Virus sealed off in thumbdrive, but unsure if laptop infected too


  • This topic is locked
13 replies to this topic

#1 thaiguy
  • Members
  • 58 posts

Posted 11 December 2015 - 07:07 PM

Hi guys.

I had to print some photos at a CVS the other day and used a 15g thumbdrive to transfer the files. Felt trapped as I needed them printed right away and had to use the thumbdrive. Now when plugged into the laptop it shows 14g are sealed off with just 1 gig remaining. Avast scans of both are showing nothing, but I know something's up and I want to make sure the whole system is clean. Could I have already infected my laptop too?

I'll be standing by. Thanks in advance.

#2 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 12 December 2015 - 09:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[image: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


How is the computer running now?
Wait for further instructions.
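An added example, not code from this thread or from Malwarebytes: a small Python triage script for the MBAM 2.x text log layout requested above. It reports any detection still marked "No Action By User" (the case the "ensure that Quarantine is selected" step guards against), checks each section's declared count against the entries listed, and flags files sitting under WinRAR's Temp\Rar$ extraction folders, which are copies pulled out of an archive rather than the archive itself. The log inside it is a constructed sample in that layout (placeholder user name, SID and ids), not the log posted in this thread.

```python
"""Triage an MBAM 2.x "Threat Scan" text log (added example, not from the thread).

The log lists sections such as "Registry Keys: 5" followed by one line per
detection: "<threat>, <item>, <action>, [<32-hex id>],". This script parses
that layout and reports un-quarantined items, count mismatches and files that
live in a WinRAR %TEMP%\\Rar$... extraction folder (copies from an archive).
"""
import re
from collections import Counter

SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors")
SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# threat, item, action, [id]; the item may contain spaces, braces and backslashes.
ENTRY_RE = re.compile(
    r"^(?P<threat>[^,]+), (?P<item>.+), (?P<action>[^,\[\]]+), "
    r"\[(?P<id>[0-9a-f]{32})\],?$")
RAR_TEMP_RE = re.compile(r"\\Temp\\Rar\$", re.IGNORECASE)

# Constructed sample in the MBAM 2.x layout (placeholder SID, user and ids).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/12/2015
Scan Type: Threat Scan
Result: Completed

Processes: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, No Action By User, [0123456789abcdef0123456789abcde1],
PUP.Optional.ProductSetup, HKU\S-1-5-21-0-0-0-1000\SOFTWARE\PRODUCTSETUP, Quarantined, [0123456789abcdef0123456789abcde2],

Files: 2
PUP.Optional.ProductKeyFinder, C:\Users\user\AppData\Local\Temp\Rar$EXa0.101\KMSAuto Net 1.1.1 Portable RU\bin\pdk.dll, No Action By User, [0123456789abcdef0123456789abcde3],
PUP.Optional.WinYahoo, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk, Quarantined, [0123456789abcdef0123456789abcde4],

Physical Sectors: 0
(No malicious items detected)

(end)
"""


def parse_mbam_log(text):
    """Return (header, detections, declared): header holds the 'Key: value' lines
    above the first section, detections is a list of dicts, declared maps each
    section name to the count MBAM printed for it."""
    header, detections, declared, section = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank, "(No malicious ...)", "(end)"
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1) in SECTIONS:
            section = m.group(1)
            declared[section] = int(m.group(2))
            continue
        if section is None:                    # still in the header block
            key, _, value = line.partition(": ")
            if value:
                header[key] = value
            continue
        e = ENTRY_RE.match(line)
        if e:
            detections.append({"section": section, **e.groupdict()})
        else:   # e.g. Registry Values lines ending in ", %4, %5": keep the raw line
            detections.append({"section": section, "threat": None,
                               "item": line, "action": None, "id": None})
    return header, detections, declared


def triage(detections, declared):
    """Summarise the parsed detections for review."""
    found = Counter(d["section"] for d in detections)
    return {
        "families": dict(Counter(d["threat"] for d in detections if d["threat"])),
        "pending": [d for d in detections if d["action"] == "No Action By User"],
        "count_mismatch": {s: (n, found[s]) for s, n in declared.items()
                           if found[s] != n},
        "archive_temp_copies": [d for d in detections if d["section"] == "Files"
                                and RAR_TEMP_RE.search(d["item"])],
    }


def report(text):
    """Human-readable summary, returned as a list of lines."""
    header, detections, declared = parse_mbam_log(text)
    t = triage(detections, declared)
    lines = [f"Scan: {header.get('Scan Type', '?')} on {header.get('Scan Date', '?')} "
             f"({header.get('Result', '?')}), {len(detections)} detections"]
    lines += [f"  {fam}: {n}" for fam, n in sorted(t["families"].items())]
    lines += [f"  NOT QUARANTINED: {d['threat']} -> {d['item']}" for d in t["pending"]]
    lines += [f"  count mismatch in {s}: declared {n}, listed {got}"
              for s, (n, got) in t["count_mismatch"].items()]
    lines += [f"  extracted-from-archive copy: {d['item']}"
              for d in t["archive_temp_copies"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```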

#3 thaiguy
  • Topic Starter
  • Members
  • 58 posts

Posted 13 December 2015 - 10:05 AM

Hi, Nasdaq.

I'm not quite sure which ones to cut and paste vs. attach, but I think I've got it right. Either way, here are all of the results. And by the way, because the thumb drive is a concern, I'm running all of these diagnostics and treatments with the thumb drive plugged into my computer.

Malwarebytes Anti-Malware
www.malwarebytes.org


Scan Date: 12/12/2015
Scan Time: 4:32 PM
Logfile: mbam scan.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.12.05
Rootkit Database: v2015.12.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Roger Sockwell

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 362315
Time Elapsed: 14 min, 18 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 5
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, No Action By User, [34013d67e7a439fdca849e2d29da5ba5],
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, No Action By User, [161f396b117afd39cd816e5ddb28956b],
PUP.Optional.WinYahoo, HKU\S-1-5-21-2277862347-689562813-1071508185-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, No Action By User, [0a2bd8cc06853ff7c08cf4d7e81bc040],
PUP.Optional.WinYahoo, HKU\S-1-5-21-2277862347-689562813-1071508185-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, No Action By User, [8baa2183dab12115f7557b5071922dd3],
PUP.Optional.ProductSetup, HKU\S-1-5-21-2277862347-689562813-1071508185-1000\SOFTWARE\PRODUCTSETUP, No Action By User, [64d1861e8803df578ab58526788b0ef2],

Registry Values: 9
PUP.Optional.ProductSetup, HKU\S-1-5-21-2277862347-689562813-1071508185-1000\SOFTWARE\PRODUCTSETUP|tb, 0X1F1T1V1G1G, No Action By User, [64d1861e8803df578ab58526788b0ef2]

Registry Data: 1

Folders: 0
(No malicious items detected)

Files: 8
PUP.Optional.ProductKeyFinder, C:\Users\Roger Sockwell\AppData\Local\Temp\Rar$EXa0.101\KMSAuto Net 1.1.1 Portable RU\bin\pdk.dll, No Action By User, [43f25d4769222b0be1324e21649dbd43],
PUP.Optional.ProductKeyFinder, C:\Users\Roger Sockwell\AppData\Local\Temp\Rar$EXa0.292\KMSAuto Net 1.1.1 Portable RU\bin\pdk.dll, No Action By User, [46ef406491fa26107b98026db150a45c],
PUP.Optional.ProductKeyFinder, C:\Users\Roger Sockwell\AppData\Local\Temp\Rar$EXa0.369\KMSAuto Net 1.1.1 Portable RU\bin\pdk.dll, No Action By User, [6fc6733166251422ed2677f8d22ff50b],
PUP.Optional.ProductKeyFinder, C:\Users\Roger Sockwell\AppData\Local\Temp\Rar$EXa0.476\KMSAuto Net 1.1.1 Portable RU\bin\pdk.dll, No Action By User, [ef46dcc8d9b238fedc37d7988879817f],
PUP.Optional.ProductKeyFinder, C:\Users\Roger Sockwell\AppData\Local\Temp\Rar$EXa0.577\KMSAuto Net 1.1.1 Portable RU\bin\pdk.dll, No Action By User, [38fd9113b9d2e94da86bb8b761a035cb],
PUP.Optional.ProductKeyFinder, C:\Users\Roger Sockwell\AppData\Local\Temp\Rar$EXa0.766\KMSAuto Net 1.1.1 Portable RU\bin\pdk.dll, No Action By User, [56df683c0f7c2d09789b0c63d62bba46],
PUP.Optional.WinYahoo, C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\searchplugins\search-provided-by-yahoo.xml, No Action By User, [1025e7bd0a81ee48db5de9d6c04349b7],
PUP.Optional.WinYahoo, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk, No Action By User, [90a5752f1378bc7ae77c14eca163b050],

Physical Sectors: 0
(No malicious items detected)

(end)

# AdwCleaner v5.024 - Logfile created 13/12/2015 at 06:36:51
# Updated 07/12/2015 by Xplode

# Database : 2015-12-12.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Roger Sockwell - ROGERSOCKWELL
# Running from : C:\Users\Roger Sockwell\Desktop\adwcleaner_5.024.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : Service KMSELDI

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\kmspico
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\kmspico

***** [ Files ] *****

[-] File Deleted : C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\searchplugins\search-provided-by-yahoo.xml

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : updateTask

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\PRODUCTSETUP
[-] Key Deleted : HKCU\Software\yahooprovidedsearch
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\yahooprovidedsearch

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1239 bytes] ##########

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:12-12-2015 01
Ran by Roger Sockwell (administrator) on ROGERSOCKWELL (13-12-2015 06:45:07)

Running from C:\Users\Roger Sockwell\Desktop
Loaded Profiles: Roger Sockwell (Available Profiles: Roger Sockwell)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\nlssrv32.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDIntelligent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Power Software Ltd) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1647616 2013-03-04] (Conexant Systems, Inc.)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2876816 2013-03-05] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [8079408 2013-09-12] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [6199128 2013-09-12] (Lenovo(beijing) Limited)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [286192 2013-01-31] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-02-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7021880 2015-12-08] (AVAST Software)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5563760 2014-06-01] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1761120 2015-03-22] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [337432 2013-01-27] (Power Software Ltd)
Winlogon\Notify\igfxcui: C:\Windows\SYSTEM32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8591272 2015-11-16] (Piriform Ltd)
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\MountPoints2: G - "G:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\MountPoints2: {fb986c44-52eb-11e4-9203-b8763fa21bb8} - "J:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\MountPoints2: {fcd9aec0-6eaa-11e5-a191-208984dc876e} - "J:\WD Drive Unlock.exe" autoplay=true
Lsa: [Notification Packages] scecli C:\Program Files\Lenovo\Bluetooth Software\BtwProximityCP.dll
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-12-08] (AVAST Software)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.17.1 192.168.1.1
Tcpip\..\Interfaces\{24AC6F63-C542-45A5-BA4E-3C74D507C4C3}: [DhcpNameServer] 192.168.17.1 192.168.1.1
Tcpip\..\Interfaces\{24B03F3A-1986-4A8B-8A9A-43DC1F3BF3D1}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_50&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzzyByCtA0F0AtBtC0B0ByB0AtCyCyBtN0D0Tzu0StCyEtAyCtN1L2XzutAtFtCyDtFtAtFtBtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StAyCyE0AyBtBtBzytGtA0F0A0EtG0CyDtC0AtGyCzytA0BtGyByD0AyBtBzztCzztB0EyE0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0FtA0B0D0C0EtG0CtBtAtBtGyEyB0BzytG0ByByEyBtG0B0CzytByCtAtA0EtAzzzztD2QtN0A0LzuyE%26cr%3D799676936%26a%3Dwncy_gmmedply_15_50%26os%3DWindows%2B7%2BUltimate
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_45&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzzyByCtA0F0AtBtC0B0ByB0AtCyCyBtN0D0Tzu0StCyEtDtCtN1L2XzutAtFtCyDtFtDtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyEtCzytC0ByC0AtBtGyEtDzy0CtG0EyD0E0CtGtByDyDtAtG0DtB0D0FtDyCyD0AyD0CyD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0FtA0B0D0C0EtG0CtBtAtBtGyEyB0BzytG0ByByEyBtG0B0CzytByCtAtA0EtAzzzztD2QtN0A0LzuyE%26cr%3D1793446830%26a%3Dwncy_gmmedply_15_45%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_45&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzzyByCtA0F0AtBtC0B0ByB0AtCyCyBtN0D0Tzu0StCyEtDtCtN1L2XzutAtFtCyDtFtDtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyEtCzytC0ByC0AtBtGyEtDzy0CtG0EyD0E0CtGtByDyDtAtG0DtB0D0FtDyCyD0AyD0CyD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0FtA0B0D0C0EtG0CtBtAtBtGyEyB0BzytG0ByByEyBtG0B0CzytByCtAtA0EtAzzzztD2QtN0A0LzuyE%26cr%3D1793446830%26a%3Dwncy_gmmedply_15_45%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKLM -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_50&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzzyByCtA0F0AtBtC0B0ByB0AtCyCyBtN0D0Tzu0StCyEtAyCtN1L2XzutAtFtCyDtFtAtFtBtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StAyCyE0AyBtBtBzytGtA0F0A0EtG0CyDtC0AtGyCzytA0BtGyByD0AyBtBzztCzztB0EyE0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0FtA0B0D0C0EtG0CtBtAtBtGyEyB0BzytG0ByByEyBtG0B0CzytByCtAtA0EtAzzzztD2QtN0A0LzuyE%26cr%3D799676936%26a%3Dwncy_gmmedply_15_50%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2277862347-689562813-1071508185-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_45&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzzyByCtA0F0AtBtC0B0ByB0AtCyCyBtN0D0Tzu0StCyEtDtCtN1L2XzutAtFtCyDtFtDtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyEtCzytC0ByC0AtBtGyEtDzy0CtG0EyD0E0CtGtByDyDtAtG0DtB0D0FtDyCyD0AyD0CyD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0FtA0B0D0C0EtG0CtBtAtBtGyEyB0BzytG0ByByEyBtG0B0CzytByCtAtA0EtAzzzztD2QtN0A0LzuyE%26cr%3D1793446830%26a%3Dwncy_gmmedply_15_45%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2277862347-689562813-1071508185-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_45&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzzyByCtA0F0AtBtC0B0ByB0AtCyCyBtN0D0Tzu0StCyEtDtCtN1L2XzutAtFtCyDtFtDtFtDtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2SyEtCzytC0ByC0AtBtGyEtDzy0CtG0EyD0E0CtGtByDyDtAtG0DtB0D0FtDyCyD0AyD0CyD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0FtA0B0D0C0EtG0CtBtAtBtGyEyB0BzytG0ByByEyBtG0B0CzytByCtAtA0EtAzzzztD2QtN0A0LzuyE%26cr%3D1793446830%26a%3Dwncy_gmmedply_15_45%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2277862347-689562813-1071508185-1000 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_gmmedply_15_50&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzzyByCtA0F0AtBtC0B0ByB0AtCyCyBtN0D0Tzu0StCyEtAyCtN1L2XzutAtFtCyDtFtAtFtBtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StAyCyE0AyBtBtBzytGtA0F0A0EtG0CyDtC0AtGyCzytA0BtGyByD0AyBtBzztCzztB0EyE0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzzyD0FtA0B0D0C0EtG0CtBtAtBtGyEyB0BzytG0ByByEyBtG0B0CzytByCtAtA0EtAzzzztD2QtN0A0LzuyE%26cr%3D799676936%26a%3Dwncy_gmmedply_15_50%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll [2011-11-07] (TechSmith Corporation)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-11-15] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-12-08] (AVAST Software)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2013-09-13] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-11-02] (Microsoft Corporation)
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll [2011-11-07] (TechSmith Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2013-11-15] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-12-08] (AVAST Software)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2013-09-13] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2013-11-02] (Microsoft Corporation)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll [2011-11-07] (TechSmith Corporation)
Toolbar: HKLM-x32 - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll [2011-11-07] (TechSmith Corporation)
Toolbar: HKU\S-1-5-21-2277862347-689562813-1071508185-1000 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Bing
FF Homepage: about:home
FF Keyword.URL: hxxp://www.bing.com/search?FORM=SK2MDF&PC=SK2M&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-08] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-08] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-05] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-05] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-11-15] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2277862347-689562813-1071508185-1000: SkypePlugin -> C:\Users\Roger Sockwell\AppData\Local\SkypePlugin\7.10.0.93\npGatewayNpapi.dll [2015-11-19] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-2277862347-689562813-1071508185-1000: SkypePlugin64 -> C:\Users\Roger Sockwell\AppData\Local\SkypePlugin\7.10.0.93\npGatewayNpapi-x64.dll [2015-11-19] (Skype Technologies S.A.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-11-15] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll [2011-12-09] (Nullsoft, Inc.)
FF SearchPlugin: C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\searchplugins\google-default.xml [2015-05-23]
FF SearchPlugin: C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\searchplugins\pinterest.xml [2015-12-05]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\extensions\adblockpopups@jessehakanen.net.xpi [2015-06-19]
FF Extension: Thumbnail Zoom Plus - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\extensions\thumbnailZoom@dadler.github.com.xpi [2015-07-30]
FF Extension: Flashblock - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2015-11-30]
FF Extension: anonymoX - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\client@anonymox.net.xpi [2015-09-28]
FF Extension: Blur - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\donottrackplus@abine.com.xpi [2015-07-15]
FF Extension: Translate This! - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\jid0-k75TfRGfOXPHfEZmJ9cKu5eCgLc@jetpack.xpi [2015-11-08]
FF Extension: Nimbus Screen Capture - editable screenshots. - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\nimbusscreencaptureff@everhelper.me.xpi [2015-10-29]
FF Extension: Video DownloadHelper - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-10-29]
FF Extension: Adblock Plus - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-11-26]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-10-08] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-08]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-12-08]
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR Profile: C:\Users\Roger Sockwell\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (avast! Online Security) - C:\Users\Roger Sockwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-07-01]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-08]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-10-12]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-08] (AVAST Software)
R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [1008344 2013-02-18] (Broadcom Corporation.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2015-10-12] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2015-10-12] (Microsoft Corporation)
R2 CLHNServiceForPowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe [87336 2012-01-12] (CyberLink Corp.)
R2 CyberLink PowerDVD 12 Media Server Monitor Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [75048 2012-01-12] (CyberLink)
R2 CyberLink PowerDVD 12 Media Server Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [296232 2012-01-12] (CyberLink)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15344 2013-01-31] (Intel Corporation)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-08-20] (Intel Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\LENOVO\easyplussdk\bin\EPHotspot64.exe [625632 2015-07-21] (Lenovo)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [30184 2013-08-08] ()
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 nlsX86cc; C:\Windows\SysWOW64\nlssrv32.exe [66560 2011-12-18] (Nalpeiron Ltd.) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-24] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-24] (Safer-Networking Ltd.)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2014-06-01] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [306552 2015-03-22] (Western Digital Technologies, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [36520 2012-09-13] (Advanced Micro Devices, Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-12-08] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [97648 2015-12-08] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-12-08] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-12-08] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1055560 2015-12-08] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [450504 2015-12-08] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [155304 2015-12-08] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [273784 2015-12-08] (AVAST Software)
S3 b06diag; C:\Windows\system32\drivers\bxdiaga.sys [88104 2012-03-08] (Broadcom Corporation)
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [165688 2012-09-24] (Broadcom Corporation.)
S3 BFN7x64; C:\Windows\system32\drivers\Xeno7x64.sys [157288 2012-02-22] (Bigfoot Networks, Inc.)
S3 bxfcoe; C:\Windows\system32\drivers\bxfcoe.sys [178216 2012-02-22] (Broadcom Corporation)
S3 bxois; C:\Windows\system32\drivers\bxois.sys [539176 2012-02-22] (Broadcom Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3341904 2012-03-25] (Broadcom Corporation)
S3 EtronSTOR; C:\Windows\System32\Drivers\EtronSTOR.sys [32512 2012-07-24] (Etron Technology Inc)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28656 2013-01-31] (Intel Corporation)
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [117912 2012-11-19] (Qualcomm Atheros Co., Ltd.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-12] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R2 ntk_PowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\ntk_PowerDVD12_64.sys [82928 2011-10-26] (Cyberlink Corp.)
S3 pbfilter; C:\Program Files\PeerBlock\pbfilter.sys [22600 2014-01-14] ()
S3 Spyder4; C:\Windows\System32\DRIVERS\dccmtr.sys [15360 2011-06-02] (Datacolor)
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312}; C:\Program Files (x86)\CyberLink\PowerDVD12\Common\NavFilter\000.fcl [146928 2012-01-11] (CyberLink Corp.)
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\3.7.0.0\PCFApiUtil64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-13 06:45 - 2015-12-13 06:45 - 00027741 _____ C:\Users\Roger Sockwell\Desktop\FRST.txt
2015-12-13 06:43 - 2015-12-13 06:45 - 00000000 ____D C:\FRST
2015-12-13 06:43 - 2015-12-13 06:43 - 02369536 _____ (Farbar) C:\Users\Roger Sockwell\Desktop\FRST64.exe
2015-12-13 06:39 - 2015-12-13 06:39 - 00001318 _____ C:\Users\Roger Sockwell\Desktop\AdwCleaner[C2].txt
2015-12-13 05:53 - 2015-12-13 05:54 - 00001315 _____ C:\Users\Roger Sockwell\Desktop\Computer.lnk
2015-12-13 05:40 - 2015-12-13 05:40 - 00000000 ____D C:\Users\Roger Sockwell\Documents\Custom Office Templates
2015-12-13 05:39 - 2015-12-13 05:39 - 01738240 _____ C:\Users\Roger Sockwell\Desktop\adwcleaner_5.024.exe
2015-12-13 05:37 - 2015-12-13 05:38 - 00000978 _____ C:\Users\Roger Sockwell\Desktop\CLEAN.txt
2015-12-13 05:35 - 2015-12-13 05:35 - 00017077 _____ C:\Users\Roger Sockwell\Desktop\mbam scan.txt
2015-12-13 04:59 - 2015-12-13 04:59 - 00000000 ____D C:\Users\Roger Sockwell\Desktop\Outlook.com
2015-12-12 04:42 - 2015-12-12 04:42 - 00000745 _____ C:\Users\Roger Sockwell\Desktop\39  NEW FUJI ALL - Shortcut (2).lnk
2015-12-12 01:06 - 2015-12-12 01:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Windows\PCHEALTH
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files\Microsoft SQL Server
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server
2015-12-12 01:04 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files\Microsoft Office
2015-12-12 01:04 - 2015-12-12 01:04 - 00000000 ____D C:\Program Files\Microsoft Analysis Services
2015-12-12 01:04 - 2015-12-12 01:04 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2015-12-12 00:58 - 2015-12-12 00:58 - 00019636 _____ C:\Users\Roger Sockwell\Documents\cc_20151212_005758.reg
2015-12-12 00:44 - 2015-12-12 01:17 - 00003722 _____ C:\Windows\System32\Tasks\AutoPico Daily Restart
2015-12-12 00:23 - 2015-12-13 06:38 - 00003758 _____ C:\Windows\System32\Tasks\AutoKMS
2015-12-12 00:23 - 2015-12-12 00:55 - 00000000 ____D C:\Windows\AutoKMS
2015-12-12 00:22 - 2015-12-12 00:22 - 00000000 ____D C:\ProgramData\Microsoft Toolkit
2015-12-11 23:23 - 2015-12-12 00:11 - 00000850 _____ C:\Users\Roger Sockwell\Desktop\Ebay Garage Sale.txt
2015-12-11 19:15 - 2015-12-11 19:15 - 00000000 ____D C:\x86
2015-12-11 19:15 - 2015-12-11 19:15 - 00000000 ____D C:\x64
2015-12-11 19:14 - 2015-12-11 19:14 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\PowerISO
2015-12-11 19:13 - 2015-12-11 19:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerISO
2015-12-11 19:13 - 2015-12-11 19:13 - 00000000 ____D C:\Program Files (x86)\PowerISO
2015-12-11 19:13 - 2013-01-27 05:35 - 00127384 _____ (Power Software Ltd) C:\Windows\system32\Drivers\scdemu.sys
2015-12-11 00:03 - 2015-12-13 06:38 - 00008192 _____ C:\Windows\SysWOW64\WDPABKP.dat
2015-12-10 16:16 - 2015-12-10 16:16 - 01889338 _____ C:\Users\Roger Sockwell\Desktop\20151270111.pdf
2015-12-09 02:55 - 2015-12-09 02:55 - 00001431 _____ C:\Users\Roger Sockwell\Desktop\Hjurrdzenz Samkanz.lnk
2015-12-09 02:48 - 2015-12-09 02:48 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2015-12-09 02:48 - 2015-12-09 02:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-12-09 02:41 - 2015-12-09 02:41 - 00008940 _____ C:\Users\Roger Sockwell\Documents\cc_20151209_024100.reg
2015-12-09 02:34 - 2015-12-09 02:34 - 00000082 _____ C:\Users\Roger Sockwell\Documents\cc_20151209_023426.reg
2015-12-09 02:31 - 2015-12-09 02:30 - 00002137 _____ C:\Users\Roger Sockwell\Documents\Skype (2).lnk
2015-12-08 23:58 - 2015-12-08 23:58 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151208-235846.backup
2015-12-08 23:58 - 2015-12-08 23:56 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151208-235811.backup
2015-12-08 23:24 - 2015-12-08 23:24 - 00386096 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-12-08 23:24 - 2015-12-08 23:24 - 00043112 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-12-08 23:13 - 2015-12-08 23:13 - 00059271 _____ C:\Users\Roger Sockwell\Desktop\212247.pdf
2015-12-08 06:32 - 2015-07-25 21:16 - 00070503 _____ C:\Users\Roger Sockwell\Desktop\Confirmation_for_Booking_ID_#_74249381_Check-in_July_26__2015(1).pdf
2015-12-05 09:57 - 2015-12-05 09:58 - 00000935 _____ C:\Users\Roger Sockwell\Desktop\CCleaner.lnk
2015-12-03 08:47 - 2015-12-03 08:47 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2015-12-01 04:52 - 2015-12-01 04:49 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151201-045250.backup
2015-12-01 00:46 - 2015-12-09 11:56 - 00000000 ____D C:\Users\Roger Sockwell\Desktop\Passport
2015-11-29 18:27 - 2015-11-29 18:27 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Local\SkypePlugin
2015-11-21 00:23 - 2015-12-09 03:14 - 00000000 ____D C:\Users\Roger Sockwell\AppData\LocalLow\BitTorrent

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-13 06:43 - 2009-07-13 19:20 - 00000000 ____D C:\Windows
2015-12-13 06:40 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-13 06:38 - 2013-09-13 06:41 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-13 06:37 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-13 06:36 - 2015-05-18 19:48 - 00000000 ____D C:\AdwCleaner
2015-12-13 06:15 - 2013-10-15 06:44 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-13 06:05 - 2013-09-13 06:41 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-13 05:59 - 2014-10-13 09:12 - 00001351 _____ C:\Users\Roger Sockwell\Desktop\H Permission.lnk
2015-12-13 05:57 - 2014-05-30 20:35 - 00001260 _____ C:\Users\Roger Sockwell\Desktop\G DCIM.lnk
2015-12-13 05:57 - 2013-09-26 17:48 - 00001330 _____ C:\Users\Roger Sockwell\Desktop\E Drive.lnk
2015-12-13 05:56 - 2014-02-07 22:36 - 00001332 ____H C:\Users\Roger Sockwell\Desktop\D Drive.lnk
2015-12-13 05:53 - 2015-03-11 20:53 - 00001980 _____ C:\Users\Roger Sockwell\Desktop\Roger.lnk
2015-12-13 05:50 - 2009-07-13 20:45 - 00053536 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-13 05:50 - 2009-07-13 20:45 - 00053536 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-13 05:42 - 2009-07-13 20:45 - 00435528 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-13 05:41 - 2013-09-26 17:50 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\SWEDISH SYNDICATE
2015-12-13 05:33 - 2013-09-15 11:30 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\Skype
2015-12-12 16:32 - 2015-03-05 00:11 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-12 16:14 - 2013-10-02 09:16 - 00664732 _____ C:\Windows\system32\perfh01D.dat
2015-12-12 16:14 - 2013-10-02 09:16 - 00143012 _____ C:\Windows\system32\perfc01D.dat
2015-12-12 16:14 - 2013-10-02 09:01 - 00746728 _____ C:\Windows\system32\perfh00C.dat
2015-12-12 16:14 - 2013-10-02 09:01 - 00150118 _____ C:\Windows\system32\perfc00C.dat
2015-12-12 16:14 - 2013-10-02 08:52 - 00746468 _____ C:\Windows\system32\perfh00A.dat
2015-12-12 16:14 - 2013-10-02 08:52 - 00159012 _____ C:\Windows\system32\perfc00A.dat
2015-12-12 16:14 - 2013-10-02 08:44 - 00393356 _____ C:\Windows\system32\perfh00D.dat
2015-12-12 16:14 - 2013-10-02 08:44 - 00085296 _____ C:\Windows\system32\perfc00D.dat
2015-12-12 16:14 - 2013-10-02 08:36 - 00741058 _____ C:\Windows\system32\perfh010.dat
2015-12-12 16:14 - 2013-10-02 08:36 - 00147384 _____ C:\Windows\system32\perfc010.dat
2015-12-12 16:14 - 2013-10-02 08:30 - 00698220 _____ C:\Windows\system32\perfh007.dat
2015-12-12 16:14 - 2013-10-02 08:30 - 00149654 _____ C:\Windows\system32\perfc007.dat
2015-12-12 16:14 - 2009-07-13 21:13 - 05553804 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-12 06:18 - 2013-09-23 09:10 - 00001769 _____ C:\Users\Roger Sockwell\Desktop\Downloads.lnk
2015-12-12 04:45 - 2015-08-25 12:29 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Me Me Me
2015-12-12 04:45 - 2014-08-09 07:00 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Music 2 Go
2015-12-12 04:44 - 2013-09-23 11:43 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Trip Modz 2013
2015-12-12 04:38 - 2014-10-12 13:25 - 00000000 ___RD C:\100  ICONZ redo
2015-12-12 04:37 - 2013-08-04 05:10 - 00000000 ____D C:\MICROSOFT OFFICE 2010 Professional Plus EN-TH
2015-12-12 01:18 - 2013-09-12 14:37 - 00111520 _____ C:\Users\Roger Sockwell\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-12 01:12 - 2013-09-14 22:45 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-12 01:05 - 2011-04-12 00:28 - 00000000 ____D C:\Windows\ShellNew
2015-12-12 01:05 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-12-12 01:04 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2015-12-12 01:04 - 2009-07-13 18:34 - 00000478 _____ C:\Windows\win.ini
2015-12-12 00:53 - 2013-09-14 22:45 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-12-11 22:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2015-12-11 22:06 - 2015-08-01 22:52 - 00000000 ____D C:\Users\Roger Sockwell\Desktop\fgvwerb 10
2015-12-11 22:01 - 2015-06-22 22:16 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\z P
2015-12-11 20:05 - 2014-01-26 02:23 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\Challenger Grabbag
2015-12-10 11:14 - 2013-09-21 07:50 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\BitTorrent
2015-12-09 11:42 - 2015-10-10 12:08 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Thai Visa 2015
2015-12-09 03:13 - 2015-10-29 09:05 - 00000000 ____D C:\Program Files\PeerBlock
2015-12-09 02:54 - 2013-09-15 11:30 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-12-09 02:49 - 2013-09-15 11:30 - 00000000 ____D C:\ProgramData\Skype
2015-12-09 02:48 - 2014-03-27 22:31 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Local\Skype
2015-12-09 02:36 - 2013-09-12 11:51 - 05485992 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-12-08 23:30 - 2013-12-03 21:55 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-12-08 23:30 - 2013-12-03 21:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-12-08 23:30 - 2013-11-07 12:18 - 00000000 ____D C:\Program Files\WinRAR
2015-12-08 23:24 - 2014-08-06 19:34 - 00155304 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-12-08 23:24 - 2014-08-06 19:34 - 00028656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 01055560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00450504 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00273784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00097648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00093528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00065224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-12-08 23:15 - 2013-10-15 06:44 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-08 23:15 - 2013-09-15 11:49 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-08 23:15 - 2013-09-15 11:49 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-06 22:15 - 2015-11-02 19:01 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Local\{15B323EF-311B-4F57-5C83-6ABF78EB9627}
2015-12-06 22:14 - 2015-11-02 19:02 - 00002461 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk
2015-12-06 22:14 - 2015-11-02 19:02 - 00000344 __RSH C:\ProgramData\ntuser.pol
2015-12-06 22:14 - 2013-09-23 09:19 - 00001209 _____ C:\Users\Roger Sockwell\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk
2015-12-06 22:14 - 2013-09-13 06:57 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-12-05 10:22 - 2015-08-01 22:52 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Karen Hilltribe Lodge
2015-12-03 22:00 - 2013-09-13 06:41 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-03 22:00 - 2013-09-13 06:41 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-12-03 08:47 - 2015-07-31 21:22 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-03 02:55 - 2014-11-12 04:36 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\1  Photoz Diwidzen
2015-12-02 08:25 - 2013-09-15 11:09 - 00000000 ____D C:\Windows\pss
2015-12-01 14:37 - 2009-07-13 21:08 - 00032540 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-12-01 04:52 - 2009-07-13 18:34 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151208-235603.backup
2015-11-28 01:48 - 2015-05-18 23:39 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-11-24 14:55 - 2015-03-27 21:57 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Rice Mill Class
2015-11-22 14:45 - 2015-03-09 13:16 - 00000000 ____D C:\Users\Roger Sockwell\Desktop\Fun FB Pix
2015-11-19 13:33 - 2014-12-14 09:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-11-19 13:33 - 2014-12-14 09:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-11-19 13:28 - 2009-07-13 18:34 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151201-044956.backup

==================== Files in the root of some directories =======

2013-12-18 09:01 - 2015-11-12 00:02 - 0000212 _____ () C:\Users\Roger Sockwell\AppData\Roaming\WB.CFG
2013-10-19 11:16 - 2014-02-12 20:13 - 0011264 _____ () C:\Users\Roger Sockwell\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-14 12:15 - 2014-07-14 12:15 - 0004096 ____H () C:\Users\Roger Sockwell\AppData\Local\keyfile3.drm
2013-09-12 12:39 - 2013-09-12 12:39 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\Roger Sockwell\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-12-11 05:18

==================== End of FRST.txt ============================


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 PM

Posted 13 December 2015 - 02:08 PM

Please run the MBAM program and fix everything that will be found.

===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-2277862347-689562813-1071508185-1000 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (avast! Online Security) - C:\Users\Roger Sockwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-07-01]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-08]
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\3.7.0.0\PCFApiUtil64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Post the logs for my review.

Include also the Addition.txt file that was created by the Farbar tool.

How is the computer running now?

#5 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 14 December 2015 - 01:01 AM

1) Ok, so I did the MBAM scan and then quarantined everything.

    Here's the report for that.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/13/2015
Scan Time: 4:15 PM
Logfile: MBAM Scan Sun.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.13.04
Rootkit Database: v2015.12.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Roger Sockwell

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 362251
Time Elapsed: 11 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [3068871d850603336fbbf3d9e320c23e],
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, Quarantined, [07914064266596a0062428a40df6c43c],
PUP.Optional.WinYahoo, HKU\S-1-5-21-2277862347-689562813-1071508185-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [178151531378bb7b45e3389493708d73],
PUP.Optional.WinYahoo, HKU\S-1-5-21-2277862347-689562813-1071508185-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2F23AB71-4AC6-41F2-A955-EA576E553146}, Quarantined, [7820bde72863c47244e4428ac83bce32],

Registry Values: 8

Registry Data: 1

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.WinYahoo, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HowToRemove.html.lnk, Quarantined, [9bfd4b595635fc3aee51629fc44006fa],
Physical Sectors: 0
(No malicious items detected)
(end)

2) And here's the Fixlog

Fix result of Farbar Recovery Scan Tool (x64) Version:12-12-2015 01
Ran by Roger Sockwell (2015-12-13 20:18:58) Run:1
Running from C:\Users\Roger Sockwell\Desktop
Loaded Profiles: Roger Sockwell (Available Profiles: Roger Sockwell)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-2277862347-689562813-1071508185-1000 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (avast! Online Security) - C:\Users\Roger Sockwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-07-01]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-08]
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\3.7.0.0\PCFApiUtil64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon" => key removed successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found.
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => value removed successfully
HKCR\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Roger Sockwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
BprotectEx => service removed successfully
PCFApiUtil => service removed successfully
VGPU => service removed successfully
EmptyTemp: => 510.1 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-12-13 20:21:25)

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Could not move

==== End of Fixlog 20:21:25 ====

3) Does it look like I did it all right? Computer seems fine, but there's still the same problem with my thumb drive. It has not been scanned/ treated/ freed up. It still has a virus or something sealing off about 15 gigs of the 16 available. This is the point where I know there's a problem and I'm worried about removing it and preventing it getting into my laptop. I'll attach some screen shots....

You can see that my G Drive has 14.5 gigs sealed off and inoperable - that area has a lot of files I want access to, and I don't know what program (Panda? Avast?) sealed them/ that section off. How to fix the virus and get access again?

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 PM

Posted 14 December 2015 - 09:49 AM


I can suggest two options. Not sure if they will correct your situation.

Download, install and run Panda USB Vaccine

The usb vaccination performed by this program will permanently disable any autorun.inf functionality of your usb stick. After the vaccination you will be able to use the usb stick normally and files (even malware) can be copied to/from it, however they will be prevented from executing automatically. This vaccination can only be reversed with a reformat of the usb stick.

Download and save Panda USB Vaccine from >>>here<<<
Double click the file USBVaccineSetup.exe to start the installation.
During setup uncheck the option to Run Panda USB Vaccine automatically when computer boots.
Start Panda USB Vaccine.
Insert your usb-stick, choose the correct drive letter (i.e "F:\") and click Vaccinate USB.
When it's finished, close the program.
You can delete the downloaded USBVaccineSetup.exe.

<<<>>>


Not sure if this will work but you can try it.

Unlocker tool.
http://download.cnet.com/Unlocker/3000-2248_4-10493998.html

If the problem persists I suggest you start a new topic in the external hardware forum.
http://www.bleepingcomputer.com/forums/f/138/external-hardware/

Someone with that type of experience may be able to guide you better than I can.

I will leave this topic open for 6 days.
If you need to return please do.
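Added example, not code from the thread or from Panda: a stdlib-only Python inventory that attributes a stick's used space to visible files versus Hidden/System entries and flags any autorun.inf, the file the vaccination above is meant to neutralise, so "sealed off" space can be traced to something the walk can name. The drive letter G:, folder names and byte counts in SAMPLE_ENTRIES are constructed for illustration; walk_drive needs Windows to read file attributes.

```python
import ntpath
import os
import shutil
import stat
from dataclasses import dataclass

# Windows FILE_ATTRIBUTE_* bits as reported in os.stat().st_file_attributes.
ATTR_READONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20


@dataclass
class Entry:
    path: str        # Windows-style path such as G:\autorun.inf
    size: int        # bytes, 0 for directories
    attributes: int  # FILE_ATTRIBUTE_* bit mask


def is_concealed(entry: Entry) -> bool:
    """Hidden or System entries are exactly what Explorer hides by default."""
    return bool(entry.attributes & (ATTR_HIDDEN | ATTR_SYSTEM))


def summarize(entries, used_bytes):
    """Attribute the volume's used space to visible vs. concealed entries.

    unaccounted_bytes is whatever the walk could not explain: filesystem
    metadata and slack on a clean stick, or entries the walk could not read.
    """
    visible = sum(e.size for e in entries if not is_concealed(e))
    concealed = sum(e.size for e in entries if is_concealed(e))
    concealed_dirs = sorted(e.path for e in entries
                            if is_concealed(e) and e.attributes & ATTR_DIRECTORY)
    autorun = sorted(e.path for e in entries
                     if ntpath.basename(e.path).lower() == "autorun.inf")
    return {
        "visible_bytes": visible,
        "concealed_bytes": concealed,
        "unaccounted_bytes": max(used_bytes - visible - concealed, 0),
        "concealed_dirs": concealed_dirs,
        "autorun_inf": autorun,
    }


def walk_drive(root):
    """Collect Entry records from a mounted drive (e.g. G:\\).

    st_file_attributes only exists on Windows; elsewhere attributes read as 0.
    """
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable entry: skip it, do not abort the inventory
            attrs = getattr(st, "st_file_attributes", 0)
            size = st.st_size if stat.S_ISREG(st.st_mode) else 0
            entries.append(Entry(full, size, attrs))
    return entries


def report_drive(root):
    """Live inventory of a drive letter; used space comes from the volume itself."""
    return summarize(walk_drive(root), shutil.disk_usage(root).used)


def gib(n):
    return f"{n / 2 ** 30:.2f} GiB"


def format_report(summary):
    lines = [
        f"visible files:       {gib(summary['visible_bytes'])}",
        f"hidden/system files: {gib(summary['concealed_bytes'])}",
        f"unaccounted for:     {gib(summary['unaccounted_bytes'])}",
    ]
    lines += [f"hidden/system dir:   {d}" for d in summary["concealed_dirs"]]
    lines += [f"autorun.inf present: {a}" for a in summary["autorun_inf"]]
    return "\n".join(lines)


# Constructed sample, not data from the thread: a 16 GB stick where Explorer
# shows about 7.5 MB of photos while the volume reports about 15.6 GB used.
SAMPLE_ENTRIES = [
    Entry(r"G:\Photos", 0, ATTR_DIRECTORY),
    Entry(r"G:\Photos\IMG_0001.jpg", 4_000_000, ATTR_ARCHIVE),
    Entry(r"G:\Photos\IMG_0002.jpg", 3_500_000, ATTR_ARCHIVE),
    Entry(r"G:\autorun.inf", 128, ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM),
    Entry(r"G:\HiddenSample", 0, ATTR_HIDDEN | ATTR_SYSTEM | ATTR_DIRECTORY),
    Entry(r"G:\HiddenSample\data.bin", 14_500_000_000, ATTR_HIDDEN | ATTR_SYSTEM),
]
SAMPLE_USED_BYTES = 15_600_000_000


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_ENTRIES, SAMPLE_USED_BYTES)))
```

On the real stick, call report_drive(r"G:\\") from an administrator prompt; a large hidden/system total or an autorun.inf at the root is what to show the helper next.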

#7 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 15 December 2015 - 05:27 AM

Hi Nasdaq. I just ran a free ESET diagnosis to see if anything would show up, and something did. The thumb drive has a trojan. Can't you lead me to both a free scanner and cleaner that I can tell to just treat this specific drive? That seems even easier than cleaning the whole machine like we just did.

Here is a screen grab with the exact name BZ Trojan. Please let me know if you know what to do next or if I really have to go to the external gear subforum.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:26 PM

Posted 15 December 2015 - 07:45 AM

Download, install and run Panda USB Vaccine

The usb vaccination performed by this program will permanently disable any autorun.inf functionality of your usb stick. After the vaccination you will be able to use the usb stick normally and files (even malware) can be copied to/from it, however they will be prevented from executing automatically. This vaccination can only be reversed with a reformat of the usb stick.

Download and save Panda USB Vaccine from >>>here<<<
Double click the file USBVaccineSetup.exe to start the installation.
During setup uncheck the option to Run Panda USB Vaccine automatically when computer boots.
Start Panda USB Vaccine.
Insert your usb-stick, choose the correct drive letter (i.e "F:\") and click Vaccinate USB.
When it's finished, close the program.
You can delete the downloaded USBVaccineSetup.exe.

===

Run the Farbar tool on your computer and post a fresh FRST log.
Before you run the tool check the box to create a new Addition.txt file. Include that also in your next reply.

#9 thaiguy

thaiguy
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:09:26 AM

Posted 16 December 2015 - 10:10 PM

Hi Nasdaq. I'll post what I got, but it looks like I still need to run a virus removal tool, as the thumb drive still appears to be missing/ have me locked out of 15 of 16 gigabytes of space. After you look, please advise on whether to create a new post in the other subforum or not. I'd like to scan and remove this asap so I can use the drive again. The free eset scan only identified the threat, but had no option for treatment. Thanks.

Please take a look....

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-12-2015
Ran by Roger Sockwell (administrator) on ROGERSOCKWELL (16-12-2015 18:27:17)
Running from C:\Users\Roger Sockwell\Desktop\Fix Computer 1215
Loaded Profiles: Roger Sockwell (Available Profiles: Roger Sockwell)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation.) C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe
(CyberLink) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\nlssrv32.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDIntelligent.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Power Software Ltd) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_235.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_20_0_0_235.exe
(Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1647616 2013-03-04] (Conexant Systems, Inc.)
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2876816 2013-03-05] (ELAN Microelectronics Corp.)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [8079408 2013-09-12] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [6199128 2013-09-12] (Lenovo(beijing) Limited)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [286192 2013-01-31] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-02-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7021880 2015-12-08] (AVAST Software)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5563760 2014-06-01] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1761120 2015-03-22] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [337432 2013-01-27] (Power Software Ltd)
Winlogon\Notify\igfxcui: C:\Windows\SYSTEM32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8591272 2015-11-16] (Piriform Ltd)
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\MountPoints2: G - "G:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\MountPoints2: {fb986c44-52eb-11e4-9203-b8763fa21bb8} - "J:\WD Drive Unlock.exe" autoplay=true
HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\MountPoints2: {fcd9aec0-6eaa-11e5-a191-208984dc876e} - "J:\WD Drive Unlock.exe" autoplay=true
Lsa: [Notification Packages] scecli C:\Program Files\Lenovo\Bluetooth Software\BtwProximityCP.dll
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-12-08] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.17.1 192.168.1.1
Tcpip\..\Interfaces\{24AC6F63-C542-45A5-BA4E-3C74D507C4C3}: [DhcpNameServer] 192.168.17.1 192.168.1.1
Tcpip\..\Interfaces\{24B03F3A-1986-4A8B-8A9A-43DC1F3BF3D1}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll [2011-11-07] (TechSmith Corporation)
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2013-11-15] (Microsoft Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-12-08] (AVAST Software)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL [2013-09-13] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL [2013-11-02] (Microsoft Corporation)
BHO-x32: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll [2011-11-07] (TechSmith Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2013-11-15] (Microsoft Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-12-08] (AVAST Software)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL [2013-09-13] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2013-11-02] (Microsoft Corporation)
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll [2011-11-07] (TechSmith Corporation)
Toolbar: HKLM-x32 - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll [2011-11-07] (TechSmith Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL [2012-10-01] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2015-10-12] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2015-10-12] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default
FF SearchEngineOrder.3: Bing
FF SelectedSearchEngine: Bing
FF Homepage: about:home
FF Keyword.URL: hxxp://www.bing.com/search?FORM=SK2MDF&PC=SK2M&q=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-08] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-08] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-05] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-05] (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2013-11-15] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL [2012-10-01] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2277862347-689562813-1071508185-1000: SkypePlugin -> C:\Users\Roger Sockwell\AppData\Local\SkypePlugin\7.10.0.93\npGatewayNpapi.dll [2015-11-19] (Skype Technologies S.A.)
FF Plugin HKU\S-1-5-21-2277862347-689562813-1071508185-1000: SkypePlugin64 -> C:\Users\Roger Sockwell\AppData\Local\SkypePlugin\7.10.0.93\npGatewayNpapi-x64.dll [2015-11-19] (Skype Technologies S.A.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2013-11-15] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npwachk.dll [2011-12-09] (Nullsoft, Inc.)
FF SearchPlugin: C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\searchplugins\google-default.xml [2015-05-23]
FF SearchPlugin: C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\searchplugins\pinterest.xml [2015-12-05]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\extensions\adblockpopups@jessehakanen.net.xpi [2015-06-19]
FF Extension: Thumbnail Zoom Plus - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\extensions\thumbnailZoom@dadler.github.com.xpi [2015-07-30]
FF Extension: Flashblock - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2015-11-30]
FF Extension: anonymoX - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\client@anonymox.net.xpi [2015-09-28]
FF Extension: Blur - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\donottrackplus@abine.com.xpi [2015-07-15]
FF Extension: Translate This! - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\jid0-k75TfRGfOXPHfEZmJ9cKu5eCgLc@jetpack.xpi [2015-11-08]
FF Extension: Nimbus Screen Capture - editable screenshots. - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\nimbusscreencaptureff@everhelper.me.xpi [2015-10-29]
FF Extension: Video DownloadHelper - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-10-29]
FF Extension: Adblock Plus - C:\Users\Roger Sockwell\AppData\Roaming\Mozilla\Firefox\Profiles\ad2pwg91.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-12-15]
FF Extension: Skype Click to Call - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2015-10-08] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-08]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-12-08]
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR Profile: C:\Users\Roger Sockwell\AppData\Local\Google\Chrome\User Data\Default
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2015-10-12]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-08] (AVAST Software)
R2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [1008344 2013-02-18] (Broadcom Corporation.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2015-10-12] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2015-10-12] (Microsoft Corporation)
R2 CLHNServiceForPowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe [87336 2012-01-12] (CyberLink Corp.)
R2 CyberLink PowerDVD 12 Media Server Monitor Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [75048 2012-01-12] (CyberLink)
R2 CyberLink PowerDVD 12 Media Server Service; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [296232 2012-01-12] (CyberLink)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15344 2013-01-31] (Intel Corporation)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-08-20] (Intel Corporation)
S3 Lenovo EasyPlus Hotspot; C:\Program Files (x86)\Common Files\LENOVO\easyplussdk\bin\EPHotspot64.exe [625632 2015-07-21] (Lenovo)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [30184 2013-08-08] ()
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 nlsX86cc; C:\Windows\SysWOW64\nlssrv32.exe [66560 2011-12-18] (Nalpeiron Ltd.) [File not signed]
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-24] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-24] (Safer-Networking Ltd.)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2014-06-01] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [306552 2015-03-22] (Western Digital Technologies, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [36520 2012-09-13] (Advanced Micro Devices, Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-12-08] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [97648 2015-12-08] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-12-08] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-12-08] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1055560 2015-12-08] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [450504 2015-12-08] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [155304 2015-12-08] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [273784 2015-12-08] (AVAST Software)
S3 b06diag; C:\Windows\system32\drivers\bxdiaga.sys [88104 2012-03-08] (Broadcom Corporation)
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [165688 2012-09-24] (Broadcom Corporation.)
S3 BFN7x64; C:\Windows\system32\drivers\Xeno7x64.sys [157288 2012-02-22] (Bigfoot Networks, Inc.)
S3 bxfcoe; C:\Windows\system32\drivers\bxfcoe.sys [178216 2012-02-22] (Broadcom Corporation)
S3 bxois; C:\Windows\system32\drivers\bxois.sys [539176 2012-02-22] (Broadcom Corporation)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3341904 2012-03-25] (Broadcom Corporation)
S3 EtronSTOR; C:\Windows\System32\Drivers\EtronSTOR.sys [32512 2012-07-24] (Etron Technology Inc)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28656 2013-01-31] (Intel Corporation)
R3 L1C; C:\Windows\System32\DRIVERS\L1C62x64.sys [117912 2012-11-19] (Qualcomm Atheros Co., Ltd.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R2 ntk_PowerDVD12; C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\ntk_PowerDVD12_64.sys [82928 2011-10-26] (Cyberlink Corp.)
S3 pbfilter; C:\Program Files\PeerBlock\pbfilter.sys [22600 2014-01-14] ()
S3 Spyder4; C:\Windows\System32\DRIVERS\dccmtr.sys [15360 2011-06-02] (Datacolor)
R2 {329F96B6-DF1E-4328-BFDA-39EA953C1312}; C:\Program Files (x86)\CyberLink\PowerDVD12\Common\NavFilter\000.fcl [146928 2012-01-11] (CyberLink Corp.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-16 17:13 - 2015-12-16 17:13 - 00003108 _____ C:\Windows\System32\Tasks\PandaUSBVaccine
2015-12-16 17:13 - 2015-12-16 17:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
2015-12-16 17:13 - 2015-12-16 17:13 - 00000000 ____D C:\Program Files (x86)\Panda USB Vaccine
2015-12-16 17:12 - 2015-12-16 17:12 - 00737736 _____ (Panda Security ) C:\Users\Roger Sockwell\Downloads\USBVaccineSetup50a.exe
2015-12-16 14:49 - 2015-12-16 14:49 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\PervsOnPatrol.com_15.11.05.Nicole.Bexley.Cutie.Does.Love.Spell.For.Dick.XXX.IMAGESET-FuGLi[rarbg]
2015-12-16 14:45 - 2015-12-16 14:49 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\Cosmid.net_15.12.15.Cameron.Camerons.Ottoman.XXX.iMAGESET-YAPG[rarbg]
2015-12-16 14:45 - 2015-12-16 14:49 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\Cosmid.net_15.12.13.Katie.Rawls.Katie.And.Her.Bikini.XXX.iMAGESET-YAPG[rarbg]
2015-12-16 14:45 - 2015-12-16 14:49 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\Cosmid.net_15.12.11.Britney.Knox.Britney.In.The.Spa.XXX.iMAGESET-YAPG[rarbg]
2015-12-16 14:45 - 2015-12-16 14:49 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\Cosmid.net_15.12.09.April.Sutton.April.Jump.Roping.XXX.iMAGESET-YAPG[rarbg]
2015-12-15 23:32 - 2015-12-15 23:32 - 00330071 _____ C:\Users\Roger Sockwell\Downloads\1366180720Team-EXR rodweekly.com
2015-12-14 22:32 - 2015-12-14 22:32 - 00000000 ____D C:\Program Files (x86)\ESET
2015-12-14 22:31 - 2015-12-14 22:31 - 02870984 _____ (ESET) C:\Users\Roger Sockwell\Downloads\esetsmartinstaller_enu.exe
2015-12-14 18:14 - 2015-12-14 18:14 - 00010790 _____ C:\Users\Roger Sockwell\Documents\cc_20151214_181441.reg
2015-12-14 04:38 - 2015-12-14 08:12 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AVErotica.com_15.10.05.Sarita.Pines.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 04:31 - 2015-12-14 08:46 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.09.18.Kinsley.Busty.Jogger.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 04:31 - 2015-12-14 06:53 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\HoneySchool.com_15.12.03.Paris.In.Her.Bra.And.Panties.XXX.IMAGESET-FuGLi[rarbg]
2015-12-14 04:31 - 2015-12-14 05:00 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\HoneySchool.com_15.11.29.Alina.Henessy.Madeline.Alina.And.Madeline.Ass.bleeped.In.Threeway.XXX.IMAGESET-FuGLi[rarbg]
2015-12-14 04:30 - 2015-12-14 04:31 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AbbyWinters.15.12.07.Chloe.V.Solo.XXX.1080p.MP4.KTR
2015-12-14 03:51 - 2015-12-14 18:51 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\InTheCrack.com_14.07.28.Jamie.Jackson.Set.946.XXX.IMAGESET-FuGLi[rarbg]
2015-12-14 03:49 - 2015-12-14 18:51 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\InTheCrack.com_14.04.11.Jamie.Jackson.Set.909.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:48 - 2015-12-14 04:03 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AssParade.com_13.08.05.Jamie.Jackson.Beautiful.Round.Ass.XXX.iMAGESET-YAPG[rarbg]
2015-12-14 03:39 - 2015-12-14 23:07 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.07.31.Madi.II.Poolside.Kinky.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:39 - 2015-12-14 03:59 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.07.31.Madi.II.Sultry.In.Black.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:35 - 2015-12-14 18:51 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.10.09.Molly.The.Black.Dress.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:34 - 2015-12-14 03:56 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.08.28.Lindsey.Poolside.Splits.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:34 - 2015-12-14 03:55 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.08.28.Lindsey.Penetrate.Me.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:34 - 2015-12-14 03:54 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.08.28.Lindsey.Busty.Schoolgirl.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:34 - 2015-12-14 03:46 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.08.28.Lindsey.The.Quiet.Road.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:27 - 2015-12-14 11:51 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\FTVGirls.com_15.10.09.Molly.Casually.Cute.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:13 - 2015-12-14 03:34 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AVErotica.com_15.12.04.Gerda.Fell.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:10 - 2015-12-14 03:58 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AVErotica.com_15.12.07.Cecelia.Fort.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:10 - 2015-12-14 03:16 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AVErotica.com_15.12.05.Hanna.Dressing.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:09 - 2015-12-14 03:49 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AVErotica.com_15.12.11.Sanita.Garden.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:09 - 2015-12-14 03:20 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AVErotica.com_15.12.10.Nora.Violet.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:09 - 2015-12-14 03:15 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\AVErotica.com_15.12.12.Hanna.Sexy.XXX.IMAGESET-GAGBALL[rarbg]
2015-12-14 03:03 - 2015-12-14 03:03 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\BigNaturals - Tiff Bannister (Stiff for tiff) 02-December-2015
2015-12-14 01:37 - 2004-04-21 05:55 - 01036854 _____ C:\Users\Roger Sockwell\Downloads\PDVD_004.BMP
2015-12-13 20:52 - 2015-12-13 20:53 - 00001392 _____ C:\Users\Roger Sockwell\Desktop\D Drive.lnk
2015-12-13 06:43 - 2015-12-16 18:27 - 00000000 ____D C:\FRST
2015-12-13 05:53 - 2015-12-13 05:54 - 00001315 _____ C:\Users\Roger Sockwell\Desktop\Computer.lnk
2015-12-13 05:40 - 2015-12-13 05:40 - 00000000 ____D C:\Users\Roger Sockwell\Documents\Custom Office Templates
2015-12-12 04:42 - 2015-12-12 04:42 - 00000745 _____ C:\Users\Roger Sockwell\Desktop\39  NEW FUJI ALL - Shortcut (2).lnk
2015-12-12 01:06 - 2015-12-12 01:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Windows\PCHEALTH
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files\Microsoft SQL Server
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files\Common Files\DESIGNER
2015-12-12 01:05 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server
2015-12-12 01:04 - 2015-12-12 01:05 - 00000000 ____D C:\Program Files\Microsoft Office
2015-12-12 01:04 - 2015-12-12 01:04 - 00000000 ____D C:\Program Files\Microsoft Analysis Services
2015-12-12 01:04 - 2015-12-12 01:04 - 00000000 ____D C:\Program Files (x86)\Microsoft Analysis Services
2015-12-12 00:58 - 2015-12-12 00:58 - 00019636 _____ C:\Users\Roger Sockwell\Documents\cc_20151212_005758.reg
2015-12-12 00:44 - 2015-12-12 01:17 - 00003722 _____ C:\Windows\System32\Tasks\AutoPico Daily Restart
2015-12-12 00:23 - 2015-12-16 15:21 - 00003756 _____ C:\Windows\System32\Tasks\AutoKMS
2015-12-12 00:23 - 2015-12-12 00:55 - 00000000 ____D C:\Windows\AutoKMS
2015-12-12 00:22 - 2015-12-12 00:22 - 00000000 ____D C:\ProgramData\Microsoft Toolkit
2015-12-11 23:23 - 2015-12-12 00:11 - 00000850 _____ C:\Users\Roger Sockwell\Desktop\Ebay Garage Sale.txt
2015-12-11 19:15 - 2015-12-11 19:15 - 00000000 ____D C:\x86
2015-12-11 19:15 - 2015-12-11 19:15 - 00000000 ____D C:\x64
2015-12-11 19:14 - 2015-12-11 19:14 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\PowerISO
2015-12-11 19:13 - 2015-12-11 19:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerISO
2015-12-11 19:13 - 2015-12-11 19:13 - 00000000 ____D C:\Program Files (x86)\PowerISO
2015-12-11 19:13 - 2013-01-27 05:35 - 00127384 _____ (Power Software Ltd) C:\Windows\system32\Drivers\scdemu.sys
2015-12-11 00:03 - 2015-12-16 15:19 - 00008192 _____ C:\Windows\SysWOW64\WDPABKP.dat
2015-12-09 02:55 - 2015-12-09 02:55 - 00001431 _____ C:\Users\Roger Sockwell\Desktop\Hjurrdzenz Samkanz.lnk
2015-12-09 02:48 - 2015-12-09 02:48 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2015-12-09 02:48 - 2015-12-09 02:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-12-09 02:41 - 2015-12-09 02:41 - 00008940 _____ C:\Users\Roger Sockwell\Documents\cc_20151209_024100.reg
2015-12-09 02:34 - 2015-12-09 02:34 - 00000082 _____ C:\Users\Roger Sockwell\Documents\cc_20151209_023426.reg
2015-12-09 02:31 - 2015-12-09 02:30 - 00002137 _____ C:\Users\Roger Sockwell\Documents\Skype (2).lnk
2015-12-08 23:58 - 2015-12-08 23:58 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151208-235846.backup
2015-12-08 23:58 - 2015-12-08 23:56 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151208-235811.backup
2015-12-08 23:24 - 2015-12-08 23:24 - 00386096 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-12-08 23:24 - 2015-12-08 23:24 - 00043112 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-12-05 09:57 - 2015-12-05 09:58 - 00000935 _____ C:\Users\Roger Sockwell\Desktop\CCleaner.lnk
2015-12-03 08:47 - 2015-12-03 08:47 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2015-12-01 04:52 - 2015-12-01 04:49 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151201-045250.backup
2015-12-01 00:46 - 2015-12-14 23:24 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Passport
2015-11-29 18:27 - 2015-11-29 18:27 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Local\SkypePlugin
2015-11-21 00:23 - 2015-12-16 14:44 - 00000000 ____D C:\Users\Roger Sockwell\AppData\LocalLow\BitTorrent

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-16 18:26 - 2015-08-01 22:52 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Fix Computer 1215
2015-12-16 18:15 - 2013-10-15 06:44 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-16 18:05 - 2013-09-13 06:41 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-12-16 15:36 - 2013-09-21 07:50 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\BitTorrent
2015-12-16 15:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2015-12-16 15:36 - 2009-07-13 19:20 - 00000000 ____D C:\Windows
2015-12-16 15:34 - 2009-07-13 20:45 - 00053536 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-16 15:34 - 2009-07-13 20:45 - 00053536 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-16 15:21 - 2013-09-13 06:41 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-12-16 15:19 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-16 15:18 - 2015-10-29 09:05 - 00000000 ____D C:\Program Files\PeerBlock
2015-12-15 00:36 - 2015-10-10 12:08 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Thai Visa 2015
2015-12-15 00:23 - 2015-03-27 21:57 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Rice Mill Class
2015-12-15 00:18 - 2015-03-05 00:11 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-14 23:58 - 2015-06-22 22:16 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Folder Folder
2015-12-14 23:24 - 2013-09-23 11:43 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Trip Modz 2013
2015-12-14 20:47 - 2015-08-25 12:29 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Me Me Me
2015-12-14 12:57 - 2013-09-12 12:01 - 00000000 ___RD C:\Users\Roger Sockwell
2015-12-14 04:03 - 2015-03-09 13:16 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Fun FB Pix
2015-12-14 04:01 - 2015-11-01 15:07 - 00002177 _____ C:\Users\Roger Sockwell\Desktop\Meme Crash.lnk
2015-12-14 04:00 - 2014-10-13 09:12 - 00001353 _____ C:\Users\Roger Sockwell\Desktop\H Permission.lnk
2015-12-13 21:04 - 2014-08-09 07:00 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Music 2 Go
2015-12-13 20:58 - 2015-10-10 12:14 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Jack Astro Suparerk
2015-12-13 20:56 - 2014-05-28 07:10 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Fitness
2015-12-13 20:54 - 2015-03-11 20:53 - 00001940 _____ C:\Users\Roger Sockwell\Desktop\Roger.lnk
2015-12-13 06:36 - 2015-05-18 19:48 - 00000000 ____D C:\AdwCleaner
2015-12-13 05:57 - 2014-05-30 20:35 - 00001260 _____ C:\Users\Roger Sockwell\Desktop\G DCIM.lnk
2015-12-13 05:57 - 2013-09-26 17:48 - 00001330 _____ C:\Users\Roger Sockwell\Desktop\E Drive.lnk
2015-12-13 05:42 - 2009-07-13 20:45 - 00435528 _____ C:\Windows\system32\FNTCACHE.DAT
2015-12-13 05:41 - 2013-09-26 17:50 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\SWEDISH SYNDICATE
2015-12-13 05:33 - 2013-09-15 11:30 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\Skype
2015-12-12 16:14 - 2013-10-02 09:16 - 00664732 _____ C:\Windows\system32\perfh01D.dat
2015-12-12 16:14 - 2013-10-02 09:16 - 00143012 _____ C:\Windows\system32\perfc01D.dat
2015-12-12 16:14 - 2013-10-02 09:01 - 00746728 _____ C:\Windows\system32\perfh00C.dat
2015-12-12 16:14 - 2013-10-02 09:01 - 00150118 _____ C:\Windows\system32\perfc00C.dat
2015-12-12 16:14 - 2013-10-02 08:52 - 00746468 _____ C:\Windows\system32\perfh00A.dat
2015-12-12 16:14 - 2013-10-02 08:52 - 00159012 _____ C:\Windows\system32\perfc00A.dat
2015-12-12 16:14 - 2013-10-02 08:44 - 00393356 _____ C:\Windows\system32\perfh00D.dat
2015-12-12 16:14 - 2013-10-02 08:44 - 00085296 _____ C:\Windows\system32\perfc00D.dat
2015-12-12 16:14 - 2013-10-02 08:36 - 00741058 _____ C:\Windows\system32\perfh010.dat
2015-12-12 16:14 - 2013-10-02 08:36 - 00147384 _____ C:\Windows\system32\perfc010.dat
2015-12-12 16:14 - 2013-10-02 08:30 - 00698220 _____ C:\Windows\system32\perfh007.dat
2015-12-12 16:14 - 2013-10-02 08:30 - 00149654 _____ C:\Windows\system32\perfc007.dat
2015-12-12 16:14 - 2009-07-13 21:13 - 05553804 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-12 06:18 - 2013-09-23 09:10 - 00001769 _____ C:\Users\Roger Sockwell\Desktop\Downloads.lnk
2015-12-12 04:38 - 2014-10-12 13:25 - 00000000 ___RD C:\100  ICONZ redo
2015-12-12 04:37 - 2013-08-04 05:10 - 00000000 ____D C:\MICROSOFT OFFICE 2010 Professional Plus EN-TH
2015-12-12 01:18 - 2013-09-12 14:37 - 00111520 _____ C:\Users\Roger Sockwell\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-12 01:12 - 2013-09-14 22:45 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-12 01:05 - 2011-04-12 00:28 - 00000000 ____D C:\Windows\ShellNew
2015-12-12 01:05 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2015-12-12 01:04 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\System
2015-12-12 01:04 - 2009-07-13 18:34 - 00000478 _____ C:\Windows\win.ini
2015-12-12 00:53 - 2013-09-14 22:45 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2015-12-11 22:25 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\MSBuild
2015-12-11 22:06 - 2015-08-01 22:52 - 00000000 ____D C:\Users\Roger Sockwell\Desktop\Merch Sell 2015
2015-12-11 20:05 - 2014-01-26 02:23 - 00000000 ____D C:\Users\Roger Sockwell\Downloads\Challenger Grabbag
2015-12-09 02:54 - 2013-09-15 11:30 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-12-09 02:49 - 2013-09-15 11:30 - 00000000 ____D C:\ProgramData\Skype
2015-12-09 02:48 - 2014-03-27 22:31 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Local\Skype
2015-12-09 02:36 - 2013-09-12 11:51 - 05485992 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-12-08 23:58 - 2009-07-13 18:34 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151215-001149.backup
2015-12-08 23:30 - 2013-12-03 21:55 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-12-08 23:30 - 2013-12-03 21:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-12-08 23:30 - 2013-11-07 12:18 - 00000000 ____D C:\Program Files\WinRAR
2015-12-08 23:24 - 2014-08-06 19:34 - 00155304 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-12-08 23:24 - 2014-08-06 19:34 - 00028656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 01055560 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00450504 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00273784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00097648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00093528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00065224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2015-12-08 23:24 - 2013-09-13 06:41 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-12-08 23:15 - 2013-10-15 06:44 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-08 23:15 - 2013-09-15 11:49 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-08 23:15 - 2013-09-15 11:49 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-06 22:15 - 2015-11-02 19:01 - 00000000 ____D C:\Users\Roger Sockwell\AppData\Local\{15B323EF-311B-4F57-5C83-6ABF78EB9627}
2015-12-06 22:14 - 2015-11-02 19:02 - 00000344 __RSH C:\ProgramData\ntuser.pol
2015-12-06 22:14 - 2013-09-23 09:19 - 00001209 _____ C:\Users\Roger Sockwell\AppData\Roaming\Microsoft\Windows\Start Menu\GOM Player.lnk
2015-12-06 22:14 - 2013-09-13 06:57 - 00001147 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-12-05 10:22 - 2015-08-01 22:52 - 00000000 ___RD C:\Users\Roger Sockwell\Desktop\Karen Hilltribe Lodge
2015-12-03 22:00 - 2013-09-13 06:41 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-12-03 22:00 - 2013-09-13 06:41 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-12-03 08:47 - 2015-07-31 21:22 - 00000000 ____D C:\Program Files\Common Files\AV
2015-12-02 08:25 - 2013-09-15 11:09 - 00000000 ____D C:\Windows\pss
2015-12-01 14:37 - 2009-07-13 21:08 - 00032540 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-12-01 04:52 - 2009-07-13 18:34 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151208-235603.backup
2015-11-28 01:48 - 2015-05-18 23:39 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-11-19 13:33 - 2014-12-14 09:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-11-19 13:33 - 2014-12-14 09:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-11-19 13:28 - 2009-07-13 18:34 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts.20151201-044956.backup

==================== Files in the root of some directories =======

2013-12-18 09:01 - 2015-11-12 00:02 - 0000212 _____ () C:\Users\Roger Sockwell\AppData\Roaming\WB.CFG
2013-10-19 11:16 - 2014-02-12 20:13 - 0011264 _____ () C:\Users\Roger Sockwell\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-07-14 12:15 - 2014-07-14 12:15 - 0004096 ____H () C:\Users\Roger Sockwell\AppData\Local\keyfile3.drm
2013-09-12 12:39 - 2013-09-12 12:39 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-12-11 05:18

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:17-12-2015
Ran by Roger Sockwell (2015-12-16 18:27:45)
Running from C:\Users\Roger Sockwell\Desktop\Fix Computer 1215
Windows 7 Ultimate Service Pack 1 (X64) (2013-09-12 20:01:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2277862347-689562813-1071508185-500 - Administrator - Disabled)
Guest (S-1-5-21-2277862347-689562813-1071508185-501 - Limited - Disabled)
Roger Sockwell (S-1-5-21-2277862347-689562813-1071508185-1000 - Administrator - Enabled) => C:\Users\Roger Sockwell

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AC3Filter 2.5b (HKLM-x32\...\AC3Filter_is1) (Version: 2.5b - Alexander Vigovsky)
ACDSee Pro 7 (64-bit) (HKLM\...\{D2A6EC54-CB46-49E4-A6FC-A9179F9D9D12}) (Version: 7.0.137 - ACD Systems International Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20079 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.235 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{72B00742-24A4-76E6-5740-E41DA195473A}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{3FA365DF-2D68-45ED-8F83-8C8A33E65143}) (Version: 1.1.0 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}) (Version: 2.1.1.116 - Apple Inc.)
Avast Free Antivirus (HKLM-x32\...\avast) (Version: 11.1.2245 - AVAST Software)
BitTorrent (HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\BitTorrent) (Version: 7.9.5.41373 - BitTorrent Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.12 - Piriform)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.64.49.0 - Conexant)
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.1312.54 - CyberLink Corp.)
Dolby Advanced Audio v2 (HKLM-x32\...\{B9E70C7A-9F85-4A39-A4A3-BFA3C3BF7613}) (Version: 7.2.8000.17 - Dolby Laboratories Inc)
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 7.0.3.4 - Lenovo)
Energy Management (x32 Version: 7.0.3.4 - Lenovo) Hidden
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Extended Asian Language font pack for Adobe Reader XI (HKLM-x32\...\{AC76BA86-7AD7-2530-0000-A00000000004}) (Version: 11.0.0 - Adobe Systems Incorporated)
FUJIFILM MyFinePix Studio 4.2 (HKLM-x32\...\MyFinePix Studio_is1) (Version:  - )
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.2.74.5237 - Gretech Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.29.1 - Google Inc.) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.241 - SurfRight B.V.)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1281 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.0.0.1083 - Intel Corporation)
Lenovo Bluetooth with Enhanced Data Rate Software (HKLM\...\{A1439D4F-FD46-47F2-A1D3-FEE097C29A09}) (Version: 6.5.1.4000 - Broadcom Corporation)
Lenovo pointing device (HKLM\...\Elantech) (Version: 11.4.14.1 - ELAN Microelectronic Corp.)
Lenovo Solution Center (HKLM\...\{B73D2BF9-2C82-40A4-AFA8-32CE2E501640}) (Version: 2.2.002.00 - Lenovo Group Limited)
Lenovo_Wireless_Driver (HKLM-x32\...\{36CE10BD-A076-4DE3-A8A7-2F61E3FB2E6A}) (Version: 6.20.55.14 - Lenovo)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Metric Collection SDK 35 (x32 Version: 1.2.0010.00 - Lenovo Group Limited) Hidden
Microsoft .NET Framework 4.5.2 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (español) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 3082) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (Français) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1036) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (Italiano) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1040) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (svenska) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1053) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (עברית) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1037) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft LifeCam (HKLM\...\{5CE7E3F5-9803-4F32-AA89-2D8848A80109}) (Version: 3.60.253.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729 (HKLM\...\{4FFA2088-8317-3B14-93CD-4C699DB37843}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 42.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
OEM Application Profile (HKLM-x32\...\{C89A97B6-F991-EBB5-77B7-927BCF420EBE}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4420.1017 - Microsoft Corporation) Hidden
Pamela Basic 4.8 (HKLM-x32\...\Pamela) (Version: 4.8 - Scendix Software-Vertriebsges. mbH)
Panda USB Vaccine 1.0.0.50a (HKLM-x32\...\{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1) (Version:  - Panda Security)
PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC)
Perfect Portrait (HKLM-x32\...\{61B36E76-3C5D-44F0-980C-61AF679008B8}) (Version: 1.0.1 - onOne Software)
PowerISO (HKLM-x32\...\PowerISO) (Version: 5.5 - Power Software Ltd)
PowerXpressHybrid (x32 Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
PX Profile Update (x32 Version: 1.00.1. - AMD) Hidden
Qualcomm Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.12 - Qualcomm Atheros Communications Inc.)
RAF (HKLM-x32\...\{E6B43401-E818-4961-AFED-118DD8E87642}) (Version: 1.00.0001 - FUJIFILM Corporation)
RAW FILE CONVERTER EX powered by SILKYPIX (HKLM-x32\...\InstallShield_{30B1CCDB-209B-4E94-8311-379F2E6B6B59}) (Version: 3 - Ichikawa Soft Laboratory)
RAW FILE CONVERTER EX powered by SILKYPIX (x32 Version: 3 - Ichikawa Soft Laboratory) Hidden
Realtek USB Card Reader (HKLM-x32\...\{1E496A68-4943-424E-829D-5C3C85B7B8F2}) (Version: 6.2.9200.39041 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.51 - Piriform)
SHAREit (HKLM-x32\...\SHAREit_is1) (Version: 2.5.1.5 - Lenovo Group Limited)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.5.0.9082 - Microsoft Corporation)
Skype Web Plugin (HKLM-x32\...\{8BEE5ACB-38F9-442F-9AA5-A543929FF40B}) (Version: 7.10.0.93 - Skype Technologies S.A.)
Skype™ 7.16 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.16.101 - Skype Technologies S.A.)
Snagit 10.0.2 (HKLM-x32\...\{92D194E7-AEF9-4A9E-8620-8F3AE712E3F7}) (Version: 10.0.2 - TechSmith Corporation)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.3.39 - Safer-Networking Ltd.)
TOEFL Official Guide 4.0 (HKLM-x32\...\TOEFL Official Guide) (Version: 4.0 - McGraw-Hill)
WD Drive Utilities (HKLM-x32\...\{F9784E1D-4455-4BFF-A97A-1B1355A4FFDB}) (Version: 1.0.6.3 - Western Digital Technologies, Inc.)
WD Quick View (HKLM-x32\...\{324C58C7-A292-4523-A943-91DE1EB6A1FE}) (Version: 2.4.1.9 - Western Digital Technologies, Inc.)
WD Security (HKLM-x32\...\{b304f1ed-b08a-4d51-882b-fd651777d297}) (Version: 1.2.0.83 - Western Digital Technologies, Inc.)
WD Security (x32 Version: 1.2.0.83 - Western Digital Technologies, Inc.) Hidden
WD SmartWare (HKLM\...\{F6ABA2F3-9759-48CD-B25B-A07A811E92E4}) (Version: 2.4.1.9 - Western Digital Technologies, Inc.)
WD SmartWare Installer (HKLM-x32\...\{72fda14f-5a07-49d5-b7f7-202377e9b522}) (Version: 2.4.1.9 - Western Digital Technologies, Inc.)
Winamp (HKLM-x32\...\Winamp) (Version: 5.623  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Windows Driver Package - Lenovo (ACPIVPC) System  (12/15/2011 7.1.0.1) (HKLM\...\99841829BE839365AA67B2AD0E50D371F59F8A1E) (Version: 12/15/2011 7.1.0.1 - Lenovo)
WinRAR 5.21 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2277862347-689562813-1071508185-1000_Classes\CLSID\{6BF4677D-E377-4F8E-853F-5188F4644E5D}\localserver32 -> C:\Users\Roger Sockwell\AppData\Local\SkypePlugin\7.10.0.93\GatewayVersion-x64.exe (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-2277862347-689562813-1071508185-1000_Classes\CLSID\{A7F95602-7A35-4A15-B88E-7C55B7EE956C}\InprocServer32 -> C:\Users\Roger Sockwell\AppData\Local\SkypePlugin\7.10.0.93\GatewayActiveX-x64.dll (Skype Technologies S.A.)
CustomCLSID: HKU\S-1-5-21-2277862347-689562813-1071508185-1000_Classes\CLSID\{CBF9CD8C-2714-4F36-B76A-43E6C7547BC2}\localserver32 -> C:\Users\Roger Sockwell\AppData\Local\SkypePlugin\7.10.0.93\EdgeCalling.exe (Skype Technologies S.A.)

==================== Restore Points =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2015-12-15 00:11 - 00450863 ____R C:\Windows\system32\Drivers\etc\hosts

127.0.0.1    acdid.acdsystems.com
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com
127.0.0.1    123moviedownload.com
127.0.0.1    www.123moviedownload.com

There are 15464 more lines.


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {00BDF87F-2F64-4A0A-A161-BB6841210D34} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-12-08] (AVAST Software)
Task: {0FFE3D09-5DCF-4CEA-8D61-55490ACF52E1} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-11-16] (Piriform Ltd)
Task: {14B961F9-16F1-4E46-AF49-8894FDE640B0} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {150F4879-E3D6-4A6C-9AAF-331756B9FA05} - System32\Tasks\Lenovo\LSC\LSCHardwareScanPostpone => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2013-08-08] ()
Task: {15EBD671-742D-4942-AF4C-900A4997CA48} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
Task: {19BBEB43-39B3-4C00-A19A-F63CC3CAD72A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {1ACFF341-7E7F-448A-84B9-D9B4CE3E2347} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSCService.exe [2013-08-08] (Lenovo)
Task: {30DB35CD-0BDB-489A-8B17-A4B208920CDA} - System32\Tasks\Baidu PC Faster Update => $szInstallingDir\Updater.exe
Task: {3B73D372-45CF-4FBB-A8D0-86A47AD40613} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2013-08-08] (Lenovo)
Task: {3D2E5784-5999-4D95-823A-FA0BF48D2320} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {4F103466-A2D3-4DB7-9AFD-841C9DEF165F} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2015-12-15] (AVAST Software)
Task: {4FB8EEB4-BD6F-4B8C-8429-ADF5469F376B} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2014-04-24] (Safer-Networking Ltd.)
Task: {67662A33-4987-44D9-B791-9B2ABEF386E4} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2015-07-06] (Lenovo)
Task: {6DC3C5C1-F5DD-4894-8A3F-2569F8CF185D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-08] (Adobe Systems Incorporated)
Task: {8593A272-5A3F-4854-B356-0A678D34F7A4} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2014-04-24] (Safer-Networking Ltd.)
Task: {8A2F85C9-3D36-4288-BAFA-F27539E2CDFF} - System32\Tasks\Lenovo\LSC\LSCHardwareScan => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2013-08-08] ()
Task: {98356145-C11B-4793-8DEF-1F3864E77789} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2012-10-01] (Microsoft Corporation)
Task: {BA497DA9-A29D-42A4-9259-A76832C8C71F} - System32\Tasks\PandaUSBVaccine => C:\Program Files (x86)\Panda USB Vaccine\RunInteractiveWin.exe [2009-06-16] ()
Task: {CACD67A3-1054-4AFD-B11D-926DF1E0BB13} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {D8C7EFC0-A691-44BE-BDA3-F24741C82A70} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2012-10-01] (Microsoft Corporation)
Task: {FC3F73FE-0A03-40A4-865F-965BAA8A1A93} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-12-12] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2012-10-01 20:36 - 2012-10-01 20:36 - 06522480 _____ () C:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2008-12-19 12:20 - 2013-09-12 14:28 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2012-03-10 01:30 - 2013-09-12 14:28 - 01509936 _____ () C:\Program Files (x86)\Lenovo\Energy Management\EMWpfUI.dll
2008-12-19 12:20 - 2013-09-12 14:28 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2012-12-13 11:42 - 2012-12-13 11:42 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2015-12-08 23:24 - 2015-12-08 23:24 - 00103888 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2015-12-08 23:24 - 2015-12-08 23:24 - 00125512 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2015-12-16 14:09 - 2015-12-16 14:09 - 02803712 _____ () C:\Program Files\AVAST Software\Avast\defs\15121600\algo.dll
2015-12-08 23:24 - 2015-12-08 23:24 - 00469008 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2015-02-14 20:49 - 2012-01-08 19:48 - 00541683 _____ () C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\sqlite3.dll
2014-04-30 15:35 - 2014-04-24 23:11 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-04-30 15:35 - 2014-04-24 23:11 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2014-04-30 15:35 - 2014-04-24 23:11 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-04-30 15:35 - 2012-08-22 19:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2014-04-30 15:35 - 2012-04-03 02:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2013-09-12 13:49 - 2012-07-17 15:55 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2015-12-08 23:24 - 2015-12-08 23:24 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2012-10-01 20:37 - 2012-10-01 20:37 - 06522480 _____ () C:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2015-12-08 23:15 - 2015-12-08 23:15 - 17647296 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7867 more sites.

IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-2277862347-689562813-1071508185-1000\...\123simsen.com -> www.123simsen.com

There are 7867 more sites.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2277862347-689562813-1071508185-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.17.1 - 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk => C:\Windows\pss\Bluetooth.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SpyderUtility.lnk => C:\Windows\pss\SpyderUtility.lnk.CommonStartup
MSCONFIG\startupreg: ACPW05EN => "C:\Program Files (x86)\ACD Systems\ACDSee Pro\5.0\ACDSeeProInTouch2.exe" /pid ACPW05EN
MSCONFIG\startupreg: ACPW07EN => "C:\Program Files\ACD Systems\ACDSee Pro\7.0\acdIDInTouch2.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BingSvc => C:\Users\Roger Sockwell\AppData\Local\Microsoft\BingSvc\BingSvc.exe
MSCONFIG\startupreg: BitTorrent => "C:\Users\Roger Sockwell\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED
MSCONFIG\startupreg: cAudioFilterAgent => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: Dolby Advanced Audio v2 => "C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart
MSCONFIG\startupreg: LifeCam => "C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe"
MSCONFIG\startupreg: MMReminderService => C:\Program Files (x86)\Mindjet\MindManager 10\MMReminderService.exe
MSCONFIG\startupreg: PeerBlock => C:\Program Files\PeerBlock\peerblock.exe
MSCONFIG\startupreg: PowerDVD12Agent => "C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe"
MSCONFIG\startupreg: PowerDVD12DMREngine => "C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe"
MSCONFIG\startupreg: SDTray => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [TCP Query User{0796EA04-A5F9-42D3-A174-DFCAFF550C24}C:\program files (x86)\winamp\winamp.exe] => (Block) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [UDP Query User{02990DA6-C4CE-4B9A-94F1-4E5661E9D89D}C:\program files (x86)\winamp\winamp.exe] => (Block) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [TCP Query User{781AAE15-F753-4294-9796-49CF6AC51DD3}C:\users\roger sockwell\appdata\roaming\bittorrent\bittorrent.exe] => (Allow) C:\users\roger sockwell\appdata\roaming\bittorrent\bittorrent.exe
FirewallRules: [UDP Query User{AFFCAC40-8C03-4DAB-830F-3DC7425BD15D}C:\users\roger sockwell\appdata\roaming\bittorrent\bittorrent.exe] => (Allow) C:\users\roger sockwell\appdata\roaming\bittorrent\bittorrent.exe
FirewallRules: [{6D52F469-0746-41FC-9B24-3E605CBC3247}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{B58BC09D-D81E-4813-ADEB-A80E5693088E}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{0B1C7B8F-3550-43FA-BAF6-F958DE954583}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{2C782384-F35C-44D5-9246-270AAF685F53}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{B1FB0649-26D8-486B-BA0A-FE11519E50F1}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{0C161ECB-5EA7-4D0D-89BE-245EF10AE257}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{5FC7DFBF-396E-48C9-9EA0-6A03ABFD663C}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{82ABBE0C-F034-42DA-912D-9BE827878E5F}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{79E40F30-42A7-4E36-B1FF-43814F73E965}] => (Allow) C:\Users\Roger Sockwell\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{FC57C5D2-FB95-4826-A302-C351AE9FE8BE}] => (Allow) C:\Users\Roger Sockwell\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [TCP Query User{887FABFA-F8B4-46AB-A220-5BE94613E34F}C:\program files (x86)\winamp\winamp.exe] => (Block) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [UDP Query User{5EB239A5-6EB3-44E7-95BB-159866BA1B5D}C:\program files (x86)\winamp\winamp.exe] => (Block) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [{48294F5F-B372-49BF-97E3-5B3212D15A6E}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D7506E58-027B-4910-AA9D-7FC5EAEE6DE5}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{0B1E8E46-F3B6-443C-8E69-B0D2D3D5D40C}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{B40DBD9E-E26F-4B55-BDC5-393E6D894176}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
FirewallRules: [{7247376E-FEEA-4D22-82DC-B374FBA281B7}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{18ADC928-B7F2-4943-84DA-F7FAC75E1DF1}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe
FirewallRules: [{2E145D4F-B68C-4B57-A615-135D0D72EE06}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{FB83B4D7-E683-456D-AA9A-33C1E59B7F9B}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD Cinema\PowerDVDCinema12.exe
FirewallRules: [TCP Query User{ADCEBC21-5919-47E4-851B-0070D81D81FD}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{3A227F4B-53D1-452E-9168-108935039A21}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{F371900D-AEC4-4510-91A3-2DC2A4B52A68}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{E51D7263-40A6-4664-8EF6-8AB9CA8CDD93}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{EC3C1F1F-CA51-41EC-86AB-830FD7FCBA24}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{FEF8E6DB-5738-462A-B17A-511C4133BB85}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4C4B62AC-85B7-4F22-85B5-67380289D4E6}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{8FDD5654-C5DA-456A-831F-5FA1CC7FC7AC}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{F67598A8-F483-48E9-A848-83076E8D201B}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{0F116B3D-A042-4164-BAD7-A7F3A495B37E}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{6F12A56E-20C2-4F7C-BD82-27EC8D587B95}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{7845C838-5E40-4307-99C8-BFA32E080081}] => (Allow) LPort=1688
FirewallRules: [{ADCC7E29-0A01-4F50-AD01-07B7C3A17E9C}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/16/2015 04:25:18 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).

Error: (12/16/2015 03:19:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/16/2015 10:35:20 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).

Error: (12/16/2015 03:12:41 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (12/15/2015 10:07:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/15/2015 05:12:14 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/15/2015 04:07:05 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).

Error: (12/15/2015 12:23:50 AM) (Source: ThreadLib) (EventID: 0) (User: )
Description: ThreadLib::Thread Exception::

Error: (12/15/2015 12:22:49 AM) (Source: ThreadLib) (EventID: 0) (User: )
Description: ThreadLib::Thread Exception::

Error: (12/15/2015 12:07:49 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.


System errors:
=============
Error: (12/16/2015 03:18:28 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (12/15/2015 05:26:27 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (12/15/2015 11:33:16 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (12/14/2015 10:35:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/14/2015 10:35:16 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\ROGERS~1\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/14/2015 10:35:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/14/2015 10:35:16 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\ROGERS~1\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/14/2015 10:35:16 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275

Error: (12/14/2015 10:35:16 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Users\ROGERS~1\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (12/14/2015 10:33:34 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The eapihdrv service failed to start due to the following error:
%%1275


==================== Memory info ===========================

Processor: Intel® Core™ i5-3230M CPU @ 2.60GHz
Percentage of memory in use: 67%
Total physical RAM: 3964.85 MB
Available physical RAM: 1293.95 MB
Total Virtual: 7927.91 MB
Available Virtual: 4915.12 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:120.04 GB) (Free:39.56 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:345.72 GB) (Free:156.54 GB) NTFS
Drive e: () (Fixed) (Total:428.49 GB) (Free:233.02 GB) NTFS
Drive g: () (Removable) (Total:14.55 GB) (Free:0.89 GB) FAT32
Drive h: () (Removable) (Total:0.95 GB) (Free:0.66 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 894.3 GB) (Disk ID: 05BDBE4D)
Partition 1: (Active) - (Size=120 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=345.7 GB) - (Type=OF Extended)
Partition 3: (Not Active) - (Size=428.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 970.5 MB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 2 (Size: 14.6 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================



#10 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 December 2015 - 11:09 AM


You should remove this. It will not solve your Flash drive problem.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {15EBD671-742D-4942-AF4C-900A4997CA48} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
Task: {FC3F73FE-0A03-40A4-865F-965BAA8A1A93} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-12-12] ()
AlternateDataStreams: C:\Windows:nlsPreferences
C:\Program Files\KMSpico

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

You should start a new topic in the External Hardware forum.
http://www.bleepingcomputer.com/forums/f/138/external-hardware/
Someone may be able to help you. This is not caused by malware and is not my forte.

I will leave this topic open for 6 days if you need to return please do.

#11 thaiguy
  • Topic Starter
  • Members
  • 58 posts

Posted 18 December 2015 - 06:37 AM

Here's that fixlog, Nasdaq. Let me know if everything's set back to how it should be after that last run, and then I'll know we're done. Thanks.

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:17-12-2015
Ran by Roger Sockwell (2015-12-18 02:29:04) Run:2
Running from C:\Users\Roger Sockwell\Desktop\Fix Computer 1215
Loaded Profiles: Roger Sockwell (Available Profiles: Roger Sockwell)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Task: {15EBD671-742D-4942-AF4C-900A4997CA48} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
Task: {FC3F73FE-0A03-40A4-865F-965BAA8A1A93} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-12-12] ()
AlternateDataStreams: C:\Windows:nlsPreferences
C:\Program Files\KMSpico

End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{15EBD671-742D-4942-AF4C-900A4997CA48}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15EBD671-742D-4942-AF4C-900A4997CA48}" => key removed successfully
C:\Windows\System32\Tasks\AutoPico Daily Restart => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FC3F73FE-0A03-40A4-865F-965BAA8A1A93} => key not found.
C:\Windows\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
C:\Windows => ":nlsPreferences" ADS removed successfully.
"C:\Program Files\KMSpico" => not found.
EmptyTemp: => 356.4 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 02:29:12 ====
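
The fixlist in post #10 is built from FRST's own "Task:" log lines, and the Fixlog above reports each registry key and task file separately, which is why AutoKMS shows one "key not found" next to two successful removals. The script below is an added example for this thread, not FRST's code or anything the posters wrote: it parses "Task:" lines from an Addition.txt, flags the ones worth a fix (the KMSpico/AutoKMS names removed above, anything launched from a non-standard folder under C:\Windows, anything launched from a user-writable path), emits the matching fixlist entries verbatim, and then reconciles those entries against the Fixlog. The two task lines and the Fixlog lines are copied from the logs posted in this topic; the Adobe task with the all-zero GUID is a constructed benign control, and the flagging rules are an assumption, not FRST's logic.

```python
"""Triage FRST 'Task:' lines and reconcile a fixlist against its Fixlog.

Added example for this thread, not part of FRST or of the posts above.
The KMSpico/AutoKMS task lines and the Fixlog lines are copied from the
logs posted in this topic; the Adobe line (all-zero GUID) is a constructed
benign control. The flagging heuristics are an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

TASKCACHE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
# FRST writes one scheduled task per line:
#   Task: {GUID} - System32\Tasks\<name> => <command> [date] (publisher)
TASK_RE = re.compile(
    r"^Task: (\{[0-9A-Fa-f-]{36}\}) - System32\\Tasks\\(.+?) => (.+?)"
    r"(?: \[\d{4}-\d{2}-\d{2}\])?(?: \([^()]*\))?$"
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
KNOWN_ACTIVATORS = ("kmspico", "autokms", "autopico")  # names removed in the fix above

ADDITION_SAMPLE = r"""
Task: {15EBD671-742D-4942-AF4C-900A4997CA48} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe
Task: {FC3F73FE-0A03-40A4-865F-965BAA8A1A93} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2015-12-12] ()
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-01-01] (Adobe Systems Incorporated)
"""

FIXLOG_SAMPLE = r"""
Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{15EBD671-742D-4942-AF4C-900A4997CA48}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{15EBD671-742D-4942-AF4C-900A4997CA48}" => key removed successfully
C:\Windows\System32\Tasks\AutoPico Daily Restart => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FC3F73FE-0A03-40A4-865F-965BAA8A1A93} => key not found.
C:\Windows\System32\Tasks\AutoKMS => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
C:\Windows => ":nlsPreferences" ADS removed successfully.
"C:\Program Files\KMSpico" => not found.
EmptyTemp: => 356.4 MB temporary data Removed.
"""


@dataclass
class Task:
    guid: str
    name: str
    command: str
    raw: str  # the original log line; FRST wants it verbatim in fixlist.txt


def parse_tasks(addition_log: str) -> list[Task]:
    tasks = []
    for line in addition_log.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            tasks.append(Task(m.group(1), m.group(2), m.group(3), line.strip()))
    return tasks


def suspicious_reasons(command: str) -> list[str]:
    """Heuristic reasons a task deserves a human look; empty list means none."""
    p = command.lower()
    reasons = []
    if any(tok in p for tok in KNOWN_ACTIVATORS):
        reasons.append("known activation-cracker name")
    if p.startswith("c:\\windows\\") and not p.startswith(SYSTEM_DIRS):
        reasons.append("runs from a non-standard folder under C:\\Windows")
    if "\\users\\" in p or "\\appdata\\" in p or "\\temp\\" in p:
        reasons.append("runs from a user-writable location")
    return reasons


def flag_tasks(tasks: list[Task]) -> list[tuple[Task, list[str]]]:
    return [(t, r) for t in tasks if (r := suspicious_reasons(t.command))]


def build_fixlist(flagged: list[tuple[Task, list[str]]]) -> list[str]:
    # An FRST fixlist is the log lines to act on, bracketed by 'start' and 'End'.
    return ["start", ""] + [t.raw for t, _ in flagged] + ["", "End"]


def reconcile(fixlog: str, tasks: list[Task]) -> dict[str, dict[str, str]]:
    """Map each task to the Fixlog result for its TaskCache keys and task file."""
    results = {}
    for line in fixlog.splitlines():
        if " => " in line:
            subject, result = line.split(" => ", 1)
            results[subject.strip().strip('"')] = result.strip().rstrip(".")
    report = {}
    for t in tasks:
        report[t.name] = {
            "tasks_key": results.get(f"{TASKCACHE}\\Tasks\\{t.guid}", "no fixlog line"),
            "tree_key": results.get(f"{TASKCACHE}\\Tree\\{t.name}", "no fixlog line"),
            "task_file": results.get(f"C:\\Windows\\System32\\Tasks\\{t.name}", "no fixlog line"),
        }
    return report


def unresolved(report: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Components without a clean removal; 'key not found' is listed so a human can judge it."""
    return {name: [k for k, v in parts.items() if not v.endswith("successfully")]
            for name, parts in report.items()
            if any(not v.endswith("successfully") for v in parts.values())}


if __name__ == "__main__":
    flagged = flag_tasks(parse_tasks(ADDITION_SAMPLE))
    for task, reasons in flagged:
        print(f"{task.name}: {', '.join(reasons)}")
    print("\n".join(build_fixlist(flagged)))
    print(unresolved(reconcile(FIXLOG_SAMPLE, [t for t, _ in flagged])))
```

Run against the posted logs this flags both KMSpico tasks and leaves the Adobe control alone; the reconciliation then singles out AutoKMS, whose TaskCache\Tasks key was reported "key not found" while its task file and Tree key were removed. That is not a failed fix, but it does mean the registry record for that GUID was already gone when FRST ran, which is exactly the kind of loose end to check by hand after a reboot.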



#12 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 December 2015 - 10:49 AM

Error: (0) Failed to create a restore point.

We should take care of this.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

#13 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 December 2015 - 10:43 AM

Are you still with me?

#14 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 December 2015 - 10:20 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



