
Possible infection, svchost.exe high CPU usage


7 replies to this topic

#1 mowersman

Posted 26 December 2015 - 07:24 PM

Hi all, sorry for jumping in almost straight away with a question.

I've been having some serious issues over the last couple of days, with my laptop performing very slowly and regularly crashing (No BSOD, just dies :unsure: ...)

The computer is a Lenovo Thinkpad T400, Core 2 Duo P8600 2.4Ghz with 8gb of RAM, Running Windows 7 Ultimate.

I think I have narrowed the problem down to one of the many svchost.exe processes in task manager running around 50% CPU usage. Running Process Explorer suggests that this has two "processes" under it, both called taskeng.exe, one with GoogleUpdate.exe under it and one with AdobeARM under it. I kill the process, but a few minutes later it starts right back up, again, around the 50% mark. This just seems rather odd to me and to my untrained mind, suggests malware or a virus.

I have run both Avast antivirus and Malwarebytes and neither of those have thrown up anything that relates to it, only a few potentially unwanted programs.

 

I do hope I haven't missed any important information out, but if I have, let me know and I will try my best to find and include it.

 

Cheers

Andrew
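
Added example, not part of the original thread: a way to confirm from the command line what post #1 saw in Process Explorer, namely which svchost.exe instance is busy, which services it hosts, and which processes (taskeng.exe and the tasks it launched) run under it. It assumes Windows PowerShell 2.0 or later, which ships with Windows 7; the 5-second sampling window and the function names are choices made for this example.

```powershell
# Added example (not from the thread). Run in Windows PowerShell 2.0+, ideally elevated.
# 1) sample CPU time of every svchost.exe twice, 2) pick the busiest instance,
# 3) list the services it hosts, 4) print its child-process tree.

$sampleSeconds = 5                          # assumption: 5 s is long enough to see the load
$cores = [Environment]::ProcessorCount      # Task Manager's % is averaged over all cores

function Get-SvchostCpuTime {
    # Returns a hashtable: PID -> total CPU time in 100-nanosecond units.
    $snap = @{}
    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $snap[[int]$_.ProcessId] = [double]$_.KernelModeTime + [double]$_.UserModeTime
    }
    return $snap
}

$before = Get-SvchostCpuTime
Start-Sleep -Seconds $sampleSeconds
$after = Get-SvchostCpuTime

# CPU % over the window, normalised the same way Task Manager does.
# On a dual-core machine, one thread pegging one core shows up as about 50%.
$usage = foreach ($id in $after.Keys) {
    if ($before.ContainsKey($id)) {
        $pct = ($after[$id] - $before[$id]) / ($sampleSeconds * 1e7 * $cores) * 100
        New-Object PSObject -Property @{ ProcessId = $id; CpuPercent = [math]::Round($pct, 1) }
    }
}

$busiest = $usage | Sort-Object CpuPercent -Descending | Select-Object -First 1
if (-not $busiest) { Write-Output 'No svchost.exe instance could be sampled.'; return }

Write-Output ("Busiest svchost.exe: PID {0} at {1}% CPU" -f $busiest.ProcessId, $busiest.CpuPercent)

# Services running inside that svchost instance (Task Scheduler shows up as 'Schedule').
Write-Output 'Hosted services:'
Get-WmiObject Win32_Service -Filter "ProcessId = $($busiest.ProcessId)" |
    Sort-Object Name |
    ForEach-Object { '  {0,-20} {1} [{2}]' -f $_.Name, $_.DisplayName, $_.State }

# Child tree. ParentProcessId is only a number recorded at creation time, so a
# reused PID can produce a false parent; the depth cap keeps the walk bounded.
$all = Get-WmiObject Win32_Process

function Show-Children([int]$parentId, [int]$depth) {
    if ($depth -gt 8) { return }
    $all | Where-Object { $_.ParentProcessId -eq $parentId -and $_.ProcessId -ne $parentId } |
        ForEach-Object {
            '{0}{1} (PID {2})  {3}' -f ('  ' * $depth), $_.Name, $_.ProcessId, $_.CommandLine
            Show-Children $_.ProcessId ($depth + 1)
        }
}

Write-Output 'Child processes:'
Show-Children $busiest.ProcessId 1
```

The scheduled tasks behind each taskeng.exe child can then be listed with `schtasks /query /fo LIST /v` and matched on the "Task To Run" field.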





#2 buddy215

Posted 27 December 2015 - 06:31 AM

Uninstall Adobe ARM. Kill the Google Update.exe. While looking in your lists of installed programs for Adobe ARM, look for Google Update assistant and uninstall if there.

 

Do this, too.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks.

At the bottom right of that page you will see a button when clicked will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

 

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer and at the bottom right of that page you will see a button when clicked will allow you to Copy and Paste that list in your next post. Please do that.



#3 mowersman

Posted 27 December 2015 - 08:46 PM

Hi Buddy215

This is the log file for Adwcleaner


# AdwCleaner v5.026 - Logfile created 28/12/2015 at 01:17:07
# Updated 21/12/2015 by Xplode
# Database : 2015-12-23.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : User - USER-PC
# Running from : C:\Users\User\Downloads\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

Service Found : vToolbarUpdater18.1.9

***** [ Folders ] *****

Folder Found : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Found : C:\ProgramData\apn
Folder Found : C:\Users\User\AppData\Local\AVG Secure Search
Folder Found : C:\Users\User\AppData\LocalLow\AVG Secure Search
Folder Found : C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FLV Player

***** [ Files ] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\avg-secure-search.xml

***** [ DLL ] *****


***** [ Shortcuts ] *****

Shortcut Infected : C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FLV Player\Uninstall.lnk (  _?=C:\Users\User\AppData\Local\WebPlayer\FLV Player )

***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found : HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKCU\Software\AVG Secure Search
Key Found : HKCU\Software\AVG Security Toolbar
Key Found : HKCU\Software\Webplayer
Key Found : HKLM\SOFTWARE\AVG Secure Search
Key Found : HKLM\SOFTWARE\AVG Security Toolbar

***** [ Web browsers ] *****

[C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3euguz26.default\prefs.js] [Preference] Found : user_pref("avg.install.installDirPath", "C:\\ProgramData\\AVG Secure Search\\FireFoxExt\\18.1.9.799");
[C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3euguz26.default\prefs.js] [Preference] Found : user_pref("avg.userPreferences.URLBarFocus.whiteList", "bing\\.com|google\\.\\w+|yahoo\\.\\w+|gmail\\.\\w+|hotmail\\.\\w+|live\\.\\w+|isearch\\.avg\\.com|mysearch\\.avg\\.com");
[C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : uk.ask.com

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5490 bytes] ##########

 

 

This is the JRT.txt log

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Ultimate x64
Ran by User (Administrator) on 28/12/2015 at  1:22:03.02
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 599

Successfully deleted: C:\Windows\SysWOW64\FAPA545.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA574.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA60C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA62D.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA68E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA69E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA737.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA73B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA740.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA7A3.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA7B2.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA818.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA83A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA865.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA86C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA91C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPA96A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAAC0.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAAF2.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPABFF.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAD11.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAD22.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAD4.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPADBE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPADD9.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPADDF.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPADED.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAE1F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAEB8.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPAF75.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB012.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB044.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB101.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB12C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB158.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB16B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB18A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB201.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB241.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB242.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB2DF.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB470.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB493.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB538.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB6A7.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB8F6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB99E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB9BD.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPB9D3.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBB2A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBB98.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBBCA.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBBD0.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBBD9.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBC77.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBCC5.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBCF7.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBD15.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBD3A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBD7C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBEC3.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBEC8.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPBF4A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC043.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC058.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC07A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC084.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC0B6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC219.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC27D.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC354.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC3A5.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC3AF.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC3F1.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC3F9.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC423.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC42B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC464.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC487.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC496.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC4F9.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC578.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC5F6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC6BF.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC706.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC735.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC77B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC8D5.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC8F7.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC90B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPC9C6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPCB96.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPCD82.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPCE2A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPCE50.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPCE86.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPCF39.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPCF43.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD06F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD076.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD0E0.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD164.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD180.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD1CF.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD1F2.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD283.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD29A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD2E6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD305.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD3B0.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD45C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD545.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD587.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD58C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD59.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD5CA.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD60A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD657.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD65B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD75C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD76E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD815.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD8F7.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPD9AE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDA3E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDBEE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDBFC.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDC07.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDC12.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDC47.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDCC3.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDCC6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDCDE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDD08.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDD3C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDD5E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDDC0.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDDCD.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDE7B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDE7C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDEAD.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDEC6.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF01.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF08.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF10.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF44.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF52.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF61.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF6F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF93.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDF9F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPDFE2.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE0B8.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE1DE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE220.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE272.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE28.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE36B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE373.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE3AF.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE3D2.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE41C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE43D.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE4A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE5B8.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE5E7.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE600.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE688.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE807.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE854.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE85B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE8DB.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE8EE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE910.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE91C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE922.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE973.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE9C1.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE9F8.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPE9FE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEA1F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEA74.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEA8E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEA99.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEABC.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEB0F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEB53.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPECAE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPECC1.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPECDA.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPED2A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEE7C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEE81.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEF77.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPEFDC.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF09B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF11B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF196.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF304.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF31F.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF447.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF44B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF50D.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF59A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF7A9.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF818.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF949.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPF9BE.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFA12.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFA8C.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFB09.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFB3.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFB3B.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFB6A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFBC9.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFC40.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFE6A.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFE6E.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFE9.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFF71.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFF86.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\FAPFFB6.tmp (File)

Deleted the following from C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\3euguz26.default\prefs.js
user_pref(avg.install.installDirPath, C:\\ProgramData\\AVG Secure Search\\FireFoxExt\\18.1.9.799);
user_pref(avg.userPreferences.URLBarFocus.whiteList, bing\\.com|google\\.\\w+|yahoo\\.\\w+|gmail\\.\\w+|hotmail\\.\\w+|live\\.\\w+|isearch\\.avg\\.com|mysearch\\.avg\\.com



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 28/12/2015 at  1:25:54.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


This is the list of Windows startups

 

Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes    HKCU:Run    Spotify Web Helper    Spotify Ltd    "C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
Yes    HKLM:Run    AdobeAAMUpdater-1.0    Adobe Systems Incorporated    "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
No    HKLM:Run    AdobeCS6ServiceManager    Adobe Systems Incorporated    "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
Yes    HKLM:Run    AvastUI.exe    AVAST Software    "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
No    HKLM:Run    FingerPrintSoftware    AuthenTec    "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
No    HKLM:Run    FingerPrintSoftwareSplashScreen    AuthenTec, Inc.    "C:\Program Files\Lenovo Fingerprint Software\SplashScreen.exe" \s
Yes    HKLM:Run    HotKeysCmds    Intel Corporation    C:\Windows\system32\hkcmd.exe
Yes    HKLM:Run    IgfxTray    Intel Corporation    C:\Windows\system32\igfxtray.exe
Yes    HKLM:Run    Persistence    Intel Corporation    C:\Windows\system32\igfxpers.exe
Yes    HKLM:Run    picon    Intel Corporation    "C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PIconStartup.exe"
Yes    HKLM:Run    PWMTRV        rundll32 C:\PROGRA~2\ThinkPad\UTILIT~1\PWMTR64V.DLL,PwrMgrBkGndMonitor
No    HKLM:Run    SDTray    Safer-Networking Ltd.    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
Yes    HKLM:Run    StartCCC    Advanced Micro Devices, Inc.    "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
Yes    HKLM:Run    SunJavaUpdateSched    Oracle Corporation    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Yes    HKLM:Run    SwitchBoard    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
No    HKLM:Run    VirtualCloneDrive        "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
No    HKLM:Run    vProt        "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
Yes    HKLM:Run    Windows Mobile Device Center    Microsoft Corporation    %windir%\WindowsMobile\wmdc.exe
No    HKLM:Run    Wondershare Helper Compact.exe    Wondershare    C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
 

This is the list of scheduled tasks

 

Yes    Task    ActivateWindowsSearch    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch    \Microsoft\Windows\Media Center
No    Task    AD RMS Rights Policy Template Management (Automated)            \Microsoft\Windows\Active Directory Rights Management Services Client
Yes    Task    AD RMS Rights Policy Template Management (Manual)            \Microsoft\Windows\Active Directory Rights Management Services Client
Yes    Task    Adobe Acrobat Update Task    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe    \
Yes    Task    Adobe Flash Player Updater    Adobe Systems Incorporated    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe    \
Yes    Task    AdobeAAMUpdater-1.0-User-PC-User    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe -mode=scheduled    \
Yes    Task    AitAgent        aitagent    \Microsoft\Windows\Application Experience
Yes    Task    AnalyzeSystem    Microsoft Corporation    %SystemRoot%\System32\powercfg.exe -energy -auto    \Microsoft\Windows\Power Efficiency Diagnostics
No    Task    AutoWake            \Microsoft\Windows\SideShow
Yes    Task    Avast settings backup    AVAST Software    C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe /backup /iavs    \AVAST Software
No    Task    Background Synchronization            \Microsoft\Windows\Offline Files
Yes    Task    CacheTask            \Microsoft\Windows\Wininet
No    Task    Calibration Loader            \Microsoft\Windows\WindowsColorSystem
Yes    Task    CCleanerSkipUAC    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)    \
Yes    Task    Check for updates    Safer-Networking Ltd.    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" /autoupdate /silent /autoclose /background    \Safer-Networking\Spybot - Search and Destroy
Yes    Task    ConfigNotification    Microsoft Corporation    %systemroot%\System32\sdclt.exe /CONFIGNOTIFICATION    \Microsoft\Windows\WindowsBackup
Yes    Task    ConfigureInternetTimeService    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoConfigureInternetTimeService    \Microsoft\Windows\Media Center
Yes    Task    Consolidator    Microsoft Corporation    %SystemRoot%\System32\wsqmcons.exe    \Microsoft\Windows\Customer Experience Improvement Program
Yes    Task    CreateChoiceProcessTask    Microsoft Corporation    C:\Windows\System32\browserchoice.exe /launch    \
Yes    Task    DispatchRecoveryTasks    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoRecoveryTasks $(Arg0)    \Microsoft\Windows\Media Center
Yes    Task    ehDRMInit    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DRMInit    \Microsoft\Windows\Media Center
Yes    Task    Extractor Definitions Update Task            \Microsoft\Windows Live\SOXE
Yes    Task    GadgetManager            \Microsoft\Windows\SideShow
Yes    Task    GatherNetworkInfo        %windir%\system32\gatherNetworkInfo.vbs    \Microsoft\Windows\NetTrace
Yes    Task    GoogleUpdateTaskMachineCore    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c    \
Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler    \
No    Task    HiveUploadTask            \Microsoft\Windows\User Profile Service
Yes    Task    HotStart            \Microsoft\Windows\MobilePC
Yes    Task    InstallPlayReady    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)    \Microsoft\Windows\Media Center
Yes    Task    IpAddressConflict1    Microsoft Corporation    %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem    \Microsoft\Windows\Tcpip
Yes    Task    IpAddressConflict2    Microsoft Corporation    %windir%\system32\rundll32.exe ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem    \Microsoft\Windows\Tcpip
Yes    Task    launchtrayprocess    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /tasklaunch    \Microsoft\Windows\Setup\gwx
No    Task    Logon Synchronization            \Microsoft\Windows\Offline Files
Yes    Task    Logon-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:7    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    LPRemove    Microsoft Corporation    %windir%\system32\lpremove.exe    \Microsoft\Windows\MUI
Yes    Task    MachineUnlock-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:8    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    mcupdate        %SystemRoot%\ehome\mcupdate $(Arg0)    \Microsoft\Windows\Media Center
Yes    Task    MediaCenterRecoveryTask    Microsoft Corporation    %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask    \Microsoft\Windows\Media Center
Yes    Task    Microsoft Antimalware Scheduled Scan        c:\Program Files\Microsoft Security Client\MpCmdRun.exe Scan -ScheduleJob -RestrictPrivileges    \Microsoft\Microsoft Antimalware
Yes    Task    Microsoft Compatibility Appraiser    Microsoft Corporation    %windir%\system32\compattel\DiagTrackRunner.exe /UploadEtlFilesOnly    \Microsoft\Windows\Application Experience
Yes    Task    MobilityManager            \Microsoft\Windows\Ras
Yes    Task    Notifications    Microsoft Corporation    %windir%\System32\LocationNotifications.exe    \Microsoft\Windows\Location
Yes    Task    ObjectStoreRecoveryTask    Microsoft Corporation    %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask    \Microsoft\Windows\Media Center
Yes    Task    OCURActivate    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate    \Microsoft\Windows\Media Center
Yes    Task    OCURDiscovery    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)    \Microsoft\Windows\Media Center
Yes    Task    OutOfIdle-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:6    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    OutOfSleep-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:9    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    PBDADiscovery    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /PBDADiscovery    \Microsoft\Windows\Media Center
Yes    Task    PBDADiscoveryW1    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /wait:7 /PBDADiscovery    \Microsoft\Windows\Media Center
Yes    Task    PBDADiscoveryW2    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /wait:90 /PBDADiscovery    \Microsoft\Windows\Media Center
No    Task    PeriodicScanRetry    Microsoft Corporation    %windir%\ehome\MCUpdate.exe -pscn 0    \Microsoft\Windows\Media Center
Yes    Task    PMTask    Lenovo Group Limited    C:\PROGRA~2\ThinkPad\UTILIT~1\PwmIdTsv.exe    \
No    Task    PolicyConverter    Microsoft Corporation    %windir%\system32\appidpolicyconverter.exe    \Microsoft\Windows\AppID
Yes    Task    ProgramDataUpdater    Microsoft Corporation    %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate    \Microsoft\Windows\Application Experience
Yes    Task    Proxy    Microsoft Corporation    %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations    \Microsoft\Windows\Autochk
Yes    Task    PvrRecoveryTask    Microsoft Corporation    %SystemRoot%\ehome\mcupdate.exe -PvrRecoveryTask    \Microsoft\Windows\Media Center
Yes    Task    PvrScheduleTask    Microsoft Corporation    %SystemRoot%\ehome\mcupdate.exe -PvrSchedule    \Microsoft\Windows\Media Center
Yes    Task    QueueReporting    Microsoft Corporation    %windir%\system32\wermgr.exe -queuereporting    \Microsoft\Windows\Windows Error Reporting
No    Task    RecordingRestart        %SystemRoot%\ehome\ehrec /RestartRecording    \Microsoft\Windows\Media Center
Yes    Task    Refresh immunization    Safer-Networking Ltd.    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe" /immunize /silent /autoclose    \Safer-Networking\Spybot - Search and Destroy
Yes    Task    refreshgwxconfig    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshConfig    \Microsoft\Windows\Setup\gwx
Yes    Task    refreshgwxconfig-B    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshConfigAndContent    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    refreshgwxconfigandcontent    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshConfigAndContent    \Microsoft\Windows\Setup\gwx
Yes    Task    refreshgwxcontent    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshContent    \Microsoft\Windows\Setup\gwx
Yes    Task    RegisterSearch    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoRegisterSearch $(Arg0)    \Microsoft\Windows\Media Center
Yes    Task    ReindexSearchRoot    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoReindexSearchRoot    \Microsoft\Windows\Media Center
Yes    Task    Scan the system    Safer-Networking Ltd.    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe" /scan /cleanclose    \Safer-Networking\Spybot - Search and Destroy
Yes    Task    ScheduledDefrag    Microsoft Corp.    %windir%\system32\defrag.exe -c    \Microsoft\Windows\Defrag
No    Task    SessionAgent            \Microsoft\Windows\SideShow
Yes    Task    SidebarExecute    Microsoft Corporation    C:\Program Files\Windows Sidebar\sidebar.exe /addGadget    \
Yes    Task    SqlLiteRecoveryTask    Microsoft Corporation    %SystemRoot%\ehome\mcupdate.exe -SqlLiteRecoveryTask    \Microsoft\Windows\Media Center
Yes    Task    SR    Microsoft Corporation    %windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation    \Microsoft\Windows\SystemRestore
Yes    Task    StartRecording        %SystemRoot%\ehome\ehrec /StartRecording    \Microsoft\Windows\Media Center
Yes    Task    SynchronizeTime    Microsoft Corporation    %windir%\system32\sc.exe start w32time task_started    \Microsoft\Windows\Time Synchronization
No    Task    SystemDataProviders            \Microsoft\Windows\SideShow
Yes    Task    SystemSoundsService            \Microsoft\Windows\Multimedia
Yes    Task    SystemTask            \Microsoft\Windows\CertificateServicesClient
Yes    Task    Time-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:10    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    UninstallDeviceTask    Microsoft Corporation    BthUdTask.exe $(Arg0)    \Microsoft\Windows\Bluetooth
Yes    Task    UpdateLibrary        "%ProgramFiles%\Windows Media Player\wmpnscfg.exe"    \Microsoft\Windows\Windows Media Sharing
Yes    Task    UpdateRecordPath    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)    \Microsoft\Windows\Media Center
Yes    Task    UPnPHostConfig    Microsoft Corporation    sc.exe config upnphost start= auto    \Microsoft\Windows\UPnP
Yes    Task    UserTask            \Microsoft\Windows\CertificateServicesClient
No    Task    UserTask-Roam            \Microsoft\Windows\CertificateServicesClient
No    Task    VerifiedPublisherCertStoreCheck    Microsoft Corporation    %windir%\system32\appidcertstorecheck.exe    \Microsoft\Windows\AppID
Yes    Task    WinSAT            \Microsoft\Windows\Maintenance
Yes    Task    {05048E44-C7DD-414F-BAE0-3EA0C57910AC}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\Serialio.com_PL2303_DriverInstaller_v1210\PL2303_Prolific_DriverInstaller_v1210.exe -d C:\Users\User\Downloads\Serialio.com_PL2303_DriverInstaller_v1210    \
Yes    Task    {590D32C4-B139-44BA-8C72-51465DF7BD10}        D:\Setup.exe    \
Yes    Task    {BFC7781F-786B-46D1-95BA-F0562A195C5C}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\mp3gain-win-1_2_5(1).exe -d C:\Users\User\Downloads    \
Yes    Task    {E0543823-0756-40F1-A75D-D76BFAB83634}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\sp53631.exe -d C:\Users\User\Downloads    \
 

 

And this is the list of installed programs

 

Adobe AIR    Adobe Systems Incorporated    11/05/2014        13.0.0.83
Adobe Flash Player 20 ActiveX    Adobe Systems Incorporated    09/12/2015    8.46 MB    20.0.0.228
Adobe Flash Player 20 NPAPI    Adobe Systems Incorporated    09/12/2015    9.05 MB    20.0.0.235
Adobe Photoshop CS6    Adobe Systems Incorporated    17/11/2013    2.43 GB    13.0
Adobe Reader XI (11.0.13)    Adobe Systems Incorporated    29/10/2015    185 MB    11.0.13
Adobe Shockwave Player 12.1    Adobe Systems, Inc.    02/11/2014        12.1.3.153
ATI Catalyst Install Manager    ATI Technologies, Inc.    06/09/2013    22.4 MB    3.0.800.0
ATI Uninstaller    ATI Technologies, Inc.    06/09/2013        8.792.5.2-120504a-138564C-Lenovo
Audacity 2.0.5    Audacity Team    07/03/2014    45.5 MB    2.0.5
Auslogics DiskDefrag    Auslogics Labs Pty Ltd    02/11/2014    21.8 MB    4.5.4.0
Avast Free Antivirus    AVAST Software    20/07/2015        10.3.2223
BBC iPlayer Downloads    BBC    05/10/2015    46.3 MB    1.14.1
CCleaner    Piriform    28/12/2015        5.13
Conexant 20561 SmartAudio HD    Conexant    05/09/2013        4.92.10.0
Convert Audio Free WMA to MP3 version 1.0        26/09/2014    4.56 MB    1.0
CPUCooL (remove only)        26/12/2015       
Free ISO Creator version 1.0    freeisocreator.com    31/03/2014    746 KB    1.0
FrostWire 5.7.2    FrostWire LLC    17/04/2014        5.7.2.1
get_iplayer 4.9    infradead.org    25/10/2014        4.9
Google Chrome    Google Inc.    15/12/2013        47.0.2526.106
HTC Driver Installer    HTC Corporation    15/09/2014    3.07 MB    4.13.0.003
HTC Sync Manager    HTC    15/09/2014    164 MB    3.1.24.5
Intel® Graphics Media Accelerator Driver    Intel Corporation    06/09/2013        8.15.10.2869
Intel® Management Engine Interface    Intel Corporation    05/09/2013        
Intel® Network Connections 18.5.54.0    Intel    06/09/2013    25.0 MB    18.5.54.0
Intel® Active Management Technology    Intel Corporation    05/09/2013        
IPTInstaller    HTC    01/11/2013    300 KB    4.0.8
Java 8 Update 65    Oracle Corporation    27/10/2015    21.0 MB    8.0.650.17
Kate's Video Toolkit 7.0    Web Solution Mart    01/08/2015    21.6 MB    7.0.0
LAME v3.99.3 (for Windows)        07/03/2014    1.52 MB    
LatencyMon 6.00    Resplendence Software Projects Sp.    23/02/2014    8.62 MB    
Lenovo Fingerprint Software    AuthenTec, Inc.    06/09/2013    33.6 MB    3.3.2.50
Lenovo Patch Utility    Lenovo Group Limited    06/09/2013    1.33 MB    1.3.1.1
Lenovo Patch Utility 64 bit    Lenovo Group Limited    06/09/2013    298 KB    1.3.1.1
Lenovo Power Management Driver        02/11/2014        1.67.04.05
Lenovo System Interface Driver        06/09/2013        1.05
Malwarebytes Anti-Malware version 2.2.0.1024    Malwarebytes    26/12/2015    66.0 MB    2.2.0.1024
Microsoft .NET Framework 4.5.2    Microsoft Corporation    13/06/2015    38.8 MB    4.5.51209
Microsoft OneDrive    Microsoft Corporation    01/08/2015    26.7 MB    17.0.4035.0328
Microsoft Silverlight    Microsoft Corporation    14/06/2015    100 MB    5.1.40416.0
Microsoft SQL Server 2005 Compact Edition [ENU]    Microsoft Corporation    28/08/2014    1.69 MB    3.1.0000
Microsoft Virtual PC 2007    Microsoft Corporation    11/02/2014    36.9 MB    6.0.156.0
Microsoft Visual C++ 2005 Redistributable    Microsoft Corporation    04/11/2013    300 KB    8.0.59193
Microsoft Visual C++ 2005 Redistributable (x64)    Microsoft Corporation    01/11/2013    620 KB    8.0.61000
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148    Microsoft Corporation    17/11/2013    788 KB    9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161    Microsoft Corporation    19/11/2013    788 KB    9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17    Microsoft Corporation    06/09/2013    596 KB    9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148    Microsoft Corporation    17/11/2013    232 KB    9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161    Microsoft Corporation    12/09/2013    600 KB    9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219    Microsoft Corporation    19/11/2013    15.2 MB    10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219    Microsoft Corporation    19/11/2013    15.0 MB    10.0.40219
Mozilla Firefox 43.0.1 (x86 en-GB)    Mozilla    26/12/2015    89.3 MB    43.0.1
Mozilla Maintenance Service    Mozilla    26/12/2015    341 KB    43.0.1.5828
Mozilla Thunderbird 38.2.0 (x86 en-GB)    Mozilla    27/10/2015    75.7 MB    38.2.0
MS-I/II Download Utility 2.00    Eric Fahlgren <eric@wryday.com>    12/11/2015        2.00
MSXML 4.0 SP2 (KB954430)    Microsoft Corporation    04/11/2013    1.27 MB    4.20.9870.0
MSXML 4.0 SP2 (KB973688)    Microsoft Corporation    04/11/2013    1.33 MB    4.20.9876.0
Network Play System (Patching)        29/03/2014        
On Screen Display        06/09/2013        6.70.00
OpenOffice 4.0.1    Apache Software Foundation    15/10/2013    335 MB    4.01.9714
Perfect Free Alarm Clock 2.0    Celescom.com    01/01/2014    1.67 MB    2.0
PL-2303 USB-to-Serial    Prolific Technology INC    12/11/2015        1.00.000
Power Manager    Lenovo Group Limited    05/09/2013        6.61.1
Realtek High Definition Audio Driver    Realtek Semiconductor Corp.    29/01/2015        6.0.1.6418
SIW version 2011.10.29    Topala Software Solutions    24/01/2015    5.83 MB    2011.10.29
Skype™ 7.0    Skype Technologies S.A.    14/06/2015    47.8 MB    7.0.102
Spotify    Spotify AB    27/11/2014        0.9.14.13.gba5645ad
Spybot - Search & Destroy    Safer-Networking Ltd.    17/10/2013    132 MB    2.2.25
System Requirements Lab for Intel    Husdawg, LLC    06/09/2013    1.03 MB    4.5.15.0
The Sims        29/03/2014        
TunerStudio MS 2.6.19    EFI Analytics    06/11/2015    195 MB    
VirtualCloneDrive    Elaborate Bytes    31/03/2014        5.4.7.0
Visual Studio 2012 x64 Redistributables    AVG Technologies    17/10/2013    12.9 MB    14.0.0.1
Visual Studio 2012 x86 Redistributables    AVG Technologies CZ, s.r.o.    17/10/2013    10.5 MB    14.0.0.1
VLC media player    VideoLAN    02/11/2014        2.1.5
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric  (07/02/2010 8.6.0.29)    AuthenTec Inc.    05/09/2013        07/02/2010 8.6.0.29
Windows Mobile Device Center    Microsoft Corporation    01/01/2014    27.4 MB    6.1.6965.0
WinRAR 5.01 beta 1 (32-bit)    win.rar GmbH    16/11/2013        5.01.1
Wondershare Streaming Audio Recorder(Build 2.2.0)    Wondershare Software    04/03/2014    33.5 MB    2.2.0.4
wxMP3gain v2.4.3    Cristiano Nunes    26/09/2014    4.59 MB    2.4.3
 

 

Thanks hugely for taking the time to look at this, it is really appreciated.

Thanks

Andrew



#4 buddy215

buddy215

  • Moderator
  • 13,420 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:03 PM

Posted 28 December 2015 - 06:00 AM

Rerun AdwCleaner and be sure to click on Clean when the scan finishes. As you can see there is a lot of adware. I know you have MBAM so run a scan with it using the settings below and post its log.

 

  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR REVIEW.

 

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

 


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 buddy215

buddy215

  • Moderator
  • 13,420 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:03 PM

Posted 28 December 2015 - 06:57 AM

Disable these Windows Startups: Use CCleaner by clicking on each item and then choose Disable on the right.

Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes    HKCU:Run    Spotify Web Helper    Spotify Ltd    "C:\Users\User\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
Yes    HKLM:Run    AdobeAAMUpdater-1.0    Adobe Systems Incorporated    "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

Yes    HKLM:Run    IgfxTray    Intel Corporation    C:\Windows\system32\igfxtray.exe

Yes    HKLM:Run    SunJavaUpdateSched    Oracle Corporation    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Yes    HKLM:Run    SwitchBoard    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

Yes    HKLM:Run    Windows Mobile Device Center    Microsoft Corporation    %windir%\WindowsMobile\wmdc.exe

 

Disable these Tasks:

Yes    Task    ActivateWindowsSearch    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoActivateWindowsSearch    \Microsoft\Windows\Media Center

Yes    Task    Adobe Acrobat Update Task    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe    \
Yes    Task    Adobe Flash Player Updater    Adobe Systems Incorporated    C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe    \
Yes    Task    AdobeAAMUpdater-1.0-User-PC-User    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe -mode=scheduled  

Yes    Task    Check for updates    Safer-Networking Ltd.    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" /autoupdate /silent /autoclose /background    \Safer-Networking\Spybot - Search and Destroy

Yes    Task    Consolidator    Microsoft Corporation    %SystemRoot%\System32\wsqmcons.exe    \Microsoft\Windows\Customer Experience Improvement Program

Yes    Task    GoogleUpdateTaskMachineCore    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c    \
Yes    Task    GoogleUpdateTaskMachineUA    Google Inc.    C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler    \

Yes    Task    InstallPlayReady    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /InstallPlayReady $(Arg0)    \Microsoft\Windows\Media Center

Yes    Task    launchtrayprocess    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /tasklaunch    \Microsoft\Windows\Setup\gwx

Yes    Task    Logon-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:7    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    LPRemove    Microsoft Corporation    %windir%\system32\lpremove.exe    \Microsoft\Windows\MUI
Yes    Task    MachineUnlock-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:8    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    mcupdate        %SystemRoot%\ehome\mcupdate $(Arg0)    \Microsoft\Windows\Media Center

Yes    Task    MediaCenterRecoveryTask    Microsoft Corporation    %SystemRoot%\ehome\mcupdate.exe -MediaCenterRecoveryTask    \Microsoft\Windows\Media Center

Yes    Task    ObjectStoreRecoveryTask    Microsoft Corporation    %SystemRoot%\ehome\mcupdate.exe -ObjectStoreRecoveryTask    \Microsoft\Windows\Media Center
Yes    Task    OCURActivate    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /OCURActivate    \Microsoft\Windows\Media Center
Yes    Task    OCURDiscovery    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery $(Arg0)    \Microsoft\Windows\Media Center
Yes    Task    OutOfIdle-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:6    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    OutOfSleep-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:9    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    Refresh immunization    Safer-Networking Ltd.    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe" /immunize /silent /autoclose    \Safer-Networking\Spybot - Search and Destroy
Yes    Task    refreshgwxconfig    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshConfig    \Microsoft\Windows\Setup\gwx
Yes    Task    refreshgwxconfig-B    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshConfigAndContent    \Microsoft\Windows\Setup\GWXTriggers
Yes    Task    refreshgwxconfigandcontent    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshConfigAndContent    \Microsoft\Windows\Setup\gwx
Yes    Task    refreshgwxcontent    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshContent    \Microsoft\Windows\Setup\gwx

Yes    Task    Scan the system    Safer-Networking Ltd.    "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe" /scan /cleanclose    \Safer-Networking\Spybot - Search and Destroy

Yes    Task    SidebarExecute    Microsoft Corporation    C:\Program Files\Windows Sidebar\sidebar.exe /addGadget    \

Yes    Task    Time-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:10    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    UpdateLibrary        "%ProgramFiles%\Windows Media Player\wmpnscfg.exe"    \Microsoft\Windows\Windows Media Sharing
Yes    Task    UpdateRecordPath    Microsoft Corporation    %SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)    \Microsoft\Windows\Media Center

Yes    Task    {05048E44-C7DD-414F-BAE0-3EA0C57910AC}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\Serialio.com_PL2303_DriverInstaller_v1210\PL2303_Prolific_DriverInstaller_v1210.exe -d C:\Users\User\Downloads\Serialio.com_PL2303_DriverInstaller_v1210    \
Yes    Task    {590D32C4-B139-44BA-8C72-51465DF7BD10}        D:\Setup.exe    \
Yes    Task    {BFC7781F-786B-46D1-95BA-F0562A195C5C}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\mp3gain-win-1_2_5(1).exe -d C:\Users\User\Downloads    \
Yes    Task    {E0543823-0756-40F1-A75D-D76BFAB83634}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\User\Downloads\sp53631.exe -d C:\Users\User\Downloads    \
 

Uninstall these Programs:

Adobe AIR    Adobe Systems Incorporated    11/05/2014        13.0.0.83

Spybot - Search & Destroy    Safer-Networking Ltd.    17/10/2013    132 MB    2.2.25



#6 mowersman

mowersman
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:Somerset, UK
  • Local time:06:03 PM

Posted 29 December 2015 - 08:44 PM

Hello Buddy215

I reran AdwCleaner, cleaned it, then re-ran it again; nothing came up the 2nd time.

 

This is the Malwarebytes scan log

I deleted all of these.

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 29/12/2015
Scan Time: 00:38
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.28.08
Rootkit Database: v2015.12.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: User

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 330943
Time Elapsed: 10 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 19
PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\OCComSDK.ComSDK.1, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\OCComSDK.ComSDK, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\OCComSDK.ComSDK, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\OCComSDK.ComSDK, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\OCComSDK.ComSDK.1, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\OCComSDK.ComSDK.1, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 9
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYD23E6.tmp.1451265307\HTA\install.1451265307.zip, Quarantined, [d5a34c5e5338c17515121804ef13649c],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYD23E6.tmp.1451265307\HTA\3rdparty\OCComSDK.dll, Quarantined, [46329713b3d86ec8ce592af2de244eb2],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYD23E6.tmp.1451265307\HTA\3rdparty\OCSetupHlp.dll, Quarantined, [3543614975167eb8da3bac0046bed12f],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYD3B8A.tmp.1451265313\HTA\install.1451265313.zip, Quarantined, [3d3b03a7a3e8e74ff037a27ac0427789],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYD3B8A.tmp.1451265313\HTA\3rdparty\OCComSDK.dll, Quarantined, [0d6bb5f5c9c20c2ac562809c00028a76],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYD3B8A.tmp.1451265313\HTA\3rdparty\OCSetupHlp.dll, Quarantined, [294f08a29af1ee48af661a9262a28977],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYDC2A4.tmp.1451265347\HTA\install.1451265347.zip, Quarantined, [c1b7e5c5f49752e454d357c5cc36d12f],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYDC2A4.tmp.1451265347\HTA\3rdparty\OCComSDK.dll, Quarantined, [1b5d0e9c3b50e94d1611f02cb74b1ae6],
PUP.Optional.OpenCandy, C:\Users\User\AppData\Local\Temp\HYDC2A4.tmp.1451265347\HTA\3rdparty\OCSetupHlp.dll, Quarantined, [43357733f596c2746aab0aa29d678d73],

Physical Sectors: 0
(No malicious items detected)


(end)

 

This is the ESET scan log. There doesn't seem to be anything serious there, but they are all now deleted.

 

C:\Program Files (x86)\SIW\siw.exe    a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application    deleted - quarantined
C:\Users\User\AppData\Local\Temp\HYD23E6.tmp.1451265307_permissionsCopy\uTorrent.exe    a variant of Win32/OpenCandy.A potentially unsafe application    cleaned by deleting - quarantined
C:\Users\User\AppData\Local\Temp\HYD23E6.tmp.1451265307_permissionsCopy\updates\3.4.3_40298.exe    a variant of Win32/OpenCandy.A potentially unsafe application    cleaned by deleting - quarantined
C:\Users\User\AppData\Local\Temp\HYDA94A.tmp.1451265341_permissionsCopy\uTorrent.exe    a variant of Win32/OpenCandy.A potentially unsafe application    cleaned by deleting - quarantined
C:\Users\User\AppData\Local\Temp\HYDA94A.tmp.1451265341_permissionsCopy\updates\3.4.3_40298.exe    a variant of Win32/OpenCandy.A potentially unsafe application    cleaned by deleting - quarantined
C:\Users\User\Downloads\ccsetup513.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Windows\Installer\MSI31E6.tmp    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    cleaned by deleting - quarantined
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-FWV7[1].7z    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AskToolbarInstaller-FWV7[2].7z    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted - quarantined
 

 

 

 

I've deleted the startup items and scheduled tasks you mentioned, except these ones, as it comes up with the error

"Failed to enable/disable startup item:
Access is denied"
 

 

Yes    Task    Logon-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:7    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    MachineUnlock-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:8    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    OutOfIdle-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:6    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    OutOfSleep-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:9    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    refreshgwxconfig-B    Microsoft Corporation    %windir%\system32\GWX\GWXConfigManager.exe /RefreshConfigAndContent    \Microsoft\Windows\Setup\GWXTriggers

Yes    Task    Time-5d    Microsoft Corporation    %windir%\system32\GWX\GWX.exe /event:10    \Microsoft\Windows\Setup\GWXTriggers
 

 

 

 

However... I'm now thinking it may not be a virus etc.

Rather than going into Process Explorer, I'm right-clicking on the svchost.exe process in Task Manager and going to "Go to services".

A whole list comes up, which I've googled and none appear suspicious. However, when I kill "wuauserv" (which appears to be something to do with Windows Update) the CPU usage drops back to normal. Odd... I have left it running for about 8 hours now, with the computer doing nothing, to see if it sorts itself out, but it's still up around 50%.

Cheers

Andrew
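
The check described in the post above (finding which service inside a shared svchost.exe is using the CPU) can also be done from a PowerShell prompt. This is an added example, not part of the original thread; it uses only built-in WMI classes and PowerShell 2.0 syntax, which is what ships with Windows 7.

```powershell
# Added example: list every svchost.exe instance with its CPU share and the
# services it hosts, so a busy instance can be tied to a service such as wuauserv.
# Get-WmiObject is used so the script runs on PowerShell 2.0 (Windows 7 default).

# The per-process counter is relative to one logical CPU; dividing by the
# logical CPU count gives a figure comparable to Task Manager's CPU column.
$cpuCount = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors

# Group running services by the PID of the process that hosts them.
# ProcessId is 0 for services that are not running, so those are filtered out.
$servicesByPid = @{}
Get-WmiObject Win32_Service -Filter "ProcessId <> 0" | ForEach-Object {
    $key = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $_.Name
}

# Performance-counter instance names look like svchost, svchost#1, svchost#2 ...
Get-WmiObject Win32_PerfFormattedData_PerfProc_Process -Filter "Name LIKE 'svchost%'" |
    ForEach-Object {
        $procId = [int]$_.IDProcess
        New-Object PSObject -Property @{
            PID      = $procId
            CpuPct   = [math]::Round($_.PercentProcessorTime / $cpuCount, 1)
            Services = ($servicesByPid[$procId] -join ', ')
        }
    } |
    Sort-Object CpuPct -Descending |
    Select-Object PID, CpuPct, Services |
    Format-Table -AutoSize -Wrap

# Optional, from an elevated prompt: move Windows Update into its own svchost.exe
# so its CPU use is no longer mixed with the other services in the shared host.
# The change takes effect after the service is restarted; "type= share" reverts it.
#   sc.exe config wuauserv type= own
#   sc.exe config wuauserv type= share
```

The instance at the top of the table is the one to compare against the "Go to services" list in Task Manager.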



#7 buddy215

buddy215

  • Moderator
  • 13,420 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:03 PM

Posted 30 December 2015 - 06:01 AM

As you probably know, those GWX tasks...GET WINDOWS TEN...

Microsoft is acting more like malware in trying to force users to upgrade. I know when I booted into Windows 7 to get December's updates it wouldn't display the updates until I killed the GWX process under All Users. I've always disabled Microsoft updates and run it on demand at least once a month. Now I only accept critical/security updates to avoid downloading and upgrading to 10.

 

You may be able to kill those tasks after booting into Safe Mode... I think your CPU usage is related to those, too.

 

I suggest you start a new topic in the Malware Removal Forum to be certain malware is no longer involved.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.



#8 mowersman

mowersman
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:Somerset, UK
  • Local time:06:03 PM

Posted 02 January 2016 - 08:20 PM

Thanks for all your help Buddy215, I really appreciate it.

I tried disabling those scheduled tasks in safe mode, but they don't even appear then. I'll do some more research into that.

I have now started a topic in the other forum.

Thanks

Andrew





