
I am locked out of all malware sites, JRT and CCleaner and Windows Defender. My grandson installed something and tried to uninstall it with disastrous results. I tried booting in safe mode without any luck. I am writing this on my tablet since I can't get to the site on the Windows 10 computer. When I run JRT, I get an error "could not overwrite file (directory) clean_shortcut.vbs. Access denied." When I try to delete it in the directory it says I need permission.


Hello Jpen10 and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security software off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
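The FRST.txt log kevinf80 asks for is plain text in a fixed line format (one line per process, Run value, service, driver or proxy setting, each carrying FRST's "[size date] (publisher)" annotation). The following is an added example, written for this page and not code from kevinf80, Farbar or FRST, of a first-pass triage over such lines: it flags entries with no publisher, services and drivers FRST marks "[File not signed]", autorun values that launch a script host such as wscript.exe, a ProxyServer pointing at a loopback address, and one executable registered under several different Run value names. The sample log is constructed for this example (modelled on FRST's format, not a real capture), and the rule names, the script-host list and the executable-extension list are this example's own assumptions.

```python
"""Triage helper for FRST.txt logs (added example; not FRST's own code).

Reads lines in the format FRST prints (Processes, Registry Run values,
Services/Drivers, ProxyServer) and flags the patterns a helper checks first.
Rule names and the script-host list are this example's assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in FRST.txt format (modelled on FRST output, not a real capture).
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
() C:\Program Files (x86)\sorrier\harold.exe
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2017-01-19] (Apple Inc.)
HKLM\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [clears] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
HKLM-x32\...\RunOnce: [Lulopelona] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Jim\AppData\Roaming\Manunagadoc"
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
S2 bottling; C:\WINDOWS\shortsightedness.exe [9728 2017-02-18] (emboldens) [File not signed]
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
"""

PROCESS_RE = re.compile(r'^\((?P<pub>[^)]*)\) (?P<path>[A-Za-z]:\\.*)$')
RUN_RE = re.compile(r'^(?P<hive>\S+?)\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')
TRAIL_RE = re.compile(r'\s*\[\d+ \d{4}-\d{2}-\d{2}\]\s*\((?P<pub>[^)]*)\)\s*$')  # FRST's "[size date] (publisher)"
SERVICE_RE = re.compile(r'^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.*?) \[\d+ \d{4}-\d{2}-\d{2}\] '
                        r'\((?P<pub>[^)]*)\)(?P<unsigned> \[File not signed\])?$')
PROXY_RE = re.compile(r'^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.*)$')
# FRST prints autorun paths unquoted, so the executable ends at the first known extension (assumed list).
EXE_RE = re.compile(r'^(?P<exe>"[^"]+"|[A-Za-z]:\\.*?\.(?:exe|com|scr|bat|cmd|vbs|js|dll|ps1|hta))(?=\s|$)', re.I)
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'rundll32.exe', 'regsvr32.exe'}


def split_cmd(cmd):
    """Return (exe, args) for an FRST autorun command, dropping the trailing annotation."""
    cmd = TRAIL_RE.sub('', cmd).strip()
    m = EXE_RE.match(cmd)
    if m is None:
        return None, cmd
    return m['exe'].strip('"'), cmd[m.end():].strip()


def _basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def triage(log_text):
    """Return a list of (rule, detail) findings; every finding is a review item, not a verdict."""
    findings = []
    run_targets = defaultdict(set)  # lower-cased exe path -> Run value names that launch it
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            if not m['pub'].strip():
                findings.append(('no-publisher', line))
            continue
        m = RUN_RE.match(line)
        if m:
            trail = TRAIL_RE.search(m['cmd'])
            if trail is not None and not trail['pub'].strip():
                findings.append(('no-publisher', line))
            exe, _args = split_cmd(m['cmd'])
            if exe is not None:
                if _basename(exe) in SCRIPT_HOSTS:
                    findings.append(('script-host-autorun', line))
                run_targets[exe.lower()].add(m['name'])
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m['unsigned']:
                findings.append(('unsigned-service-or-driver', line))
            elif not m['pub'].strip():
                findings.append(('no-publisher', line))
            continue
        m = PROXY_RE.match(line)
        if m:
            for entry in m['value'].split(';'):
                hostport = entry.partition('=')[2] if '=' in entry else entry
                host = hostport.rsplit(':', 1)[0] if ':' in hostport else hostport
                try:
                    ip = ipaddress.ip_address(host.strip('[]'))
                except ValueError:
                    continue  # hostname rather than an IP literal; not judged here
                if ip.is_loopback:
                    findings.append(('loopback-proxy', line))
                    break
    # The same binary registered under several Run value names is worth a look on its own.
    for exe, names in run_targets.items():
        if len(names) > 1:
            findings.append(('shared-autorun-target', f'{exe} <- {sorted(names)}'))
    return findings


def summary(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for rule, _detail in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:28} {detail}')
```

An empty publisher field is only a prompt to look closer (in the log below, Amazon Assistant's service shows the same empty "()" field), so the helper, not the script, decides what goes into a fixlist; a loopback ProxyServer is more telling, since it routes every browser request through a local process before it reaches the network.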

kevinf80, thanks for the help.

here are the two text files:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by Jim (administrator) on JIM-PC (24-02-2017 16:52:28)
Running from C:\Users\Jim\Downloads
Loaded Profiles: Jim (Available Profiles: Jim)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Digital Wave Ltd.) C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(windows 99) C:\Program Files (x86)\sorrier\equalized.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\sorrier\harold.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(© 2015 Microsoft Corporation) C:\Users\Jim\AppData\Local\Microsoft\BingSvc\BingSvc.exe
() C:\Program Files (x86)\Enervate\apocalyptic.exe
() C:\Program Files (x86)\shropshire\lobelia.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneMusic_3.6.25021.0_x64__8wekyb3d8bbwe\Music.UI.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-24] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2017-01-19] (Apple Inc.)
HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
HKLM\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
HKLM\...\Run: [clears] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [autoauto] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\RunOnce: [Lulopelona] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Jim\AppData\Roaming\Manunagadoc"
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2016-11-30] (Google)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [BingSvc] => C:\Users\Jim\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [Chromium] => c:\users\jim\appdata\local\chromium\application\chrome.exe [1068544 2016-03-18] (The Chromium Authors)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [ok48036327] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [acupressure] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [changed] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [lobelia] => C:\Program Files (x86)\shropshire\lobelia.exe [40342 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [apostrophes] => C:\Program Files (x86)\shropshire\alltime.exe [462336 2017-02-18] (wallah)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9363672 2017-02-07] (Piriform Ltd)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\MountPoints2: {fdd1f285-096e-11e6-824f-806e6f6e6963} - "D:\setup.exe" 
HKU\S-1-5-18\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327.lnk [2017-02-23]
ShortcutTarget: ok48036327.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327reisinger.lnk [2017-02-23]
ShortcutTarget: ok48036327reisinger.lnk -> C:\Program Files (x86)\Enervate\apocalyptic.exe ()
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reisinger.lnk [2017-02-23]
ShortcutTarget: reisinger.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{5497f104-c6d0-41aa-8aec-fda2691bb19d}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> DefaultScope {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p10_serp_ie_us_display?ie=UTF8&tagbase=bds-p10&tbrId=v1_abb-channel-10_e89f1aa5_1201_1401_20160424_US_ie_ds_&tag=bds-p10-serp-us-ie-20&query={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
BHO: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll [2016-03-28] (DVDVideoSoft Ltd.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-24] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-24] (Oracle Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

Edge: 
======
Edge HomeButtonPage: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> hxxp://foxnews.com/

FireFox:
========
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)

Chrome: 
=======
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR StartupUrls: Default -> "hxxp://foxnews.com/"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default [2017-02-24]
CHR Extension: (Google Slides) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-23]
CHR Extension: (Google Docs) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-23]
CHR Extension: (Google Drive) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-23]
CHR Extension: (Safer Search Results) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\begnofcbcefcedmomgdlmgcpmjafablp [2016-08-25]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2017-01-29]
CHR Extension: (YouTube) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-23]
CHR Extension: (Ebates Cash Back) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhjbpecpncaggjpdakmflnfcopglcmi [2017-02-22]
CHR Extension: (Bing) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-08-31]
CHR Extension: (Google Sheets) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-23]
CHR Extension: (Google Docs Offline) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-23]
CHR Extension: (Planetarium) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gheikhdfflhlbemfmhcfpeblehemeklp [2016-04-23]
CHR Extension: (Muzik Fury) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdapiklnfpdonfeopollmlpfjaphcb [2016-10-05]
CHR Extension: (CouponXplorer) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmjjokfbcjicbibeadflnnhdaglbbga [2017-01-13]
CHR Extension: (Skype) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2017-02-24]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2016-04-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Gmail) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-23]
CHR Extension: (Chrome Media Router) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\System Profile [2017-02-24]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Amazon Assistant Service; C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe [100528 2017-02-17] ()
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [351944 2015-11-04] (Advanced Micro Devices, Inc.)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
S2 bottling; C:\WINDOWS\shortsightedness.exe [9728 2017-02-18] (emboldens) [File not signed]
S2 darkening; C:\WINDOWS\uniter.exe [13824 2017-02-18] (munger) [File not signed]
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
R2 DigitalWave.Update.Service; C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe [389544 2016-07-12] (Digital Wave Ltd.)
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 VumaaService; C:\ProgramData\Vumaa\Vumaa.Service.exe [22952 2016-03-30] (Vumaa)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-07-21] (Advanced Micro Devices)
R3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
R3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
U0 aswVmm; no ImagePath
S3 dbx; system32\DRIVERS\dbx.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-24 16:52 - 2017-02-24 16:53 - 00029495 _____ C:\Users\Jim\Downloads\FRST.txt
2017-02-24 16:51 - 2017-02-24 16:52 - 00000000 ____D C:\FRST
2017-02-24 16:50 - 2017-02-24 16:50 - 00000000 ____D C:\Users\Jim\Desktop\rkill
2017-02-24 16:49 - 2017-02-24 16:50 - 00004796 _____ C:\Users\Jim\Desktop\Rkill.txt
2017-02-24 16:49 - 2017-02-24 16:47 - 02423296 ____N (Farbar) C:\Users\Jim\Downloads\FRST64.exe
2017-02-24 16:49 - 2017-02-24 16:32 - 02030536 ____N (Bleeping Computer, LLC) C:\Users\Jim\Downloads\rkill.exe
2017-02-24 12:29 - 2017-02-24 12:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-02-24 12:29 - 2017-02-24 12:32 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-02-24 12:29 - 2017-02-24 12:29 - 00001456 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2017-02-24 12:29 - 2017-02-24 12:29 - 00001444 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2017-02-24 12:29 - 2017-02-24 12:29 - 00000656 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000628 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000458 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2017-02-24 12:29 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2017-02-24 12:25 - 2017-02-24 12:22 - 46525608 ____N (Safer-Networking Ltd. ) C:\Users\Jim\Downloads\spybot-2.4.exe
2017-02-24 12:06 - 2017-02-24 12:06 - 00250290 _____ C:\Users\Jim\Documents\cc_20170224_120620.reg
2017-02-24 11:57 - 2017-02-24 11:57 - 00000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\Program Files\CCleaner
2017-02-24 11:54 - 2017-02-24 12:28 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-02-24 11:51 - 2017-02-24 11:51 - 00000000 ____D C:\WINDOWS\pss
2017-02-24 09:52 - 2017-02-24 09:36 - 09261616 _____ (Piriform Ltd) C:\Users\Jim\Downloads\ccsetup527.exe
2017-02-24 09:52 - 2017-02-24 09:36 - 01663040 _____ (Malwarebytes) C:\Users\Jim\Downloads\JRT.exe
2017-02-24 09:51 - 2017-02-24 09:51 - 00000552 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive (2).lnk
2017-02-24 05:11 - 2017-02-24 11:35 - 00004140 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{36D55AF4-5ADB-451B-899E-3C12B4B42C3E}
2017-02-23 21:17 - 2017-02-23 21:17 - 00000000 ____D C:\Program Files (x86)\GUM80B4.tmp
2017-02-23 21:14 - 2017-02-23 21:17 - 00002340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-23 21:13 - 2017-02-23 21:13 - 00000000 ____D C:\Program Files (x86)\GUM174A.tmp
2017-02-23 19:28 - 2017-02-23 19:28 - 00003244 _____ C:\WINDOWS\System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3}
2017-02-23 18:21 - 2017-02-23 19:29 - 00000000 ____D C:\Users\Jim\AppData\Local\llssoft
2017-02-23 18:21 - 2017-02-23 19:29 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-02-23 17:21 - 2017-02-23 17:21 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-23 17:20 - 2017-02-24 16:54 - 00003842 _____ C:\WINDOWS\System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1
2017-02-23 17:20 - 2017-02-24 16:49 - 00004404 _____ C:\WINDOWS\System32\Tasks\76656282
2017-02-23 17:20 - 2017-02-24 15:34 - 00004014 _____ C:\WINDOWS\System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1
2017-02-23 17:20 - 2017-02-23 19:16 - 00000000 ____D C:\Program Files (x86)\S5
2017-02-23 17:20 - 2017-02-23 19:16 - 00000000 ____D C:\Program Files (x86)\AnonymizerGadget
2017-02-23 17:20 - 2017-02-23 17:21 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-23 17:20 - 2017-02-23 17:20 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-23 17:20 - 2017-02-23 17:20 - 00000001 _____ C:\Users\Jim\AppData\Local\setupsuccessful.txt
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\c
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\AGData
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\1487895640
2017-02-23 17:19 - 2017-02-24 15:34 - 00003858 _____ C:\WINDOWS\System32\Tasks\213879593
2017-02-23 17:19 - 2017-02-24 15:34 - 00003686 _____ C:\WINDOWS\System32\Tasks\113879593
2017-02-23 17:19 - 2017-02-23 17:20 - 00000000 ____D C:\Program Files (x86)\sorrier
2017-02-23 17:19 - 2017-02-23 17:19 - 01397594 _____ C:\Users\Jim\AppData\Local\setupone.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 00003850 _____ C:\WINDOWS\System32\Tasks\966848
2017-02-23 17:19 - 2017-02-23 17:19 - 00003696 _____ C:\WINDOWS\System32\Tasks\Da966848966848
2017-02-23 17:19 - 2017-02-23 17:19 - 00000055 _____ C:\WINDOWS\key.ini
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\shropshire
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\Enervate
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\daugherty
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\tr5b.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\stxtname.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\run.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\aatxtname.txt
2017-02-23 17:16 - 2017-02-23 17:16 - 00006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-19 12:47 - 2017-02-19 12:47 - 00000000 ____D C:\Users\Jim\.ssh
2017-02-18 23:50 - 2017-02-18 23:50 - 00491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00316416 _____ (windows 99) C:\WINDOWS\motorized.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00041196 _____ C:\WINDOWS\peddle.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00013824 _____ (munger) C:\WINDOWS\uniter.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00009728 _____ (emboldens) C:\WINDOWS\shortsightedness.exe
2017-02-18 22:22 - 2017-02-18 22:22 - 00080956 _____ C:\Users\Jim\Downloads\Document.pdf
2017-02-18 22:19 - 2017-02-18 22:19 - 00039150 _____ C:\Users\Jim\Downloads\SKM_284e17021410491.pdf
2017-02-12 19:09 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\Documents\TurboTax
2017-02-12 18:48 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Intuit
2017-02-12 18:47 - 2017-02-12 18:48 - 00000319 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-02-12 18:47 - 2017-02-12 18:47 - 00002547 _____ C:\Users\Public\Desktop\TurboTax 2016.lnk
2017-02-12 18:47 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2016
2017-02-12 18:46 - 2017-02-12 18:46 - 00000000 ____D C:\Program Files (x86)\TurboTax
2017-02-12 18:45 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Intuit
2017-02-08 16:37 - 2017-02-08 16:37 - 00034293 _____ C:\Users\Jim\Downloads\PastBills.pdf
2017-02-07 17:41 - 2017-02-07 17:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-02-07 11:10 - 2017-02-07 11:10 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iTunes
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iPod
2017-02-07 02:08 - 2017-02-07 02:08 - 00002221 _____ C:\Users\Public\Desktop\Google Earth.lnk
2017-02-07 02:08 - 2017-02-07 02:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
2017-02-06 21:38 - 2017-02-06 21:38 - 00046400 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
2017-02-06 17:33 - 2017-02-06 17:33 - 00020823 _____ C:\Users\Jim\Downloads\Dec 01, 2016 to Dec 20, 2016.pdf
2017-02-06 17:32 - 2017-02-06 17:32 - 00020815 _____ C:\Users\Jim\Downloads\Dec 22, 2016 to Jan 20, 2017.pdf
2017-02-06 17:26 - 2017-02-06 17:26 - 00526149 _____ C:\Users\Jim\Downloads\Owner_1099_2016.pdf
2017-01-25 13:32 - 2017-01-25 13:32 - 02314240 _____ C:\Users\Jim\Downloads\MinecraftInstaller.msi
2017-01-25 09:20 - 2017-01-25 09:20 - 00337425 _____ C:\Users\Jim\Downloads\2454.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-24 15:34 - 2016-04-23 11:48 - 00000000 ___RD C:\Users\Jim\Google Drive
2017-02-24 15:33 - 2016-09-24 04:55 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-24 15:32 - 2016-07-15 23:04 - 01310720 _____ C:\WINDOWS\system32\config\BBI
2017-02-24 15:32 - 2016-05-11 18:07 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-02-24 15:08 - 2016-09-24 04:37 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-02-24 12:01 - 2016-09-24 05:36 - 00000000 ___DC C:\WINDOWS\Panther
2017-02-24 12:01 - 2016-07-16 04:45 - 00000000 ____D C:\WINDOWS\INF
2017-02-24 12:00 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-02-24 10:00 - 2016-04-23 11:09 - 00000000 ___RD C:\Users\Jim\OneDrive
2017-02-24 09:22 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-02-23 21:12 - 2016-04-23 11:10 - 00000000 ____D C:\Users\Jim\AppData\Local\MicrosoftEdge
2017-02-23 19:26 - 2016-09-24 04:37 - 00206352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-02-23 19:25 - 2016-09-24 04:44 - 00000000 ____D C:\Users\Jim
2017-02-23 19:24 - 2016-05-06 16:31 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
2017-02-23 18:06 - 2016-04-24 18:57 - 00000000 ____D C:\Users\Jim\AppData\Roaming\.minecraft
2017-02-18 17:32 - 2016-04-24 18:57 - 00000000 ____D C:\Program Files (x86)\Amazon
2017-02-15 15:59 - 2016-04-23 11:09 - 00002353 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-12 18:45 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-10 15:36 - 2016-04-23 11:45 - 00000000 ___RD C:\Users\Jim\Dropbox
2017-02-10 12:05 - 2016-04-23 11:29 - 00000000 ____D C:\Users\Jim\AppData\Roaming\DVDVideoSoft
2017-02-09 08:48 - 2016-04-23 09:35 - 00000000 ____D C:\Users\Jim\AppData\Local\ElevatedDiagnostics
2017-02-07 17:42 - 2016-04-23 11:42 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-02-07 11:14 - 2016-04-23 11:42 - 00000916 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2017-02-07 11:14 - 2016-04-23 11:42 - 00000912 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2017-02-07 11:10 - 2016-05-15 11:07 - 00000000 ____D C:\Program Files\Recuva
2017-02-07 11:09 - 2016-05-15 12:02 - 00000000 ____D C:\Program Files\Common Files\Apple
2017-02-07 02:08 - 2016-04-23 11:14 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-27 13:15 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-01-27 13:15 - 2016-04-23 09:27 - 00000000 ____D C:\Users\Jim\AppData\Local\Packages
2017-01-27 12:17 - 2016-07-17 12:41 - 00000000 ____D C:\Users\Jim\AppData\Roaming\vlc

==================== Files in the root of some directories =======

2016-10-19 15:10 - 2016-10-19 15:10 - 0018070 _____ () C:\Users\Jim\AppData\Roaming\Manunagadoc
2016-10-08 00:04 - 2016-10-08 00:04 - 0000043 _____ () C:\Users\Jim\AppData\Roaming\WB.CFG
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\aatxtname.txt
2017-02-18 23:50 - 2017-02-18 23:50 - 0491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
2017-02-23 17:16 - 2017-02-23 17:16 - 0006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\run.txt
2016-10-04 07:33 - 2016-10-04 07:33 - 0006144 _____ () C:\Users\Jim\AppData\Local\sc446872423.exe
2016-10-04 07:33 - 2016-10-04 07:33 - 0005632 _____ () C:\Users\Jim\AppData\Local\sc46872423.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 1397594 _____ () C:\Users\Jim\AppData\Local\setupone.exe
2017-02-23 17:20 - 2017-02-23 17:20 - 0000001 _____ () C:\Users\Jim\AppData\Local\setupsuccessful.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\stxtname.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\tr5b.txt
2017-02-12 18:47 - 2017-02-12 18:48 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-08 21:04 - 2016-10-08 21:04 - 1134592 _____ () C:\ProgramData\TrezaaSetupx30044.msi
2016-10-08 17:04 - 2016-10-08 17:04 - 0533504 _____ () C:\ProgramData\Vumaa.msi

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-22 07:31

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Jim (24-02-2017 16:55:16)
Running from C:\Users\Jim\Downloads
Windows 10 Home Version 1607 (X64) (2016-09-24 12:08:15)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-783448517-647833336-481893931-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-783448517-647833336-481893931-503 - Limited - Disabled)
Guest (S-1-5-21-783448517-647833336-481893931-501 - Limited - Disabled)
Jim (S-1-5-21-783448517-647833336-481893931-1001 - Administrator - Enabled) => C:\Users\Jim

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Amazon Assistant (HKLM-x32\...\{C8D184AC-D6E2-411E-838C-468CB0E91DBF}) (Version: 10.17.0216 - Amazon) <==== ATTENTION
AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
AnyBurn (HKLM-x32\...\AnyBurn) (Version: 3.5 - Power Software Ltd)
Apple Application Support (32-bit) (HKLM-x32\...\{9BA1A894-B42F-4805-BC8C-349C905A3930}) (Version: 5.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{7EAC8A42-9FAC-4F6B-AABF-C08C9F2E0F13}) (Version: 5.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.27 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
Dropbox (HKLM-x32\...\Dropbox) (Version: 19.4.13 - Dropbox, Inc.)
Dropbox Update Helper (x32 Version: 1.3.65.1 - Dropbox, Inc.) Hidden
Free Image Editor 2.4 (HKLM-x32\...\Free Image Editor 2.4_is1) (Version:  - AskedFiles)
Free YouTube To MP3 Converter (HKLM-x32\...\Free YouTube To MP3 Converter_is1) (Version: 4.1.21.610 - Digital Wave Ltd)
GoldWave v6.24 (HKLM\...\GoldWave v6.24) (Version: 6.24 - GoldWave Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Drive (HKLM-x32\...\{07A12123-B717-496B-B471-48AF6407B433}) (Version: 1.32.4066.7445 - Google, Inc.)
Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
iTunes (HKLM\...\{9D0D2A8B-7E7B-4D88-8D50-24286ED6A5EB}) (Version: 12.5.5.5 - Apple Inc.)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Microsoft OneDrive (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\OneDriveSetup.exe) (Version: 17.3.6764.0111 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation)
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
PhotoFiltre 7 (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\PhotoFiltre 7) (Version:  - )
Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vumaa (x32 Version: 1.0.0 - Vumaa) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {09D89F8B-AB1A-4DF0-982F-9875236E49B1} - System32\Tasks\213879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
Task: {0D37BA10-AB65-4EB1-BF12-0FDBE5A35A77} - System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
Task: {0E17C043-3086-425B-A76B-57A75E993E8F} - System32\Tasks\966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] () <==== ATTENTION
Task: {15CF4540-72E0-46B0-970B-EA1B12CFCB5F} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {19D74E7E-D9D4-4A92-A050-D5969F5C56A4} - System32\Tasks\MSFT_TaskSettings3\CaesarsSlots => powershell.exe -NoProfile -WindowStyle Hidden -command cmd.exe /c if exist C:\Users\Jim\AppData\Local\Packages\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2 start explorer.exe shell:appsFolder\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2!App
Task: {1DF06365-6B2C-4E45-AB8A-0338D5438DF6} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {296562E1-B097-463C-AB39-9523796F8761} - \DistromaticSearchProtect-logon -> No File <==== ATTENTION
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => %SystemRoot%\System32\AutoWorkplace.exe 
Task: {4B66409F-528C-4CC6-9E98-D9F5C4D563A3} - System32\Tasks\Da966848966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] ()
Task: {4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} - \{E93B1D8E-7144-43CF-AED7-90E7FE9B5827} -> No File <==== ATTENTION
Task: {6E0AC03E-AD18-4883-BBC5-BA77053C033C} - \DistromaticUpdater-logon -> No File <==== ATTENTION
Task: {766C52A9-B31F-4C2C-B26C-1176E17586FA} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {783288D9-2E79-48D0-9E4A-AE2BB1271C46} - System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
Task: {78FBCF49-A629-44CF-82AE-74B9266D059B} - \{17D1B85F-0859-46E2-A8B6-00B63052A523} -> No File <==== ATTENTION
Task: {799231D8-D492-4E80-B400-64B3642849D2} - System32\Tasks\113879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
Task: {8594B015-CF2B-4C8E-807E-48A2F3C5638E} - \{5EA21E3C-C6DF-4FAF-BF0A-C897623B028D} -> No File <==== ATTENTION
Task: {95C50509-4001-4D3E-9A2D-F57A90A0EA3E} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {980A9FE3-D226-4BF6-A3DB-54055266C29A} - \Optimize Start Menu Cache Files-S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} - \WPD\SqmUpload_S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} - \DistromaticUpdater-periodic -> No File <==== ATTENTION
Task: {A6353DBB-3230-4E67-9F61-038F628ADCE4} - System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3} => pcalua.exe -a "C:\Program Files (x86)\MaxInternet\dotuninstall.exe"
Task: {B0D68E36-3241-4912-BB9D-A8C965703C51} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
Task: {D6266248-323A-4BE8-B51A-461073D7F22D} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
Task: {DF8DFE89-E913-445D-A854-ABB727ED8442} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {ED004583-CB32-4C6B-882A-CE92F3ECDB0B} - \DistromaticSearchProtect-hourly -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => 
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => 
Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => 

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 04:42 - 2016-07-16 04:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2017-02-17 11:24 - 2017-02-17 11:24 - 00100528 _____ () C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
2016-10-05 18:17 - 2016-10-05 18:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-01-13 13:56 - 2017-01-13 13:56 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-09-24 05:32 - 2016-09-24 05:32 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-09-29 17:33 - 2016-09-15 09:39 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-09-29 17:34 - 2016-09-15 09:24 - 09760256 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 01401344 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-09-29 17:34 - 2016-09-15 09:17 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 02424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-09-29 17:34 - 2016-09-15 09:20 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-02-18 23:50 - 2017-02-18 23:50 - 00041196 _____ () C:\Program Files (x86)\sorrier\harold.exe
2017-02-18 23:49 - 2017-02-18 23:49 - 00010752 _____ () C:\Program Files (x86)\Enervate\apocalyptic.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00040342 _____ () C:\Program Files (x86)\shropshire\lobelia.exe
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
2016-04-23 11:30 - 2016-07-12 21:32 - 00112552 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\zlib1.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00105896 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_filesystem-vc120-mt-1_56.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00021928 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_system-vc120-mt-1_56.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00045992 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_date_time-vc120-mt-1_56.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00011264 _____ () C:\Users\Jim\AppData\Local\Temp\nsh9DA8.tmp\System.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00098816 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32api.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00110080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pywintypes27.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00364544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pythoncom27.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00320512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32com.shell.shell.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00914432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_hashlib.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 01176576 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._core_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00806400 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._gdi_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00816128 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._windows_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 01067008 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._controls_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00733184 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._misc_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00682496 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pysqlite2._sqlite.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_ctypes.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00686080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\unicodedata.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00119808 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32file.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00108544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32security.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00007168 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\hashobjs_ext.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00017920 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\thumbnails_ext.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\usb_ext.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00012800 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\common.time34.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00018432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32event.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00167936 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32gui.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00046080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_socket.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 01303552 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_ssl.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00128512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_elementtree.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00127488 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pyexpat.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00038912 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32inet.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00036864 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_psutil_windows.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00524248 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\windows._lib_cacheinvalidation.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00011264 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32crypt.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00123392 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._wizard.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00077312 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._html2.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00027648 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_multiprocessing.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00020480 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_yappi.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00035840 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32process.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00078848 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._animate.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00024064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32pipe.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00010240 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\select.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00025600 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32pdh.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00017408 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32profile.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00022528 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32ts.pyd
2017-01-14 19:40 - 2017-01-14 19:40 - 53460992 _____ () C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2017-02-23 17:19 - 00000947 ____A C:\WINDOWS\system32\Drivers\etc\hosts

162.222.194.13       cocomo.tremorhub.com
162.222.194.13       www.virustotal.com
162.222.194.13       virustotal.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-783448517-647833336-481893931-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Jim\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\win8img.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: WSearch => 2

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{879D9F3D-0A73-45F1-A2DA-12ED46127E80}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2B008137-5F84-4809-9070-5950BCA6C76A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{250B2D45-23D5-4B74-AED0-658047E5C530}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{473AD362-1498-4AF7-9580-060C363D3A79}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{04715A09-8533-4395-83BD-24E52FF0D711}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [UDP Query User{41669055-1B9D-457D-AA0C-D7AF68CB7D9D}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [TCP Query User{073CB8C7-5E33-4D29-9682-2EE6C072F931}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [{57951344-6AF1-4839-9FA2-E4F1221AEA6D}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{B7B48F01-2D5E-485B-BFBA-C63F4FF753CB}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
FirewallRules: [{D2BDBA2D-DC75-4777-8FD2-78F67E962DBC}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{8C82BE9B-F00B-4C5E-9551-C0DEB0DFBB56}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{A6978D68-7287-4C1C-A946-1178C1F65B8F}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{81416A4B-3733-45DC-8A14-2483830BC6E2}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{09D983AE-6554-4983-A380-C15E860307AF}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{FA9E2551-4FD5-4A84-903F-0F9F0123B69B}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{C5C3CC3D-9D56-4B4E-8FD8-22868FFC7E5A}] => (Allow) C:\Users\Jim\AppData\Local\Temp\1129491421\ic-0.9e6a431f3f96b8.exe
FirewallRules: [{BD81FB30-E202-4974-9CF8-EE2F49A1B93C}] => (Allow) C:\Users\Jim\AppData\Local\sc446872423.exe
FirewallRules: [{6A7A9303-0C3C-484D-9FEC-1862F82E24CD}] => (Allow) C:\Users\Jim\AppData\Local\ddnow4.exe
FirewallRules: [{5ECE3246-505E-4145-8ECE-356A488BE3C8}] => (Allow) C:\Program Files (x86)\sorrier\equalized.exe
FirewallRules: [{350422A7-6665-4018-B69A-C42A97BED256}] => (Allow) C:\Program Files (x86)\sorrier\harold.exe
FirewallRules: [{844CF719-23E4-4324-BE33-1E9523540E12}] => (Allow) C:\Program Files (x86)\shropshire\alltime.exe
FirewallRules: [{436E5307-CA7B-4E20-9F5B-A3B7F9D65B8B}] => (Allow) C:\Program Files (x86)\Enervate\apocalyptic.exe
FirewallRules: [{5E5BF097-B4F3-494E-9A44-5C210FD57D0C}] => (Allow) C:\WINDOWS\uniter.exe
FirewallRules: [TCP Query User{F567F884-272F-45FB-8141-EA51BDF61B3B}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{7432D085-E847-4C62-9209-7922D1B8CBD7}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [{A6E8CA20-02D4-4B21-BA4B-2EBD42C99386}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

04-02-2017 08:16:53 Scheduled Checkpoint
12-02-2017 18:46:39 Installed TurboTax 2016 wrapper
19-02-2017 19:40:25 Scheduled Checkpoint
23-02-2017 19:58:25 JRT Pre-Junkware Removal
24-02-2017 15:16:43 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/24/2017 03:34:15 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
Dependent Assembly 51.0.2683.0,language="&#x2a;",type="win32",version="51.0.2683.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/24/2017 03:33:47 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

Error: (02/24/2017 03:16:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (02/24/2017 12:42:20 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
Dependent Assembly 51.0.2683.0,language="&#x2a;",type="win32",version="51.0.2683.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/24/2017 12:41:52 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

Error: (02/24/2017 12:28:34 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: JIM-PC)
Description: Activation of app Microsoft.Getstarted_4.0.12.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/24/2017 12:12:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MicrosoftEdge.exe, version: 11.0.14393.206, time stamp: 0x57dacb16
Faulting module name: eModel.dll, version: 11.0.14393.206, time stamp: 0x57dacc2a
Exception code: 0xc0000409
Fault offset: 0x00000000000d54e0
Faulting process id: 0x1f04
Faulting application start time: 0x01d28ed1fa752c36
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll
Report Id: 425fdbf1-4e99-4cb8-addd-0d24a1da9528
Faulting package full name: Microsoft.MicrosoftEdge_38.14393.0.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

Error: (02/24/2017 12:11:15 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
Dependent Assembly 51.0.2683.0,language="&#x2a;",type="win32",version="51.0.2683.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/24/2017 12:10:44 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

Error: (02/24/2017 11:55:16 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Jim\AppData\Local\Temp\jrt\CreateRestorePoint.exe  "JRT Pre-Junkware Removal"; Description = JRT Pre-Junkware Removal; Error = 0x8007043c).


System errors:
=============
Error: (02/24/2017 04:49:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The kolb service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/24/2017 04:49:40 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The moviemaking service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/24/2017 04:49:37 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/24/2017 04:49:28 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/24/2017 04:49:19 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/24/2017 04:49:10 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/24/2017 04:49:01 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/24/2017 04:48:52 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/24/2017 03:43:16 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/24/2017 03:43:07 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.


CodeIntegrity:
===================================
  Date: 2017-02-23 17:19:17.158
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-02-23 17:19:17.157
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-02-20 09:46:50.391
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-02-20 09:46:50.387
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:20.190
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:20.189
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:03.403
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:03.401
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-07 11:49:55.645
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-07 11:49:55.639
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info =========================== 

Processor: AMD A8-5500 APU with Radeon(tm) HD Graphics 
Percentage of memory in use: 35%
Total physical RAM: 7645.61 MB
Available physical RAM: 4957.28 MB
Total Virtual: 8861.61 MB
Available Virtual: 6143.27 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:930.97 GB) (Free:878.3 GB) NTFS
Drive f: () (Removable) (Total:0.96 GB) (Free:0.77 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 1667168B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

========================================================
Disk: 1 (Size: 979.8 MB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================


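The Addition.txt above shows the pattern behind "locked out of all malware sites": hosts entries that send virustotal.com and www.virustotal.com to 162.222.194.13 instead of loopback, firewall Allow rules for executables dropped in AppData\Local and Temp, and (in the Fixlog posted later in the thread) an HKLM proxy at 127.0.0.1:8877. The following Python triage script is an added example, not part of this thread and not FRST's own code: it walks the "====" delimited sections of an FRST log and flags those three things. The sample log is assembled from lines in this thread; the security-vendor domain list and the user-writable-path heuristic are assumptions.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log text.

Added example (not part of the forum thread and not FRST's own code).
It walks the "====" delimited sections of an FRST log and flags:
  * hosts-file entries that resolve a name to a real address instead
    of 127.0.0.1 / 0.0.0.0, with a separate kind when the name belongs
    to a security vendor (why "all malware sites" stop loading);
  * Windows Firewall "Allow" rules whose target executable lives in a
    user-writable location such as AppData or Temp;
  * a ProxyServer value that points at loopback (a local interception
    proxy such as 127.0.0.1:8877).
SECURITY_DOMAINS and USER_WRITABLE_RE are assumed heuristics.
"""
import re
from dataclasses import dataclass

# "==================== Hosts content: ==========================" and friends.
SECTION_RE = re.compile(r"^={5,}\s*(?P<name>[^=]+?)\s*={5,}\s*$")
# IPv4 (or ::1) followed by a hostname, as written in a hosts file.
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|::1)\s+(?P<host>[^\s#]+)")
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<name>[^\]]*)\] => \((?P<action>Allow|Block)\) (?P<target>.+)$"
)
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.+)$")
LOOPBACK_PROXY_RE = re.compile(r"(?:127\.0\.0\.1|localhost):\d+", re.IGNORECASE)

BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed list; extend with whatever vendors matter to you.
SECURITY_DOMAINS = ("virustotal.com", "malwarebytes.com", "malwarebytes.org",
                    "bleepingcomputer.com", "sophos.com", "microsoft.com")
# Assumed heuristic: an executable here should not hold a firewall exception.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\|\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def _is_security_domain(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_frst(text: str) -> list[Finding]:
    """Return the suspicious items found in one FRST log (FRST.txt or Addition.txt)."""
    findings: list[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"].rstrip(":").strip().lower()
            continue
        if section.startswith("hosts content"):
            # Only real IP -> name lines count; the file-stamp and note lines do not match.
            m = HOSTS_RE.match(line)
            if m and m["ip"] not in BENIGN_HOSTS_TARGETS:
                kind = "hosts_redirect_security" if _is_security_domain(m["host"]) else "hosts_redirect"
                findings.append(Finding(kind, f"{m['host']} -> {m['ip']}"))
            continue
        m = FIREWALL_RE.match(line)
        if m:
            if m["action"] == "Allow" and USER_WRITABLE_RE.search(m["target"]):
                findings.append(Finding("firewall_allow_user_writable", m["target"]))
            continue
        m = PROXY_RE.match(line)
        if m and LOOPBACK_PROXY_RE.search(m["value"]):
            findings.append(Finding("loopback_proxy", f"{m['hive']}: {m['value']}"))
    return findings


# Constructed sample: lines copied from the Addition.txt in this thread plus the
# ProxyServer line from the Fixlog posted later in the thread.
SAMPLE_LOG = r"""
==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2017-02-23 17:19 - 00000947 ____A C:\WINDOWS\system32\Drivers\etc\hosts

162.222.194.13       cocomo.tremorhub.com
162.222.194.13       www.virustotal.com
162.222.194.13       virustotal.com

==================== Other Areas ============================

DNS Servers: 68.105.28.11 - 68.105.29.11

==================== FirewallRules (Whitelisted) ===============

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{C5C3CC3D-9D56-4B4E-8FD8-22868FFC7E5A}] => (Allow) C:\Users\Jim\AppData\Local\Temp\1129491421\ic-0.9e6a431f3f96b8.exe
FirewallRules: [{BD81FB30-E202-4974-9CF8-EE2F49A1B93C}] => (Allow) C:\Users\Jim\AppData\Local\sc446872423.exe
FirewallRules: [{6A7A9303-0C3C-484D-9FEC-1862F82E24CD}] => (Allow) C:\Users\Jim\AppData\Local\ddnow4.exe
FirewallRules: [TCP Query User{F567F884-272F-45FB-8141-EA51BDF61B3B}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [{A6E8CA20-02D4-4B21-BA4B-2EBD42C99386}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
"""

if __name__ == "__main__":
    for finding in audit_frst(SAMPLE_LOG):
        print(f"{finding.kind:30} {finding.detail}")
```

The script only reads what FRST already printed; it does not change the machine and is no substitute for the helper's fixlist. Two caveats worth keeping in mind: the hosts redirect is the reason security sites fail to load (the page's own "Hosts:" fixlist directive resets the file), and a loopback proxy left in HKLM will keep breaking browsers even after the hosts file is clean, so both need to go. A firewall exception for an executable in AppData or Temp is a lead, not proof; look at the file itself before deciding.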
Thanks for those logs, see if you can download the following Uninstaller tool:

Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)

Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.

Run the tool; the main GUI will populate with the list of installed programs.

Left click on Program name to highlight that entry.

Select Action from the menu bar, then Uninstall, and follow the prompts.

If Uninstall fails open the "Action" menu one more time and use "Force Removal" option

If possible use it to Uninstall the following:

SpyBot Search and Destroy
Amazon Assistant

If not just leave alone and continue:

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.

  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.

    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.

  • Open Zemana AntiMalware again.

  • Click on the icon shown in the original post (image not reproduced here) and double click the latest report.

  • Now click File > Save As and choose your Desktop before pressing Save.

  • Attach saved report in your next message.

Next,

  • Download AdwCleaner by Xplode onto your Desktop.

    Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box

  • Please wait for the scan to finish.

  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..

  • Click on the Cleaning box.

  • Next click OK on the "Closing Programs" pop up box.

  • Click OK on the Information box & again OK to allow the necessary reboot

  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

    Next,

    Download Sophos Free Virus Removal Tool and save it to your desktop.

    If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

    Please Do Not use your PC whilst the scan is in progress....

  • Double click the icon and select Run

  • Click Next

  • Select I accept the terms in this license agreement, then click Next twice

  • Click Install

  • Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

  • If any threats are found click Details, then View log file... (bottom left hand corner)

  • Copy and paste the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

  • Click Exit to close the program

  • If no threats were found please confirm that result....


    The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows

  • The Windows registry

  • All local hard drives, fixed and removable

  • Mapped network drives are not scanned.

    Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.


    Let me see those logs, also tell me if there are any remaining issues or concerns..

    Thank you,

    Kevin...

fixlist.txt


When I try to run the Zemana AntiMalware I get a popup stating "the requested source is in use."

Here is fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Jim (25-02-2017 07:21:58) Run:1
Running from C:\Users\Jim\Downloads
Loaded Profiles: Jim (Available Profiles: Jim)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
C:\Program Files (x86)\sorrier
HKLM\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
C:\Program Files (x86)\Enervate
HKLM\...\Run: [clears] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [autoauto] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM-x32\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
C:\Program Files (x86)\svcvmx
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [BingSvc] => C:\Users\Jim\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
C:\Users\Jim\AppData\Local\Microsoft\BingSvc
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [ok48036327] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [acupressure] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [changed] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [lobelia] => C:\Program Files (x86)\shropshire\lobelia.exe [40342 2017-02-18] ()
C:\Program Files (x86)\shropshire
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [apostrophes] => C:\Program Files (x86)\shropshire\alltime.exe [462336 2017-02-18] (wallah)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\MountPoints2: {fdd1f285-096e-11e6-824f-806e6f6e6963} - "D:\setup.exe" 
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327.lnk [2017-02-23]
ShortcutTarget: ok48036327.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327reisinger.lnk [2017-02-23]
ShortcutTarget: ok48036327reisinger.lnk -> C:\Program Files (x86)\Enervate\apocalyptic.exe ()
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reisinger.lnk [2017-02-23]
ShortcutTarget: reisinger.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction <======= ATTENTION 
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> DefaultScope {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p10_serp_ie_us_display?ie=UTF8&tagbase=bds-p10&tbrId=v1_abb-channel-10_e89f1aa5_1201_1401_20160424_US_ie_ds_&tag=bds-p10-serp-us-ie-20&query={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
BHO: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll [2016-03-28] (DVDVideoSoft Ltd.)
U0 aswVmm; no ImagePath
S3 dbx; system32\DRIVERS\dbx.sys [X] 
C:\Program Files (x86)\daugherty
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
Task: {09D89F8B-AB1A-4DF0-982F-9875236E49B1} - System32\Tasks\213879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
Task: {0D37BA10-AB65-4EB1-BF12-0FDBE5A35A77} - System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
Task: {0E17C043-3086-425B-A76B-57A75E993E8F} - System32\Tasks\966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] () <==== ATTENTION
Task: {15CF4540-72E0-46B0-970B-EA1B12CFCB5F} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {19D74E7E-D9D4-4A92-A050-D5969F5C56A4} - System32\Tasks\MSFT_TaskSettings3\CaesarsSlots => powershell.exe -NoProfile -WindowStyle Hidden -command cmd.exe /c if exist C:\Users\Jim\AppData\Local\Packages\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2 start explorer.exe shell:appsFolder\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2!App
Task: {296562E1-B097-463C-AB39-9523796F8761} - \DistromaticSearchProtect-logon -> No File <==== ATTENTION
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => %SystemRoot%\System32\AutoWorkplace.exe 
Task: {4B66409F-528C-4CC6-9E98-D9F5C4D563A3} - System32\Tasks\Da966848966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] ()
Task: {4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} - \{E93B1D8E-7144-43CF-AED7-90E7FE9B5827} -> No File <==== ATTENTION
Task: {6E0AC03E-AD18-4883-BBC5-BA77053C033C} - \DistromaticUpdater-logon -> No File <==== ATTENTION
Task: {766C52A9-B31F-4C2C-B26C-1176E17586FA} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {783288D9-2E79-48D0-9E4A-AE2BB1271C46} - System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
Task: {78FBCF49-A629-44CF-82AE-74B9266D059B} - \{17D1B85F-0859-46E2-A8B6-00B63052A523} -> No File <==== ATTENTION
Task: {799231D8-D492-4E80-B400-64B3642849D2} - System32\Tasks\113879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
Task: {8594B015-CF2B-4C8E-807E-48A2F3C5638E} - \{5EA21E3C-C6DF-4FAF-BF0A-C897623B028D} -> No File <==== ATTENTION
Task: {95C50509-4001-4D3E-9A2D-F57A90A0EA3E} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {980A9FE3-D226-4BF6-A3DB-54055266C29A} - \Optimize Start Menu Cache Files-S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} - \WPD\SqmUpload_S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} - \DistromaticUpdater-periodic -> No File <==== ATTENTION
Task: {A6353DBB-3230-4E67-9F61-038F628ADCE4} - System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3} => pcalua.exe -a "C:\Program Files (x86)\MaxInternet\dotuninstall.exe"
Task: {B0D68E36-3241-4912-BB9D-A8C965703C51} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
Task: {D6266248-323A-4BE8-B51A-461073D7F22D} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
Task: {DF8DFE89-E913-445D-A854-ABB727ED8442} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => 
CMD: ipconfig /flushDNS
RemoveProxy:
Hosts:
EmptyTemp:
end

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\cutoauto => value removed successfully
C:\Program Files (x86)\sorrier => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\toys => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\interpee => value removed successfully
C:\Program Files (x86)\Enervate => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\clears => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\autoauto => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\toys => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.

"C:\Program Files (x86)\svcvmx" folder move:

Could not move "C:\Program Files (x86)\svcvmx" => Scheduled to move on reboot.

HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Run\\BingSvc => value removed successfully
C:\Users\Jim\AppData\Local\Microsoft\BingSvc => moved successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Run\\toys => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Run\\ok48036327 => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Run\\acupressure => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Run\\changed => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Run\\lobelia => value removed successfully
C:\Program Files (x86)\shropshire => moved successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Run\\apostrophes => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd1f285-096e-11e6-824f-806e6f6e6963} => key removed successfully
HKCR\CLSID\{fdd1f285-096e-11e6-824f-806e6f6e6963} => key not found. 
C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327.lnk => moved successfully
C:\Program Files (x86)\sorrier\equalized.exe => not found.
C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327reisinger.lnk => moved successfully
C:\Program Files (x86)\Enervate\apocalyptic.exe => not found.
C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reisinger.lnk => moved successfully
C:\Program Files (x86)\sorrier\equalized.exe => not found.
HKLM\System\CurrentControlSet\Control\Session Manager\\BootExecute => value restored successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} => key removed successfully
HKCR\CLSID\{B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} => key removed successfully
HKCR\Wow6432Node\CLSID\{B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} => key not found. 
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key removed successfully
HKCR\CLSID\{2211d4a5-48d0-47f5-a7cd-81e861470f7f} => key not found. 
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} => key removed successfully
HKCR\CLSID\{B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} => key removed successfully
HKCR\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} => key not found. 
HKLM\System\CurrentControlSet\Services\aswVmm => key removed successfully
aswVmm => service removed successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
C:\Program Files (x86)\daugherty => moved successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F0847AE0-465A-4D7B-A555-AABB43B550F0}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}\\SystemComponent => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{09D89F8B-AB1A-4DF0-982F-9875236E49B1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09D89F8B-AB1A-4DF0-982F-9875236E49B1} => key removed successfully
C:\WINDOWS\System32\Tasks\213879593 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\213879593 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0D37BA10-AB65-4EB1-BF12-0FDBE5A35A77} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0D37BA10-AB65-4EB1-BF12-0FDBE5A35A77} => key removed successfully
C:\WINDOWS\System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0E17C043-3086-425B-A76B-57A75E993E8F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0E17C043-3086-425B-A76B-57A75E993E8F} => key removed successfully
C:\WINDOWS\System32\Tasks\966848 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\966848 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{15CF4540-72E0-46B0-970B-EA1B12CFCB5F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15CF4540-72E0-46B0-970B-EA1B12CFCB5F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{19D74E7E-D9D4-4A92-A050-D5969F5C56A4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{19D74E7E-D9D4-4A92-A050-D5969F5C56A4} => key removed successfully
C:\WINDOWS\System32\Tasks\MSFT_TaskSettings3\CaesarsSlots => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MSFT_TaskSettings3\CaesarsSlots => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{296562E1-B097-463C-AB39-9523796F8761} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{296562E1-B097-463C-AB39-9523796F8761} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticSearchProtect-logon => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{352E6CA0-7314-4DF4-89C4-682368D80D57} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{352E6CA0-7314-4DF4-89C4-682368D80D57} => key removed successfully
C:\WINDOWS\System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4B66409F-528C-4CC6-9E98-D9F5C4D563A3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4B66409F-528C-4CC6-9E98-D9F5C4D563A3} => key removed successfully
C:\WINDOWS\System32\Tasks\Da966848966848 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Da966848966848 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{E93B1D8E-7144-43CF-AED7-90E7FE9B5827} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E0AC03E-AD18-4883-BBC5-BA77053C033C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E0AC03E-AD18-4883-BBC5-BA77053C033C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticUpdater-logon => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{766C52A9-B31F-4C2C-B26C-1176E17586FA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{766C52A9-B31F-4C2C-B26C-1176E17586FA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{783288D9-2E79-48D0-9E4A-AE2BB1271C46} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{783288D9-2E79-48D0-9E4A-AE2BB1271C46} => key removed successfully
C:\WINDOWS\System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{78FBCF49-A629-44CF-82AE-74B9266D059B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78FBCF49-A629-44CF-82AE-74B9266D059B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{17D1B85F-0859-46E2-A8B6-00B63052A523} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{799231D8-D492-4E80-B400-64B3642849D2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{799231D8-D492-4E80-B400-64B3642849D2} => key removed successfully
C:\WINDOWS\System32\Tasks\113879593 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\113879593 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8594B015-CF2B-4C8E-807E-48A2F3C5638E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8594B015-CF2B-4C8E-807E-48A2F3C5638E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{5EA21E3C-C6DF-4FAF-BF0A-C897623B028D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{95C50509-4001-4D3E-9A2D-F57A90A0EA3E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{95C50509-4001-4D3E-9A2D-F57A90A0EA3E} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DropboxUpdateTaskMachineCore => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{980A9FE3-D226-4BF6-A3DB-54055266C29A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{980A9FE3-D226-4BF6-A3DB-54055266C29A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-S-1-5-21-783448517-647833336-481893931-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-783448517-647833336-481893931-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticUpdater-periodic => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A6353DBB-3230-4E67-9F61-038F628ADCE4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6353DBB-3230-4E67-9F61-038F628ADCE4} => key removed successfully
C:\WINDOWS\System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{625E8CAE-F725-4474-A26F-742B8720C4F3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B0D68E36-3241-4912-BB9D-A8C965703C51} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0D68E36-3241-4912-BB9D-A8C965703C51} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Standalone Update Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D6266248-323A-4BE8-B51A-461073D7F22D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D6266248-323A-4BE8-B51A-461073D7F22D} => key removed successfully
C:\WINDOWS\System32\Tasks\76656282 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\76656282 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF8DFE89-E913-445D-A854-ABB727ED8442} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF8DFE89-E913-445D-A854-ABB727ED8442} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OneDrive Standalone Update Task v2 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DropboxUpdateTaskMachineUA => key removed successfully
C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => moved successfully

========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 6331288 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 62468719 B
Java, Flash, Steam htmlcache => 11810674 B
Windows/system/drivers => 147456 B
Edge => 23437606 B
Chrome => 139766439 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 40157312 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
Jim => 289686182 B

RecycleBin => 10381317 B
EmptyTemp: => 557.1 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 25-02-2017 07:52:42)

"C:\Program Files (x86)\svcvmx" => Could not move

==== End of Fixlog 07:52:45 ====


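The fixlog above shows what FRST removed: Run and RunOnce values, folders with random dictionary-word names under Program Files (x86), scheduled tasks whose targets no longer exist, the WinINET proxy settings and the hosts file. One folder ("svcvmx") could not be moved and was scheduled for the reboot. The script below is an added example, written for this page rather than taken from the thread or from FRST, that re-checks those same locations read-only so the result of the fix can be confirmed after the reboot. The folder names are the ones in the fixlog; the flagging rules (target missing on disk, or unsigned and outside the Windows directory) are this example's own heuristic. Run it from an elevated PowerShell prompt on the cleaned Windows 10 machine.

```powershell
# Added example, not part of the thread or of FRST: a read-only audit of the
# autorun locations the fixlog above cleaned, to confirm nothing came back.
# Run from an elevated PowerShell prompt on the cleaned Windows 10 machine.
# The folder names come straight from the fixlog; everything else is generic.

$LeftoverDirs = @(
    "C:\Program Files (x86)\svcvmx",      # fixlog: 'Could not move', check after reboot
    "C:\Program Files (x86)\sorrier",
    "C:\Program Files (x86)\Enervate",
    "C:\Program Files (x86)\shropshire",
    "C:\Program Files (x86)\daugherty"
)

$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

function Get-TargetPath {
    # Extract the program from a Run value or task action: "C:\x y\a.exe" args,
    # C:\a.exe args, or a bare name such as pcalua.exe that is found on PATH.
    param([string]$Command)
    $exe = $null
    if ($Command -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)')  { $exe = $Matches[1] }
    if (-not $exe) { return $null }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -notmatch '[\\/]') {
        # bare name: resolve through PATH the way the shell would
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Source }
    }
    return $exe
}

function Get-FlagReason {
    # Returns a reason string when the target deserves a look, $null otherwise.
    # Missing targets correspond to the '-> No File' entries FRST reported;
    # unsigned binaries outside the Windows directory correspond to the
    # random-word folders under Program Files (x86). Catalog-signed Windows
    # binaries report NotSigned to Get-AuthenticodeSignature, hence the
    # SystemRoot exclusion (heuristic, not a verdict).
    param([string]$Path)
    if (-not $Path) { return $null }
    if (-not (Test-Path -LiteralPath $Path)) { return 'target missing' }
    if ($Path -like "$env:SystemRoot\*") { return $null }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return $null
}

Write-Host '== Folders the fix moved (should all be gone) =='
foreach ($dir in $LeftoverDirs) {
    if (Test-Path -LiteralPath $dir) { Write-Warning "still present: $dir" }
}

Write-Host '== Run / RunOnce values worth a look =='
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }       # provider metadata, not values
        $reason = Get-FlagReason (Get-TargetPath $prop.Value)
        if ($reason) { Write-Warning "$key\$($prop.Name) = $($prop.Value)  [$reason]" }
    }
}

Write-Host '== Scheduled task actions worth a look =='
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }         # COM-handler actions have no Execute
        $reason = Get-FlagReason (Get-TargetPath $action.Execute)
        if ($reason) { Write-Warning "$($task.TaskPath)$($task.TaskName) -> $($action.Execute)  [$reason]" }
    }
}

Write-Host '== WinINET proxy (expect ProxyEnable 0 and no ProxyServer/AutoConfigURL) =='
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

Write-Host '== hosts file entries (Windows 10 default is comments only) =='
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
```

One caveat: the check looks at the executable, not at its arguments, so a task or Run value whose target is a signed script host (powershell.exe, wscript.exe, pcalua.exe, as in two of the tasks in the fixlist above) passes the signature test even when the argument is the real payload. Read those entries by eye, and treat "still present" for svcvmx as a sign the reboot-time move did not take.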
Thanks for the logs, continue:

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window checkmark "Install 32 and 64 bit versions", then select "Next".

In the next window skip Licence I.D. and Licence Key, select "Next".

In the next window make no changes and select "Next".

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next".

In the next window make no changes and select "Install".

RogueKiller will extract and complete the installation. In the new window leave "Launch RogueKiller" checkmarked, then select "Finish".

RogueKiller will launch. Accept the UAC prompt, then read and accept the "User Agreements".

In the new window the "Home" tab should already be selected. Change to the "Scan" tab, then select "Start Scan".

When the scan completes select "Open Report".

In the new window select "Export text", name that file RK.txt, save it to your Desktop and attach it to your reply.

Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".
 
Thank you,
Kevin...

Here is the rk.txt as an attachment.

 

And here are frst.txt and additions.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by Jim (administrator) on JIM-PC (25-02-2017 11:53:17)
Running from C:\Users\Jim\Downloads
Loaded Profiles: Jim (Available Profiles: Jim)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(munger) C:\Windows\uniter.exe
(emboldens) C:\Windows\shortsightedness.exe
(Digital Wave Ltd.) C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\RogueKiller\RogueKiller64.exe
Failed to access process -> WmiPrvSE.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-24] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2017-01-19] (Apple Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\RunOnce: [Lulopelona] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Jim\AppData\Roaming\Manunagadoc"
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2016-11-30] (Google)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [Chromium] => c:\users\jim\appdata\local\chromium\application\chrome.exe [1068544 2016-03-18] (The Chromium Authors)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9363672 2017-02-07] (Piriform Ltd)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\MountPoints2: {fdd1f285-096e-11e6-824f-806e6f6e6963} - "D:\setup.exe" 
HKU\S-1-5-18\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{5497f104-c6d0-41aa-8aec-fda2691bb19d}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

Internet Explorer:
==================
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-24] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-24] (Oracle Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

Edge: 
======
Edge HomeButtonPage: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> hxxp://foxnews.com/

FireFox:
========
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)

Chrome: 
=======
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR StartupUrls: Default -> "hxxp://foxnews.com/"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default [2017-02-25]
CHR Extension: (Google Slides) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-23]
CHR Extension: (Google Docs) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-23]
CHR Extension: (Google Drive) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-23]
CHR Extension: (Safer Search Results) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\begnofcbcefcedmomgdlmgcpmjafablp [2016-08-25]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2017-01-29]
CHR Extension: (YouTube) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-23]
CHR Extension: (Ebates Cash Back) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhjbpecpncaggjpdakmflnfcopglcmi [2017-02-22]
CHR Extension: (Bing) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-08-31]
CHR Extension: (Google Sheets) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-23]
CHR Extension: (Google Docs Offline) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-23]
CHR Extension: (Planetarium) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gheikhdfflhlbemfmhcfpeblehemeklp [2016-04-23]
CHR Extension: (Muzik Fury) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdapiklnfpdonfeopollmlpfjaphcb [2016-10-05]
CHR Extension: (CouponXplorer) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmjjokfbcjicbibeadflnnhdaglbbga [2017-01-13]
CHR Extension: (Skype) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2017-02-24]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2016-04-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Gmail) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-23]
CHR Extension: (Chrome Media Router) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\System Profile [2017-02-25]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [351944 2015-11-04] (Advanced Micro Devices, Inc.)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 bottling; C:\WINDOWS\shortsightedness.exe [9728 2017-02-18] (emboldens) [File not signed]
R2 darkening; C:\WINDOWS\uniter.exe [13824 2017-02-18] (munger) [File not signed]
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
R2 DigitalWave.Update.Service; C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe [389544 2016-07-12] (Digital Wave Ltd.)
S3 VumaaService; C:\ProgramData\Vumaa\Vumaa.Service.exe [22952 2016-03-30] (Vumaa)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-07-21] (Advanced Micro Devices)
S3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
S3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-02-25] ()
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 11:52 - 2017-02-25 11:52 - 00017748 _____ C:\Users\Jim\Desktop\rk.txt
2017-02-25 10:54 - 2017-02-25 11:54 - 00000000 ____D C:\Users\Jim\AppData\Local\CrashDumps
2017-02-25 10:54 - 2017-02-25 10:54 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2017-02-25 10:53 - 2017-02-25 10:53 - 00000899 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-02-25 10:53 - 2017-02-25 10:53 - 00000000 ____D C:\ProgramData\RogueKiller
2017-02-25 10:53 - 2017-02-25 10:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-02-25 10:53 - 2017-02-25 10:53 - 00000000 ____D C:\Program Files\RogueKiller
2017-02-25 10:52 - 2017-02-25 10:52 - 34820824 _____ (Adlice Software ) C:\Users\Jim\Downloads\setup.exe
2017-02-25 09:59 - 2017-02-25 09:59 - 00001912 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-25 09:59 - 2017-02-25 09:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-25 09:59 - 2017-02-25 09:59 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-02-25 09:59 - 2017-02-25 09:59 - 00000000 ____D C:\Program Files\Malwarebytes
2017-02-25 09:59 - 2017-01-20 07:47 - 00077416 _____ C:\WINDOWS\system32\Drivers\mbae64.sys
2017-02-25 09:43 - 2017-02-25 09:43 - 00000547 _____ C:\Users\Jim\Desktop\JRT.txt
2017-02-25 09:41 - 2017-02-25 09:41 - 00000000 ____D C:\Users\Jim\AppData\Local\Zemana
2017-02-25 09:38 - 2017-02-25 09:38 - 00000000 ____D C:\Program Files (x86)\sorrier
2017-02-25 09:03 - 2017-02-25 09:06 - 00000000 ____D C:\Users\Jim\AppData\Local\AdvinstAnalytics
2017-02-25 07:57 - 2017-02-25 08:03 - 05677776 _____ (Zemana Ltd. ) C:\Users\Jim\Desktop\Zemana.AntiMalware.Setup.exe
2017-02-25 07:52 - 2017-02-25 11:54 - 00004404 _____ C:\WINDOWS\System32\Tasks\76656282
2017-02-25 07:52 - 2017-02-25 07:52 - 00000000 ____D C:\Program Files (x86)\shropshire
2017-02-25 07:21 - 2017-02-25 07:52 - 00034931 _____ C:\Users\Jim\Downloads\Fixlog.txt
2017-02-25 07:15 - 2017-02-25 09:14 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Geek Uninstaller
2017-02-25 07:10 - 2017-02-25 07:10 - 02793495 _____ C:\Users\Jim\Desktop\geek.zip
2017-02-24 16:55 - 2017-02-24 16:58 - 00033906 _____ C:\Users\Jim\Downloads\Addition.txt
2017-02-24 16:52 - 2017-02-25 11:53 - 00017796 _____ C:\Users\Jim\Downloads\FRST.txt
2017-02-24 16:51 - 2017-02-25 11:53 - 00000000 ____D C:\FRST
2017-02-24 16:50 - 2017-02-24 16:50 - 00000000 ____D C:\Users\Jim\Desktop\rkill
2017-02-24 16:49 - 2017-02-24 16:50 - 00004796 _____ C:\Users\Jim\Desktop\Rkill.txt
2017-02-24 16:49 - 2017-02-24 16:47 - 02423296 ____N (Farbar) C:\Users\Jim\Downloads\FRST64.exe
2017-02-24 16:49 - 2017-02-24 16:32 - 02030536 ____N (Bleeping Computer, LLC) C:\Users\Jim\Downloads\rkill.exe
2017-02-24 12:29 - 2017-02-24 12:29 - 00000628 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000458 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2017-02-24 12:29 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2017-02-24 12:25 - 2017-02-24 12:22 - 46525608 ____N (Safer-Networking Ltd. ) C:\Users\Jim\Downloads\spybot-2.4.exe
2017-02-24 12:06 - 2017-02-24 12:06 - 00250290 _____ C:\Users\Jim\Documents\cc_20170224_120620.reg
2017-02-24 11:57 - 2017-02-24 11:57 - 00000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\Program Files\CCleaner
2017-02-24 11:54 - 2017-02-25 09:41 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-02-24 11:51 - 2017-02-24 11:51 - 00000000 ____D C:\WINDOWS\pss
2017-02-24 09:52 - 2017-02-24 09:36 - 01663040 _____ (Malwarebytes) C:\Users\Jim\Downloads\JRT.exe
2017-02-24 09:51 - 2017-02-24 09:51 - 00000552 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive (2).lnk
2017-02-24 05:11 - 2017-02-25 06:35 - 00004140 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{36D55AF4-5ADB-451B-899E-3C12B4B42C3E}
2017-02-23 21:17 - 2017-02-23 21:17 - 00000000 ____D C:\Program Files (x86)\GUM80B4.tmp
2017-02-23 21:14 - 2017-02-23 21:17 - 00002340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-23 21:13 - 2017-02-23 21:13 - 00000000 ____D C:\Program Files (x86)\GUM174A.tmp
2017-02-23 18:21 - 2017-02-23 19:29 - 00000000 ____D C:\Users\Jim\AppData\Local\llssoft
2017-02-23 17:20 - 2017-02-23 19:16 - 00000000 ____D C:\Program Files (x86)\AnonymizerGadget
2017-02-23 17:20 - 2017-02-23 17:20 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-23 17:20 - 2017-02-23 17:20 - 00000001 _____ C:\Users\Jim\AppData\Local\setupsuccessful.txt
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\c
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\AGData
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\1487895640
2017-02-23 17:19 - 2017-02-23 17:19 - 01397594 _____ C:\Users\Jim\AppData\Local\setupone.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 00000055 _____ C:\WINDOWS\key.ini
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\tr5b.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\stxtname.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\run.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\aatxtname.txt
2017-02-23 17:16 - 2017-02-23 17:16 - 00006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-19 12:47 - 2017-02-19 12:47 - 00000000 ____D C:\Users\Jim\.ssh
2017-02-18 23:50 - 2017-02-18 23:50 - 00491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00316416 _____ (windows 99) C:\WINDOWS\motorized.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00041196 _____ C:\WINDOWS\peddle.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00013824 _____ (munger) C:\WINDOWS\uniter.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00009728 _____ (emboldens) C:\WINDOWS\shortsightedness.exe
2017-02-18 22:22 - 2017-02-18 22:22 - 00080956 _____ C:\Users\Jim\Downloads\Document.pdf
2017-02-18 22:19 - 2017-02-18 22:19 - 00039150 _____ C:\Users\Jim\Downloads\SKM_284e17021410491.pdf
2017-02-12 19:09 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\Documents\TurboTax
2017-02-12 18:48 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Intuit
2017-02-12 18:47 - 2017-02-12 18:48 - 00000319 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-02-12 18:47 - 2017-02-12 18:47 - 00002547 _____ C:\Users\Public\Desktop\TurboTax 2016.lnk
2017-02-12 18:47 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2016
2017-02-12 18:46 - 2017-02-12 18:46 - 00000000 ____D C:\Program Files (x86)\TurboTax
2017-02-12 18:45 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Intuit
2017-02-08 16:37 - 2017-02-08 16:37 - 00034293 _____ C:\Users\Jim\Downloads\PastBills.pdf
2017-02-07 17:41 - 2017-02-07 17:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-02-07 11:10 - 2017-02-07 11:10 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iTunes
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iPod
2017-02-07 02:08 - 2017-02-07 02:08 - 00002221 _____ C:\Users\Public\Desktop\Google Earth.lnk
2017-02-07 02:08 - 2017-02-07 02:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
2017-02-06 21:38 - 2017-02-06 21:38 - 00046400 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
2017-02-06 17:33 - 2017-02-06 17:33 - 00020823 _____ C:\Users\Jim\Downloads\Dec 01, 2016 to Dec 20, 2016.pdf
2017-02-06 17:32 - 2017-02-06 17:32 - 00020815 _____ C:\Users\Jim\Downloads\Dec 22, 2016 to Jan 20, 2017.pdf
2017-02-06 17:26 - 2017-02-06 17:26 - 00526149 _____ C:\Users\Jim\Downloads\Owner_1099_2016.pdf
2017-01-26 09:08 - 2017-02-25 07:14 - 06960664 _____ (Geek Unіnstaller) C:\Users\Jim\Desktop\geek.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-25 11:49 - 2013-08-22 08:36 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2017-02-25 09:47 - 2016-04-23 11:48 - 00000000 ___RD C:\Users\Jim\Google Drive
2017-02-25 09:46 - 2016-09-24 04:55 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-25 09:45 - 2016-07-15 23:04 - 01310720 _____ C:\WINDOWS\system32\config\BBI
2017-02-25 09:43 - 2016-07-16 04:45 - 00000000 ____D C:\WINDOWS\INF
2017-02-25 09:40 - 2016-05-11 18:07 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-02-25 07:52 - 2016-10-07 09:03 - 00000008 __RSH C:\ProgramData\ntuser.pol
2017-02-25 07:42 - 2017-01-07 11:41 - 00000000 ____D C:\Users\Jim\AppData\LocalLow\Temp
2017-02-25 07:35 - 2016-10-07 09:04 - 00000000 ____D C:\WINDOWS\System32\Tasks\MSFT_TaskSettings3
2017-02-25 07:35 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-02-25 07:26 - 2016-09-24 04:37 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-02-24 12:31 - 2016-04-23 09:35 - 00000000 ____D C:\Users\Jim\AppData\Local\ElevatedDiagnostics
2017-02-24 12:01 - 2016-09-24 05:36 - 00000000 ___DC C:\WINDOWS\Panther
2017-02-24 12:00 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-02-24 10:00 - 2016-04-23 11:09 - 00000000 ___RD C:\Users\Jim\OneDrive
2017-02-24 09:22 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-02-23 21:12 - 2016-04-23 11:10 - 00000000 ____D C:\Users\Jim\AppData\Local\MicrosoftEdge
2017-02-23 19:26 - 2016-09-24 04:37 - 00206352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-02-23 19:25 - 2016-09-24 04:44 - 00000000 ____D C:\Users\Jim
2017-02-23 19:24 - 2016-05-06 16:31 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
2017-02-23 18:06 - 2016-04-24 18:57 - 00000000 ____D C:\Users\Jim\AppData\Roaming\.minecraft
2017-02-15 15:59 - 2016-04-23 11:09 - 00002353 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-12 18:45 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-10 15:36 - 2016-04-23 11:45 - 00000000 ___RD C:\Users\Jim\Dropbox
2017-02-10 12:05 - 2016-04-23 11:29 - 00000000 ____D C:\Users\Jim\AppData\Roaming\DVDVideoSoft
2017-02-07 17:42 - 2016-04-23 11:42 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-02-07 11:14 - 2016-04-23 11:42 - 00000916 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2017-02-07 11:14 - 2016-04-23 11:42 - 00000912 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2017-02-07 11:10 - 2016-05-15 11:07 - 00000000 ____D C:\Program Files\Recuva
2017-02-07 11:09 - 2016-05-15 12:02 - 00000000 ____D C:\Program Files\Common Files\Apple
2017-02-07 02:08 - 2016-04-23 11:14 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-27 13:15 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-01-27 13:15 - 2016-04-23 09:27 - 00000000 ____D C:\Users\Jim\AppData\Local\Packages
2017-01-27 12:17 - 2016-07-17 12:41 - 00000000 ____D C:\Users\Jim\AppData\Roaming\vlc

==================== Files in the root of some directories =======

2016-10-19 15:10 - 2016-10-19 15:10 - 0018070 _____ () C:\Users\Jim\AppData\Roaming\Manunagadoc
2016-10-08 00:04 - 2016-10-08 00:04 - 0000043 _____ () C:\Users\Jim\AppData\Roaming\WB.CFG
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\aatxtname.txt
2017-02-18 23:50 - 2017-02-18 23:50 - 0491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
2017-02-23 17:16 - 2017-02-23 17:16 - 0006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\run.txt
2016-10-04 07:33 - 2016-10-04 07:33 - 0006144 _____ () C:\Users\Jim\AppData\Local\sc446872423.exe
2016-10-04 07:33 - 2016-10-04 07:33 - 0005632 _____ () C:\Users\Jim\AppData\Local\sc46872423.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 1397594 _____ () C:\Users\Jim\AppData\Local\setupone.exe
2017-02-23 17:20 - 2017-02-23 17:20 - 0000001 _____ () C:\Users\Jim\AppData\Local\setupsuccessful.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\stxtname.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\tr5b.txt
2017-02-12 18:47 - 2017-02-12 18:48 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-08 21:04 - 2016-10-08 21:04 - 1134592 _____ () C:\ProgramData\TrezaaSetupx30044.msi
2016-10-08 17:04 - 2016-10-08 17:04 - 0533504 _____ () C:\ProgramData\Vumaa.msi

Some files in TEMP:
====================
2017-02-25 10:53 - 2016-09-15 10:27 - 1883784 _____ (Microsoft Corporation) C:\Users\Jim\AppData\Local\Temp\dllnt_dump.dll
2017-02-25 09:14 - 2017-02-25 09:14 - 3957784 _____ (Geek Unіnstaller) C:\Users\Jim\AppData\Local\Temp\geek64.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-22 07:31
 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Jim (25-02-2017 11:55:02)
Running from C:\Users\Jim\Downloads
Windows 10 Home Version 1607 (X64) (2016-09-24 12:08:15)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-783448517-647833336-481893931-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-783448517-647833336-481893931-503 - Limited - Disabled)
Guest (S-1-5-21-783448517-647833336-481893931-501 - Limited - Disabled)
Jim (S-1-5-21-783448517-647833336-481893931-1001 - Administrator - Enabled) => C:\Users\Jim

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
AnyBurn (HKLM-x32\...\AnyBurn) (Version: 3.5 - Power Software Ltd)
Apple Application Support (32-bit) (HKLM-x32\...\{9BA1A894-B42F-4805-BC8C-349C905A3930}) (Version: 5.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{7EAC8A42-9FAC-4F6B-AABF-C08C9F2E0F13}) (Version: 5.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.27 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
Dropbox (HKLM-x32\...\Dropbox) (Version: 19.4.13 - Dropbox, Inc.)
Dropbox Update Helper (x32 Version: 1.3.65.1 - Dropbox, Inc.) Hidden
Free Image Editor 2.4 (HKLM-x32\...\Free Image Editor 2.4_is1) (Version:  - AskedFiles)
Free YouTube To MP3 Converter (HKLM-x32\...\Free YouTube To MP3 Converter_is1) (Version: 4.1.21.610 - Digital Wave Ltd)
GoldWave v6.24 (HKLM\...\GoldWave v6.24) (Version: 6.24 - GoldWave Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Drive (HKLM-x32\...\{07A12123-B717-496B-B471-48AF6407B433}) (Version: 1.32.4066.7445 - Google, Inc.)
Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
iTunes (HKLM\...\{9D0D2A8B-7E7B-4D88-8D50-24286ED6A5EB}) (Version: 12.5.5.5 - Apple Inc.)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\OneDriveSetup.exe) (Version: 17.3.6764.0111 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation)
PhotoFiltre 7 (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\PhotoFiltre 7) (Version:  - )
Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
RogueKiller version 12.9.8.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.9.8.0 - Adlice Software)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vumaa (x32 Version: 1.0.0 - Vumaa) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1DF06365-6B2C-4E45-AB8A-0338D5438DF6} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {7CE4316C-220F-4214-8E39-F95DB9DC2BE4} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
Task: {ED004583-CB32-4C6B-882A-CE92F3ECDB0B} - \DistromaticSearchProtect-hourly -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => 
Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => 

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 04:42 - 2016-07-16 04:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-10-05 18:17 - 2016-10-05 18:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-01-13 13:56 - 2017-01-13 13:56 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-07-16 04:42 - 2016-07-16 04:42 - 00130048 _____ () C:\WINDOWS\SYSTEM32\CHARTV.dll
2016-09-24 05:32 - 2016-09-24 05:32 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-09-29 17:33 - 2016-09-15 09:39 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-09-29 17:34 - 2016-09-15 09:24 - 09760256 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 01401344 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-09-29 17:34 - 2016-09-15 09:17 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 02424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-09-29 17:34 - 2016-09-15 09:20 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-07-16 04:42 - 2016-07-16 04:42 - 00236488 _____ () c:\windows\system32\WerEtw.dll
2017-02-23 21:14 - 2017-02-01 02:47 - 02459992 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libglesv2.dll
2017-02-23 21:14 - 2017-02-01 02:47 - 00099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\libegl.dll
2017-02-25 10:53 - 2017-02-21 08:07 - 25994312 _____ () C:\Program Files\RogueKiller\RogueKiller64.exe
2016-04-23 11:30 - 2016-07-12 21:32 - 00112552 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\zlib1.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00105896 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_filesystem-vc120-mt-1_56.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00021928 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_system-vc120-mt-1_56.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00045992 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_date_time-vc120-mt-1_56.dll
2017-02-25 09:47 - 2017-02-25 09:47 - 00098816 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32api.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00110080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\pywintypes27.dll
2017-02-25 09:47 - 2017-02-25 09:47 - 00364544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\pythoncom27.dll
2017-02-25 09:47 - 2017-02-25 09:47 - 00320512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32com.shell.shell.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00914432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_hashlib.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 01176576 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._core_.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00806400 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._gdi_.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00816128 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._windows_.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 01067008 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._controls_.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00733184 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._misc_.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00682496 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\pysqlite2._sqlite.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_ctypes.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00686080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\unicodedata.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00119808 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32file.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00108544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32security.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00007168 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\hashobjs_ext.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00017920 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\thumbnails_ext.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\usb_ext.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00012800 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\common.time34.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00018432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32event.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00167936 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32gui.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00046080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_socket.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 01303552 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_ssl.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00128512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_elementtree.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00127488 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\pyexpat.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00038912 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32inet.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00036864 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_psutil_windows.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00524248 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\windows._lib_cacheinvalidation.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00011264 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32crypt.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00123392 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._wizard.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00077312 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._html2.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00027648 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_multiprocessing.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00020480 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\_yappi.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00035840 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32process.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00078848 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\wx._animate.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00024064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32pipe.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00010240 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\select.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00025600 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32pdh.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00017408 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32profile.pyd
2017-02-25 09:47 - 2017-02-25 09:47 - 00022528 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI60842\win32ts.pyd

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2017-02-25 07:36 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-783448517-647833336-481893931-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Jim\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\win8img.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: WSearch => 2

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{879D9F3D-0A73-45F1-A2DA-12ED46127E80}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2B008137-5F84-4809-9070-5950BCA6C76A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{250B2D45-23D5-4B74-AED0-658047E5C530}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{473AD362-1498-4AF7-9580-060C363D3A79}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{04715A09-8533-4395-83BD-24E52FF0D711}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [UDP Query User{41669055-1B9D-457D-AA0C-D7AF68CB7D9D}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [TCP Query User{073CB8C7-5E33-4D29-9682-2EE6C072F931}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [{57951344-6AF1-4839-9FA2-E4F1221AEA6D}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{B7B48F01-2D5E-485B-BFBA-C63F4FF753CB}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
FirewallRules: [{D2BDBA2D-DC75-4777-8FD2-78F67E962DBC}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{8C82BE9B-F00B-4C5E-9551-C0DEB0DFBB56}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{A6978D68-7287-4C1C-A946-1178C1F65B8F}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{81416A4B-3733-45DC-8A14-2483830BC6E2}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{09D983AE-6554-4983-A380-C15E860307AF}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{FA9E2551-4FD5-4A84-903F-0F9F0123B69B}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{BD81FB30-E202-4974-9CF8-EE2F49A1B93C}] => (Allow) C:\Users\Jim\AppData\Local\sc446872423.exe
FirewallRules: [{6A7A9303-0C3C-484D-9FEC-1862F82E24CD}] => (Allow) C:\Users\Jim\AppData\Local\ddnow4.exe
FirewallRules: [{5ECE3246-505E-4145-8ECE-356A488BE3C8}] => (Allow) C:\Program Files (x86)\sorrier\equalized.exe
FirewallRules: [{350422A7-6665-4018-B69A-C42A97BED256}] => (Allow) C:\Program Files (x86)\sorrier\harold.exe
FirewallRules: [{5E5BF097-B4F3-494E-9A44-5C210FD57D0C}] => (Allow) C:\WINDOWS\uniter.exe
FirewallRules: [TCP Query User{F567F884-272F-45FB-8141-EA51BDF61B3B}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{7432D085-E847-4C62-9209-7922D1B8CBD7}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [{A6E8CA20-02D4-4B21-BA4B-2EBD42C99386}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

04-02-2017 08:16:53 Scheduled Checkpoint
12-02-2017 18:46:39 Installed TurboTax 2016 wrapper
19-02-2017 19:40:25 Scheduled Checkpoint
23-02-2017 19:58:25 JRT Pre-Junkware Removal
24-02-2017 15:16:43 JRT Pre-Junkware Removal
25-02-2017 09:02:17 Removed Online.io Application
25-02-2017 09:03:53 Removed Online.io Application
25-02-2017 09:05:47 Removed Traffic Exchange

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/25/2017 11:55:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: equalized.exe, version: 1.0.2.0, time stamp: 0x58a94020
Faulting module name: KERNELBASE.dll, version: 10.0.14393.206, time stamp: 0x57dac9f3
Exception code: 0xe0434352
Fault offset: 0x0000000000017788
Faulting process id: 0x337c
Faulting application start time: 0x01d28f98b3b74de0
Faulting application path: C:\Program Files (x86)\sorrier\equalized.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 4738d5cb-071e-4edf-a73e-20f79e46af67
Faulting package full name: 
Faulting package-relative application ID:

Error: (02/25/2017 11:55:16 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: equalized.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Demo.Program.Main(System.String[])

Error: (02/25/2017 11:54:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: equalized.exe, version: 1.0.2.0, time stamp: 0x58a94020
Faulting module name: KERNELBASE.dll, version: 10.0.14393.206, time stamp: 0x57dac9f3
Exception code: 0xe0434352
Fault offset: 0x0000000000017788
Faulting process id: 0x15b0
Faulting application start time: 0x01d28f988ff44d29
Faulting application path: C:\Program Files (x86)\sorrier\equalized.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 522affe3-d366-469e-be42-6f965cf57686
Faulting package full name: 
Faulting package-relative application ID:

Error: (02/25/2017 11:54:16 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: equalized.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Demo.Program.Main(System.String[])

Error: (02/25/2017 11:53:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: equalized.exe, version: 1.0.2.0, time stamp: 0x58a94020
Faulting module name: KERNELBASE.dll, version: 10.0.14393.206, time stamp: 0x57dac9f3
Exception code: 0xe0434352
Fault offset: 0x0000000000017788
Faulting process id: 0x2828
Faulting application start time: 0x01d28f986c310fff
Faulting application path: C:\Program Files (x86)\sorrier\equalized.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 8593121c-2ad7-4017-8106-7c2c3b406b49
Faulting package full name: 
Faulting package-relative application ID:

Error: (02/25/2017 11:53:16 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: equalized.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Demo.Program.Main(System.String[])

Error: (02/25/2017 11:52:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: equalized.exe, version: 1.0.2.0, time stamp: 0x58a94020
Faulting module name: KERNELBASE.dll, version: 10.0.14393.206, time stamp: 0x57dac9f3
Exception code: 0xe0434352
Fault offset: 0x0000000000017788
Faulting process id: 0x3260
Faulting application start time: 0x01d28f98486d278c
Faulting application path: C:\Program Files (x86)\sorrier\equalized.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 38db979f-8cc5-4423-8b84-1a8f8a867946
Faulting package full name: 
Faulting package-relative application ID:

Error: (02/25/2017 11:52:16 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: equalized.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Demo.Program.Main(System.String[])

Error: (02/25/2017 11:51:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: equalized.exe, version: 1.0.2.0, time stamp: 0x58a94020
Faulting module name: KERNELBASE.dll, version: 10.0.14393.206, time stamp: 0x57dac9f3
Exception code: 0xe0434352
Fault offset: 0x0000000000017788
Faulting process id: 0x14c
Faulting application start time: 0x01d28f9826738a29
Faulting application path: C:\Program Files (x86)\sorrier\equalized.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 589572cd-87f5-470a-bafa-40b47176a940
Faulting package full name: 
Faulting package-relative application ID:

Error: (02/25/2017 11:51:19 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: equalized.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Demo.Program.Main(System.String[])


System errors:
=============
Error: (02/25/2017 10:03:01 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:02:52 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:02:43 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:02:34 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:02:25 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:02:16 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:02:07 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:01:58 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:01:49 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.

Error: (02/25/2017 10:01:40 AM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.


CodeIntegrity:
===================================
  Date: 2017-02-23 17:19:17.158
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-02-23 17:19:17.157
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-02-20 09:46:50.391
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-02-20 09:46:50.387
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:20.190
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:20.189
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:03.403
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-31 10:41:03.401
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-07 11:49:55.645
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-07 11:49:55.639
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info =========================== 

Processor: AMD A8-5500 APU with Radeon(tm) HD Graphics 
Percentage of memory in use: 38%
Total physical RAM: 7645.61 MB
Available physical RAM: 4670.77 MB
Total Virtual: 8861.61 MB
Available Virtual: 6484.79 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:930.97 GB) (Free:878.01 GB) NTFS
Drive d: (TurboTax 2016) (CDROM) (Total:0.54 GB) (Free:0 GB) CDFS
Drive f: () (Removable) (Total:0.96 GB) (Free:0.77 GB) FAT

==================== MBR & Partition Table ==================

==================== End of Addition.txt ============================

rk.txt


Thanks for those logs, continue as follows:

Right-click on RogueKiller.exe and select "Run as Administrator" to start the tool; accept the UAC prompt.

In the new window the "Home" tab should already be selected. Change by selecting the "Scan" tab, then select "Start Scan".


When the scan completes, checkmark (tick) the following against Process entries; ensure that all other entries are not checkmarked.

[Suspicious.Path|VT.Unknown] uniter.exe(2384) -- C:\Windows\uniter.exe[-] -> Found
[Suspicious.Path|VT.Unknown] shortsightedness.exe(2376) -- C:\Windows\shortsightedness.exe[-] -> Found
[Suspicious.Path|VT.PUP.Optional.DotDo.PrxySvrRST] (SVC) bottling -- C:\WINDOWS\shortsightedness.exe[-] -> Found


Checkmark (tick) the following against Registry entries; ensure that all other entries are not checkmarked.

[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{2AED0EAB-229F-43DB-9E6C-714753369B11} (C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll) -> Found
[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} (C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll) -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\AppApcVerifier -> Found
[PUP.EventMonitor|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Event Monitor -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Jawego -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\PC -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\simplitec -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\ACPTab -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\csastats -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\Distromatic -> Found
[PUP.EventMonitor|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\Event Monitor -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\InSTab -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\jawego -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\PC -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\ProductSetup -> Found
[PUP.StackPlayer] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\StackPlayer -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\ACPTab -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\csastats -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\Distromatic -> Found
[PUP.EventMonitor|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\Event Monitor -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\InSTab -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\jawego -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\PC -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\ProductSetup -> Found
[PUP.StackPlayer] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\StackPlayer -> Found
[Suspicious.Path|VT.PUP.Optional.DotDo.PrxySvrRST] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bottling (C:\WINDOWS\shortsightedness.exe) -> Found
[Suspicious.Path|VT.PUP.Optional.DotDo.PrxySvrRST] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\darkening (C:\WINDOWS\uniter.exe) -> Found
[PUP.Gen0|VT.PUP.Optional.FusionCore] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DigitalWave.Update.Service ("C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe") -> Found
[Suspicious.Path|VT.Adware.DotDo] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BD81FB30-E202-4974-9CF8-EE2F49A1B93C} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Jim\AppData\Local\sc446872423.exe|Name=DW41533289|Desc=Allow|EmbedCtxt=@C:\Users\Jim\AppData\Local\sc446872423.exe,-10000| [-] -> Found
[Suspicious.Path|VT.Unknown] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6A7A9303-0C3C-484D-9FEC-1862F82E24CD} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Jim\AppData\Local\ddnow4.exe|Name=now45|Desc=Allow internet|EmbedCtxt=@C:\Users\Jim\AppData\Local\ddnow4.exe,-10000| [-] -> Found
[Suspicious.Path|VT.PUP.Optional.DotDo.PrxySvrRST] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5E5BF097-B4F3-494E-9A44-5C210FD57D0C} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\WINDOWS\uniter.exe|Name=darkening|Desc=Allow|EmbedCtxt=@C:\WINDOWS\uniter.exe,-10000| [-] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found


Checkmark (tick) the following against Tasks entries; ensure that all other entries are not checkmarked.

[PUP.Gen1] \DistromaticSearchProtect-hourly -- C:\Program Files (x86)\Amazon Browser Settings\AmznSearchProtect.exe (--start --launcher=hourly-task) -> Found


Checkmark (tick) the following against File entries; ensure that all other entries are not checkmarked.

[PUP.Gen1][Folder] C:\ProgramData\simplitec -> Found
[PUP.Trezaa][Folder] C:\ProgramData\Trezaa -> Found
[PUP.Gen0][File] C:\Users\Public\Desktop\DVDVideoSoft Free Studio.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\FREEST~1.EXE -> Found
[PUP.Gen1][Folder] C:\Users\Jim\AppData\Roaming\AGData -> Found
[PUP.Gen1][Folder] C:\Users\Jim\AppData\Roaming\InstantSupport -> Found
[PUP.StackPlayer|PUP.Gen0][Folder] C:\Users\Jim\AppData\Local\StackPlayer -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget -> Found
[PUP.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\DVDVideoSoft Free Studio.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\FREEST~1.EXE -> Found
[PUP.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Premium Membership.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\PREMIU~1.EXE -> Found
[PUP.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Uninstall.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\lib\UNINST~1.EXE -> Found
[PUP.Gen1][Folder] C:\ProgramData\simplitec -> Found
[PUP.Trezaa][Folder] C:\ProgramData\Trezaa -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\AnonymizerGadget -> Found
[PUP.Gen0][Folder] C:\Program Files (x86)\Common Files\DVDVideoSoft -> Found
[PUP.Gen0][File] C:\Users\Public\Desktop\DVDVideoSoft Free Studio.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\FREEST~1.EXE -> Found


Checkmark (tick) the following against Web Browser entries; ensure that all other entries are not checkmarked.

[PUP.Gen0][Chrome:Addon] Default : MSN Homepage & Bing Search Engine [fcfenmboojpjinhpgggodefccipikbpd] -> Found


Hit the Delete button. When complete, select "Open Report"; in the next window select "Export txt" and the log will open. Save it to your Desktop for reference, and also attach it to your next reply.

Next,

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. Do not open that file.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.


Next,

Open Malwarebytes, select "Settings" > "Protection" tab.

Scroll down to "Scan Options" and ensure Scan for Rootkits and Scan within Archives are both on. Leave all other settings at default.

Go back to "Dashboard" and select the blue "Scan Now" tab.

When the scan completes, deal with any found entries. Then select "Export Summary", then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply.

Let me see those logs in your reply....

Thank you,

Kevin...

fixlist.txt


When I try to open Malwarebytes I get "The requested resource is in use".

Here is the fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Jim (25-02-2017 15:19:19) Run:2
Running from C:\Users\Jim\Downloads
Loaded Profiles: Jim (Available Profiles: Jim)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\RunOnce: [Lulopelona] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Jim\AppData\Roaming\Manunagadoc"
C:\Users\Jim\AppData\Roaming\Manunagadoc
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR Extension: (Bing) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-08-31]
CHR Extension: (Chrome Media Router) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]
R2 bottling; C:\WINDOWS\shortsightedness.exe [9728 2017-02-18] (emboldens) [File not signed]
C:\Windows\shortsightedness.exe
R2 darkening; C:\WINDOWS\uniter.exe [13824 2017-02-18] (munger) [File not signed]
C:\Windows\uniter.exe
S3 VumaaService; C:\ProgramData\Vumaa\Vumaa.Service.exe [22952 2016-03-30] (Vumaa)
C:\ProgramData\Vumaa
2016-10-19 15:10 - 2016-10-19 15:10 - 0018070 _____ () C:\Users\Jim\AppData\Roaming\Manunagadoc
2016-10-08 00:04 - 2016-10-08 00:04 - 0000043 _____ () C:\Users\Jim\AppData\Roaming\WB.CFG
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\aatxtname.txt
2017-02-18 23:50 - 2017-02-18 23:50 - 0491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
2017-02-23 17:16 - 2017-02-23 17:16 - 0006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\run.txt
2016-10-04 07:33 - 2016-10-04 07:33 - 0006144 _____ () C:\Users\Jim\AppData\Local\sc446872423.exe
2016-10-04 07:33 - 2016-10-04 07:33 - 0005632 _____ () C:\Users\Jim\AppData\Local\sc46872423.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 1397594 _____ () C:\Users\Jim\AppData\Local\setupone.exe
2017-02-23 17:20 - 2017-02-23 17:20 - 0000001 _____ () C:\Users\Jim\AppData\Local\setupsuccessful.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\stxtname.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\tr5b.txt
2017-02-12 18:47 - 2017-02-12 18:48 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-08 21:04 - 2016-10-08 21:04 - 1134592 _____ () C:\ProgramData\TrezaaSetupx30044.msi
2016-10-08 17:04 - 2016-10-08 17:04 - 0533504 _____ () C:\ProgramData\Vumaa.msi 
Task: {7CE4316C-220F-4214-8E39-F95DB9DC2BE4} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
C:\Program Files (x86)\sorrier
Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => 
Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job =>  
Task: {ED004583-CB32-4C6B-882A-CE92F3ECDB0B} - \DistromaticSearchProtect-hourly -> No File <==== ATTENTION 
CMD: ipconfig /flushDNS
EmptyTemp:
end

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Lulopelona => value removed successfully
C:\Users\Jim\AppData\Roaming\Manunagadoc => moved successfully
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd => moved successfully
C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
bottling => service not found.
C:\Windows\shortsightedness.exe => moved successfully
darkening => service not found.
C:\Windows\uniter.exe => moved successfully
HKLM\System\CurrentControlSet\Services\VumaaService => key removed successfully
VumaaService => service removed successfully
C:\ProgramData\Vumaa => moved successfully
"C:\Users\Jim\AppData\Roaming\Manunagadoc" => not found.
C:\Users\Jim\AppData\Roaming\WB.CFG => moved successfully
C:\Users\Jim\AppData\Local\aatxtname.txt => moved successfully
C:\Users\Jim\AppData\Local\cement.exe => moved successfully
C:\Users\Jim\AppData\Local\ddnow4.exe => moved successfully
C:\Users\Jim\AppData\Local\run.txt => moved successfully
C:\Users\Jim\AppData\Local\sc446872423.exe => moved successfully
C:\Users\Jim\AppData\Local\sc46872423.exe => moved successfully
C:\Users\Jim\AppData\Local\setupone.exe => moved successfully
C:\Users\Jim\AppData\Local\setupsuccessful.txt => moved successfully
C:\Users\Jim\AppData\Local\stxtname.txt => moved successfully
C:\Users\Jim\AppData\Local\tr5b.txt => moved successfully
C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc => moved successfully
C:\ProgramData\TrezaaSetupx30044.msi => moved successfully
C:\ProgramData\Vumaa.msi => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7CE4316C-220F-4214-8E39-F95DB9DC2BE4} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7CE4316C-220F-4214-8E39-F95DB9DC2BE4} => key removed successfully
C:\WINDOWS\System32\Tasks\76656282 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\76656282 => key removed successfully
C:\Program Files (x86)\sorrier => moved successfully
C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => moved successfully
C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ED004583-CB32-4C6B-882A-CE92F3ECDB0B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ED004583-CB32-4C6B-882A-CE92F3ECDB0B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DistromaticSearchProtect-hourly => key removed successfully

========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5639096 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 134384 B
Edge => 943 B
Chrome => 393134593 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
Jim => 65360243 B

RecycleBin => 64828654 B
EmptyTemp: => 504.6 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 15:20:30 ====

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from, with different names on them; select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.

Post the log from Rkill.

 

Try Malwarebytes, does it run now...?


No. Malwarebytes still doesn't run.

 

Rkill log:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/25/2017 03:43:35 PM in x64 mode.
Windows Version: Windows 10 Home 

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity: 

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Disabled

 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]

 * agp440 [Missing ImagePath]

 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]

 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * HOSTS file entries found: 

  127.0.0.1       localhost

Program finished at: 02/25/2017 03:44:35 PM
Execution time: 0 hours(s), 0 minute(s), and 59 seconds(s)
 

Farbar scanner, for use when there are connection or redirect issues:

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:
 
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
 
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Next,

Please create an mbam-check log:
 
  • Download mbam-check.exe from here: https://downloads.malwarebytes.org/file/mb3_check and save it to your desktop
  • Double-click on mbam-check.exe to run it; it should then open a log file
  • Please do not copy and paste the entire contents of the log into your next post, instead, please attach the log CheckResults.txt file which should now be located on your desktop to your next post.
  • Attach the log to your reply

FSS log:

Farbar Service Scanner Version: 27-01-2016
Ran by Jim (administrator) on 25-02-2017 at 16:03:00
Running from "C:\Users\Jim\Downloads"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Policy: 
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****


Uninstall Malwarebytes with GeekUninstaller; instructions are in reply ID 4.

Next,

Download "Set Windows Services To Default Startup" from here to your desktop http://www.tweaking.com/content/page/set_windows_services_to_default_startup.html

Run the file and, once it has extracted, click Start.

It should take no more than a few seconds

On completion run FSS again as before and post that log....

FSS log:

Farbar Service Scanner Version: 27-01-2016
Ran by Jim (administrator) on 25-02-2017 at 16:56:36
Running from "C:\Users\Jim\Downloads"
Microsoft Windows 10 Home  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Policy: 
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.


Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Download a fresh version of Malwarebytes from here: https://malwarebytes.app.box.com/s/d15nhbepqn0kdzc0iacrzypyic1gbkam

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes and is updated do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

fixlist.txt


Apparently I did something wrong? I couldn't find the "Set Windows Services To Default Startup"; all that was there was a "Windows Repair v3.9.25". I ran the first tab and, since the others were optional, I skipped to the "Repairs" tab and it is taking a long time.

 


Fix result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Jim (25-02-2017 17:33:50) Run:3
Running from C:\Users\Jim\Downloads
Loaded Profiles: Jim (Available Profiles: Jim)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
Reg: reg add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /v Start /t REG_DWORD /d 2 /f
Reg: reg add "HKLM\SYSTEM\CurrentControlSet\services\wuauserv" /v Start /t REG_DWORD /d 2 /f
CMD: net start wscsvc
CMD: net start wuauserv
End


*****************


========= reg add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /v Start /t REG_DWORD /d 2 /f =========

The operation completed successfully.


========= End of Reg: =========


========= reg add "HKLM\SYSTEM\CurrentControlSet\services\wuauserv" /v Start /t REG_DWORD /d 2 /f =========

The operation completed successfully.


========= End of Reg: =========


========= net start wscsvc =========

System error 1058 has occurred.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


========= End of CMD: =========


========= net start wuauserv =========

System error 1058 has occurred.

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


========= End of CMD: =========


==== End of Fixlog 17:33:50 ====

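The fixlog above writes Start=2 straight into the service keys and then `net start` still fails with error 1058: the Service Control Manager reads the Start value at boot, so a direct registry write generally needs a reboot before the SCM sees the service as enabled, whereas `Set-Service` goes through the SCM. The following audit script is an added example, not part of the thread and not code from FRST, Rkill or FSS; it checks the same indicators those logs flagged (the Defender DisableAntiSpyware policy and the start types of wscsvc, wuauserv and WinDefend), and the expected values in `$Expected` are assumed from the defaults the FSS log reports.

```powershell
# Added example (not from the thread): audit the items Rkill and FSS flagged above.
# Run from an elevated PowerShell prompt on Windows 10.

# Expected start types, assumed from the "default start type is Auto" lines in the FSS log.
$Expected = @{
    'wscsvc'    = 'Automatic'   # Security Center
    'wuauserv'  = 'Automatic'   # Windows Update
    'WinDefend' = 'Automatic'   # Windows Defender
}

# Report whether Defender is disabled by policy (the value both Rkill and FSS reported).
function Get-DefenderPolicyStatus {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $value = (Get-ItemProperty -Path $key -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($null -eq $value) { return 'DisableAntiSpyware policy not set (default)' }
    return "DisableAntiSpyware policy = $value (Defender disabled by policy)"
}

# Compare each service's current start type and state with the expected default.
function Get-ServiceStartAudit {
    foreach ($name in $Expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{ Service = $name; StartType = 'MISSING'; Expected = $Expected[$name]; Status = 'n/a' }
            continue
        }
        [pscustomobject]@{
            Service   = $name
            StartType = "$($svc.StartType)"
            Expected  = $Expected[$name]
            Status    = "$($svc.Status)"
        }
    }
}

# Opt-in repair: Set-Service calls the SCM, so the new start type applies without a reboot,
# which is why Start-Service can succeed here where the fixlog's net start returned 1058.
function Repair-ServiceStart {
    param([switch]$WhatIf)
    foreach ($row in Get-ServiceStartAudit) {
        if ($row.StartType -ne 'MISSING' -and $row.StartType -ne $row.Expected) {
            Set-Service -Name $row.Service -StartupType $row.Expected -WhatIf:$WhatIf
            if (-not $WhatIf) { Start-Service -Name $row.Service -ErrorAction Continue }
        }
    }
}

Get-DefenderPolicyStatus
Get-ServiceStartAudit | Format-Table -AutoSize
# Repair-ServiceStart -WhatIf    # preview the changes; drop -WhatIf to apply them
```

The script only reports by default; the policy value itself is left for the helper's fixlist to handle, since removing it changes system configuration.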
Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window checkmark "Install 32 and 64 bit versions", then select "Next"


In the next window skip Licence I.D. and Licence Key, select "Next"


In the next window make no changes and select "Next"


In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"


In the next window make no changes and select "Install"


RogueKiller will extract and complete installation; in the new window leave "Launch RogueKiller" checkmarked, then select Finish.


RogueKiller will launch. Accept UAC, then read and accept "User Agreements"


In the new window the "Home" tab should already be selected; change to the "Scan" tab, then select "Start Scan"


When the scan completes select "Open Report"


In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply


Thanks for that log, continue as follows:

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected; change to the "Scan" tab, then select "Start Scan"


When the scan completes checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked

[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Jawego -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\PC -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6A7A9303-0C3C-484D-9FEC-1862F82E24CD} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Jim\AppData\Local\ddnow4.exe|Name=now45|Desc=Allow internet|EmbedCtxt=@C:\Users\Jim\AppData\Local\ddnow4.exe,-10000| [x] -> Found


Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked

[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://foxnews.com/] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://foxnews.com/] -> Found


Hit the Delete button. When complete, select "Open Report"; in the next window select "Export txt" and the log will open. Save it to your Desktop for reference, and also attach it to your next reply.
 
Next,
 
Emsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.

Let me see those logs in your reply....

Thank you,

Kevin...

 
