrace.exe for detailed diagnosis.

Error: (09/02/2016 10:16:41 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest". Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1. Component identity found in manifest does not match the identity of the component requested. Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0". Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0". Please use sxstrace.exe for detailed diagnosis.

Error: (09/02/2016 10:04:15 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest". Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1. Component identity found in manifest does not match the identity of the component requested. Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0". Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0". Please use sxstrace.exe for detailed diagnosis.

Error: (09/02/2016 09:58:03 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: STEVE-SPLIT-X2)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (09/02/2016 09:52:05 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest". Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1. Component identity found in manifest does not match the identity of the component requested. Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0". Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0". Please use sxstrace.exe for detailed diagnosis.

Error: (09/02/2016 09:48:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: regedit.exe, version: 10.0.10586.0, time stamp: 0x5632d798
Faulting module name: KERNELBASE.dll, version: 10.0.10586.494, time stamp: 0x5775e4c5
Exception code: 0xc000041d
Fault offset: 0x000000000001cd70
Faulting process id: 0x28b0
Faulting application start time: 0x01d2051fc7785ab0
Faulting application path: C:\WINDOWS\regedit.exe
Faulting module path: C:\WINDOWS\system32\KERNELBASE.dll
Report Id: 8bf68deb-5bff-449c-b1d9-0eeff26b1f43
Faulting package full name:
Faulting package-relative application ID:

Error: (09/02/2016 09:23:28 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest". Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1. Component identity found in manifest does not match the identity of the component requested. Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0". Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0". Please use sxstrace.exe for detailed diagnosis.

System errors:
=============
Error: (09/02/2016 01:38:33 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742).
This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:38:33 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:38:33 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:38:11 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:38:11 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:38:08 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:38:08 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:26:59 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 01:26:59 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/02/2016 12:31:50 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The ZAM Controller Service service terminated unexpectedly. It has done this 1 time(s).

CodeIntegrity:
===================================
Date: 2016-09-01 19:15:48.691
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-01 19:15:48.595
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:43.693
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:41.138
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:41.052
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:17.878
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:17.632
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:15.748
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:11.810
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-09-01 19:15:11.725
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-4020Y CPU @ 1.50GHz
Percentage of memory in use: 68%
Total physical RAM: 4028.15 MB
Available physical RAM: 1249.3 MB
Total Virtual: 7740.15 MB
Available Virtual: 4100.32 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:106.33 GB) (Free:21.88 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:11.36 GB) (Free:1.19 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 119.2 GB) (Disk ID: 0F3E11DE)
Partition: GPT.

==================== End of Addition.txt ============================
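The FirewallRules section of the Addition.txt above is where the interesting entries are: Allow rules for executables sitting directly under C:\Users\Steve\AppData\Local (ddnowyes.exe, 86947498.exe, tinstall.exe), under Temp, for C:\Program Files (x86)\actus\carvell.exe, and a pair of Block rules for a chrome334.exe in Chrome's own folder. The script below is an added example for this thread, not part of FRST or of any post; it parses the FirewallRules text in the flattened form the forum posted it and flags rules whose program lives in a user-writable location, has an opaque numeric name, or imitates a well-known binary name with digits appended. The sample input is a slice of the posted log; the three heuristics are the example's own assumptions. Note what they do not catch: carvell.exe sits under Program Files (x86) and passes the location check, and legitimate per-user installs (Spotify, Blue Jeans, HPConnectedMusic) are flagged alongside the junk, so the output is a review queue for a human, not a verdict.

```python
"""Offline triage of the FirewallRules section of an FRST Addition.txt.

Added example for this thread; not part of FRST or Malwarebytes. It assumes
only the line shape visible in the posted log:
    FirewallRules: [<name>] => (Allow|Block) <program path or LPort=N>
The heuristics (user-writable location, opaque numeric name, look-alike name)
are this example's own choices, not FRST output.
"""
import re

# Constructed sample: entries copied from the posted Addition.txt, run together
# on one line exactly as the forum flattened them.
SAMPLE = (
    "FirewallRules: [{76F6D9EC-26C1-45A3-A3E0-45746147D442}] => (Allow) C:\\Program Files\\iTunes\\iTunes.exe "
    "FirewallRules: [{290C13A9-4916-4975-A84C-33F6457515FF}] => (Allow) LPort=5357 "
    "FirewallRules: [UDP Query User{04FF4C40-77D5-4517-911B-A16A9660251E}C:\\users\\steve\\appdata\\roaming\\spotify\\spotify.exe] => (Allow) C:\\users\\steve\\appdata\\roaming\\spotify\\spotify.exe "
    "FirewallRules: [{E55B12EE-99C1-4969-83E3-A8BAA0969E1B}] => (Allow) %LocalAppData%\\HPConnectedMusic\\Application\\HPConnectedMusic.exe "
    "FirewallRules: [{31BB6551-303C-4C1F-B59E-896AB89EE147}] => (Allow) C:\\Users\\Steve\\AppData\\Local\\ddnowyes.exe "
    "FirewallRules: [{B67C7528-4760-443C-9E02-46E41FD8A4F9}] => (Allow) C:\\Users\\Steve\\AppData\\Local\\Temp\\nsf9799.tmp\\setup.exe "
    "FirewallRules: [{C5A344A6-5F8B-4761-83CD-DF5D9F76F77F}] => (Allow) C:\\Users\\Steve\\AppData\\Local\\86947498.exe "
    "FirewallRules: [{F16B85B2-2DE7-4215-99A7-A43DF261766D}] => (Allow) C:\\Program Files (x86)\\actus\\carvell.exe "
    "FirewallRules: [TCP Query User{965D539F-8C29-4EB3-9C46-8A9CBD9692B5}C:\\program files (x86)\\google\\chrome\\application\\chrome334.exe] => (Block) C:\\program files (x86)\\google\\chrome\\application\\chrome334.exe "
    "FirewallRules: [{73A5FAE4-1A74-49CD-89FC-5AF2681CEFF2}] => (Allow) C:\\Users\\Steve\\AppData\\Local\\Chromium\\Application\\chrome.exe"
)

# One rule per match; the lookahead splits text that lost its newlines.
RULE_RE = re.compile(
    r"FirewallRules:\s*\[(?P<name>[^\]]*)\]\s*=>\s*\((?P<action>Allow|Block)\)\s*"
    r"(?P<target>.*?)\s*(?=FirewallRules:|$)",
    re.S,
)
# Locations any non-admin process can write to; also where per-user apps install.
USER_WRITABLE = re.compile(
    r"(?i)(^%(localappdata|appdata|temp|tmp)%|\\users\\[^\\]+\\appdata\\|\\temp\\)"
)
# Names that imitate a well-known binary with digits appended, e.g. chrome334.exe.
LOOKALIKE = re.compile(r"(?i)^(chrome|firefox|iexplore|svchost|explorer)\d+\.exe$")
# Digit-only file names such as 86947498.exe.
OPAQUE = re.compile(r"^\d{6,}\.exe$")


def parse_rules(text):
    """Yield a dict with name, action and target for every rule in the text."""
    for m in RULE_RE.finditer(text):
        yield {"name": m["name"], "action": m["action"], "target": m["target"]}


def triage(text):
    """Return the rules worth a human look, each with the reasons it was flagged."""
    findings = []
    for rule in parse_rules(text):
        target = rule["target"]
        if target.upper().startswith("LPORT="):
            continue  # port-only rule, no program to assess
        base = target.rsplit("\\", 1)[-1]
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("user-writable location")
        if LOOKALIKE.match(base):
            reasons.append("look-alike name")
        if OPAQUE.match(base):
            reasons.append("opaque numeric name")
        if reasons:
            findings.append({**rule, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['action']:5} {f['target']}  <- {', '.join(f['reasons'])}")
```

Run it against the whole FirewallRules block of a real Addition.txt (paste the text into SAMPLE or read the file) and work the flagged list by hand; a Block rule on a look-alike name such as chrome334.exe deserves the same attention as the Allow rules, because it still records that the binary existed and tried to talk out.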
AdvancedSetup (Root Admin) Posted September 6, 2016 ID:1060489

Hello @SteveE. I realize you've run a few tools already, but let's start out and go through a bit more methodical routine to ensure we find and remove things properly. Unless asked otherwise, please ATTACH all logs.

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully. If there is anything that you do not understand, kindly ask before proceeding. If needed, please print out these instructions.

Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text. If the log is too large, then you can use attachments by clicking on the More Reply Options button.
Please enable your system to show hidden files: How to see hidden files in Windows
Make sure you're subscribed to this topic: click on the Follow This Topic button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly.
Removing malware can be unpredictable; it is unlikely, but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
The removal of malware is not instantaneous; please be patient. Often we are also in a different time zone.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
You can check here if you're not sure if your computer is 32-bit or 64-bit.
Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
When we are done, I'll give you instructions on how to clean up all the tools and logs.
Please stick with me until I give you the "all clear", and please don't waste my time by leaving before that.
Your topic will be closed if you haven't replied within 3 days. (If I have not responded within 24 hours, please send me a Private Message as a reminder.)

STEP 01
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs, it will kill malware processes and then remove incorrect executable associations and fix policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.
As RKill only terminates a program's running process and does not delete any files, after running it you should not reboot your computer, as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill, you should immediately scan your computer using the requested scans I've included.
Please download Rkill by Grinler from one of the links below and save it to your desktop.
Link 1 | Link 2
On Windows XP, double-click on the Rkill desktop icon to run the tool.
On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator.
A black DOS box will briefly flash and then disappear; this is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs. If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer; you will need to run the application again.
STEP 02
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
Please download ERUNT from one of the following links: Link1 | Link2 | Link3
ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
Double click on erunt-setup.exe to install ERUNT by following the prompts.
NOTE: Do not choose to allow ERUNT to add an entry to the Startup folder. Click NO.
Start ERUNT either by double-clicking on the desktop icon or by choosing to start the program at the end of the setup process.
Choose a location for the backup. Note: the default location is C:\Windows\ERDNT, which is acceptable.
Make sure that at least the first two check boxes are selected.
Click on OK.
Then click on YES to create the folder.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe.

STEP 03
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following: MBAM Clean Removal Process 2x. When reinstalling the program, please try the latest version.
Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware, and from the Dashboard please Check for Updates by clicking the Update Now... link.
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit, and under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed, please click on History > Application Logs, find your scan log and open it, then click on the "copy to clipboard" button and post back the results in your next reply.
SteveE Posted September 7, 2016 Author ID:1060653
Hello Ron, Thanks for replying. Followed the process above.
Just an update from stuff I did on Friday: The problem seems to be isolated to Chrome now. After using MBAM and Hitman and Zemana, the system was clean until I ran Chrome. System is fine if I only use Mozilla or IE. I ran Chrome and started getting the "malicious website blocked" from process carvell.exe. Also 3 programs get loaded and show up in task manager: Ping, PresentationFontCache.exe and Runtime Broker. These seem to play an audio ad every few minutes. I ran Chrome prior to this process so the machine was infected. MBAM will eliminate these from the system after a reboot, and I am fine until I run Chrome.
Here is the log file:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/7/2016
Scan Time: 8:06 AM
Logfile:
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.09.07.04
Rootkit Database: v2016.08.15.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Steve

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 371769
Time Elapsed: 47 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{65767E3E-E7C6-42E5-A867-F0CFFCDAF169}, Delete-on-Reboot, [cd8387e80a90cc6acfac18b203ff2fd1],
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Da2946053129460531, Delete-on-Reboot, [b49ca1ce8515f93dc9b5be0c90722fd1],

Registry Values: 1
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{65767E3E-E7C6-42E5-A867-F0CFFCDAF169}|Path, \Da2946053129460531, Delete-on-Reboot, [cd8387e80a90cc6acfac18b203ff2fd1]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\Da2946053129460531, Quarantined, [0848b9b64a5021152d4805c507fbbe42],

Physical Sectors: 0
(No malicious items detected)

(end)
Root Admin AdvancedSetup Posted September 7, 2016 Root Admin ID:1060692
Let's go ahead and reset Chrome then before we run any more scans. I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome. You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.
Then I need you to go to >> Google Sync << and sign into your account. Scroll down until you see the “reset sync” button and click on the button. At the prompt click on “Ok”.

Reset Your Browser Settings
In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines).
Select “Settings”.
At the bottom, click “Show advanced settings…”
Scroll down until you see “Reset settings”, then click on the button “Reset Settings”.
In the dialog that appears, click “Reset”.

Close Chrome and restart it and check it out for me please.
SteveE Posted September 7, 2016 Author ID:1060698
Hi, Just to clarify.... I am not sure what you mean by the last statement "Close Chrome and restart it and check it out for me please". Chrome currently works fine, except for launching the malware. So, when I open Chrome to export bookmarks, Ping and Carvell will start up. So even after resetting Chrome, those malware programs will still be running. Not sure what I will see differently after just resetting. After resetting Chrome, I can re-run MBAM and reboot to get rid of the malware and then test Chrome to see if we removed it? OR do I need to check something else. Waiting on your reply to proceed. THANK YOU!!! Steve
Root Admin AdvancedSetup Posted September 8, 2016 Root Admin ID:1060734
Well, you need to launch Chrome in order to clean and reset it. So please try those instructions for resetting Chrome. Then we'll look at running the other scans for detection and removal. Thanks
SteveE Posted September 8, 2016 Author ID:1060790
OK, I deleted all of my Sync Data and did not log back in. I went to Chrome settings, clicked "show advanced settings" and there is no option to reset Chrome. I copied everything on the page and posted below. (Maybe part of the problem?). I did a quick search and found you can reset by entering this link: chrome://settings/resetProfileSettings. Which I did, and the box came up to reset. Seemed to work - extensions disabled.
Current state of system - MBAM is blocking website access from Carvell continuously and I am getting audio adverts from Ping.exe. Running MBAM to clear the malware and will reboot when it finishes.

Settings
Sign in
Sign in to get your bookmarks, history, passwords and other settings on all your devices. You'll also automatically be signed in to your Google services. Learn more
Sign in to Chrome
Appearance
Get themes   Reset to default theme
Show Home button
www.google.com/ Change
Always show the bookmarks bar
Default browser
Make Google Chrome the default browser
Google Chrome is not currently your default browser.
Privacy
Content settings...   Clear browsing data...
Google Chrome may use web services to improve your browsing experience. You may optionally disable these services. Learn more
Use a web service to help resolve navigation errors
Use a prediction service to help complete searches and URLs typed in the address bar
Use a prediction service to load pages more quickly
Automatically report details of possible security incidents to Google
Protect you and your device from dangerous sites
Use a web service to help resolve spelling errors
Automatically send usage statistics and crash reports to Google
Send a "Do Not Track" request with your browsing traffic
Passwords and forms
Enable Autofill to fill out web forms in a single click. Manage Autofill settings
Offer to save your web passwords. Manage passwords
Web content
Font size: Very Small   Small   Medium   Large   Very Large   Customize fonts...
Page zoom: 25% 33% 50% 67% 75% 90% 100% 110% 125% 150% 175% 200% 250% 300% 400% 500%
Network
Google Chrome is using your computer's system proxy settings to connect to the network. Change proxy settings...
Languages
Change how Chrome handles and displays languages. Learn more
Language and input settings...
Offer to translate pages that aren't in a language you read. Manage languages
Downloads
Download location: Change...
Ask where to save each file before downloading
HTTPS/SSL
Manage certificates...
Google Cloud Print
Set up or manage printers in Google Cloud Print. Learn more
Manage
Show notifications when new printers are detected on the network
Accessibility
Add additional accessibility features
System
Continue running background apps when Google Chrome is closed
Use hardware acceleration when available
Hide advanced settings...
SteveE Posted September 8, 2016 Author ID:1060800
OK - After reboot system was clean. No ping.exe in task manager and no pop-up warnings on blocked web sites. Firefox running fine. Did some work via Firefox. Then started Chrome. After a few seconds Ping.exe showed up in task manager (along with audio adverts) and pop-ups for blocked website access started again. Steve
Root Admin AdvancedSetup Posted September 9, 2016 Root Admin ID:1061042
Please fully remove Chrome following this guide. Make sure you export your bookmarks first as this method will remove everything from Chrome.
http://www.wintips.org/how-to-completely-uninstall-re-install-google-chrome/
Then DO NOT reinstall Chrome yet. After you have fully removed Chrome then restart the computer and run a new FRST scan and make sure you put a checkmark in the Additions.txt check box and attach both new logs on your next reply.
For now use Firefox until we get you cleaned up.
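Added example (editor's note, not part of this thread and not code from FRST or Malwarebytes): the FRST log Steve posts in his next reply is where the persistence shows up, in the Run/RunOnce lines of the "Registry (Whitelisted)" section. The legitimate entries there carry a `[size date] (Publisher)` suffix that FRST attaches when it can find and identify the file, while `carvell.exe`, the `DPower\59CRB48DAE.exe` value, the `[X]` orphans and the Chromium value that relaunches a browser with `--auto-launch-at-startup` do not. The Python script below parses those lines into a triage list. The line grammar it assumes is inferred from the lines in this thread rather than from any FRST documentation, and the sample input is constructed from Steve's log. An "unresolved" entry is one FRST attached no file information to; that is a prompt to check the file by hand (hash, signature), not a verdict, since the legitimate `jusched.exe` value is printed the same way.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line grammar assumed from the FRST output in this thread (not FRST documentation):
#   <hive>\...\Run: [<value name>] => <command> [<size> <YYYY-MM-DD>] (<publisher>)
#   <hive>\...\Run: [<value name>] => [X]      <- the value's target file is missing
RUN_LINE = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] => (?P<rest>.*)$"
)
FILE_INFO = re.compile(r" \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*)\)$")
UNQUOTED_CMD = re.compile(r"(?i)^(?P<target>.*?\.(?:exe|dll|scr|com|cmd|bat))(?:\s+(?P<args>.*))?$")
AUTO_LAUNCH_FLAGS = ("--auto-launch-at-startup", "--restore-last-session")
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    target: str
    args: str
    size: Optional[int]
    date: Optional[str]
    publisher: Optional[str]
    status: str  # verified | no_publisher | unresolved | orphaned
    notes: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Separate the executable path from its arguments, for quoted and unquoted values."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_CMD.match(cmd)
    if m:
        return m.group("target"), (m.group("args") or "")
    return cmd, ""


def parse_run_line(line: str) -> Optional[RunEntry]:
    """Parse one Run/RunOnce line; returns None for any other line of the log."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    hive, key, name, rest = m.group("hive", "key", "name", "rest")
    size = date = publisher = None
    if rest == "[X]":
        status, target, args = "orphaned", "", ""
    else:
        info = FILE_INFO.search(rest)
        if info:
            size = int(info.group("size"))
            date = info.group("date")
            publisher = info.group("publisher").strip()
            status = "verified" if publisher else "no_publisher"
            cmd = rest[: info.start()]
        else:
            status = "unresolved"  # FRST printed the raw value with no file information
            cmd = rest
        target, args = split_command(cmd)
    entry = RunEntry(hive, key, name, target, args, size, date, publisher, status)
    if not name:
        entry.notes.append("empty value name")
    if status == "unresolved":
        entry.notes.append("no size/date/publisher attached: verify the file (hash, Authenticode signature) by hand")
    if any(flag in args for flag in AUTO_LAUNCH_FLAGS):
        entry.notes.append("browser relaunched at logon with auto-launch arguments")
    if any(d in target.lower() for d in USER_WRITABLE_DIRS):
        entry.notes.append("runs from a user-writable location")
    return entry


def parse_run_entries(text: str) -> List[RunEntry]:
    return [e for e in (parse_run_line(l) for l in text.splitlines()) if e is not None]


def find(entries: List[RunEntry], name: str) -> RunEntry:
    """First entry with the given value name (names can repeat across hives)."""
    return next(e for e in entries if e.name == name)


def needs_review(entries: List[RunEntry]) -> List[RunEntry]:
    """Anything not file-verified, or carrying a note, goes on the responder's list."""
    return [e for e in entries if e.status != "verified" or e.notes]


# Constructed sample input: autostart lines copied from the FRST log posted in this
# thread, plus one non-Run line to show that it is skipped.
SAMPLE_LOG = r"""
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [404912 2015-10-22] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-09] (Apple Inc.)
HKLM\...\Run: [faribault] => "C:\Program Files (x86)\actus\carvell.exe"
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2779136 2016-06-11] (Dominik Reichl)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
HKLM-x32\...\Run: [win_en_77] => [X]
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [IRS12AUC0C] => "C:\Program Files (x86)\DPower\59CRB48DAE.exe"
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [Chromium] => "c:\users\steve\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [Spotify Web Helper] => C:\Users\Steve\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1523312 2016-08-29] (Spotify Ltd)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
"""

ENTRIES = parse_run_entries(SAMPLE_LOG)

if __name__ == "__main__":
    for e in needs_review(ENTRIES):
        print(f"{e.status:<13} {e.hive}\\...\\{e.key} [{e.name}] -> {e.target or '(missing)'}")
        for n in e.notes:
            print(f"{'':<13}   note: {n}")
```

Run against a full FRST.txt, the list is short enough to work through by hand: the verified entries drop out, and what is left is exactly the set a helper would put in a fixlist or ask about. The `no_publisher` bucket is for files FRST found but that carry no version information (the Intel `igfxtray.exe` here), which is common for OEM tools and not an indicator on its own.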
SteveE Posted September 9, 2016 Author ID:1061064 Share Posted September 9, 2016 Hi, Chome has been deleted per the web link article. Uninstalling chrome, caused chrome to open and then the malware started up. I ran MBAM cleaned before running FRST64.exe. FRST.TXT Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016 Ran by Steve (administrator) on STEVE-SPLIT-X2 (09-09-2016 15:26:50) Running from C:\Users\Steve\Desktop Loaded Profiles: Steve (Available Profiles: Steve) Platform: Windows 10 Home Version 1511 (X64) Language: English (United States) Internet Explorer Version 11 (Default browser: FF) Boot Mode: NAormal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Intel Corporation) C:\Windows\System32\igfxCUIService.exe (IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe (Intel Corporation) C:\Windows\SysWOW64\IntelCpHeciSvc.exe (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe (Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe (Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe (Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe (DEVGURU Co., LTD.) 
C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe (Wondershare) C:\Program Files (x86)\Wondershare\WAF\2.1.6.0\WsAppService.exe (TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe (Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe (Intel Corporation) C:\Windows\System32\igfxEM.exe (Intel Corporation) C:\Windows\System32\igfxHK.exe () C:\Windows\System32\igfxTray.exe (Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe (SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe (IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe (Spotify Ltd) C:\Users\Steve\AppData\Roaming\Spotify\SpotifyWebHelper.exe (Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe (Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe (Sling Media Inc.) C:\Program Files (x86)\DishAnywhereDesktop\DishAnywherePlayer.exe () C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe (Sling Media Inc.) C:\Program Files (x86)\Sling Media\SlingplayerForWeb\SlingplayerForWeb.exe (Hewlett-Packard Development Company, L.P.) 
C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Hewlett-Packard Development Company, LP) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe (Sling Media Inc.) C:\Program Files (x86)\Sling Media\SlingplayerForWeb\SlingplayerForWeb.exe (Sling Media Inc.) C:\Program Files (x86)\DishAnywhereDesktop\DishAnywherePlayer.exe (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE (Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSYNC.EXE (HP Inc.) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe (Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe (Microsoft Corporation) C:\Windows\splwow64.exe ==================== Registry (Whitelisted) =========================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) 
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [404912 2015-10-22] () HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-09] (Apple Inc.) HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1703424 2015-10-22] (IDT, Inc.) HKLM\...\Run: [faribault] => "C:\Program Files (x86)\actus\carvell.exe" HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2779136 2016-06-11] (Dominik Reichl) HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe [657424 2015-09-03] (Hewlett-Packard Development Company, L.P.) HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard) HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" HKLM-x32\...\Run: [win_en_77] => [X] HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.) Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X] HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [Spotify Web Helper] => C:\Users\Steve\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1523312 2016-08-29] (Spotify Ltd) HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1400232 2016-07-31] (Garmin Ltd. 
or its subsidiaries) HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [HP Officejet Pro 8610 (NET)] => C:\Program Files\HP\HP Officejet Pro 8610\Bin\ScanToPCActivationApp.exe [3487240 2014-07-21] (Hewlett-Packard Development Company, LP) HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [IRS12AUC0C] => "C:\Program Files (x86)\DPower\59CRB48DAE.exe" HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.) HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Run: [Chromium] => "c:\users\steve\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\RunOnce: [Uninstall C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64" HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\MountPoints2: {7810967f-e203-11e5-8283-485ab6b36b20} - "E:\VZW_Software_upgrade_assistant.exe" HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\Mystify.scr [150528 2015-10-30] (Microsoft Corporation) HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1400232 2016-07-31] (Garmin Ltd. or its subsidiaries) Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DishAnywherePlayerShortcut.lnk [2016-09-02] ShortcutTarget: DishAnywherePlayerShortcut.lnk -> C:\Program Files (x86)\DishAnywhereDesktop\DishAnywherePlayer.exe (Sling Media Inc.) 
Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PdaNet Desktop.lnk [2016-09-02] ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe () Startup: C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SlingplayerForWebShortcut.lnk [2016-09-02] ShortcutTarget: SlingplayerForWebShortcut.lnk -> C:\Program Files (x86)\Sling Media\SlingplayerForWeb\SlingplayerForWeb.exe (Sling Media Inc.) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 Tcpip\..\Interfaces\{488e5b26-fa59-4a72-816d-115d9ded13a7}: [DhcpNameServer] 8.8.8.8 Tcpip\..\Interfaces\{54baa6fc-806b-406e-a3b8-63e4b594531f}: [DhcpNameServer] 192.168.1.1 Tcpip\..\Interfaces\{7b1222b5-762c-4cf9-8a6f-445c382141e6}: [DhcpNameServer] 8.8.8.8 Tcpip\..\Interfaces\{e366439c-b631-4823-b6bf-c41eabf5bb3d}: [DhcpNameServer] 172.20.10.1 ManualProxies: Internet Explorer: ================== HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT14/1 HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl 
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms} SearchScopes: HKLM-x32 -> DefaultScope value is missing SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms} SearchScopes: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms} BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-07-31] (Microsoft Corporation) BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-07-31] (Microsoft Corporation) BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2016-07-21] (HP Inc.) 
DPF: HKLM-x32 {A4150320-98EC-4DB6-9BFB-EBF4B6FBEB16} hxxp://192.168.1.24/codebase/DVM_IPCam2.ocx Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation) Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation) Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation) Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-07-31] (Microsoft Corporation) FireFox: ======== FF ProfilePath: C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default FF NewTab: about:newtab FF DefaultSearchEngine: Avast Search FF DefaultSearchUrl: hxxps://search.avast.com/AV772/search/web?q={searchTerms} FF SearchEngineOrder.1: Avast Search FF SelectedSearchEngine: Avast Search FF Homepage: hxxps://www.google.com/ FF Keyword.URL: hxxps://search.avast.com/AV772/search/web?q={searchTerms} FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll [2014-03-31] (GARMIN Corp.) FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File] FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] () FF Plugin-x32: @garmin.com/GpsControl -> C:\Program Files (x86)\Garmin GPS Plugin\npGarmin.dll [2014-03-31] (GARMIN Corp.) 
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-10] (Intel Corporation) FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-10] (Intel Corporation) FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-19] (Oracle Corporation) FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-19] (Oracle Corporation) FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File] FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-07-31] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-07-31] (Microsoft Corporation) FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-06] (Microsoft Corporation) FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [No File] FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [No File] FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2015-10-12] () FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.) 
FF Plugin HKU\S-1-5-21-2221598115-2109861328-2175321649-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Steve\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-08-30] (Citrix Online) FF Plugin HKU\S-1-5-21-2221598115-2109861328-2175321649-1001: DISH Anywhere.com/DISH Anywhere Video Player -> C:\Users\Steve\AppData\Roaming\DISH Anywhere\DISH Anywhere Video Player\npNMPCBrowserPlugin.dll [2015-11-23] (Nagravision) FF Plugin ProgramFiles/Appdata: C:\Users\Steve\AppData\Roaming\mozilla\plugins\npatgpc.dll [2016-01-12] (Cisco WebEx LLC) FF SearchPlugin: C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default\searchplugins\avast-search.xml [2016-09-06] FF Extension: (WebSlingPlayer) - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A} [2016-06-28] FF Extension: (Firefox Hotfix) - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default\Extensions\firefox-hotfix@mozilla.org.xpi [2016-09-09] FF Extension: (Scrabulizer Importer) - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vup3qqfp.default\Extensions\{ca96eaaa-e97d-4e54-b403-b7b5a8557fad}.xpi [2016-05-29] FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found Chrome: ======= CHR HKLM\...\Chrome\Extension: [ihdceheklapbalfikfdppfpgdgabaglp] - hxxps://clients2.google.com/service/update2/crx CHR HKLM-x32\...\Chrome\Extension: [jkfpchpiljkaemlpmpebnglgkomamfeo] - hxxps://clients2.google.com/service/update2/crx ==================== Services (Whitelisted) ======================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.) 
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2854640 2016-07-31] (Microsoft Corporation) R2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [809488 2016-07-31] (Garmin Ltd. or its subsidiaries) R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-09-09] (SurfRight B.V.) R2 HPSLPSVC; C:\Users\Steve\AppData\Local\Temp\7zS0187\hpslpsvc64.dll [1039360 2015-09-21] (Hewlett-Packard Co.) [File not signed] R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [29728 2016-08-15] (HP Inc.) R2 HPWMISVC; C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe [606224 2015-09-03] (Hewlett-Packard Development Company, L.P.) R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation) R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [359856 2015-10-22] (Intel Corporation) R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed] S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation) R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-12-10] (Intel Corporation) R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-12-10] (Intel Corporation) R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes) R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes) R2 SDScannerService; C:\Program Files (x86)\Spybot - 
Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.) R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.) R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.) R2 ss_conn_service; C:\Program Files\SAMSUNG\USB Drivers\25_escape\conn\ss_conn_service.exe [741640 2014-06-16] (DEVGURU Co., LTD.) R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [340480 2015-10-22] (IDT, Inc.) [File not signed] R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [268912 2016-06-08] (Synaptics Incorporated) R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [7183632 2016-07-18] (TeamViewer GmbH) S3 vmicvss; C:\Windows\System32\ICSvc.dll [511488 2015-10-30] (Microsoft Corporation) R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation) S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-07-01] (Microsoft Corporation) R2 WsAppService; C:\Program Files (x86)\Wondershare\WAF\2.1.6.0\WsAppService.exe [388608 2016-01-28] (Wondershare) [File not signed] S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X] S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X] S3 WsDrvInst; "C:\Program Files (x86)\Wondershare\TunesGo\DriverInstall.exe" [X] S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X] ===================== Drivers (Whitelisted) ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) S3 AndNetDiag; C:\Windows\system32\DRIVERS\lgandnetdiag64.sys [30720 2015-05-12] (LG Electronics Inc.) S3 ANDNetModem; C:\Windows\system32\DRIVERS\lgandnetmodem64.sys [37376 2015-05-12] (LG Electronics Inc.) 
S3 libusb0; C:\Windows\system32\DRIVERS\libusb0.sys [44480 2015-11-08] (hxxp://libusb-win32.sourceforge.net) R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes) R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-09-09] (Malwarebytes) R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation) R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation) R3 netr28x; C:\Windows\system32\DRIVERS\netr28x.sys [2554528 2015-06-12] (MediaTek Inc.) R3 rtbth; C:\Windows\System32\drivers\rtbth.sys [1219200 2015-10-21] (Ralink Technology, Corp.) S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [418008 2013-06-23] (Realsil Semiconductor Corporation) R3 RTSUER; C:\Windows\system32\Drivers\RtsUer.sys [410848 2015-10-22] (Realsil Semiconductor Corporation) R3 SynRMIHID; C:\Windows\system32\DRIVERS\SynRMIHID.sys [74864 2016-06-08] (Synaptics Incorporated) S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation) R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation) R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation) R3 WirelessButtonDriver64; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30384 2015-06-23] (HP Inc.) S3 WsAudioDevice_383; C:\Windows\system32\drivers\VirtualAudio.sys [31080 2015-07-30] (Wondershare) R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2016-09-02] (Zemana Ltd.) S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X] ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2016-09-09 15:26 - 2016-09-09 15:27 - 00023767 _____ C:\Users\Steve\Desktop\FRST.txt 2016-09-09 15:25 - 2016-09-09 15:26 - 02397696 _____ (Farbar) C:\Users\Steve\Downloads\FRST64(1).exe 2016-09-09 15:14 - 2016-09-09 15:14 - 00000000 ___HD C:\OneDriveTemp 2016-09-09 13:43 - 2016-09-09 13:43 - 00073375 _____ C:\Users\Steve\Downloads\CMIT_Proforma_Sheet_2016(2).xlsx 2016-09-08 19:21 - 2016-09-08 23:56 - 00003254 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForSteve 2016-09-07 22:11 - 2016-09-07 22:11 - 00747800 _____ C:\Users\Steve\Downloads\CHM_Guidelines_2016_V2(2).pdf 2016-09-07 22:11 - 2016-09-07 22:11 - 00747800 _____ C:\Users\Steve\Downloads\CHM_Guidelines_2016_V2(1).pdf 2016-09-07 17:28 - 2016-09-07 17:28 - 00110119 _____ C:\Users\Steve\Desktop\bookmarks_9_7_16.html 2016-09-07 13:22 - 2016-09-07 13:22 - 00003968 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1445568390 2016-09-07 08:03 - 2016-09-07 08:03 - 00000000 ____D C:\WINDOWS\ERDNT 2016-09-07 08:02 - 2016-09-07 08:03 - 00000000 ____D C:\Program Files (x86)\ERUNT 2016-09-07 08:02 - 2016-09-07 08:02 - 00001004 _____ C:\Users\Steve\Desktop\NTREGOPT.lnk 2016-09-07 08:02 - 2016-09-07 08:02 - 00000985 _____ C:\Users\Steve\Desktop\ERUNT.lnk 2016-09-07 08:02 - 2016-09-07 08:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT 2016-09-07 07:57 - 2016-09-07 07:57 - 00791393 _____ (Lars Hederer ) C:\Users\Steve\Downloads\erunt-setup(1).exe 2016-09-07 07:54 - 2016-09-07 07:55 - 00791393 _____ (Lars Hederer ) C:\Users\Steve\Downloads\erunt-setup.exe 2016-09-06 16:35 - 2016-09-06 16:36 - 01257552 _____ C:\Users\Steve\Downloads\merged_document(1).pdf 2016-09-06 10:57 - 2016-09-06 11:02 - 02953520 _____ (AVAST Software) C:\Users\Steve\Downloads\avast-browser-cleanup.exe 2016-09-06 10:57 - 2016-09-06 10:59 - 03826240 _____ C:\Users\Steve\Downloads\adwcleaner_6.010.exe 2016-09-06 08:30 - 2016-09-06 08:30 - 00747800 _____ C:\Users\Steve\Downloads\CHM_Guidelines_2016_V2.pdf 2016-09-02 
18:14 - 2016-09-02 18:23 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Steve\Downloads\rkill64.exe 2016-09-02 18:13 - 2016-09-07 07:53 - 00002834 _____ C:\Users\Steve\Desktop\Rkill.txt 2016-09-02 18:11 - 2016-09-01 14:45 - 00313856 _____ C:\Users\Steve\AppData\Local\settings.dll 2016-09-02 18:11 - 2016-09-01 14:45 - 00194048 _____ C:\Users\Steve\AppData\Local\carvell.exe 2016-09-02 16:27 - 2016-09-02 16:27 - 00000000 ___HD C:\$WINDOWS.~BT 2016-09-02 14:24 - 2016-09-02 14:24 - 00002014 _____ C:\Users\Steve\Downloads\mbyte.txt 2016-09-02 14:02 - 2016-09-02 14:02 - 00000240 _____ C:\Users\Steve\Downloads\SearchReg.txt 2016-09-02 13:48 - 2016-09-02 13:49 - 00061320 _____ C:\Users\Steve\Downloads\Addition.txt 2016-09-02 13:47 - 2016-09-09 15:26 - 00000000 ____D C:\FRST 2016-09-02 13:47 - 2016-09-02 13:49 - 00065225 _____ C:\Users\Steve\Downloads\FRST.txt 2016-09-02 13:44 - 2016-09-02 13:47 - 02397696 _____ (Farbar) C:\Users\Steve\Desktop\FRST64.exe 2016-09-02 11:32 - 2016-09-02 11:32 - 05660313 _____ (Swearware) C:\Users\Steve\Downloads\ComboFix.exe 2016-09-02 11:20 - 2016-09-02 11:20 - 31930936 _____ (Adlice Software ) C:\Users\Steve\Downloads\setup.exe 2016-09-02 11:03 - 2016-09-02 11:03 - 00000000 ____D C:\WINDOWS\Trend Micro 2016-09-02 11:03 - 2016-09-02 11:03 - 00000000 ____D C:\ProgramData\Trend Micro 2016-09-02 11:02 - 2016-09-02 11:02 - 02527376 _____ (Trend Micro Inc.) C:\Users\Steve\Downloads\HousecallLauncher64.exe 2016-09-02 11:02 - 2015-12-24 09:03 - 00316168 _____ (Trend Micro Inc.) 
C:\WINDOWS\system32\Drivers\tmcomm.sys 2016-09-02 10:47 - 2016-09-02 10:47 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Steve\Downloads\rkill.exe 2016-09-02 10:36 - 2016-09-02 10:36 - 00000000 ____D C:\ProgramData\Sophos 2016-09-02 10:30 - 2016-09-02 10:31 - 152068736 _____ (Sophos Limited) C:\Users\Steve\Downloads\Sophos Virus Removal Tool.exe 2016-09-02 10:15 - 2016-09-06 11:03 - 00001215 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk 2016-09-02 10:15 - 2016-09-06 11:03 - 00001215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk 2016-09-02 10:14 - 2016-09-02 10:14 - 00242136 _____ C:\Users\Steve\Downloads\Firefox Setup Stub 48.0.2.exe 2016-09-02 10:03 - 2016-09-09 15:26 - 00044298 _____ C:\WINDOWS\ZAM_Guard.krnl.trace 2016-09-02 10:03 - 2016-09-02 14:24 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware 2016-09-02 10:03 - 2016-09-02 13:37 - 01608038 _____ C:\WINDOWS\ZAM.krnl.trace 2016-09-02 10:03 - 2016-09-02 10:03 - 00203680 _____ (Zemana Ltd.) 
C:\WINDOWS\system32\Drivers\zamguard64.sys 2016-09-02 09:57 - 2016-09-02 09:57 - 00005856 _____ C:\WINDOWS\system32\.crusader 2016-09-02 09:55 - 2016-09-02 10:03 - 05295424 _____ ( ) C:\Users\Steve\Downloads\Zemana.AntiMalware.Setup.exe 2016-09-02 09:52 - 2016-09-02 09:58 - 00000000 ____D C:\ProgramData\HitmanPro 2016-09-02 09:52 - 2016-09-02 09:52 - 00001973 _____ C:\Users\Public\Desktop\HitmanPro.lnk 2016-09-02 09:52 - 2016-09-02 09:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro 2016-09-02 09:52 - 2016-09-02 09:52 - 00000000 ____D C:\Program Files\HitmanPro 2016-09-02 08:59 - 2016-09-09 15:14 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys 2016-09-02 08:59 - 2016-09-02 09:30 - 00001176 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2016-09-02 08:59 - 2016-09-02 08:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2016-09-02 08:59 - 2016-09-02 08:59 - 00000000 ____D C:\ProgramData\Malwarebytes 2016-09-02 08:59 - 2016-09-02 08:59 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware 2016-09-02 08:59 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys 2016-09-02 08:59 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys 2016-09-02 08:59 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys 2016-09-02 08:43 - 2016-09-02 08:43 - 00000000 _____ C:\WINDOWS\SysWOW64\${FILE_SN_DLL} 2016-09-02 08:39 - 2016-09-06 11:01 - 00000000 ____D C:\AdwCleaner 2016-09-02 08:38 - 2016-09-02 08:38 - 01950720 _____ C:\Users\Steve\Downloads\AdwCleaner Setup [1].exe 2016-09-02 07:38 - 2015-06-26 15:08 - 00294400 _____ (CodePlex Community) C:\Users\Steve\AppData\Local\Microsoft.Win32.TaskScheduler.dll 2016-09-02 00:59 - 2016-09-02 00:59 - 00000000 ____D C:\Program Files\Common Files\AV 2016-09-02 00:59 - 2015-07-28 17:52 - 
00821920 _____ (Safer-Networking Ltd. ) C:\Users\Public\Desktop\Post Win10 Spybot-install.exe 2016-09-02 00:54 - 2016-09-09 13:52 - 00004166 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{AD70D64C-0206-4BBF-9812-33B4EE85FA46} 2016-09-02 00:30 - 2016-09-02 09:30 - 00001459 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk 2016-09-02 00:30 - 2016-09-02 09:30 - 00001453 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk 2016-09-02 00:30 - 2016-09-02 01:07 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy 2016-09-02 00:30 - 2016-09-02 00:59 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2 2016-09-02 00:30 - 2016-09-02 00:30 - 00000656 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job 2016-09-02 00:30 - 2016-09-02 00:30 - 00000628 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job 2016-09-02 00:30 - 2016-09-02 00:30 - 00000458 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job 2016-09-02 00:30 - 2016-09-02 00:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2 2016-09-02 00:30 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe 2016-09-01 23:49 - 2016-09-02 00:49 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job 2016-09-01 23:48 - 2016-09-02 09:20 - 00000000 ____D C:\WINDOWS\pss 2016-09-01 19:12 - 2016-09-02 09:19 - 00000000 ____D C:\Users\Steve\AppData\Local\Apps\2.0 2016-09-01 14:45 - 2016-09-01 14:45 - 00313856 _____ C:\WINDOWS\settings.dll 2016-09-01 14:45 - 2016-09-01 14:45 - 00194048 _____ C:\WINDOWS\disappointment.exe 2016-09-01 07:37 - 2016-09-01 07:37 - 00359910 ____T C:\Users\Steve\Documents\Adoration Monthly Prayer Assignments.pdf 2016-08-31 21:14 - 2016-09-01 15:55 - 00000000 ___HD C:\WINDOWS\AxInstSV 2016-08-30 11:31 - 2016-09-09 15:13 - 00000688 _____ 
C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job 2016-08-30 11:31 - 2016-09-09 15:13 - 00000592 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job 2016-08-30 11:31 - 2016-08-30 11:31 - 00000000 ____D C:\Users\Steve\AppData\Local\Citrix 2016-08-30 11:30 - 2016-08-30 11:31 - 00321008 _____ (Citrix Online) C:\Users\Steve\Downloads\GoToWebinar Launcher(1).exe 2016-08-30 11:10 - 2016-08-30 11:10 - 00260929 _____ C:\Users\Steve\Downloads\8.1.2.5.rar 2016-08-29 08:35 - 2016-08-29 08:35 - 00000316 _____ C:\Users\Steve\Desktop\Apply For Johnson and Johnson Area Business Specialist, CNS (Cincinnati, Ohio) - Janssen Pharmaceuticals, Inc. job - Selling.URL 2016-08-27 20:43 - 2016-08-27 20:43 - 08136256 _____ (TeamViewer) C:\Users\Steve\Downloads\TeamViewerQS_en (1).exe 2016-08-27 20:42 - 2016-08-27 20:42 - 08136256 _____ (TeamViewer) C:\Users\Steve\Downloads\TeamViewerQS_en.exe 2016-08-26 15:22 - 2016-08-26 15:22 - 00000220 _____ C:\Users\Steve\Desktop\httpjohn15-5.adorationservants.org.URL 2016-08-23 12:56 - 2016-08-23 12:57 - 00355787 _____ C:\Users\Steve\Downloads\linkedin_connections_export_microsoft_outlook(1).csv 2016-08-22 18:46 - 2016-08-22 18:46 - 00322946 _____ C:\Users\Steve\Downloads\30+60+90+Day+Template+-+Final.pptx 2016-08-21 20:51 - 2016-08-21 21:16 - 00000000 ____D C:\Users\Steve\Desktop\New folder (4) 2016-08-20 11:38 - 2016-08-20 11:40 - 00341112 ____T C:\Users\Steve\Desktop\Walmart Pirelli P4 Four Seasons Plus.pdf 2016-08-19 09:05 - 2016-08-19 09:05 - 00073375 _____ C:\Users\Steve\Downloads\CMIT_Proforma_Sheet_2016(1).xlsx 2016-08-18 17:15 - 2016-08-18 17:15 - 00045730 _____ C:\Users\Steve\Desktop\fax rwb_worldwide_2016-08-18_21-07-44.pdf 2016-08-18 15:38 - 2016-08-18 15:38 - 05103963 _____ C:\Users\Steve\Downloads\996981530_28_IKOR_INTERNATIONAL_-_2016_FDD__V7__081816_506361674.pdf 2016-08-18 13:48 - 2016-09-02 10:15 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox 2016-08-18 
12:28 - 2016-08-18 12:28 - 00000293 _____ C:\Users\Steve\Desktop\JLL Careers - Job details.URL 2016-08-18 10:45 - 2016-08-18 10:45 - 10813322 _____ C:\Users\Steve\Downloads\suck_less_search_pdf.pdf 2016-08-17 14:24 - 2016-08-17 14:24 - 00370807 ____T C:\Users\Steve\Desktop\fax test.pdf 2016-08-17 11:10 - 2016-09-09 09:34 - 00000000 ____D C:\Users\Steve\Documents\Franchise 2016-08-16 18:45 - 2016-08-16 18:45 - 20724029 _____ C:\Users\Steve\Downloads\Op-Manual-MP-C3003-C3503-C4503-C5503-C6003.pdf 2016-08-15 14:25 - 2016-08-15 14:25 - 00704872 _____ C:\Users\Steve\Documents\Scan0001.pdf 2016-08-15 10:32 - 2016-08-15 10:32 - 00073375 _____ C:\Users\Steve\Downloads\CMIT_Proforma_Sheet_2016.xlsx 2016-08-14 18:24 - 2016-08-14 18:24 - 00100675 _____ C:\Users\Steve\Downloads\SOI_List_Template.xlsx 2016-08-14 18:22 - 2016-08-14 18:22 - 01646604 _____ C:\Users\Steve\Downloads\CMIT_Solutions_Frequently_Asked_Questions.pdf 2016-08-14 18:20 - 2016-08-14 18:20 - 00330618 _____ C:\Users\Steve\Downloads\Managed_Services_Whitepaper.pdf 2016-08-14 18:15 - 2016-08-14 18:15 - 00146973 _____ C:\Users\Steve\Downloads\Initial_Investment_2016(1).pdf 2016-08-14 18:00 - 2016-08-14 18:00 - 00358442 _____ C:\Users\Steve\Downloads\Why_a_Business_Not_a_Job.pdf 2016-08-12 12:38 - 2016-08-12 12:38 - 00986528 _____ (Google Inc.) C:\Users\Steve\Downloads\GoogleVoiceAndVideoSetup.exe 2016-08-12 11:24 - 2016-08-12 11:25 - 12063336 _____ (Hewlett-Packard Company ) C:\Users\Steve\Downloads\sp76259.exe 2016-08-10 16:31 - 2016-08-10 16:31 - 18124829 _____ C:\Users\Steve\Downloads\RightatHomeinc.ppt ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 
2016-09-09 15:17 - 2015-12-16 20:42 - 00973984 _____ C:\WINDOWS\system32\PerfStringBackup.INI 2016-09-09 15:17 - 2015-10-30 03:21 - 00000000 ____D C:\WINDOWS\INF 2016-09-09 15:14 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps 2016-09-09 15:14 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\AppReadiness 2016-09-09 15:14 - 2015-10-21 22:12 - 00000000 ___RD C:\Users\Steve\OneDrive 2016-09-09 15:13 - 2016-01-21 17:11 - 00000362 _____ C:\WINDOWS\Tasks\HPCeeScheduleForSteve.job 2016-09-09 15:13 - 2015-12-16 20:51 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2016-09-09 15:13 - 2015-12-16 20:40 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat 2016-09-09 15:13 - 2015-10-21 22:32 - 00000000 __SHD C:\Users\Steve\IntelGraphicsProfiles 2016-09-09 15:12 - 2015-10-30 02:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI 2016-09-09 15:10 - 2015-11-03 21:05 - 00000000 ____D C:\Users\Steve\Documents\Outlook Files 2016-09-09 14:07 - 2015-10-21 18:01 - 00000000 ____D C:\Users\Steve\AppData\Local\Packages 2016-09-08 17:10 - 2016-05-06 07:54 - 00000000 ____D C:\Users\Steve\Documents\RWBworldwide 2016-09-08 11:38 - 2015-10-30 03:24 - 00000000 ___HD C:\WINDOWS\ELAMBKUP 2016-09-07 18:01 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\System 2016-09-07 14:35 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\ADFS 2016-09-07 13:22 - 2015-10-22 22:45 - 00000000 ____D C:\Program Files (x86)\Opera 2016-09-07 13:16 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel 2016-09-07 12:37 - 2015-12-07 22:53 - 00000000 ____D C:\Program Files (x86)\TeamViewer 2016-09-07 11:06 - 2015-11-04 16:06 - 00000000 ____D C:\Users\Steve\Documents\Resume Data 2016-09-06 08:52 - 2015-10-25 18:39 - 00000000 ____D C:\Users\Steve\AppData\Roaming\Spotify 2016-09-06 08:47 - 2015-10-25 18:40 - 00000000 ____D C:\Users\Steve\AppData\Local\Spotify 2016-09-04 21:36 - 2016-03-04 23:09 - 00000000 ____D C:\Users\Steve\Desktop\Mojo Web Site 2016-09-02 23:49 - 2015-10-30 
03:24 - 00000000 ____D C:\WINDOWS\SchCache 2016-09-02 18:30 - 2015-10-30 03:26 - 00000000 ____D C:\WINDOWS\Setup 2016-09-02 16:27 - 2015-12-16 23:36 - 00000000 ___DC C:\WINDOWS\Panther 2016-09-02 10:24 - 2016-03-18 13:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service 2016-09-02 09:30 - 2016-06-23 23:36 - 00002529 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002493 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002488 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002487 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002451 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002450 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002444 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk 2016-09-02 09:30 - 2016-06-23 23:36 - 00002430 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk 2016-09-02 09:30 - 2016-04-14 14:12 - 00002214 _____ C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Blue Jeans.lnk 2016-09-02 09:30 - 2016-02-11 19:32 - 00001087 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk 2016-09-02 09:30 - 2016-01-10 19:55 - 00002125 _____ C:\Users\Public\Desktop\GnuCash.lnk 2016-09-02 09:30 - 2015-12-17 17:28 - 00000970 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\I.R.I.S. 
OCR Registration.lnk 2016-09-02 09:30 - 2015-12-16 20:47 - 00001507 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk 2016-09-02 09:30 - 2015-12-12 12:19 - 00001823 _____ C:\Users\Public\Desktop\iTunes.lnk 2016-09-02 09:30 - 2015-12-12 12:18 - 00002523 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk 2016-09-02 09:30 - 2015-12-07 22:54 - 00001035 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 11.lnk 2016-09-02 09:30 - 2015-11-06 16:21 - 00001185 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass 2.lnk 2016-09-02 09:30 - 2015-10-25 18:40 - 00001908 _____ C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk 2016-09-02 09:30 - 2015-10-25 08:16 - 00002445 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk 2016-09-02 09:30 - 2015-10-21 22:14 - 00002417 _____ C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk 2016-09-02 09:30 - 2013-10-16 12:19 - 00001115 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Connected Music.lnk 2016-09-02 09:30 - 2013-10-16 12:15 - 00001378 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk 2016-09-02 09:30 - 2013-10-16 12:15 - 00001309 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk 2016-09-02 09:30 - 2013-10-16 12:08 - 00002481 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cozi Family Calendar.lnk 2016-09-02 09:29 - 2015-11-05 15:56 - 00001195 _____ C:\Users\Steve\Desktop\Kernel OST Viewer .lnk 2016-09-02 08:22 - 2013-10-16 12:12 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Communication and Chat 2016-09-02 07:31 - 2015-10-21 18:01 - 00000000 ____D C:\Users\Steve\AppData\Local\VirtualStore 2016-09-01 19:33 - 2015-12-16 20:42 - 00000000 ____D C:\Users\Steve 2016-09-01 15:51 - 2015-10-30 03:24 - 00000000 ___SD C:\WINDOWS\Downloaded Program Files 
2016-08-31 22:37 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\appraiser 2016-08-31 22:37 - 2015-10-30 03:11 - 00000000 ____D C:\WINDOWS\CbsTemp 2016-08-30 22:14 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\NDF 2016-08-30 07:29 - 2015-11-06 18:36 - 00000000 ____D C:\Users\Steve\AppData\Roaming\KeePass 2016-08-30 07:29 - 2015-11-04 14:00 - 00000000 ____D C:\Users\Steve\Documents\KeePass2 2016-08-27 21:08 - 2015-10-30 03:24 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft 2016-08-27 21:07 - 2013-10-16 12:12 - 00000000 ____D C:\Program Files (x86)\Microsoft Office 2016-08-27 20:58 - 2015-12-07 22:54 - 00000000 ____D C:\Users\Steve\AppData\Roaming\TeamViewer 2016-08-23 17:01 - 2016-01-12 14:55 - 00000000 ____D C:\Users\Steve\AppData\LocalLow\WebEx 2016-08-12 15:55 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\rescache 2016-08-12 11:48 - 2015-11-13 08:35 - 00000000 ____D C:\Users\Steve\AppData\Roaming\Skype 2016-08-12 11:44 - 2015-09-10 01:42 - 00000000 __RHD C:\Users\Public\AccountPictures 2016-08-12 11:38 - 2015-10-30 05:07 - 00000000 ____D C:\Program Files\Windows Journal 2016-08-12 10:49 - 2013-08-31 23:49 - 00000000 ____D C:\SWSetup 2016-08-12 00:07 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\SecureBootUpdates 2016-08-12 00:07 - 2015-10-22 20:49 - 00000000 ____D C:\WINDOWS\system32\MRT 2016-08-11 23:59 - 2015-10-22 20:49 - 147640136 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe ==================== Files in the root of some directories ======= 2015-11-11 16:38 - 2015-11-11 16:38 - 0025553 _____ () C:\Users\Steve\AppData\Roaming\Comma Separated Values.ADR 2016-07-04 20:24 - 2016-07-04 20:24 - 0000000 _____ () C:\Users\Steve\AppData\Roaming\WbspInstallerTempFileToBeDeleted.txt 2016-09-02 18:11 - 2016-09-01 14:45 - 0194048 _____ () C:\Users\Steve\AppData\Local\carvell.exe 2016-09-02 07:38 - 2015-06-26 15:08 - 0294400 _____ (CodePlex Community) C:\Users\Steve\AppData\Local\Microsoft.Win32.TaskScheduler.dll 
2016-01-10 20:25 - 2016-01-10 20:25 - 0001780 _____ () C:\Users\Steve\AppData\Local\recently-used.xbel 2016-09-02 18:11 - 2016-09-01 14:45 - 0313856 _____ () C:\Users\Steve\AppData\Local\settings.dll 2015-12-17 17:28 - 2015-12-17 17:28 - 0000057 _____ () C:\ProgramData\Ament.ini Some files in TEMP: ==================== C:\Users\Steve\AppData\Local\Temp\HPInstaller.exe C:\Users\Steve\AppData\Local\Temp\jre-8u91-windows-au.exe C:\Users\Steve\AppData\Local\Temp\SkypeSetup.exe ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\wininit.exe => File is digitally signed C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2016-08-31 22:37 ==================== End of FRST.txt ============================ ADDITION.TXT Additional scan result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016 Ran by Steve (09-09-2016 15:27:54) Running from C:\Users\Steve\Desktop Windows 10 Home Version 1511 (X64) (2015-12-17 00:54:42) Boot Mode: Normal ========================================================== ==================== Accounts: ============================= Administrator 
(S-1-5-21-2221598115-2109861328-2175321649-500 - Administrator - Disabled) DefaultAccount (S-1-5-21-2221598115-2109861328-2175321649-503 - Limited - Disabled) Guest (S-1-5-21-2221598115-2109861328-2175321649-501 - Limited - Disabled) Steve (S-1-5-21-2221598115-2109861328-2175321649-1001 - Administrator - Enabled) => C:\Users\Steve ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) 7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov) Adobe Reader XI (11.0.17) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.17 - Adobe Systems Incorporated) ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden Apple Application Support (32-bit) (HKLM-x32\...\{C5815ACF-FD34-4553-8A22-C7411B7E662B}) (Version: 4.1.1 - Apple Inc.) Apple Application Support (64-bit) (HKLM\...\{CBF12D2F-CF64-4CB7-858B-2C1F21068E5F}) (Version: 4.1.1 - Apple Inc.) Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.) Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.) 
ArcSoft Family Paint (HKLM-x32\...\{8393D59B-D45F-470B-90EB-EEA15E664AE7}) (Version: 1.0.5.243 - ArcSoft) Audacity 2.1.0 (HKLM-x32\...\Audacity_is1) (Version: 2.1.0 - Audacity Team) Azkend 2: The World Beneath (x32 Version: 2.2.0.98 - WildTangent) Hidden Blue Jeans (HKLM-x32\...\{12E34510-9DBD-457A-8645-5E12956602E9}) (Version: 1.10.22 - Blue Jeans) Bob the Builder Can-Do-Zoo (x32 Version: 2.2.0.95 - WildTangent) Hidden Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.) Bookworm Adventures Volume 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden Byki (x32 Version: 4.0 - Transparent Language, Inc.) Hidden Byki Express (HKLM-x32\...\Byki Express) (Version: 4.1 - Transparent Language, Inc.) Cisco WebEx Meetings (HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC) Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix) Cozi (HKLM-x32\...\{EC8228E5-80A1-42EE-BA03-DE19D8D5A1E0}) (Version: 2.0.8722.42485 - Cozi Group, Inc.) 
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden DISH Anywhere Slingplayer Installer (x32 Version: 1.1.0.384 - Sling Media) Hidden DISH Anywhere Video Player (HKLM-x32\...\{19A59152-3EA7-4631-9A11-5D2DBEF29780}) (Version: 2.29.3 - DISH Anywhere) DishAnywhereDesktop (HKLM-x32\...\{64ce7194-0a6e-4b76-90e5-432d8106504f}) (Version: 1.1.0.384 - Sling Media) Elevated Installer (x32 Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Hidden ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version: - Lars Hederer) Garmin Communicator Plugin (HKLM-x32\...\{71DBFBF2-F7EB-4268-8485-9471D83C4E66}) (Version: 4.2.0 - Garmin Ltd or its subsidiaries) Garmin Communicator Plugin x64 (HKLM\...\{70A381F1-C161-4D61-A20C-BE12FC6777DF}) (Version: 4.2.0 - Garmin Ltd or its subsidiaries) Garmin Express (HKLM-x32\...\{686d881a-083e-4030-80db-52c493bf89d3}) (Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Garmin Express (x32 Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Hidden Garmin Express Tray (x32 Version: 4.1.25.0 - Garmin Ltd or its subsidiaries) Hidden GnuCash 2.6.9 (HKLM-x32\...\GnuCash_is1) (Version: - GnuCash Development Team) Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden GoToMeeting 7.22.0.5506 (HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\GoToMeeting) (Version: 7.22.0.5506 - CitrixOnline) Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.14.276 - SurfRight B.V.) HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: 1.0 - Meridian Audio Ltd) HP Documentation (HKLM-x32\...\{5F852577-14FC-4C5D-9279-CFA90D712FCB}) (Version: 1.1.0.0 - Hewlett-Packard) HP Officejet Pro 8610 Basic Device Software (HKLM\...\{39DA3F40-0B9E-4002-8E01-108FEC9EFE43}) (Version: 32.3.198.49673 - Hewlett-Packard Co.) 
HP Officejet Pro 8610 Help (HKLM-x32\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard) HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7045.4591 - Hewlett-Packard) HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.3.34.7 - Hewlett-Packard Company) HP Support Solutions Framework (HKLM-x32\...\{F6A11738-3EE4-4573-AEA5-6CD5D491C167}) (Version: 12.5.32.37 - Hewlett-Packard Company) HP System Event Utility (HKLM-x32\...\{6B1ECC61-B581-400D-BFAF-101B1AAEA5AB}) (Version: 1.4.7 - Hewlett-Packard Company) HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard) HP Utility Center (HKLM\...\{AED1C141-3AFC-47FE-AE90-C820AA60B103}) (Version: 2.2.5 - Hewlett-Packard Company) HP Wireless Button Driver (HKLM-x32\...\{EFA01423-3857-468C-B7B6-F30AA08E50BC}) (Version: 1.1.5.1 - Hewlett-Packard) I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP) IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6498.0 - IDT) Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.23.1766 - Intel Corporation) Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.15.4248 - Intel Corporation) Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation) iTunes (HKLM\...\{0D44E3A4-6C3D-45D7-B443-079509E5BE5D}) (Version: 12.3.2.35 - Apple Inc.) Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation) KeePass Password Safe 2.34 (HKLM-x32\...\KeePassPasswordSafe2_is1) (Version: 2.34 - Dominik Reichl) Kernel OST Viewer ver 15.0 (HKLM-x32\...\Kernel OST Viewer_is1) (Version: - Lepide Software Pvt.Ltd.) 
King Oddball (x32 Version: 3.0.2.48 - WildTangent) Hidden LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - ) LG Mobile Driver (HKLM-x32\...\{3F490D0E-3131-438C-BCF9-7549CB88DF41}) (Version: 4.0.4 - LG Electronics) LG USB WML Modem Driver (HKLM-x32\...\{FBA0CA60-8BF2-4381-B819-74F020E165A9}) (Version: 1.0 - LG Electronics) LinuxLive USB Creator (HKLM-x32\...\LinuxLive USB Creator) (Version: 2.9 - Thibaut Lauziere) Logitech Harmony Remote Software 7 (HKLM-x32\...\{5C6F884D-680C-448B-B4C9-22296EE1B206}) (Version: 7.7.0.0 - Logitech) Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes) Microsoft Network Monitor 3.4 (HKLM\...\{8C5B5A11-CBF8-451B-B201-77FAB0D0B77D}) (Version: 3.4.2350.0 - Microsoft Corporation) Microsoft Network Monitor: NetworkMonitor Parsers 3.4 (HKLM\...\{963E5FEB-1367-46B9-851D-A957F1A3747F}) (Version: 3.4.2350.0 - Microsoft Corporation) Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.6741.2063 - Microsoft Corporation) Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 
(HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{650c9b4a-60ec-4e4e-8d8e-32d85ce3b7c5}) (Version: 11.0.61030.0 - Microsoft Corporation) Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation) Monopoly version 1.00.00.594394 (HKLM-x32\...\{d176ba37-928e-4b25-9a62-78b2c73331f8}_is1) (Version: 1.00.00.594394 - EA) Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden Mozilla Firefox 48.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 48.0.2 (x86 en-US)) (Version: 48.0.2 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 48.0.2 - Mozilla) MyFFVideoConverter (HKLM-x32\...\MyFFVideoConverter) (Version: 1.0.0.0 - Pergel.hu) Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6701.1036 - Microsoft Corporation) Hidden Office 16 Click-to-Run Licensing Component (Version: 16.0.6701.1036 - Microsoft Corporation) Hidden Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6701.1036 - Microsoft Corporation) Hidden Opera Stable 39.0.2256.71 (HKLM-x32\...\Opera 39.0.2256.71) (Version: 39.0.2256.71 - Opera Software) PdaNet+ for Android 4.18 (HKLM-x32\...\PdaNet_is1) (Version: - June Fabrics Technology Inc) Product Improvement Study for HP Officejet Pro 8610 
(HKLM\...\{D2064264-3162-4DB1-AFE0-167BEFBBCD9C}) (Version: 32.3.198.49673 - Hewlett-Packard Co.) Ralink Bluetooth Stack64 (HKLM\...\{8A2E2A41-B814-407E-2F96-4E433C42AB78}) (Version: 11.0.739.0 - Mediatek) Ralink RT3290 802.11bgn Wi-Fi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 5.0.57.0 - Mediatek) Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 3375.110 - Realtek Semiconductor Corp.) Remote Control USB Driver (HKLM-x32\...\{8471021C-F529-43DE-84DF-3612E10F58C4}) (Version: 2.3.2.317 - ) SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.45.0 - SAMSUNG Electronics Co., Ltd.) SimplePiano (remove only) (HKLM-x32\...\SimplePiano) (Version: - ) Skype™ 7.24 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.24.104 - Skype Technologies S.A.) Slingplayer for Web Installer (x32 Version: 1.2.7.358 - Sling Media) Hidden SlingplayerForWeb (HKLM-x32\...\{62a74667-8e59-4fbc-9417-ad041a630066}) (Version: 1.2.7.358 - Sling Media) Spotify (HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\Spotify) (Version: 1.0.36.124.g1cba1920 - Spotify AB) Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.) swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden Synaptics ClickPad Driver (HKLM\...\SynTPDeinstKey) (Version: 19.2.4.0 - Synaptics Incorporated) TeamViewer 11 (HKLM-x32\...\TeamViewer) (Version: 11.0.63017 - TeamViewer) Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent) WildTangent Games App (HP Games) (x32 Version: 4.0.10.15 - WildTangent) Hidden Windows Driver Package - Dynastream Innovations, Inc. 
ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.) Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software) Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation) ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\FileCoAuth.exe (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Steve\AppData\Local\Citrix\GoToMeeting\5174\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.) CustomCLSID: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) 
Task: {02940F68-90D9-4A70-A697-F289725B9E7E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater - Resources => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.) Task: {09B5AFF5-1A79-4F6D-AD61-6B041D41507A} - \Synaptics TouchPad Enhancements -> No File <==== ATTENTION Task: {0B545118-B563-42FC-8D07-B78F602FCF34} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList Task: {19828BE8-181C-452A-B2CA-A663B7508256} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-08-03] (HP Inc.) Task: {1C00B6DA-E484-4A1D-BFE4-392CCE973648} - \G2MUploadTask-S-1-5-21-2221598115-2109861328-2175321649-1001 -> No File <==== ATTENTION Task: {22B7E457-7638-498A-94FE-9E21DD13EDCB} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-08-11] (Microsoft Corporation) Task: {33BAA670-48FD-48A8-8512-465295168F88} - \GarminUpdaterTask -> No File <==== ATTENTION Task: {416B6139-AA5C-4ECB-B381-C5564FF5E2E4} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-08-01] (Microsoft Corporation) Task: {42C98737-909E-4866-B1DE-8D8ED0112F4C} - \HPCustParticipation HP Officejet Pro 8610 -> No File <==== ATTENTION Task: {47A0C646-C75F-4B9B-AFA0-84DE0C8ABE40} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-08-18] (HP Inc.) 
Task: {4DB8C1C5-8D00-4875-A972-205919238805} - \G2MUpdateTask-S-1-5-21-2221598115-2109861328-2175321649-1001 -> No File <==== ATTENTION Task: {752D4054-9117-4B7B-A37A-CA3878C2273B} - \Optimize Start Menu Cache Files-S-1-5-21-2221598115-2109861328-2175321649-500 -> No File <==== ATTENTION Task: {7DF9EE71-6DEE-400B-B6C2-E2EA26FAF05B} - System32\Tasks\HPCeeScheduleForSteve => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard) Task: {7FB4B434-7419-4521-BFEA-F8D6412A9B27} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.) Task: {8C8DE422-B1F3-4111-BB17-12967A473981} - \Adobe Acrobat Update Task -> No File <==== ATTENTION Task: {91BA9673-BAB4-4444-85B3-EF5AE916E305} - \SmartShare -> No File <==== ATTENTION Task: {B2E7149C-6382-4F1C-892E-777BB33BAA79} - System32\Tasks\Opera scheduled Autoupdate 1445568390 => C:\Program Files (x86)\Opera\launcher.exe [2016-09-05] (Opera Software) Task: {C43C2F13-4750-4A0E-AF71-0F0EAFF61B21} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2016-08-01] (Microsoft Corporation) Task: {C6C8FAB5-0C14-4FEC-BD19-05853FFEDE8A} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-08-01] (Microsoft Corporation) Task: {C87FCA00-2EFA-4C61-A767-895BCD6A2A48} - \OneDrive Standalone Update Task -> No File <==== ATTENTION Task: {E7AFCA96-4884-491D-B6F7-A9167FD50090} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-05-09] (Hewlett-Packard) Task: {EC1AFA24-5230-44CD-80AF-CFD3C34A4C5F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support 
Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-08-23] (HP Inc.) Task: {EDBAACA4-47AE-4CF3-93CD-F010AD96C017} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-07-31] (Microsoft Corporation) Task: {FE990390-F3B7-47A8-AC8E-3CC4F908F443} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-07-31] (Microsoft Corporation) Task: {FEDC2C76-EB0B-4775-B0AD-CA609B77678D} - \Optimize Start Menu Cache Files-S-1-5-21-2221598115-2109861328-2175321649-1001 -> No File <==== ATTENTION (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job => C:\Users\Steve\AppData\Local\Citrix\GoToMeeting\5506\g2mupdate.exe Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-2221598115-2109861328-2175321649-1001.job => C:\Users\Steve\AppData\Local\Citrix\GoToMeeting\5506\g2mupload.exe Task: C:\WINDOWS\Tasks\HPCeeScheduleForSteve.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => Task: C:\WINDOWS\Tasks\Synaptics TouchPad Enhancements.job => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe ==================== Shortcuts ============================= (The entries could be listed to be restored or removed.) 
==================== Loaded Modules (Whitelisted) ============== 2015-10-30 03:17 - 2015-10-30 03:17 - 00028672 _____ () C:\WINDOWS\SYSTEM32\efsext.dll 2015-10-30 03:18 - 2015-10-30 03:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll 2015-11-20 15:57 - 2015-11-20 15:57 - 00085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll 2015-11-20 15:57 - 2015-11-20 15:57 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll 2016-05-08 08:23 - 2016-07-31 05:48 - 00173248 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll 2016-07-13 07:37 - 2016-07-01 00:48 - 02656408 _____ () C:\WINDOWS\system32\CoreUIComponents.dll 2015-10-22 20:58 - 2015-10-22 20:58 - 00404912 _____ () C:\WINDOWS\system32\igfxTray.exe 2016-07-13 07:37 - 2016-07-01 00:48 - 02656408 _____ () C:\WINDOWS\System32\CoreUIComponents.dll 2016-08-22 20:49 - 2016-08-22 20:49 - 01864384 _____ () C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\amd64\ClientTelemetry.dll 2016-05-08 08:27 - 2016-07-31 09:27 - 08919240 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll 2016-04-19 07:16 - 2016-04-19 07:16 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe 2016-07-13 07:37 - 2016-06-30 23:27 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll 2016-07-13 07:37 - 2016-06-30 23:21 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll 2016-07-13 07:37 - 2016-06-30 23:22 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll 2016-07-13 07:37 - 2016-06-30 23:24 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll 2015-12-18 07:52 - 2015-12-07 00:14 - 00093696 _____ () 
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll 2016-07-13 07:39 - 2016-06-30 23:48 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll 2015-11-23 07:08 - 2015-09-03 15:44 - 01058616 _____ () C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe 2016-07-31 14:54 - 2016-07-31 14:54 - 00073216 _____ () C:\Program Files (x86)\Garmin\Device Interaction Service\FixBootSector.dll 2016-09-02 00:30 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl 2016-09-02 00:30 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl 2016-09-02 00:30 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl 2016-09-02 00:30 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll 2016-09-02 00:30 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll 2016-05-08 08:27 - 2016-07-31 07:57 - 08919232 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\1033\GrooveIntlResource.dll 2016-04-19 07:16 - 2016-04-19 07:16 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll 2016-04-19 07:16 - 2016-04-19 07:17 - 22284800 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkyWrap.dll 2016-08-22 20:49 - 2016-08-22 20:49 - 01383616 _____ () C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\ClientTelemetry.dll 2016-08-22 20:49 - 2016-08-22 20:49 - 00118976 _____ () C:\Users\Steve\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\FileSyncViews.dll 2015-01-13 16:45 - 2015-01-13 16:45 - 40578048 _____ () C:\Program Files (x86)\DishAnywhereDesktop\libcef.dll 2015-12-03 11:21 - 2015-12-03 11:21 - 40578048 _____ () C:\Program Files 
(x86)\Sling Media\SlingplayerForWeb\libcef.dll
2015-12-03 11:21 - 2015-12-03 11:21 - 01920000 _____ () C:\Program Files (x86)\Sling Media\SlingplayerForWeb\ffmpegsumo.dll
2015-01-13 16:45 - 2015-01-13 16:45 - 01920000 _____ () C:\Program Files (x86)\DishAnywhereDesktop\ffmpegsumo.dll
2015-11-28 18:26 - 2013-12-10 08:27 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\garmin.com -> hxxps://my.garmin.com
IE trusted site: HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\wordle.net -> hxxps://www.wordle.net

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 09:25 - 2016-09-02 07:37 - 00001010 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 down.baidu2016.com
127.0.0.1 123.sogou.com
127.0.0.1 www.czzsyzgm.com
127.0.0.1 www.czzsyzxl.com
127.0.0.1 union.baidu2019.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "faribault"
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk"
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\StartupApproved\Run: => "IRS12AUC0C"
HKU\S-1-5-21-2221598115-2109861328-2175321649-1001\...\StartupApproved\Run: => "kozma"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{76F6D9EC-26C1-45A3-A3E0-45746147D442}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{5426E4B7-480B-4E97-A12F-AF43AB344813}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{D3F06588-1AD9-4A72-964B-2B5157E8FFF9}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{A93BE479-007B-4E7A-A4B6-9BB64330B239}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{AA6D6E77-0DD9-4BE7-B3E1-9ECF53C1C194}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{7794176B-3A48-4942-9823-6CB54A84107D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{2663DD07-706F-4A66-A4A2-A20CA8858A85}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{AEE6B7E2-812B-49DB-AB8B-6158F0B93316}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{B5C08E6F-44BA-4199-B7F9-D50C55AF35E1}] => (Allow) C:\Program Files
(x86)\TeamViewer\TeamViewer.exe FirewallRules: [UDP Query User{04FF4C40-77D5-4517-911B-A16A9660251E}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe FirewallRules: [TCP Query User{E8594489-F06F-479F-82E3-EA718C0343F7}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe FirewallRules: [UDP Query User{13D6C8F6-2B68-4396-94F9-E5EAA95392B2}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe FirewallRules: [TCP Query User{9B7D2E36-3DCE-43C3-A3A3-6CD927A29505}C:\program files (x86)\internet explorer\iexplore.exe] => (Allow) C:\program files (x86)\internet explorer\iexplore.exe FirewallRules: [UDP Query User{33BAFCD6-19FC-4FC0-8538-535993D55E2E}C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe] => (Allow) C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe FirewallRules: [TCP Query User{169CBFA5-8F9E-4F64-BDD7-78533CF12835}C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe] => (Allow) C:\program files (x86)\dishanywheredesktop\dishanywhereplayer.exe FirewallRules: [UDP Query User{1B609FA4-2A12-489E-AF41-31F799CD7E48}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe FirewallRules: [TCP Query User{CD46FD49-A72F-45F6-91BC-F336A7E2E6DC}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe FirewallRules: [{18C07216-136D-45D6-8B77-239F92B7E7E6}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe FirewallRules: [UDP Query User{D6F6B990-1C63-4358-8217-D90F8F52F3A0}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe FirewallRules: [TCP Query 
User{E2A84E87-396A-4848-A0E1-15A19FE00D59}C:\users\steve\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\steve\appdata\roaming\spotify\spotify.exe FirewallRules: [{C05ACE9A-7119-483F-9190-D9D71F251374}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe FirewallRules: [{215B4E2E-C7D9-4692-A521-217B33FCD927}] => (Allow) LPort=2869 FirewallRules: [{30CE10FE-CC1B-4D6F-A476-50D356714537}] => (Allow) LPort=1900 FirewallRules: [{1996AE36-20AC-4A67-84CB-B7914FD961D2}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe FirewallRules: [{26AF7472-CA24-4BA4-A633-6D331160BDBA}] => (Allow) C:\Program Files (x86)\HPConnectedMusic\HPConnectedMusic.exe FirewallRules: [{E55B12EE-99C1-4969-83E3-A8BAA0969E1B}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe FirewallRules: [{65AD5E75-BC55-4CBC-B25C-ABB78B3BDF8B}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\HPConnectedMusic.exe FirewallRules: [{979C2B52-B08D-462E-9968-789BF25D90EF}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe FirewallRules: [{60B1080B-AD9D-47A1-AC73-602E5103D53B}] => (Allow) %LocalAppData%\HPConnectedMusic\Application\spotify_helper.exe FirewallRules: [{36DA00D6-A3E7-4EB0-950C-3057936977EA}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe FirewallRules: [{13848EEA-76BA-461B-A4E8-5D53D7038675}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe FirewallRules: [{D0130353-D5B9-4ED6-9799-0937A4F4F65D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe FirewallRules: [{0BDF3FBB-9088-4691-BA0B-260BBA5E0004}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe FirewallRules: [{094EE917-BB3A-492D-BC14-53F6193B30A0}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe FirewallRules: [{C4FF9712-60D5-4B9F-897C-280E5C28A247}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe FirewallRules: [{267AEAB5-A5A2-4AE7-8DCC-D276343177C5}] => 
(Allow) C:\Users\Steve\AppData\Local\Temp\7zS0187\hppiw.exe FirewallRules: [{8335D25B-B2BB-46B7-BDC0-F8DE581A3F95}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zS0187\hppiw.exe FirewallRules: [{E3B63B22-5170-400B-8296-D88307D406C6}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\FaxApplications.exe FirewallRules: [{9B61F742-F736-4F3E-9B96-D0E01E7E8B02}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\DigitalWizards.exe FirewallRules: [{3BAF6F9D-62CA-4136-B57A-17CD96307727}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\bin\SendAFax.exe FirewallRules: [{31232DA8-0DD8-4398-AC6B-8856771CD2E6}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\Bin\DeviceSetup.exe FirewallRules: [{290C13A9-4916-4975-A84C-33F6457515FF}] => (Allow) LPort=5357 FirewallRules: [{67B529A1-8EBB-4A25-B62D-788CBF8C9289}] => (Allow) C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPNetworkCommunicatorCom.exe FirewallRules: [TCP Query User{E69FCBC5-041F-4281-B28C-844E8B6C70AA}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe FirewallRules: [UDP Query User{91E22D2F-FBC5-484E-AA4B-A02C7A327DC8}C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe] => (Allow) C:\program files (x86)\slingplayerforchrome\slingplayerforchrome.exe FirewallRules: [{6FED3A5F-9677-4430-84DC-8F236D46F8C7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{7BFB8633-26D5-4466-AFF1-1C51787B8EEC}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [TCP Query User{846F6B5E-7233-46F0-8EE3-79C0A30E89B2}C:\program files (x86)\sling media\slingplayerforweb\slingplayerforweb.exe] => (Allow) C:\program files (x86)\sling media\slingplayerforweb\slingplayerforweb.exe FirewallRules: [UDP Query User{448498B2-47B4-4E84-AE17-8B976069D332}C:\program files (x86)\sling media\slingplayerforweb\slingplayerforweb.exe] => (Allow) C:\program files 
(x86)\sling media\slingplayerforweb\slingplayerforweb.exe FirewallRules: [TCP Query User{D8FA3EA8-20F4-44D0-9DE7-2B8BB981F2DE}C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe] => (Allow) C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe FirewallRules: [UDP Query User{EFF5C9B9-1671-4551-8BF4-6D1EB3D39866}C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe] => (Allow) C:\users\steve\appdata\local\blue jeans\app\bluejeans.exe FirewallRules: [{891D766F-2040-41BD-9A23-A0B6374E16B9}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zS459F\HPDiagnosticCoreUI.exe FirewallRules: [{F2578D8B-95ED-4217-BC90-D5E6B90DE9B9}] => (Allow) C:\Users\Steve\AppData\Local\Temp\7zS459F\HPDiagnosticCoreUI.exe FirewallRules: [{F4880976-7F09-4380-921B-7AA9A354CF31}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe FirewallRules: [{2329453D-F21C-4BD1-9880-2C5291263F5D}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe FirewallRules: [{BC2D753F-C4B0-4984-8549-957C5EB0AC1F}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe FirewallRules: [{4363EEBC-84FA-4C24-B0E6-C3B23CC46064}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe FirewallRules: [{2D9A3BFE-FB4E-4BE2-8192-EFD5B0376D33}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe FirewallRules: [TCP Query User{0A811D6F-368D-4B5D-A22E-A4998D7F051B}C:\program files (x86)\mozilla firefox\plugin-container.exe] => (Allow) C:\program files (x86)\mozilla firefox\plugin-container.exe FirewallRules: [UDP Query User{7AD2BC93-7F4A-4BEE-9F76-FA0B570132E3}C:\program files (x86)\mozilla firefox\plugin-container.exe] => (Allow) C:\program files (x86)\mozilla firefox\plugin-container.exe FirewallRules: [{CD295A4B-C521-478A-99F7-860F17572EB4}] => (Allow) C:\Program Files (x86)\LG Software\LG Smart Share\DMS\SmartShareDMS.exe FirewallRules: [{BC54E356-BE60-4289-8ABC-9EDA361608E2}] => (Allow) C:\Program Files 
(x86)\LG Software\LG Smart Share\DMS\SmartShareDMS.exe FirewallRules: [{D47099B2-3777-4224-AE1F-8C9713BD81D9}] => (Allow) C:\Program Files (x86)\LG Software\LG Smart Share\DMR\SmartShareDMR.exe FirewallRules: [{1BDBF9CA-24BA-4317-932B-26D921A94C54}] => (Allow) C:\Program Files (x86)\LG Software\LG Smart Share\DMR\SmartShareDMR.exe FirewallRules: [{932CE933-F297-499B-8132-E656A6839C7C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe FirewallRules: [{12F09071-CB57-439E-B03B-19E7BF021516}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe FirewallRules: [{0054481D-ECC7-447A-822D-19D858DDDA80}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe FirewallRules: [{FE63E93C-A3FE-4F4F-820B-80E5A4E7E5F7}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe FirewallRules: [{3D890FD4-97FA-4AF7-B142-C2B3C6E73468}] => (Allow) C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe FirewallRules: [{160639E4-F9CF-4CAE-BF36-27B2C48EA80F}] => (Allow) C:\Program Files (x86)\SrpnFiles\SrpnFiles.exe FirewallRules: [{70530226-5C5D-4970-B2A5-F05151521009}] => (Allow) C:\Program Files (x86)\SrpnFiles\downloader.exe FirewallRules: [{BD159D5B-EE6C-4884-9CBB-B6B388330D79}] => (Allow) C:\Program Files (x86)\SrpnFiles\downloader.exe FirewallRules: [{31BB6551-303C-4C1F-B59E-896AB89EE147}] => (Allow) C:\Users\Steve\AppData\Local\ddnowyes.exe FirewallRules: [{B67C7528-4760-443C-9E02-46E41FD8A4F9}] => (Allow) C:\Users\Steve\AppData\Local\Temp\nsf9799.tmp\setup.exe FirewallRules: [{C5A344A6-5F8B-4761-83CD-DF5D9F76F77F}] => (Allow) C:\Users\Steve\AppData\Local\86947498.exe FirewallRules: [{81C8EB87-D53E-4E32-B89E-1BCE26B30E0F}] => (Allow) C:\Users\Steve\AppData\Local\tinstall.exe FirewallRules: [{365894D8-CFDD-4819-B2DF-1761A84561ED}] => (Allow) C:\Users\Steve\AppData\Local\Temp\MPCOnline\MPCDownload.exe FirewallRules: [{2A9E2A5E-2BD4-4765-9578-77C770E061A6}] => (Allow) C:\Users\Steve\AppData\Local\Temp\MPCOnline\MPCDownload.exe FirewallRules: 
[{F16B85B2-2DE7-4215-99A7-A43DF261766D}] => (Allow) C:\Program Files (x86)\actus\carvell.exe FirewallRules: [TCP Query User{965D539F-8C29-4EB3-9C46-8A9CBD9692B5}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe FirewallRules: [UDP Query User{085C406A-1D62-430F-948D-4558F1065575}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe FirewallRules: [{73A5FAE4-1A74-49CD-89FC-5AF2681CEFF2}] => (Allow) C:\Users\Steve\AppData\Local\Chromium\Application\chrome.exe DomainProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7 StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe] => Enabled:Logitech Harmony Remote Software 7 StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service ==================== Restore Points ========================= ATTENTION: System Restore is disabled ==================== Faulty Device Manager Devices ============= Name: HP Officejet Pro 8610 Description: HP Officejet Pro 8610 Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318} Manufacturer: HP Service: Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". 
This starts the Enable Device wizard. Follow the instructions.

Name: Photosmart D7400 series
Description: Photosmart D7400 series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: HP LaserJet P4014
Description: HP LaserJet P4014
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: Hewlett-Packard
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (09/09/2016 03:14:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MsMpEng.exe, version: 4.9.10586.494, time stamp: 0x5775ea45
Faulting module name: mpsvc.dll, version: 4.9.10586.494, time stamp: 0x5775e2d8
Exception code: 0xc0000005
Fault offset: 0x00000000000188f4
Faulting process id: 0xf68
Faulting application start time: 0x01d20ace3bb08a4d
Faulting application path: C:\Program Files\Windows Defender\MsMpEng.exe
Faulting module path: C:\Program Files\Windows Defender\mpsvc.dll
Report Id: d579a51d-3d40-4578-a98d-da114fdf89e5
Faulting package full name:
Faulting package-relative application ID:

Error: (09/09/2016 03:14:05 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: STEVE-SPLIT-X2)
Description: Package Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy+App was terminated because it took too long to suspend.

Error: (09/09/2016 07:58:48 AM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0

Error: (09/09/2016 12:14:01 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1375

Error: (09/09/2016 12:14:01 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1375

Error: (09/09/2016 12:14:01 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (09/08/2016 11:49:27 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7963860

Error: (09/08/2016 11:49:27 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 7963860

Error: (09/08/2016 11:49:27 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (09/08/2016 11:49:23 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7959969

System errors:
=============
Error: (09/09/2016 03:22:41 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2016 03:22:41 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2016 03:22:40 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2016 03:22:40 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.

Error: (09/09/2016 03:22:40 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2)
Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool.
Error: (09/09/2016 03:22:40 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2) Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool. Error: (09/09/2016 03:22:40 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2) Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool. 
Error: (09/09/2016 03:19:36 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2) Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool. Error: (09/09/2016 03:19:36 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2) Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool. 
Error: (09/09/2016 03:19:36 PM) (Source: DCOM) (EventID: 10016) (User: STEVE-SPLIT-X2) Description: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {C2F03A33-21F5-47FA-B4BB-156362A2F239} and APPID {316CDED5-E4AE-4B15-9113-7055D84DCC97} to the user Steve-Split-x2\Steve SID (S-1-5-21-2221598115-2109861328-2175321649-1001) from address LocalHost (Using LRPC) running in the application container Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy SID (S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742). This security permission can be modified using the Component Services administrative tool. CodeIntegrity: =================================== Date: 2016-09-09 15:14:45.621 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system. Date: 2016-09-02 14:26:52.175 Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\msiexec.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Sophos\Sophos Virus Removal Tool\SVRTcli.exe that did not meet the Microsoft signing level requirements. Date: 2016-09-01 19:15:48.691 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. Date: 2016-09-01 19:15:48.595 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. 
Date: 2016-09-01 19:15:43.693 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. Date: 2016-09-01 19:15:41.138 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. Date: 2016-09-01 19:15:41.052 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. Date: 2016-09-01 19:15:17.878 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. Date: 2016-09-01 19:15:17.632 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. Date: 2016-09-01 19:15:15.748 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system. 
==================== Memory info =========================== Processor: Intel(R) Core(TM) i3-4020Y CPU @ 1.50GHz Percentage of memory in use: 62% Total physical RAM: 4028.15 MB Available physical RAM: 1510.95 MB Total Virtual: 7612.15 MB Available Virtual: 4589.62 MB ==================== Drives ================================ Drive c: (Windows) (Fixed) (Total:106.33 GB) (Free:26.06 GB) NTFS Drive d: (RECOVERY) (Fixed) (Total:11.36 GB) (Free:1.19 GB) NTFS ==>[system with boot components (obtained from drive)] Drive f: () (Removable) (Total:29.27 GB) (Free:19.83 GB) FAT32 ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 119.2 GB) (Disk ID: 0F3E11DE) Partition: GPT. ======================================================== Disk: 1 (Size: 29.3 GB) (Disk ID: 00000000) Partition: GPT. ==================== End of Addition.txt ============================ Link to post Share on other sites More sharing options...
AdvancedSetup (Root Admin) Posted September 10, 2016 ID:1061125

Please temporarily uninstall "Spybot - Search & Destroy 2" as it can interfere with the cleanup processes. Then restart the computer again and run a new FRST scan and ATTACH logs. Please don't copy/paste logs as the forum software can sometimes post invalid characters or data.

Thanks
SteveE (Author) Posted September 10, 2016 ID:1061184

Spybot removed. Rebooted and not re-installed. FRST and Additional files attached.

Addition.txt
FRST.txt
AdvancedSetup (Root Admin) Posted September 11, 2016 ID:1061283

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks
SteveE (Author) Posted September 11, 2016 ID:1061340

fixlist.txt was downloaded and a fix was executed from FRST64.exe. Reboot occurred. fixlist.log is attached.

Fixlog.txt
AdvancedSetup (Root Admin) Posted September 12, 2016 ID:1061389

This part is not good from the log.

Error: (0) Failed to create a restore point.

Do you have the service disabled or know why a Restore Point was not created? Are you able to create one manually?
SteveE (Author) Posted September 14, 2016 ID:1061868

OK. I went to the System Properties applet and then to the System Protection tab. The option to create a restore point was greyed out. So, I looked under Configure... and the "Disable system protection" radio button was selected. I switched it to Turn on system protection and allocated 3GB of Disk Space. Hit Apply, then OK. I was able to create a restore point without any issues.
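The "Failed to create a restore point" error in the Fixlog and the repair Steve describes (System Protection switched off for the system drive, then turned back on with 3 GB of shadow storage) can be diagnosed and carried out from an elevated PowerShell prompt. The script below is an added example and not something either participant posted; it assumes the system drive is C:, mirrors the 3 GB allocation chosen above, and uses a made-up restore-point description.

```powershell
# Added example (not from the thread): check why restore-point creation
# fails, turn System Protection back on for C:, and create a checkpoint.
# Run from an elevated PowerShell prompt. Drive letter, storage cap and
# description are assumptions chosen to match the post above.

$drive = "C:\"
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

# 1. Diagnosis: DisableSR = 1 means System Restore is switched off, which is
#    what the greyed-out "Create..." button in System Properties reflects.
$sr = Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue
"DisableSR: $($sr.DisableSR)  RPSessionInterval: $($sr.RPSessionInterval)"

# 2. Restore points are shadow copies, so the Volume Shadow Copy service
#    must at least be startable. Cleanup tools sometimes leave it Disabled.
$vss = Get-Service -Name VSS
if ($vss.StartType -eq 'Disabled') {
    Set-Service -Name VSS -StartupType Manual
}

# 3. Turn System Protection on for the drive (same effect as the
#    "Turn on system protection" radio button under Configure...).
Enable-ComputerRestore -Drive $drive

# 4. Cap shadow storage at 3 GB, the amount allocated in the post above.
#    There is no cmdlet for this setting; vssadmin is the supported tool.
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=3GB | Out-Null

# 5. Windows 8 and later silently skip a new checkpoint if one was made in
#    the last 24 hours. Setting the creation frequency to 0 minutes lifts
#    that throttle so the checkpoint below is actually written.
New-ItemProperty -Path $srKey -Name SystemRestorePointCreationFrequency `
    -Value 0 -PropertyType DWord -Force | Out-Null

# 6. Create the restore point. The description is a placeholder.
Checkpoint-Computer -Description "Post-cleanup checkpoint (placeholder)" `
    -RestorePointType MODIFY_SETTINGS

# 7. Confirm it exists: the newest entry should carry the description above.
Get-ComputerRestorePoint |
    Sort-Object CreationTime -Descending |
    Select-Object -First 1 SequenceNumber, Description, CreationTime
```

Step 1 is the quick check AdvancedSetup asked for: if `DisableSR` reads 1, a fix that relies on a restore point will fail exactly as the Fixlog showed, and the remaining steps restore the protection that the manual System Properties route enables through the GUI.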
AdvancedSetup (Root Admin) Posted September 16, 2016 ID:1062118

Great, how is the computer running now?
SteveE (Author) Posted September 16, 2016 ID:1062158

The computer is running fine. But, I have not re-installed Chrome (where the malware was hiding). I will download a clean copy and see if there is still an issue.
AdvancedSetup (Root Admin) Posted September 17, 2016 ID:1062295

Well, I'm probably too late but not what I wanted. Wanted to make sure the computer was good first. Then we would go in and surgically remove all traces of Chrome. But since it's been 18 hours I'm guessing you've reinstalled and more than likely still having an issue with Chrome. Let me know though please, thanks

Ron
SteveE (Author) Posted September 17, 2016 ID:1062339

Hi Ron,

Thanks. I have re-installed and used Chrome and everything seems to be working fine. I did not get any pop-up warnings about a blocked website from carvell.exe, and ping.exe and associated programs do not show up in taskmgr. So I am thinking the machine is OK at this point.

Steve
AdvancedSetup (Root Admin) Posted September 19, 2016 ID:1062600

At this time there are no more signs of an infection on your system. However, if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process. Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time. They are often updated daily, so if you went to use them again in the future they would be outdated anyways. The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop. (You may already have this.)
- Ensure Remove disinfection tools is checked.
- Click the Run button.
- Reboot.

Any other programs or logs that are still remaining you can manually delete (right click... Delete), i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.
AdwCleaner > just run the program and click uninstall.
If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8
Remove all but the most recent Restore Point on Windows XP

As Java seems to get exploited on a regular basis I advise not using Java if possible, but to at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here, but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data. Nothing is 100% bulletproof, but with a little bit of education you can certainly swing things in your favor.

How Malware Spreads - How did I get infected
Best Practices for Safe Computing - Prevention of Malware Infection
Avoiding those unwanted free applications
A close look at how Oracle installs deceptive software with Java updates
IAC / Ask.com toolbars
Malwarebytes Unpacked Blog

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product, which can also help greatly reduce the risk of a future infection.