
Spyware, Adware issues


  • This topic is locked
9 replies to this topic

#1 Tinman39


Posted 24 January 2016 - 08:20 PM

Good evening, my issue started last night and I have worked all day on trying to resolve it. I have been here before many years ago so I knew some of the programs to use initially; however, I am still having issues. Pretty much just redirecting my Firefox sites, popups, Capricornus Ads, ultimately rendering the browser inoperable. I regularly use SpyHunter 4 as my anti-malware program. I have also scanned/repaired using AdwCleaner and Junk Removal Tool. Any help is greatly appreciated.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-01-2016
Ran by Ray (administrator) on RAYSGAMINGPC (24-01-2016 19:07:21)
Running from C:\Users\Ray\Downloads
Loaded Profiles: Ray (Available Profiles: Ray)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6846096 2012-11-19] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2787264 2016-01-11] (NVIDIA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\MountPoints2: {471bd085-bf5d-11e4-828b-d8cb8a33116e} - "E:\WD Drive Unlock.exe" autoplay=true
Startup: C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip [2015-02-11] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.16.12.1
Tcpip\..\Interfaces\{6e0db4ae-c72b-4422-9ba7-e3ab8deac507}: [DhcpNameServer] 172.16.12.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE03&ocid=UE03DHP
SearchScopes: HKU\S-1-5-21-3287149903-3504461084-1627932807-1002 -> {59FC0D2C-8AEC-4994-805D-70DFC602FEF5} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\ssv.dll [2016-01-22] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\jp2ssv.dll [2016-01-22] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\nm8gb8bw.default-1453673996232
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\dtplugin\npDeployJava1.dll [2016-01-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\plugin2\npjp2.dll [2016-01-22] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-10-13] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-10-13] (NVIDIA Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\nm8gb8bw.default-1453673996232\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-01-24]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - <no Path/update_url>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-01-11] (NVIDIA Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-01-11] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [6308288 2016-01-11] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [4812736 2016-01-11] (NVIDIA Corporation)
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1042304 2016-01-24] (Enigma Software Group USA, LLC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
S2 appreciate; C:\WINDOWS\fearless.exe [X]
S2 servant; C:\WINDOWS\courageous.exe [X]
S2 Tuhtujl; "C:\Users\Ray\AppData\Roaming\KagjBudla\Firva.exe" -cms [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Alpham1; C:\Windows\System32\drivers\Alpham164.sys [52992 2007-07-23] (Ideazon Corporation)
R3 Alpham2; C:\Windows\System32\drivers\Alpham264.sys [21760 2007-03-20] (Ideazon Corporation)
R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R1 DNE; C:\Windows\system32\DRIVERS\dnelwf64.sys [164664 2014-09-02] (Citrix Systems, Inc.)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2016-01-24] (Enigma Software Group USA, LLC.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-01-24] ()
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-01-11] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [47760 2015-12-18] (NVIDIA Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-10] (Apple, Inc.) [File not signed]
S1 vflt; C:\Windows\system32\DRIVERS\vfilter.sys [24064 2013-06-30] (Shrew Soft Inc) [File not signed]
S3 vnet; C:\Windows\System32\drivers\virtualnet.sys [17408 2013-06-30] (Shrew Soft Inc) [File not signed]
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 vpnva; \SystemRoot\System32\drivers\vpnva64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-24 18:35 - 2016-01-24 18:35 - 00001192 _____ C:\Users\Ray\Desktop\JRT.txt
2016-01-24 17:47 - 2016-01-24 17:47 - 01600184 _____ (Malwarebytes) C:\Users\Ray\Downloads\JRT.exe
2016-01-24 17:37 - 2016-01-24 18:56 - 00000000 ____D C:\ProgramData\HitmanPro
2016-01-24 17:36 - 2016-01-24 17:37 - 11323704 _____ (SurfRight B.V.) C:\Users\Ray\Downloads\HitmanPro_x64.exe
2016-01-24 17:20 - 2016-01-24 17:21 - 00031018 _____ C:\Users\Ray\Downloads\MTB.txt
2016-01-24 17:07 - 2016-01-24 19:04 - 00032470 _____ C:\Users\Ray\Downloads\Addition.txt
2016-01-24 17:06 - 2016-01-24 19:07 - 00010074 _____ C:\Users\Ray\Downloads\FRST.txt
2016-01-24 17:06 - 2016-01-24 19:07 - 00000000 ____D C:\FRST
2016-01-24 17:05 - 2016-01-24 17:06 - 02370560 _____ (Farbar) C:\Users\Ray\Downloads\FRST64.exe
2016-01-24 16:36 - 2016-01-24 16:58 - 00000000 ____D C:\AdwCleaner
2016-01-24 16:36 - 2016-01-24 16:36 - 01505280 _____ C:\Users\Ray\Downloads\AdwCleaner.exe
2016-01-24 15:41 - 2016-01-24 15:41 - 00001310 _____ C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-01-24 14:40 - 2016-01-24 16:13 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2016-01-24 14:39 - 2016-01-24 16:21 - 00277916 _____ C:\WINDOWS\ntbtlog.txt
2016-01-24 14:13 - 2016-01-24 14:13 - 00001110 _____ C:\Users\Ray\Documents\backup dns host file.txt
2016-01-24 14:05 - 2016-01-24 15:10 - 00000824 _____ C:\Users\Ray\Documents\hosts.txt
2016-01-24 13:31 - 2016-01-24 13:31 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2016-01-24 13:31 - 2015-12-18 00:10 - 00099472 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvaudcap64v.dll
2016-01-24 13:31 - 2015-12-18 00:10 - 00090768 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvaudcap32v.dll
2016-01-24 13:19 - 2016-01-24 16:19 - 00000000 ____D C:\Users\Ray\Desktop\Old Firefox Data
2016-01-24 13:00 - 2016-01-24 13:00 - 00005764 _____ C:\native log.txt
2016-01-24 12:57 - 2016-01-24 14:34 - 00000000 ___HD C:\dgqcjv9R5pd5XiTO
2016-01-24 12:34 - 2016-01-24 12:34 - 00022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-01-24 12:34 - 2016-01-24 12:34 - 00001132 _____ C:\Users\Ray\Desktop\SpyHunter.lnk
2016-01-24 11:35 - 2016-01-24 12:34 - 00003422 _____ C:\WINDOWS\System32\Tasks\SpyHunter4Startup
2016-01-24 11:22 - 2016-01-24 11:22 - 00000000 ____D C:\WINDOWS\system32\luct
2016-01-24 11:20 - 2016-01-24 11:20 - 00001127 _____ C:\Users\Ray\Desktop\RegHunter.lnk
2016-01-24 11:20 - 2016-01-24 11:20 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RegHunter
2016-01-24 11:13 - 2016-01-24 11:13 - 00000000 ____D C:\Program Files (x86)\SEARCH~1
2016-01-24 09:53 - 2016-01-24 09:53 - 00019264 _____ C:\EsgInstallerResumeAction
2016-01-24 09:53 - 2016-01-24 09:53 - 00000000 ____D C:\WINDOWS\F94A63D79A61403B8F6F90B1BF77211A.TMP
2016-01-24 09:31 - 2016-01-24 13:46 - 00001055 _____ C:\WINDOWS\system32\Internet Explorer.lnk
2016-01-24 09:05 - 2016-01-24 09:05 - 00004158 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{E00C39D3-631F-4276-94AF-E315116D2C24}
2016-01-24 08:58 - 2016-01-24 13:46 - 00001148 _____ C:\WINDOWS\system32\Mozilla Firefox.lnk
2016-01-23 22:50 - 2016-01-23 22:50 - 00000000 ____D C:\WINDOWS\system32\kob
2016-01-23 22:35 - 2016-01-24 09:45 - 00004420 _____ C:\WINDOWS\System32\Tasks\243901321850
2016-01-23 22:35 - 2016-01-24 09:45 - 00003758 _____ C:\WINDOWS\System32\Tasks\4636711463671146367114636711
2016-01-23 22:35 - 2016-01-24 09:37 - 00003840 _____ C:\WINDOWS\System32\Tasks\235112602
2016-01-23 22:35 - 2016-01-24 09:37 - 00003682 _____ C:\WINDOWS\System32\Tasks\135112602
2016-01-23 22:35 - 2016-01-24 09:31 - 00003944 _____ C:\WINDOWS\System32\Tasks\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1
2016-01-23 22:35 - 2016-01-24 08:59 - 00003842 _____ C:\WINDOWS\System32\Tasks\14513701
2016-01-23 22:35 - 2016-01-24 03:47 - 00000000 ____D C:\Program Files\aotech
2016-01-23 22:35 - 2016-01-24 03:47 - 00000000 ____D C:\Program Files (x86)\room
2016-01-23 22:35 - 2016-01-24 03:47 - 00000000 ____D C:\Program Files (x86)\intend
2016-01-23 22:35 - 2016-01-23 22:35 - 00041472 _____ C:\Users\Ray\AppData\Local\Singleholding.dat
2016-01-23 22:35 - 2016-01-23 22:35 - 00000187 _____ C:\Users\Ray\AppData\Local\Singleholding.exe.config
2016-01-23 22:35 - 2016-01-23 22:35 - 00000055 _____ C:\WINDOWS\key.ini
2016-01-23 22:35 - 2016-01-23 22:35 - 00000001 _____ C:\Users\Ray\AppData\Local\dotinstall.txt
2016-01-23 22:35 - 2016-01-23 22:35 - 00000000 ____D C:\Program Files (x86)\short
2016-01-23 22:35 - 2016-01-23 22:35 - 00000000 ____D C:\Program Files (x86)\NewInternet
2016-01-23 22:34 - 2016-01-24 18:34 - 00000000 ____D C:\a
2016-01-23 22:34 - 2016-01-24 03:47 - 00000000 ____D C:\Program Files (x86)\cellar
2016-01-23 22:34 - 2016-01-23 22:35 - 00000000 ____D C:\Program Files (x86)\Setup Support for Consumer Input DH
2016-01-23 22:34 - 2016-01-23 22:34 - 00000097 _____ C:\Users\Ray\AppData\Local\dottmpfile.txt
2016-01-23 22:34 - 2016-01-23 22:34 - 00000000 ____D C:\ProgramData\e6019400-4995-1
2016-01-23 22:34 - 2016-01-23 22:34 - 00000000 ____D C:\ProgramData\e6019400-1f53-0
2016-01-23 22:34 - 2016-01-23 22:34 - 00000000 ____D C:\ProgramData\b7f9b120-5f15-0
2016-01-23 22:34 - 2016-01-23 22:34 - 00000000 ____D C:\ProgramData\b7f9b120-11f1-1
2016-01-23 22:34 - 2016-01-23 22:34 - 00000000 ____D C:\Program Files (x86)\DataHelper
2016-01-23 22:33 - 2016-01-24 10:43 - 00187904 _____ C:\WINDOWS\rsrcs.dll
2016-01-23 22:30 - 2016-01-24 10:41 - 00000000 ____D C:\Users\Ray\AppData\Local\Tempfolder
2016-01-23 22:30 - 2016-01-23 22:30 - 00000000 ____D C:\uninst
2016-01-23 22:29 - 2016-01-23 22:28 - 00000967 _____ C:\WINDOWS\system32\Drivers\etc\hp.bak
2016-01-23 22:27 - 2016-01-23 22:27 - 00000000 ____D C:\Users\Ray\AppData\Local\52510768
2016-01-23 22:27 - 2016-01-23 22:27 - 00000000 ____D C:\Users\Ray\AppData\Local\30259343
2016-01-23 22:19 - 2016-01-23 22:19 - 00042741 _____ C:\WINDOWS\direful.exe
2016-01-23 22:19 - 2016-01-23 22:19 - 00037888 _____ (windows 99) C:\WINDOWS\snakes.exe
2016-01-23 22:19 - 2016-01-23 22:19 - 00000019 _____ C:\WINDOWS\SysWOW64\7620864.bat
2016-01-15 19:12 - 2016-01-15 19:12 - 00197779 _____ C:\Users\Ray\Documents\shop cabinets.skp
2016-01-15 17:07 - 2016-01-15 17:07 - 00000000 ____D C:\Users\Ray\AppData\Roaming\SketchUp
2016-01-12 23:00 - 2016-01-04 20:51 - 07477600 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-01-12 23:00 - 2016-01-04 20:51 - 01317640 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2016-01-12 23:00 - 2016-01-04 20:51 - 01141496 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2016-01-12 23:00 - 2016-01-04 20:50 - 01173344 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-01-12 23:00 - 2016-01-04 20:50 - 00713568 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-01-12 23:00 - 2016-01-04 20:50 - 00671472 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2016-01-12 23:00 - 2016-01-04 20:49 - 00513888 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-01-12 23:00 - 2016-01-04 20:48 - 00499432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2016-01-12 23:00 - 2016-01-04 20:45 - 02587696 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml6.dll
2016-01-12 23:00 - 2016-01-04 20:42 - 02026736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml6.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 02544256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 01299504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetsrc.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00858952 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00848160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsvr.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00785088 _____ (Microsoft Corporation) C:\WINDOWS\system32\evr.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00245840 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfps.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00234504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mftranscode.dll
2016-01-12 23:00 - 2016-01-04 20:36 - 00808800 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2016-01-12 23:00 - 2016-01-04 20:33 - 02180128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 01118208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetsrc.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00709688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsvr.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00701384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00652312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\evr.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00208176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mftranscode.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00116728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfps.dll
2016-01-12 23:00 - 2016-01-04 20:31 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2016-01-12 23:00 - 2016-01-04 20:27 - 01594408 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-01-12 23:00 - 2016-01-04 20:24 - 00796352 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-01-12 23:00 - 2016-01-04 20:23 - 01804664 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMALFXGFXDSP.dll
2016-01-12 23:00 - 2016-01-04 20:23 - 01309376 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-01-12 23:00 - 2016-01-04 20:23 - 00786696 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMADMOD.DLL
2016-01-12 23:00 - 2016-01-04 20:23 - 00119320 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP3DMOD.DLL
2016-01-12 23:00 - 2016-01-04 20:21 - 01371792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-01-12 23:00 - 2016-01-04 20:17 - 00695752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMADMOD.DLL
2016-01-12 23:00 - 2016-01-04 20:16 - 00100160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP3DMOD.DLL
2016-01-12 23:00 - 2016-01-04 19:59 - 22393856 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-01-12 23:00 - 2016-01-04 19:57 - 16986112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2016-01-12 23:00 - 2016-01-04 19:57 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\system32\RMSRoamingSecurity.dll
2016-01-12 23:00 - 2016-01-04 19:57 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgrcli.dll
2016-01-12 23:00 - 2016-01-04 19:56 - 00145920 _____ (Microsoft Corporation) C:\WINDOWS\system32\omadmclient.exe
2016-01-12 23:00 - 2016-01-04 19:54 - 00162816 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
2016-01-12 23:00 - 2016-01-04 19:53 - 00148992 _____ (Microsoft Corporation) C:\WINDOWS\system32\wshom.ocx
2016-01-12 23:00 - 2016-01-04 19:52 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-01-12 23:00 - 2016-01-04 19:51 - 00472576 _____ (Microsoft Corporation) C:\WINDOWS\system32\DscCore.dll
2016-01-12 23:00 - 2016-01-04 19:51 - 00248832 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserMgrProxy.dll
2016-01-12 23:00 - 2016-01-04 19:50 - 00644096 _____ (Microsoft Corporation) C:\WINDOWS\system32\uReFS.dll
2016-01-12 23:00 - 2016-01-04 19:50 - 00638464 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2016-01-12 23:00 - 2016-01-04 19:50 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 13018624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 01582080 _____ (Microsoft Corporation) C:\WINDOWS\system32\aitstatic.exe
2016-01-12 23:00 - 2016-01-04 19:49 - 01255936 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOE.DLL
2016-01-12 23:00 - 2016-01-04 19:49 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 00749056 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhoneService.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 00167936 _____ (Microsoft Corporation) C:\WINDOWS\system32\ProximityCommon.dll
2016-01-12 23:00 - 2016-01-04 19:48 - 01009152 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOD.DLL
2016-01-12 23:00 - 2016-01-04 19:48 - 00387072 _____ (Microsoft Corporation) C:\WINDOWS\system32\qdvd.dll
2016-01-12 23:00 - 2016-01-04 19:48 - 00034816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\usermgrcli.dll
2016-01-12 23:00 - 2016-01-04 19:47 - 00628736 _____ (Microsoft Corporation) C:\WINDOWS\system32\MessagingDataModel2.dll
2016-01-12 23:00 - 2016-01-04 19:47 - 00479232 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2016-01-12 23:00 - 2016-01-04 19:47 - 00305664 _____ (Microsoft Corporation) C:\WINDOWS\system32\ksproxy.ax
2016-01-12 23:00 - 2016-01-04 19:45 - 00678912 _____ (Microsoft Corporation) C:\WINDOWS\system32\qedit.dll
2016-01-12 23:00 - 2016-01-04 19:45 - 00275968 _____ (Microsoft Corporation) C:\WINDOWS\system32\facecredentialprovider.dll
2016-01-12 23:00 - 2016-01-04 19:44 - 00125440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wshom.ocx
2016-01-12 23:00 - 2016-01-04 19:43 - 00912384 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgr.dll
2016-01-12 23:00 - 2016-01-04 19:43 - 00604672 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-01-12 23:00 - 2016-01-04 19:43 - 00584704 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2016-01-12 23:00 - 2016-01-04 19:42 - 00166912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserMgrProxy.dll
2016-01-12 23:00 - 2016-01-04 19:41 - 18677760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-01-12 23:00 - 2016-01-04 19:41 - 01070080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOE.DLL
2016-01-12 23:00 - 2016-01-04 19:41 - 00558592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\uReFS.dll
2016-01-12 23:00 - 2016-01-04 19:40 - 00890880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOD.DLL
2016-01-12 23:00 - 2016-01-04 19:40 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ProximityCommon.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 03428864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 00569856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qdvd.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 00498176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MessagingDataModel2.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 00235008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ksproxy.ax
2016-01-12 23:00 - 2016-01-04 19:38 - 00389120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2016-01-12 23:00 - 2016-01-04 19:36 - 00573440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qedit.dll
2016-01-12 23:00 - 2016-01-04 19:36 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-01-12 23:00 - 2016-01-04 19:33 - 01674240 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
2016-01-12 23:00 - 2016-01-04 19:30 - 02796032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.dll
2016-01-12 23:00 - 2016-01-04 19:30 - 02280448 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-01-12 23:00 - 2016-01-04 19:29 - 03667456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-01-12 23:00 - 2016-01-04 19:28 - 07826432 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-01-12 23:00 - 2016-01-04 19:28 - 04894720 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-01-12 23:00 - 2016-01-04 19:28 - 01542656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\quartz.dll
2016-01-12 23:00 - 2016-01-04 19:25 - 05660160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-01-11 20:58 - 2016-01-24 16:18 - 00000000 ____D C:\Users\Ray\AppData\Local\CrashDumps
2016-01-10 19:03 - 2016-01-11 22:40 - 00112032 _____ C:\WINDOWS\system32\NvRtmpStreamer64.dll
2016-01-06 17:33 - 2016-01-09 08:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-30 19:25 - 2016-01-21 19:49 - 00000000 ____D C:\Users\Ray\AppData\Local\Deployment
2015-12-25 16:12 - 2015-12-25 16:12 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
2015-12-25 16:11 - 2015-12-25 16:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-12-25 16:11 - 2015-12-25 16:11 - 00000000 ____D C:\Program Files\iTunes
2015-12-25 16:11 - 2015-12-25 16:11 - 00000000 ____D C:\Program Files\iPod
2015-12-25 16:11 - 2015-12-25 16:11 - 00000000 ____D C:\Program Files (x86)\iTunes
2015-12-25 16:08 - 2015-12-25 16:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
2015-12-25 08:08 - 2015-12-28 13:12 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Origin
2015-12-25 08:04 - 2016-01-23 22:44 - 00000000 ____D C:\ProgramData\Origin
2015-12-25 08:04 - 2016-01-23 22:44 - 00000000 ____D C:\Program Files (x86)\Origin

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-24 19:04 - 2015-10-30 00:28 - 00000000 ____D C:\Windows
2016-01-24 18:11 - 2015-10-30 01:21 - 00000000 ____D C:\WINDOWS\INF
2016-01-24 18:11 - 2015-09-26 09:23 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-01-24 18:04 - 2015-12-20 03:36 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-01-24 18:04 - 2015-12-20 03:15 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-24 16:57 - 2015-02-24 18:47 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-01-24 16:57 - 2015-02-11 19:03 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Adobe
2016-01-24 16:56 - 2014-09-16 14:33 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-01-24 16:42 - 2015-10-30 00:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-01-24 15:28 - 2015-11-29 19:05 - 00000000 ____D C:\Users\Ray\Desktop\New folder
2016-01-24 14:54 - 2015-02-14 10:59 - 00000000 ____D C:\Users\Ray\AppData\Local\Adobe
2016-01-24 14:49 - 2014-09-16 14:33 - 00000000 ____D C:\ProgramData\Adobe
2016-01-24 13:32 - 2015-02-11 19:03 - 00000000 ____D C:\Users\Ray\AppData\Local\NVIDIA
2016-01-24 12:34 - 2015-02-14 11:36 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-01-24 12:34 - 2015-02-14 11:35 - 00000000 ____D C:\sh4ldr
2016-01-24 12:33 - 2015-02-14 11:34 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-01-24 11:37 - 2015-09-09 23:42 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-01-24 11:26 - 2013-08-22 07:25 - 00000194 _____ C:\WINDOWS\win.ini
2016-01-24 11:20 - 2015-02-14 11:36 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Enigma Software Group
2016-01-24 10:32 - 2015-03-04 18:07 - 00000000 ____D C:\Program Files\ShrewSoft
2016-01-24 10:29 - 2015-12-20 05:07 - 00000000 ___DC C:\WINDOWS\Panther
2016-01-24 09:03 - 2015-10-30 01:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-01-24 09:03 - 2015-10-30 01:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-01-24 09:03 - 2015-02-11 19:02 - 00000000 ____D C:\Users\Ray\AppData\Local\Packages
2016-01-24 09:00 - 2015-10-30 01:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-01-23 22:34 - 2015-02-11 19:04 - 00000000 ___RD C:\Users\Ray\OneDrive
2016-01-22 15:24 - 2015-01-27 13:58 - 00000000 ____D C:\ProgramData\Oracle
2016-01-22 15:20 - 2015-09-26 10:22 - 00000000 ____D C:\Users\Ray\.oracle_jre_usage
2016-01-22 15:20 - 2014-09-16 14:33 - 00097888 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-01-22 15:20 - 2014-09-16 14:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-01-22 15:20 - 2014-09-16 14:33 - 00000000 ____D C:\Program Files (x86)\Java
2016-01-22 13:51 - 2015-02-11 19:36 - 00000000 ____D C:\Users\Ray\AppData\Local\Battle.net
2016-01-22 09:48 - 2015-02-11 19:56 - 00000000 ____D C:\Program Files (x86)\World of Warcraft
2016-01-21 19:50 - 2015-02-11 19:30 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-01-14 19:21 - 2015-11-18 19:35 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-01-14 03:02 - 2014-09-16 14:32 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-01-14 03:02 - 2014-09-16 14:32 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-01-14 03:00 - 2015-10-30 01:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-01-13 17:07 - 2014-09-16 14:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-13 17:06 - 2015-10-30 01:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-01-13 17:05 - 2014-09-16 12:50 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-01-13 17:03 - 2014-09-16 12:50 - 143671360 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-01-11 22:41 - 2014-09-15 17:17 - 01542600 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspcap.dll
2016-01-11 22:41 - 2014-09-15 17:17 - 01316184 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspbridge.dll
2016-01-11 22:40 - 2014-09-15 17:17 - 01756608 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspbridge64.dll
2016-01-10 19:04 - 2015-12-20 03:14 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-01-09 08:46 - 2015-12-20 03:19 - 00000000 ____D C:\Users\Ray
2016-01-09 08:42 - 2014-09-16 14:32 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-01-02 19:40 - 2015-10-30 01:26 - 00826872 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-01-02 19:40 - 2015-10-30 01:26 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-25 16:11 - 2015-02-14 21:39 - 00000000 ____D C:\Program Files\Common Files\Apple

==================== Files in the root of some directories =======

2016-01-23 22:35 - 2016-01-23 22:35 - 0000001 _____ () C:\Users\Ray\AppData\Local\dotinstall.txt
2016-01-23 22:34 - 2016-01-23 22:34 - 0000097 _____ () C:\Users\Ray\AppData\Local\dottmpfile.txt
2016-01-23 22:35 - 2016-01-23 22:35 - 0041472 _____ () C:\Users\Ray\AppData\Local\Singleholding.dat
2016-01-23 22:35 - 2016-01-23 22:35 - 0000187 _____ () C:\Users\Ray\AppData\Local\Singleholding.exe.config
2015-03-04 18:07 - 2015-03-04 18:07 - 0000036 ___SH () C:\ProgramData\Shrew Soft VPN.dat

Files to move or delete:
====================
C:\ProgramData\Shrew Soft VPN.dat


Some files in TEMP:
====================
C:\Users\Ray\AppData\Local\Temp\1M8F5324D.exe
C:\Users\Ray\AppData\Local\Temp\5TLS268P1.exe
C:\Users\Ray\AppData\Local\Temp\amisetup0199__1111.exe
C:\Users\Ray\AppData\Local\Temp\amisetup7935__1111.exe
C:\Users\Ray\AppData\Local\Temp\amisetup9800__1111.exe
C:\Users\Ray\AppData\Local\Temp\BJAR5FQMS.exe
C:\Users\Ray\AppData\Local\Temp\CD6T6LBQ9.exe
C:\Users\Ray\AppData\Local\Temp\compete.exe
C:\Users\Ray\AppData\Local\Temp\hib45D.exe
C:\Users\Ray\AppData\Local\Temp\io1.exe
C:\Users\Ray\AppData\Local\Temp\JEPB1RITW.exe
C:\Users\Ray\AppData\Local\Temp\LXLK4SL20.exe
C:\Users\Ray\AppData\Local\Temp\nsh3D0E.exe
C:\Users\Ray\AppData\Local\Temp\oksoft12.exe
C:\Users\Ray\AppData\Local\Temp\oprun19415.exe
C:\Users\Ray\AppData\Local\Temp\oprun7295.exe
C:\Users\Ray\AppData\Local\Temp\rkinstaller.exe
C:\Users\Ray\AppData\Local\Temp\RRJ15I888.exe
C:\Users\Ray\AppData\Local\Temp\sunnyday.exe
C:\Users\Ray\AppData\Local\Temp\TU39PW5Y5.exe
C:\Users\Ray\AppData\Local\Temp\widgett.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-01-24 12:57

==================== End of FRST.txt ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:24-01-2016
Ran by Ray (2016-01-24 19:07:50)
Running from C:\Users\Ray\Downloads
Windows 10 Home (X64) (2015-12-20 09:43:42)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3287149903-3504461084-1627932807-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3287149903-3504461084-1627932807-503 - Limited - Disabled)
Guest (S-1-5-21-3287149903-3504461084-1627932807-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3287149903-3504461084-1627932807-1004 - Limited - Enabled)
Ray (S-1-5-21-3287149903-3504461084-1627932807-1002 - Administrator - Enabled) => C:\Users\Ray

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip (HKLM-x32\...\7-Zip 9.2.0) (Version: 9.2.0 - 7-Zip)
7-Zip (Version: 9.2.0 - 7-Zip) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20056 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{E6C04CA1-C08C-D0C4-092C-94E2E59BB8E7}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{7FA9ECCF-A2DE-4DA1-BFF3-81260DBDA68F}) (Version: 4.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Asmedia ASM106x SATA Host Controller Driver (HKLM-x32\...\{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}) (Version: 1.3.4.000 - Asmedia Technology)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Consumer Input Update Helper (x32 Version: 1.3.25.309 - Compete Inc.) Hidden <==== ATTENTION
Curse Client (HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\101a9f93b8f0bb6f) (Version: 5.1.1.844 - Curse)
Cybertron Support (HKLM-x32\...\{37DC4BBF-7374-4990-A794-20932267D4AC}) (Version: 1.0.0 - CybertronPC)
DNE Update (HKLM\...\{D67FE0FD-1099-49AE-8611-99C13CC556E3}) (Version: 4.18.9.18809 - Deterministic Networks, Inc.)
iCloud (HKLM\...\{4B48E22A-2FB0-4EFA-B99E-954B1E50CD69}) (Version: 5.1.0.34 - Apple Inc.)
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Java 8 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218071F0}) (Version: 8.0.710.15 - Oracle Corporation)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 43.0.4 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.92 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.9.1.22 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.9.1.22 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.92 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
QuickTime 7 (HKLM-x32\...\{80CEEB1E-0A6C-45B9-A312-37A1D25FDEBC}) (Version: 7.78.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6782 - Realtek Semiconductor Corp.)
RegHunter (HKLM-x32\...\RegHunter) (Version: 1.3.3.1613 - Enigma Software Group, LLC)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.12.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 3.0.12.0 - Renesas Electronics Corporation) Hidden
SHIELD Streaming (Version: 4.1.0260 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.9.1.22 - NVIDIA Corporation) Hidden
SketchUp 2015 (HKLM\...\{350488A4-1540-4103-8F01-B27503891EB0}) (Version: 15.3.331 - Trimble Navigation Limited)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
SpyHunter 4 (HKLM-x32\...\SpyHunter) (Version: 4.21.18.4608 - Enigma Software Group, LLC)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3287149903-3504461084-1627932807-1002_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Ray\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\FileCoAuth.exe (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0C8FFDC0-E0AA-4622-9866-CDDAA73C450A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {0CFE2E40-6A97-48C5-9F38-DE82315CF1B0} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {0EC12751-3319-4755-8318-5215BB9B54B8} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {0F90C776-BE5B-45A5-8EB6-F071A466883D} - \{09050547-090C-0F78-0511-0F0A0E791105} -> No File <==== ATTENTION
Task: {29D70605-71AD-4A43-9E04-E7B618B4EEA1} - System32\Tasks\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1 => C:\Program Files (x86)\cellar\incredible.exe
Task: {37D36C2A-CBCC-47EF-9D12-C15D94CDE074} - System32\Tasks\135112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {3CEC4616-B183-4477-A186-47D2B02B5E03} - \CIMT_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {3E255002-6CFD-430E-A613-1601EFFC4AF2} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe [2016-01-24] (Enigma Software Group USA, LLC.)
Task: {3FA6F645-6BB8-42DE-9B79-11263D88032A} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-01-13] (Microsoft Corporation)
Task: {446CA7F4-BA00-42D0-B6C7-9FBBF2B85731} - \Sowbu -> No File <==== ATTENTION
Task: {4D8CBC6F-D450-4AD3-AC3B-D9BFF290CC38} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-500 -> No File <==== ATTENTION
Task: {4FA15568-BED9-41B8-AE5A-17761DB3720D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {569155CB-6719-4605-B8D7-F8DA468E5F4B} - System32\Tasks\243901321850 => C:\Program Files (x86)\cellar\incredible.exe <==== ATTENTION
Task: {5F964D97-465D-4CD3-99B1-6C0BD5EB1FA5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6C6FA61C-2D78-4711-880B-C4F59F08CFE4} - System32\Tasks\14513701 => C:\Program Files (x86)\intend\excited.exe <==== ATTENTION
Task: {75340425-1FAA-4DA2-9157-5E8FA880F88F} - \CIMT_daily_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {76C83650-5979-482F-A86D-B5C7C3F96C4B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8472D036-E547-4A97-B35F-3F1489674759} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {84B01E00-C5FB-40DE-9A75-6FF66BC1EF1A} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {8AB89D98-D6CF-4776-B4E5-AE4AD645F585} - System32\Tasks\4636711463671146367114636711 => C:\Program Files (x86)\cellar\incredible.exe <==== ATTENTION
Task: {944F57F3-3F78-4287-A19C-90383EEA5A4D} - System32\Tasks\235112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {9770C44A-0849-4F6C-8E13-CF139C792A51} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2015-08-26] (Apple Inc.)
Task: {98DD428B-87EB-416D-860D-D29CFD96D1FD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {9DA63BBE-B609-4C6A-AEEF-EEB32D93A9EA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {A5011940-CBE7-47FD-9EC7-C07E0C2501F2} - \ConsumerInputUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {A6171B40-23DE-4806-A0BC-0A6C89D85459} - \ArcadeParlor -> No File <==== ATTENTION
Task: {A8AFE250-B91B-4F37-8D8F-D28EA561ADB2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A9301AF0-CB67-4056-A782-513E82CA0F87} - \Wohxi -> No File <==== ATTENTION
Task: {D071863A-AE02-4136-947F-669EBAC77C63} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {DDD6CB80-266D-4D49-99A6-022202E89E1A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {DED9139D-CAAC-4860-990B-70ECFC6BD193} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {EFC4ACFA-C9FC-49DD-87FB-CE829E882E6A} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {F16AFBB6-C6F0-424A-BE08-8AEDFBDD37D7} - \WindApp Update -> No File <==== ATTENTION
Task: {F88F02D4-1FBA-4A4B-81F7-BE3DBA9ECD99} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {FFB5B06E-65BB-45FA-9EFA-5A746A124924} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\Ray\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "microsoft-edge:hxxp://www%2dmysearch.com/?prd=set_epc&s=G1Oztuttn1,06085b26-0a67-4e5a-a7af-ad21d02f32c3,"

==================== Loaded Modules (Whitelisted) ==============

2015-10-30 01:18 - 2015-10-30 01:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2012-08-06 13:09 - 2012-08-06 13:09 - 00212480 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.PerformanceTuning.dll
2012-03-05 17:03 - 2012-03-05 17:03 - 00677376 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll
2012-02-16 15:53 - 2012-02-16 15:53 - 03642880 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Platform.dll
2016-01-10 19:03 - 2016-01-11 22:43 - 00291264 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamBase.dll
2015-01-20 22:35 - 2015-01-20 22:35 - 00085832 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-10-13 04:45 - 2015-10-13 04:45 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-12-20 05:04 - 2015-12-20 05:04 - 02653816 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2015-12-20 05:04 - 2015-12-20 05:04 - 02653816 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2015-12-20 09:24 - 2015-12-06 22:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2015-12-20 09:24 - 2015-12-06 22:00 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-01-12 23:00 - 2016-01-04 19:29 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-01-12 23:00 - 2016-01-04 19:23 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-01-12 23:00 - 2016-01-04 19:24 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-01-12 23:00 - 2016-01-04 19:26 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\noralinc.com -> hxxps://noralinc.com

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 07:25 - 2016-01-24 16:48 - 00001110 ____N C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Ray\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\internet explorer wallpaper.bmp
DNS Servers: 172.16.12.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: GrpConv => grpconv -o
HKLM\...\StartupApproved\Run: => "ShadowPlay"
HKLM\...\StartupApproved\Run: => "NvBackend"
HKLM\...\StartupApproved\Run: => "RTHDVCPL"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\StartupFolder: => "CurseClientStartup.ccip"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\Run: => "iCloudServices"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\Run: => "iCloudDrive"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\Run: => "ApplePhotoStreams"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{ABBCAC9D-1CA6-4B75-9721-38C71B60D347}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3968DA48-7CD2-475F-B18E-0620651C6B36}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{88943B17-4250-42EB-B09A-3752D2486385}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{05D56D8B-484C-4CE1-9481-BB1AEB2032DC}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{029645DB-8731-4FFE-AF17-8FEF9DB20C92}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{DB333647-07E5-4237-A55A-3A0CC0BF3D13}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{7526C8B2-8314-4A07-A510-00C5D52B998C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{240CF4AA-F76C-4F1E-94C3-25356064FFA3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{5D7AB7CC-7038-4113-A075-C365A12B5636}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{111E3F07-3051-4321-A14A-8AFEBE7A187D}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{74F36B0C-D087-4740-A5C0-15A846A4A7DD}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{EF4D9DA5-20BB-49DF-9818-B98DA5BA5A43}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{D812CDAF-9232-45A9-9B60-E64B4AE66111}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
FirewallRules: [{F46D503A-2A17-4B27-A1DB-BBC81EEB5C5A}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{7BA9EEA0-7AD8-4758-B723-C0714ECA718F}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{FF3CD1AF-8ADB-45E3-B5C7-C0CA1688B57B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{BB66EC35-1BA4-4D7C-8815-1698D39EDD92}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{89131F7D-FAD8-4BCD-B962-107BF28D1B9C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{8A51FBBA-8FC2-4118-BC54-5CA219A4F016}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{3F14881B-4AA0-41DA-8689-1F1EA11FB99F}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{7E0C865A-64A1-4BF5-B29D-191235C44644}] => (Allow) C:\Program Files (x86)\cellar\getcap.exe
FirewallRules: [{6F2543AA-F10F-41E2-BD38-34114C496B80}] => (Allow) C:\Program Files (x86)\cellar\getcap.exe
FirewallRules: [{32BF9786-FE1B-493E-83C9-242E9E4E34DA}] => (Allow) C:\a\winonit.exe
FirewallRules: [{7D2EA9CC-6249-48C4-8EB5-38EECAB0D61A}] => (Allow) C:\a\winonit.exe
FirewallRules: [{2AEB12A0-C0DA-4AF5-9BF0-C5EBD0D6CDED}] => (Allow) C:\a\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1.exe
FirewallRules: [{2F20AD3B-4526-4992-A35A-9C0E79602746}] => (Allow) C:\a\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1.exe

==================== Restore Points =========================

06-01-2016 17:07:06 Windows Update
13-01-2016 17:02:39 Windows Update
22-01-2016 09:14:28 Scheduled Checkpoint
24-01-2016 09:52:32 Removed RegHunter
24-01-2016 17:47:31 JRT Pre-Junkware Removal
24-01-2016 18:33:40 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/24/2016 06:33:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/24/2016 06:32:56 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program HitmanPro_x64.exe version 3.7.12.253 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 1440

Start Time: 01d1570618378b25

Termination Time: 4294967295

Application Path: C:\Users\Ray\Downloads\HitmanPro_x64.exe

Report Id: 292d04b7-c2fb-11e5-82c9-d8cb8a33116e

Faulting package full name:

Faulting package-relative application ID:

Error: (01/24/2016 06:01:00 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 06:00:47 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 05:47:41 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/24/2016 04:18:37 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 04:18:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SystemSettings.exe, version: 10.0.10586.11, time stamp: 0x56457cb1
Faulting module name: DataSenseHandlers.dll, version: 10.0.10586.0, time stamp: 0x5632d62f
Exception code: 0xc0000005
Fault offset: 0x00000000000199c6
Faulting process id: 0x644
Faulting application start time: 0xSystemSettings.exe0
Faulting application path: SystemSettings.exe1
Faulting module path: SystemSettings.exe2
Report Id: SystemSettings.exe3
Faulting package full name: SystemSettings.exe4
Faulting package-relative application ID: SystemSettings.exe5

Error: (01/24/2016 04:17:53 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 04:14:45 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe:MicrosoftEdge.AppXeb42j1vh6rk395pm0vmcx57dxqjhej5d.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 04:11:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x501fec0e
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x8e8
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3
Faulting package full name: Fuel.Service.exe4
Faulting package-relative application ID: Fuel.Service.exe5


System errors:
=============
Error: (01/24/2016 06:34:12 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/24/2016 06:07:55 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (01/24/2016 06:04:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Tuhtujl service failed to start due to the following error:
%%2

Error: (01/24/2016 06:04:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The appreciate service failed to start due to the following error:
%%2

Error: (01/24/2016 06:04:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The servant service failed to start due to the following error:
%%2

Error: (01/24/2016 06:04:24 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 6:03:01 PM on ‎1/‎24/‎2016 was unexpected.

Error: (01/24/2016 05:48:01 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/24/2016 04:47:10 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (01/24/2016 04:44:02 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Tuhtujl service failed to start due to the following error:
%%2

Error: (01/24/2016 04:44:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The servant service failed to start due to the following error:
%%2


CodeIntegrity:
===================================
  Date: 2016-01-24 18:04:14.775
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 16:43:55.967
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 16:12:37.210
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 15:47:43.249
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 15:43:33.964
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:41:03.837
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:41:03.809
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:41:03.779
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:41:03.725
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:40:58.763
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.


==================== Memory info ===========================

Processor: AMD FX™-4130 Quad-Core Processor
Percentage of memory in use: 12%
Total physical RAM: 16382.18 MB
Available physical RAM: 14302.61 MB
Total Virtual: 18814.18 MB
Available Virtual: 16619.64 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:930.73 GB) (Free:840.9 GB) NTFS
Drive e: (WD Unlocker) (CDROM) (Total:0.01 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 7B1B1765)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=930.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=449 MB) - (Type=27)
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 1.

==================== End of Addition.txt ============================




#2 Tinman39

Tinman39
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 24 January 2016 - 09:38 PM

I have found a removal guide for the Ads by Capricornus and will download RKill per instructions there.

 

Rkill Log:

 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/24/2016 08:40:51 PM in x64 mode.
Windows Version: Windows 10 Home

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * fcvsc [Missing Service]
 * HdAudAddService [Missing Service]
 * HyperVideo [Missing Service]
 * netvsc [Missing Service]
 * wfpcapture [Missing Service]

 * CompositeBus => \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_912dfdedc3d2f520\CompositeBus.sys [Incorrect ImagePath]
 * NgcSvc => %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted [Incorrect ImagePath]
 * swenum => \SystemRoot\System32\drivers\swenum.sys [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       down.baidu2016.com
  127.0.0.1       123.sogou.com
  127.0.0.1       www.czzsyzgm.com
  127.0.0.1       www.czzsyzxl.com
  127.0.0.1       down.baidu2016.com
  127.0.0.1       123.sogou.com
  127.0.0.1       www.czzsyzgm.com
  127.0.0.1       www.czzsyzxl.com

Program finished at: 01/24/2016 08:41:27 PM
Execution time: 0 hours(s), 0 minute(s), and 35 seconds(s)
 


Edited by Tinman39, 24 January 2016 - 09:42 PM.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,445 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:12 PM

Posted 25 January 2016 - 10:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

These may be false positives. Please make sure you have the updated version.

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

===

Remove via the Control Panel > Programs and Features applet.
Consumer Input Update Helper (x32 Version: 1.3.25.309 - Compete Inc.) Hidden <==== ATTENTION
===



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - <no Path/update_url>
S2 appreciate; C:\WINDOWS\fearless.exe [X]
S2 servant; C:\WINDOWS\courageous.exe [X]
S2 Tuhtujl; "C:\Users\Ray\AppData\Roaming\KagjBudla\Firva.exe" -cms [X]
S3 vpnva; \SystemRoot\System32\drivers\vpnva64.sys [X]
Task: {0C8FFDC0-E0AA-4622-9866-CDDAA73C450A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {0EC12751-3319-4755-8318-5215BB9B54B8} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {0F90C776-BE5B-45A5-8EB6-F071A466883D} - \{09050547-090C-0F78-0511-0F0A0E791105} -> No File <==== ATTENTION
Task: {29D70605-71AD-4A43-9E04-E7B618B4EEA1} - System32\Tasks\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1 => C:\Program Files (x86)\cellar\incredible.exe
Task: {37D36C2A-CBCC-47EF-9D12-C15D94CDE074} - System32\Tasks\135112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {3CEC4616-B183-4477-A186-47D2B02B5E03} - \CIMT_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {446CA7F4-BA00-42D0-B6C7-9FBBF2B85731} - \Sowbu -> No File <==== ATTENTION
Task: {4D8CBC6F-D450-4AD3-AC3B-D9BFF290CC38} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-500 -> No File <==== ATTENTION
Task: {4FA15568-BED9-41B8-AE5A-17761DB3720D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {569155CB-6719-4605-B8D7-F8DA468E5F4B} - System32\Tasks\243901321850 => C:\Program Files (x86)\cellar\incredible.exe <==== ATTENTION
Task: {5F964D97-465D-4CD3-99B1-6C0BD5EB1FA5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6C6FA61C-2D78-4711-880B-C4F59F08CFE4} - System32\Tasks\14513701 => C:\Program Files (x86)\intend\excited.exe <==== ATTENTION
Task: {75340425-1FAA-4DA2-9157-5E8FA880F88F} - \CIMT_daily_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {76C83650-5979-482F-A86D-B5C7C3F96C4B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8472D036-E547-4A97-B35F-3F1489674759} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {84B01E00-C5FB-40DE-9A75-6FF66BC1EF1A} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {8AB89D98-D6CF-4776-B4E5-AE4AD645F585} - System32\Tasks\4636711463671146367114636711 => C:\Program Files (x86)\cellar\incredible.exe <==== ATTENTION
Task: {944F57F3-3F78-4287-A19C-90383EEA5A4D} - System32\Tasks\235112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {98DD428B-87EB-416D-860D-D29CFD96D1FD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {9DA63BBE-B609-4C6A-AEEF-EEB32D93A9EA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {A5011940-CBE7-47FD-9EC7-C07E0C2501F2} - \ConsumerInputUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {A6171B40-23DE-4806-A0BC-0A6C89D85459} - \ArcadeParlor -> No File <==== ATTENTION
Task: {A8AFE250-B91B-4F37-8D8F-D28EA561ADB2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A9301AF0-CB67-4056-A782-513E82CA0F87} - \Wohxi -> No File <==== ATTENTION
Task: {D071863A-AE02-4136-947F-669EBAC77C63} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {DDD6CB80-266D-4D49-99A6-022202E89E1A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {DED9139D-CAAC-4860-990B-70ECFC6BD193} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {EFC4ACFA-C9FC-49DD-87FB-CE829E882E6A} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {F16AFBB6-C6F0-424A-BE08-8AEDFBDD37D7} - \WindApp Update -> No File <==== ATTENTION
Task: {F88F02D4-1FBA-4A4B-81F7-BE3DBA9ECD99} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {FFB5B06E-65BB-45FA-9EFA-5A746A124924} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
FirewallRules: [{32BF9786-FE1B-493E-83C9-242E9E4E34DA}] => (Allow) C:\a\winonit.exe
FirewallRules: [{7D2EA9CC-6249-48C4-8EB5-38EECAB0D61A}] => (Allow) C:\a\winonit.exe
FirewallRules: [{2AEB12A0-C0DA-4AF5-9BF0-C5EBD0D6CDED}] => (Allow) C:\a\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1.exe
FirewallRules: [{2F20AD3B-4526-4992-A35A-9C0E79602746}] => (Allow) C:\a\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1.exe
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
C:\Users\Ray\AppData\Local\Temp\1M8F5324D.exe
C:\Users\Ray\AppData\Local\Temp\5TLS268P1.exe
C:\Users\Ray\AppData\Local\Temp\amisetup0199__1111.exe
C:\Users\Ray\AppData\Local\Temp\amisetup7935__1111.exe
C:\Users\Ray\AppData\Local\Temp\amisetup9800__1111.exe
C:\Users\Ray\AppData\Local\Temp\BJAR5FQMS.exe
C:\Users\Ray\AppData\Local\Temp\CD6T6LBQ9.exe
C:\Users\Ray\AppData\Local\Temp\compete.exe
C:\Users\Ray\AppData\Local\Temp\hib45D.exe
C:\Users\Ray\AppData\Local\Temp\io1.exe
C:\Users\Ray\AppData\Local\Temp\JEPB1RITW.exe
C:\Users\Ray\AppData\Local\Temp\LXLK4SL20.exe
C:\Users\Ray\AppData\Local\Temp\nsh3D0E.exe
C:\Users\Ray\AppData\Local\Temp\oksoft12.exe
C:\Users\Ray\AppData\Local\Temp\oprun19415.exe
C:\Users\Ray\AppData\Local\Temp\oprun7295.exe
C:\Users\Ray\AppData\Local\Temp\rkinstaller.exe
C:\Users\Ray\AppData\Local\Temp\RRJ15I888.exe
C:\Users\Ray\AppData\Local\Temp\sunnyday.exe
C:\Users\Ray\AppData\Local\Temp\TU39PW5Y5.exe
C:\Users\Ray\AppData\Local\Temp\widgett.exe
C:\Program Files (x86)\cellar
C:\Program Files (x86)\room
C:\Program Files (x86)\intend
C:\a

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset the browser(s) that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.


Clean the Internet Explorer Cache.
https://kb.wisc.edu/page.php?id=15141

For IE 10, 11 follow the following instructions.
http://refreshyourcache.com/en/internet-explorer-11/
===

How to clear cache and browsing history with Microsoft Edge
http://www.techulator.com/resources/14556-How-to-clear-cache-and-browsing-history-with-Microsoft-Edge.aspx

How to use Microsoft Edge, Windows 10
http://www.pcworld.com/article/2952392/browsers/how-to-use-microsoft-edge-windows-10s-new-browser.html
<<<>>>

Copy the text IN THE CODE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4\InstallProperties]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}]
Restart the computer when completed.

You can delete the fixme.reg file when done.

===

Restart the computer normally.

Let me know what problem persists.
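
A small triage script for the kinds of indicators that the Rkill log above and the fixlist in this post act on (an added example, not code from FRST, Rkill or the helper). The regexes are assumptions about the log formats shown in this thread; the sample lines are copied from those logs, plus one constructed benign corporate-proxy line (proxy.example.test) to show what is not flagged.

```python
"""Triage of FRST / Rkill log lines for the hijack indicators seen in this thread.
Added example; the patterns below are assumptions about the log formats shown above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    category: str   # kind of indicator that matched
    detail: str     # the extracted value a responder would act on
    line: str       # the original log line


# "ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877"
PROXY_RE = re.compile(r"^(?P<key>ProxyServer|AutoConfigURL):\s*\[(?P<hive>[^\]]+)\]\s*=>\s*(?P<value>\S.*)$")
# "S2 appreciate; C:\WINDOWS\fearless.exe [X]"   ([X] = FRST could not find the image file)
SERVICE_RE = re.compile(r"^[SR]\d\s+(?P<name>[^;]+);\s*(?P<image>.+?)\s*\[X\]$")
# "Task: {GUID} - \Name -> No File"  or  "Task: {GUID} - System32\Tasks\Name => C:\target.exe"
TASK_RE = re.compile(
    r"^Task:\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<name>.+?)\s*"
    r"(?:(?P<orphan>->\s*No File)|=>\s*(?P<target>.+?))\s*(?:<=+\s*ATTENTION)?$"
)
# Rkill's rendering of the policy value that switches Windows Defender off
DEFENDER_RE = re.compile(r'"DisableAntiSpyware"\s*=\s*dword:0*1$')
# HOSTS entries such as "127.0.0.1       down.baidu2016.com"
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>[A-Za-z0-9.-]+)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def proxy_hosts(value: str) -> list:
    """Split 'http=host:port;https=host:port' (or a bare 'host:port') into host names."""
    hosts = []
    for part in value.split(";"):
        scheme, sep, endpoint = part.partition("=")
        if not sep:                  # no "scheme=" prefix: the whole part is the endpoint
            endpoint = scheme
        endpoint = endpoint.strip()
        hosts.append(endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint)
    return hosts


def triage_line(raw: str) -> Optional[Finding]:
    """Classify one log line; returns None for lines that carry no indicator."""
    line = raw.strip()
    m = PROXY_RE.match(line)
    if m:
        # A machine-wide proxy on the loopback interface means a local process sits
        # between the browser and every site it visits (the ad injector in this thread).
        bad = [h for h in proxy_hosts(m["value"]) if h.lower() in LOOPBACK]
        return Finding("loopback_proxy", f"{m['key']} [{m['hive']}] -> {bad[0]}", line) if bad else None
    m = SERVICE_RE.match(line)
    if m:
        return Finding("missing_service_image", f"{m['name'].strip()} -> {m['image']}", line)
    m = TASK_RE.match(line)
    if m:
        task_name = m["name"].rsplit("\\", 1)[-1]
        if m["orphan"]:
            return Finding("orphan_task", task_name, line)
        if task_name.isdigit():      # all-digit task names like 135112602 in this log
            return Finding("numeric_task_name", f"{task_name} -> {m['target']}", line)
        return None
    if DEFENDER_RE.search(line):
        return Finding("defender_disabled_by_policy", "DisableAntiSpyware=1", line)
    m = HOSTS_RE.match(line)
    if m and m["ip"].startswith("127.") and m["host"].lower() != "localhost":
        return Finding("hosts_override", f"{m['host']} -> {m['ip']}", line)
    return None


def triage(lines: Iterable[str]) -> list:
    return [f for f in map(triage_line, lines) if f is not None]


def summarize(findings: Iterable[Finding]) -> dict:
    return dict(Counter(f.category for f in findings))


# Sample input: lines copied from the FRST and Rkill output in this thread, plus one
# constructed benign corporate proxy line (proxy.example.test) that must not be flagged.
SAMPLE_LINES = [
    r"ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877",
    r"AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877",
    r"ProxyServer: [HKLM-x32] => http=proxy.example.test:8080",
    r"S2 appreciate; C:\WINDOWS\fearless.exe [X]",
    r'S2 Tuhtujl; "C:\Users\Ray\AppData\Roaming\KagjBudla\Firva.exe" -cms [X]',
    r"R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-01-11] (NVIDIA Corporation)",
    r"Task: {0C8FFDC0-E0AA-4622-9866-CDDAA73C450A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION",
    r"Task: {37D36C2A-CBCC-47EF-9D12-C15D94CDE074} - System32\Tasks\135112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION",
    r'"DisableAntiSpyware" = dword:00000001',
    r"127.0.0.1       down.baidu2016.com",
    r"127.0.0.1       localhost",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.category:28} {f.detail}")
    print(summarize(triage(SAMPLE_LINES)))
```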

#4 Tinman39

Tinman39
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 25 January 2016 - 06:10 PM

Thank you Nasdaq, before I follow through with your repair, I did not add in my reply above that I also did a scan/fix with Malwarebytes per the guide (still having the same issues).  Should I continue on with your repair, or run another FRST/Addition.txt scan?  My apologies for not stating that.

 

Also of note, the program you wanted me to uninstall (Consumer Input Update Helper (x32 Version: 1.3.25.309 - Compete Inc.) Hidden <==== ATTENTION) is not found on my list of programs.


Edited by Tinman39, 25 January 2016 - 06:11 PM.


#5 Tinman39

Tinman39
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 26 January 2016 - 05:42 AM

Just in case, here is the latest FRST/Addition

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-01-2016
Ran by Ray (administrator) on RAYSGAMINGPC (25-01-2016 17:04:01)
Running from C:\Users\Ray\Desktop
Loaded Profiles: Ray (Available Profiles: Ray)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.WindowsStore_2015.25.22.0_x64__8wekyb3d8bbwe\WinStore.Mobile.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6846096 2012-11-19] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2787264 2016-01-11] (NVIDIA Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\MountPoints2: {471bd085-bf5d-11e4-828b-d8cb8a33116e} - "E:\WD Drive Unlock.exe" autoplay=true
Startup: C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip [2015-02-11] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.16.12.1
Tcpip\..\Interfaces\{6e0db4ae-c72b-4422-9ba7-e3ab8deac507}: [DhcpNameServer] 172.16.12.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE03&ocid=UE03DHP
SearchScopes: HKU\S-1-5-21-3287149903-3504461084-1627932807-1002 -> {59FC0D2C-8AEC-4994-805D-70DFC602FEF5} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\ssv.dll [2016-01-22] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\jp2ssv.dll [2016-01-22] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\nm8gb8bw.default-1453673996232
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\dtplugin\npDeployJava1.dll [2016-01-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\plugin2\npjp2.dll [2016-01-22] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-10-13] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-10-13] (NVIDIA Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\nm8gb8bw.default-1453673996232\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-01-24]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - <no Path/update_url>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-06] (Advanced Micro Devices, Inc.) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1163200 2016-01-11] (NVIDIA Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1879488 2016-01-11] (NVIDIA Corporation)
R3 NvStreamNetworkSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe [6308288 2016-01-11] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [4812736 2016-01-11] (NVIDIA Corporation)
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1042304 2016-01-24] (Enigma Software Group USA, LLC.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
S2 appreciate; C:\WINDOWS\fearless.exe [X]
S2 servant; C:\WINDOWS\courageous.exe [X]
S2 Tuhtujl; "C:\Users\Ray\AppData\Roaming\KagjBudla\Firva.exe" -cms [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Alpham1; C:\Windows\System32\drivers\Alpham164.sys [52992 2007-07-23] (Ideazon Corporation)
R3 Alpham2; C:\Windows\System32\drivers\Alpham264.sys [21760 2007-03-20] (Ideazon Corporation)
R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R1 DNE; C:\Windows\system32\DRIVERS\dnelwf64.sys [164664 2014-09-02] (Citrix Systems, Inc.)
R3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [15920 2016-01-24] (Enigma Software Group USA, LLC.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-01-24] ()
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [26560 2016-01-11] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [47760 2015-12-18] (NVIDIA Corporation)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-10] (Apple, Inc.) [File not signed]
S1 vflt; C:\Windows\system32\DRIVERS\vfilter.sys [24064 2013-06-30] (Shrew Soft Inc) [File not signed]
S3 vnet; C:\Windows\System32\drivers\virtualnet.sys [17408 2013-06-30] (Shrew Soft Inc) [File not signed]
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
S3 vpnva; \SystemRoot\System32\drivers\vpnva64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-25 17:03 - 2016-01-25 17:03 - 00006403 _____ C:\Users\Ray\Desktop\fixlist.txt
2016-01-24 20:50 - 2016-01-24 20:51 - 22908888 _____ (Malwarebytes ) C:\Users\Ray\Desktop\mbam-setup-bc.1878-2.2.0.1024.exe
2016-01-24 20:48 - 2016-01-25 15:57 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-01-24 20:47 - 2016-01-24 20:47 - 00001175 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-01-24 20:47 - 2016-01-24 20:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-24 20:47 - 2016-01-24 20:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-01-24 20:47 - 2016-01-24 20:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-24 20:47 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-01-24 20:47 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-01-24 20:47 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-01-24 20:40 - 2016-01-24 20:41 - 00003746 _____ C:\Users\Ray\Desktop\Rkill.txt
2016-01-24 20:37 - 2016-01-24 20:40 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\Ray\Desktop\rkill.exe
2016-01-24 18:35 - 2016-01-24 18:35 - 00001192 _____ C:\Users\Ray\Desktop\JRT.txt
2016-01-24 17:47 - 2016-01-24 17:47 - 01600184 _____ (Malwarebytes) C:\Users\Ray\Downloads\JRT.exe
2016-01-24 17:37 - 2016-01-24 18:56 - 00000000 ____D C:\ProgramData\HitmanPro
2016-01-24 17:36 - 2016-01-24 17:37 - 11323704 _____ (SurfRight B.V.) C:\Users\Ray\Downloads\HitmanPro_x64.exe
2016-01-24 17:20 - 2016-01-24 17:21 - 00031018 _____ C:\Users\Ray\Downloads\MTB.txt
2016-01-24 17:07 - 2016-01-24 19:08 - 00032469 _____ C:\Users\Ray\Desktop\Addition.txt
2016-01-24 17:06 - 2016-01-25 17:04 - 00010968 _____ C:\Users\Ray\Desktop\FRST.txt
2016-01-24 17:06 - 2016-01-25 17:04 - 00000000 ____D C:\FRST
2016-01-24 17:05 - 2016-01-24 17:06 - 02370560 _____ (Farbar) C:\Users\Ray\Desktop\FRST64.exe
2016-01-24 16:36 - 2016-01-24 16:58 - 00000000 ____D C:\AdwCleaner
2016-01-24 16:36 - 2016-01-24 16:36 - 01505280 _____ C:\Users\Ray\Downloads\AdwCleaner.exe
2016-01-24 15:41 - 2016-01-24 15:41 - 00001310 _____ C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-01-24 14:40 - 2016-01-24 16:13 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2016-01-24 14:39 - 2016-01-24 16:21 - 00277916 _____ C:\WINDOWS\ntbtlog.txt
2016-01-24 14:13 - 2016-01-24 14:13 - 00001110 _____ C:\Users\Ray\Documents\backup dns host file.txt
2016-01-24 14:05 - 2016-01-24 15:10 - 00000824 _____ C:\Users\Ray\Documents\hosts.txt
2016-01-24 13:31 - 2016-01-24 13:31 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2016-01-24 13:31 - 2015-12-18 00:10 - 00099472 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvaudcap64v.dll
2016-01-24 13:31 - 2015-12-18 00:10 - 00090768 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvaudcap32v.dll
2016-01-24 13:19 - 2016-01-24 16:19 - 00000000 ____D C:\Users\Ray\Desktop\Old Firefox Data
2016-01-24 13:00 - 2016-01-24 13:00 - 00005764 _____ C:\native log.txt
2016-01-24 12:57 - 2016-01-24 14:34 - 00000000 ___HD C:\dgqcjv9R5pd5XiTO
2016-01-24 12:34 - 2016-01-24 12:34 - 00022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-01-24 12:34 - 2016-01-24 12:34 - 00001132 _____ C:\Users\Ray\Desktop\SpyHunter.lnk
2016-01-24 11:35 - 2016-01-24 12:34 - 00003422 _____ C:\WINDOWS\System32\Tasks\SpyHunter4Startup
2016-01-24 11:22 - 2016-01-24 11:22 - 00000000 ____D C:\WINDOWS\system32\luct
2016-01-24 11:20 - 2016-01-24 11:20 - 00001127 _____ C:\Users\Ray\Desktop\RegHunter.lnk
2016-01-24 11:20 - 2016-01-24 11:20 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RegHunter
2016-01-24 11:13 - 2016-01-24 11:13 - 00000000 ____D C:\Program Files (x86)\SEARCH~1
2016-01-24 09:53 - 2016-01-24 09:53 - 00019264 _____ C:\EsgInstallerResumeAction
2016-01-24 09:53 - 2016-01-24 09:53 - 00000000 ____D C:\WINDOWS\F94A63D79A61403B8F6F90B1BF77211A.TMP
2016-01-24 09:31 - 2016-01-24 13:46 - 00001055 _____ C:\WINDOWS\system32\Internet Explorer.lnk
2016-01-24 09:05 - 2016-01-24 09:05 - 00004158 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{E00C39D3-631F-4276-94AF-E315116D2C24}
2016-01-24 08:58 - 2016-01-24 13:46 - 00001148 _____ C:\WINDOWS\system32\Mozilla Firefox.lnk
2016-01-23 22:50 - 2016-01-23 22:50 - 00000000 ____D C:\WINDOWS\system32\kob
2016-01-23 22:35 - 2016-01-24 21:10 - 00000000 ____D C:\Program Files (x86)\short
2016-01-23 22:35 - 2016-01-24 09:37 - 00003840 _____ C:\WINDOWS\System32\Tasks\235112602
2016-01-23 22:35 - 2016-01-24 09:37 - 00003682 _____ C:\WINDOWS\System32\Tasks\135112602
2016-01-23 22:35 - 2016-01-24 03:47 - 00000000 ____D C:\Program Files (x86)\room
2016-01-23 22:35 - 2016-01-24 03:47 - 00000000 ____D C:\Program Files (x86)\intend
2016-01-23 22:35 - 2016-01-23 22:35 - 00041472 _____ C:\Users\Ray\AppData\Local\Singleholding.dat
2016-01-23 22:35 - 2016-01-23 22:35 - 00000187 _____ C:\Users\Ray\AppData\Local\Singleholding.exe.config
2016-01-23 22:35 - 2016-01-23 22:35 - 00000055 _____ C:\WINDOWS\key.ini
2016-01-23 22:35 - 2016-01-23 22:35 - 00000001 _____ C:\Users\Ray\AppData\Local\dotinstall.txt
2016-01-23 22:35 - 2016-01-23 22:35 - 00000000 ____D C:\Program Files (x86)\NewInternet
2016-01-23 22:34 - 2016-01-24 21:44 - 00000000 ____D C:\ProgramData\e6019400-4995-1
2016-01-23 22:34 - 2016-01-24 21:44 - 00000000 ____D C:\ProgramData\e6019400-1f53-0
2016-01-23 22:34 - 2016-01-24 21:44 - 00000000 ____D C:\ProgramData\b7f9b120-5f15-0
2016-01-23 22:34 - 2016-01-24 21:44 - 00000000 ____D C:\ProgramData\b7f9b120-11f1-1
2016-01-23 22:34 - 2016-01-24 18:34 - 00000000 ____D C:\a
2016-01-23 22:34 - 2016-01-24 03:47 - 00000000 ____D C:\Program Files (x86)\cellar
2016-01-23 22:34 - 2016-01-23 22:35 - 00000000 ____D C:\Program Files (x86)\Setup Support for Consumer Input DH
2016-01-23 22:34 - 2016-01-23 22:34 - 00000097 _____ C:\Users\Ray\AppData\Local\dottmpfile.txt
2016-01-23 22:34 - 2016-01-23 22:34 - 00000000 ____D C:\Program Files (x86)\DataHelper
2016-01-23 22:33 - 2016-01-24 10:43 - 00187904 _____ C:\WINDOWS\rsrcs.dll
2016-01-23 22:30 - 2016-01-24 10:41 - 00000000 ____D C:\Users\Ray\AppData\Local\Tempfolder
2016-01-23 22:29 - 2016-01-23 22:28 - 00000967 _____ C:\WINDOWS\system32\Drivers\etc\hp.bak
2016-01-23 22:27 - 2016-01-24 21:10 - 00000000 ____D C:\Users\Ray\AppData\Local\30259343
2016-01-23 22:27 - 2016-01-23 22:27 - 00000000 ____D C:\Users\Ray\AppData\Local\52510768
2016-01-23 22:19 - 2016-01-23 22:19 - 00042741 _____ C:\WINDOWS\direful.exe
2016-01-23 22:19 - 2016-01-23 22:19 - 00000019 _____ C:\WINDOWS\SysWOW64\7620864.bat
2016-01-15 19:12 - 2016-01-15 19:12 - 00197779 _____ C:\Users\Ray\Documents\shop cabinets.skp
2016-01-15 17:07 - 2016-01-15 17:07 - 00000000 ____D C:\Users\Ray\AppData\Roaming\SketchUp
2016-01-12 23:00 - 2016-01-04 20:51 - 07477600 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-01-12 23:00 - 2016-01-04 20:51 - 01317640 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2016-01-12 23:00 - 2016-01-04 20:51 - 01141496 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2016-01-12 23:00 - 2016-01-04 20:50 - 01173344 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-01-12 23:00 - 2016-01-04 20:50 - 00713568 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-01-12 23:00 - 2016-01-04 20:50 - 00671472 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2016-01-12 23:00 - 2016-01-04 20:49 - 00513888 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-01-12 23:00 - 2016-01-04 20:48 - 00499432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2016-01-12 23:00 - 2016-01-04 20:45 - 02587696 _____ (Microsoft Corporation) C:\WINDOWS\system32\msxml6.dll
2016-01-12 23:00 - 2016-01-04 20:42 - 02026736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msxml6.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 02544256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 01299504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetsrc.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00858952 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00848160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsvr.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00785088 _____ (Microsoft Corporation) C:\WINDOWS\system32\evr.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00245840 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfps.dll
2016-01-12 23:00 - 2016-01-04 20:37 - 00234504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mftranscode.dll
2016-01-12 23:00 - 2016-01-04 20:36 - 00808800 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2016-01-12 23:00 - 2016-01-04 20:33 - 02180128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 01118208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetsrc.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00709688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsvr.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00701384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00652312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\evr.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00208176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mftranscode.dll
2016-01-12 23:00 - 2016-01-04 20:33 - 00116728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfps.dll
2016-01-12 23:00 - 2016-01-04 20:31 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2016-01-12 23:00 - 2016-01-04 20:27 - 01594408 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-01-12 23:00 - 2016-01-04 20:24 - 00796352 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-01-12 23:00 - 2016-01-04 20:23 - 01804664 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMALFXGFXDSP.dll
2016-01-12 23:00 - 2016-01-04 20:23 - 01309376 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-01-12 23:00 - 2016-01-04 20:23 - 00786696 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMADMOD.DLL
2016-01-12 23:00 - 2016-01-04 20:23 - 00119320 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP3DMOD.DLL
2016-01-12 23:00 - 2016-01-04 20:21 - 01371792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-01-12 23:00 - 2016-01-04 20:17 - 00695752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMADMOD.DLL
2016-01-12 23:00 - 2016-01-04 20:16 - 00100160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP3DMOD.DLL
2016-01-12 23:00 - 2016-01-04 19:59 - 22393856 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-01-12 23:00 - 2016-01-04 19:57 - 16986112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2016-01-12 23:00 - 2016-01-04 19:57 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\system32\RMSRoamingSecurity.dll
2016-01-12 23:00 - 2016-01-04 19:57 - 00043520 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgrcli.dll
2016-01-12 23:00 - 2016-01-04 19:56 - 00145920 _____ (Microsoft Corporation) C:\WINDOWS\system32\omadmclient.exe
2016-01-12 23:00 - 2016-01-04 19:54 - 00162816 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceCensus.exe
2016-01-12 23:00 - 2016-01-04 19:53 - 00148992 _____ (Microsoft Corporation) C:\WINDOWS\system32\wshom.ocx
2016-01-12 23:00 - 2016-01-04 19:52 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-01-12 23:00 - 2016-01-04 19:51 - 00472576 _____ (Microsoft Corporation) C:\WINDOWS\system32\DscCore.dll
2016-01-12 23:00 - 2016-01-04 19:51 - 00248832 _____ (Microsoft Corporation) C:\WINDOWS\system32\UserMgrProxy.dll
2016-01-12 23:00 - 2016-01-04 19:50 - 00644096 _____ (Microsoft Corporation) C:\WINDOWS\system32\uReFS.dll
2016-01-12 23:00 - 2016-01-04 19:50 - 00638464 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2016-01-12 23:00 - 2016-01-04 19:50 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\system32\storewuauth.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 13018624 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 01582080 _____ (Microsoft Corporation) C:\WINDOWS\system32\aitstatic.exe
2016-01-12 23:00 - 2016-01-04 19:49 - 01255936 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOE.DLL
2016-01-12 23:00 - 2016-01-04 19:49 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 00749056 _____ (Microsoft Corporation) C:\WINDOWS\system32\PhoneService.dll
2016-01-12 23:00 - 2016-01-04 19:49 - 00167936 _____ (Microsoft Corporation) C:\WINDOWS\system32\ProximityCommon.dll
2016-01-12 23:00 - 2016-01-04 19:48 - 01009152 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOD.DLL
2016-01-12 23:00 - 2016-01-04 19:48 - 00387072 _____ (Microsoft Corporation) C:\WINDOWS\system32\qdvd.dll
2016-01-12 23:00 - 2016-01-04 19:48 - 00034816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\usermgrcli.dll
2016-01-12 23:00 - 2016-01-04 19:47 - 00628736 _____ (Microsoft Corporation) C:\WINDOWS\system32\MessagingDataModel2.dll
2016-01-12 23:00 - 2016-01-04 19:47 - 00479232 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2016-01-12 23:00 - 2016-01-04 19:47 - 00305664 _____ (Microsoft Corporation) C:\WINDOWS\system32\ksproxy.ax
2016-01-12 23:00 - 2016-01-04 19:45 - 00678912 _____ (Microsoft Corporation) C:\WINDOWS\system32\qedit.dll
2016-01-12 23:00 - 2016-01-04 19:45 - 00275968 _____ (Microsoft Corporation) C:\WINDOWS\system32\facecredentialprovider.dll
2016-01-12 23:00 - 2016-01-04 19:44 - 00125440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wshom.ocx
2016-01-12 23:00 - 2016-01-04 19:43 - 00912384 _____ (Microsoft Corporation) C:\WINDOWS\system32\usermgr.dll
2016-01-12 23:00 - 2016-01-04 19:43 - 00604672 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-01-12 23:00 - 2016-01-04 19:43 - 00584704 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2016-01-12 23:00 - 2016-01-04 19:42 - 00166912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\UserMgrProxy.dll
2016-01-12 23:00 - 2016-01-04 19:41 - 18677760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-01-12 23:00 - 2016-01-04 19:41 - 01070080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOE.DLL
2016-01-12 23:00 - 2016-01-04 19:41 - 00558592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\uReFS.dll
2016-01-12 23:00 - 2016-01-04 19:40 - 00890880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOD.DLL
2016-01-12 23:00 - 2016-01-04 19:40 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ProximityCommon.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 03428864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 00569856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qdvd.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 00498176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MessagingDataModel2.dll
2016-01-12 23:00 - 2016-01-04 19:39 - 00235008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ksproxy.ax
2016-01-12 23:00 - 2016-01-04 19:38 - 00389120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2016-01-12 23:00 - 2016-01-04 19:36 - 00573440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qedit.dll
2016-01-12 23:00 - 2016-01-04 19:36 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-01-12 23:00 - 2016-01-04 19:33 - 01674240 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
2016-01-12 23:00 - 2016-01-04 19:30 - 02796032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.dll
2016-01-12 23:00 - 2016-01-04 19:30 - 02280448 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-01-12 23:00 - 2016-01-04 19:29 - 03667456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-01-12 23:00 - 2016-01-04 19:28 - 07826432 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-01-12 23:00 - 2016-01-04 19:28 - 04894720 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-01-12 23:00 - 2016-01-04 19:28 - 01542656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\quartz.dll
2016-01-12 23:00 - 2016-01-04 19:25 - 05660160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-01-11 20:58 - 2016-01-24 16:18 - 00000000 ____D C:\Users\Ray\AppData\Local\CrashDumps
2016-01-10 19:03 - 2016-01-11 22:40 - 00112032 _____ C:\WINDOWS\system32\NvRtmpStreamer64.dll
2016-01-06 17:33 - 2016-01-09 08:42 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-12-30 19:25 - 2016-01-21 19:49 - 00000000 ____D C:\Users\Ray\AppData\Local\Deployment

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-25 09:13 - 2015-10-30 01:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-01-25 09:13 - 2015-10-30 01:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-01-24 21:49 - 2015-10-30 01:21 - 00000000 ____D C:\WINDOWS\INF
2016-01-24 21:49 - 2015-09-26 09:23 - 00879220 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-01-24 21:42 - 2015-12-20 03:36 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-01-24 21:42 - 2015-12-20 03:15 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-24 21:35 - 2015-10-30 00:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-01-24 21:34 - 2015-10-30 01:24 - 00000000 ____D C:\WINDOWS\tracing
2016-01-24 21:33 - 2015-12-20 03:19 - 00000000 ____D C:\Users\Ray
2016-01-24 21:10 - 2015-10-30 00:28 - 00000000 ____D C:\Windows
2016-01-24 16:57 - 2015-02-24 18:47 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-01-24 16:57 - 2015-02-11 19:03 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Adobe
2016-01-24 16:56 - 2014-09-16 14:33 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-01-24 15:28 - 2015-11-29 19:05 - 00000000 ____D C:\Users\Ray\Desktop\New folder
2016-01-24 14:54 - 2015-02-14 10:59 - 00000000 ____D C:\Users\Ray\AppData\Local\Adobe
2016-01-24 14:49 - 2014-09-16 14:33 - 00000000 ____D C:\ProgramData\Adobe
2016-01-24 13:32 - 2015-02-11 19:03 - 00000000 ____D C:\Users\Ray\AppData\Local\NVIDIA
2016-01-24 12:34 - 2015-02-14 11:36 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-01-24 12:34 - 2015-02-14 11:35 - 00000000 ____D C:\sh4ldr
2016-01-24 12:33 - 2015-02-14 11:34 - 00000000 ____D C:\Program Files\Enigma Software Group
2016-01-24 11:37 - 2015-09-09 23:42 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-01-24 11:26 - 2013-08-22 07:25 - 00000194 _____ C:\WINDOWS\win.ini
2016-01-24 11:20 - 2015-02-14 11:36 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Enigma Software Group
2016-01-24 10:32 - 2015-03-04 18:07 - 00000000 ____D C:\Program Files\ShrewSoft
2016-01-24 10:29 - 2015-12-20 05:07 - 00000000 ___DC C:\WINDOWS\Panther
2016-01-24 09:03 - 2015-02-11 19:02 - 00000000 ____D C:\Users\Ray\AppData\Local\Packages
2016-01-24 09:00 - 2015-10-30 01:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-01-23 22:44 - 2015-12-25 08:04 - 00000000 ____D C:\ProgramData\Origin
2016-01-23 22:44 - 2015-12-25 08:04 - 00000000 ____D C:\Program Files (x86)\Origin
2016-01-23 22:34 - 2015-02-11 19:04 - 00000000 ___RD C:\Users\Ray\OneDrive
2016-01-22 15:24 - 2015-01-27 13:58 - 00000000 ____D C:\ProgramData\Oracle
2016-01-22 15:20 - 2015-09-26 10:22 - 00000000 ____D C:\Users\Ray\.oracle_jre_usage
2016-01-22 15:20 - 2014-09-16 14:33 - 00097888 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-01-22 15:20 - 2014-09-16 14:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-01-22 15:20 - 2014-09-16 14:33 - 00000000 ____D C:\Program Files (x86)\Java
2016-01-22 13:51 - 2015-02-11 19:36 - 00000000 ____D C:\Users\Ray\AppData\Local\Battle.net
2016-01-22 09:48 - 2015-02-11 19:56 - 00000000 ____D C:\Program Files (x86)\World of Warcraft
2016-01-21 19:50 - 2015-02-11 19:30 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-01-14 19:21 - 2015-11-18 19:35 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-01-14 03:02 - 2014-09-16 14:32 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-01-14 03:02 - 2014-09-16 14:32 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-01-14 03:00 - 2015-10-30 01:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-01-13 17:07 - 2014-09-16 14:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-13 17:06 - 2015-10-30 01:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-01-13 17:05 - 2014-09-16 12:50 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-01-13 17:03 - 2014-09-16 12:50 - 143671360 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-01-11 22:41 - 2014-09-15 17:17 - 01542600 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspcap.dll
2016-01-11 22:41 - 2014-09-15 17:17 - 01316184 _____ (NVIDIA Corporation) C:\WINDOWS\SysWOW64\nvspbridge.dll
2016-01-11 22:40 - 2014-09-15 17:17 - 01756608 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvspbridge64.dll
2016-01-10 19:04 - 2015-12-20 03:14 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-01-09 08:42 - 2014-09-16 14:32 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-01-02 19:40 - 2015-10-30 01:26 - 00826872 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-01-02 19:40 - 2015-10-30 01:26 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-28 13:12 - 2015-12-25 08:08 - 00000000 ____D C:\Users\Ray\AppData\Roaming\Origin

==================== Files in the root of some directories =======

2016-01-23 22:35 - 2016-01-23 22:35 - 0000001 _____ () C:\Users\Ray\AppData\Local\dotinstall.txt
2016-01-23 22:34 - 2016-01-23 22:34 - 0000097 _____ () C:\Users\Ray\AppData\Local\dottmpfile.txt
2016-01-23 22:35 - 2016-01-23 22:35 - 0041472 _____ () C:\Users\Ray\AppData\Local\Singleholding.dat
2016-01-23 22:35 - 2016-01-23 22:35 - 0000187 _____ () C:\Users\Ray\AppData\Local\Singleholding.exe.config
2015-03-04 18:07 - 2015-03-04 18:07 - 0000036 ___SH () C:\ProgramData\Shrew Soft VPN.dat

Files to move or delete:
====================
C:\ProgramData\Shrew Soft VPN.dat


Some files in TEMP:
====================
C:\Users\Ray\AppData\Local\Temp\BJAR5FQMS.exe
C:\Users\Ray\AppData\Local\Temp\LXLK4SL20.exe
C:\Users\Ray\AppData\Local\Temp\oksoft12.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-01-24 12:57

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:24-01-2016
Ran by Ray (2016-01-25 17:04:32)
Running from C:\Users\Ray\Desktop
Windows 10 Home (X64) (2015-12-20 09:43:42)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3287149903-3504461084-1627932807-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3287149903-3504461084-1627932807-503 - Limited - Disabled)
Guest (S-1-5-21-3287149903-3504461084-1627932807-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3287149903-3504461084-1627932807-1004 - Limited - Enabled)
Ray (S-1-5-21-3287149903-3504461084-1627932807-1002 - Administrator - Enabled) => C:\Users\Ray

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip (HKLM-x32\...\7-Zip 9.2.0) (Version: 9.2.0 - 7-Zip)
7-Zip (Version: 9.2.0 - 7-Zip) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20056 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{E6C04CA1-C08C-D0C4-092C-94E2E59BB8E7}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{7FA9ECCF-A2DE-4DA1-BFF3-81260DBDA68F}) (Version: 4.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Asmedia ASM106x SATA Host Controller Driver (HKLM-x32\...\{61942EF5-2CD8-47D4-869C-2E9A8BB085F1}) (Version: 1.3.4.000 - Asmedia Technology)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Curse Client (HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\101a9f93b8f0bb6f) (Version: 5.1.1.844 - Curse)
Cybertron Support (HKLM-x32\...\{37DC4BBF-7374-4990-A794-20932267D4AC}) (Version: 1.0.0 - CybertronPC)
DNE Update (HKLM\...\{D67FE0FD-1099-49AE-8611-99C13CC556E3}) (Version: 4.18.9.18809 - Deterministic Networks, Inc.)
iCloud (HKLM\...\{4B48E22A-2FB0-4EFA-B99E-954B1E50CD69}) (Version: 5.1.0.34 - Apple Inc.)
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Java 8 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218071F0}) (Version: 8.0.710.15 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Mozilla Firefox 43.0.4 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 341.92 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.9.1.22 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.9.1.22 - NVIDIA Corporation)
NVIDIA Graphics Driver 341.92 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 341.92 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
QuickTime 7 (HKLM-x32\...\{80CEEB1E-0A6C-45B9-A312-37A1D25FDEBC}) (Version: 7.78.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6782 - Realtek Semiconductor Corp.)
RegHunter (HKLM-x32\...\RegHunter) (Version: 1.3.3.1613 - Enigma Software Group, LLC)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.12.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 3.0.12.0 - Renesas Electronics Corporation) Hidden
SHIELD Streaming (Version: 4.1.0260 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.9.1.22 - NVIDIA Corporation) Hidden
SketchUp 2015 (HKLM\...\{350488A4-1540-4103-8F01-B27503891EB0}) (Version: 15.3.331 - Trimble Navigation Limited)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
SpyHunter 4 (HKLM-x32\...\SpyHunter) (Version: 4.21.18.4608 - Enigma Software Group, LLC)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3287149903-3504461084-1627932807-1002_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Ray\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\FileCoAuth.exe (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0C8FFDC0-E0AA-4622-9866-CDDAA73C450A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {0CFE2E40-6A97-48C5-9F38-DE82315CF1B0} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {0EC12751-3319-4755-8318-5215BB9B54B8} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {0F90C776-BE5B-45A5-8EB6-F071A466883D} - \{09050547-090C-0F78-0511-0F0A0E791105} -> No File <==== ATTENTION
Task: {29D70605-71AD-4A43-9E04-E7B618B4EEA1} - \8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1 -> No File <==== ATTENTION
Task: {37D36C2A-CBCC-47EF-9D12-C15D94CDE074} - System32\Tasks\135112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {3CEC4616-B183-4477-A186-47D2B02B5E03} - \CIMT_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {3E255002-6CFD-430E-A613-1601EFFC4AF2} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe [2016-01-24] (Enigma Software Group USA, LLC.)
Task: {446CA7F4-BA00-42D0-B6C7-9FBBF2B85731} - \Sowbu -> No File <==== ATTENTION
Task: {4D8CBC6F-D450-4AD3-AC3B-D9BFF290CC38} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-500 -> No File <==== ATTENTION
Task: {4FA15568-BED9-41B8-AE5A-17761DB3720D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {569155CB-6719-4605-B8D7-F8DA468E5F4B} - \243901321850 -> No File <==== ATTENTION
Task: {5F964D97-465D-4CD3-99B1-6C0BD5EB1FA5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {62C8E679-4845-4013-9FB0-F18A3A6E6449} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-01-13] (Microsoft Corporation)
Task: {6C6FA61C-2D78-4711-880B-C4F59F08CFE4} - \14513701 -> No File <==== ATTENTION
Task: {75340425-1FAA-4DA2-9157-5E8FA880F88F} - \CIMT_daily_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {76C83650-5979-482F-A86D-B5C7C3F96C4B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8472D036-E547-4A97-B35F-3F1489674759} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {84B01E00-C5FB-40DE-9A75-6FF66BC1EF1A} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {8AB89D98-D6CF-4776-B4E5-AE4AD645F585} - \4636711463671146367114636711 -> No File <==== ATTENTION
Task: {944F57F3-3F78-4287-A19C-90383EEA5A4D} - System32\Tasks\235112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {9770C44A-0849-4F6C-8E13-CF139C792A51} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2015-08-26] (Apple Inc.)
Task: {98DD428B-87EB-416D-860D-D29CFD96D1FD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {9DA63BBE-B609-4C6A-AEEF-EEB32D93A9EA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {A5011940-CBE7-47FD-9EC7-C07E0C2501F2} - \ConsumerInputUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {A6171B40-23DE-4806-A0BC-0A6C89D85459} - \ArcadeParlor -> No File <==== ATTENTION
Task: {A8AFE250-B91B-4F37-8D8F-D28EA561ADB2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A9301AF0-CB67-4056-A782-513E82CA0F87} - \Wohxi -> No File <==== ATTENTION
Task: {D071863A-AE02-4136-947F-669EBAC77C63} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {DDD6CB80-266D-4D49-99A6-022202E89E1A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {DED9139D-CAAC-4860-990B-70ECFC6BD193} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {EFC4ACFA-C9FC-49DD-87FB-CE829E882E6A} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {F16AFBB6-C6F0-424A-BE08-8AEDFBDD37D7} - \WindApp Update -> No File <==== ATTENTION
Task: {F88F02D4-1FBA-4A4B-81F7-BE3DBA9ECD99} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {FFB5B06E-65BB-45FA-9EFA-5A746A124924} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\Ray\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "microsoft-edge:hxxp://www%2dmysearch.com/?prd=set_epc&s=G1Oztuttn1,06085b26-0a67-4e5a-a7af-ad21d02f32c3,"

==================== Loaded Modules (Whitelisted) ==============

2015-10-30 01:18 - 2015-10-30 01:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2015-12-20 03:14 - 2015-10-13 11:26 - 00125616 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2012-08-06 13:09 - 2012-08-06 13:09 - 00212480 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.PerformanceTuning.dll
2012-03-05 17:03 - 2012-03-05 17:03 - 00677376 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Device.dll
2012-02-16 15:53 - 2012-02-16 15:53 - 03642880 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Platform.dll
2015-01-20 22:35 - 2015-01-20 22:35 - 00085832 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-10-13 04:45 - 2015-10-13 04:45 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-01-10 19:03 - 2016-01-11 22:43 - 00291264 _____ () C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamBase.dll
2015-12-20 05:04 - 2015-12-20 05:04 - 02653816 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2015-12-20 05:04 - 2015-12-20 05:04 - 02653816 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2015-12-20 09:24 - 2015-12-06 22:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2015-12-20 09:24 - 2015-12-06 22:00 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-01-12 23:00 - 2016-01-04 19:29 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-01-12 23:00 - 2016-01-04 19:23 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-01-12 23:00 - 2016-01-04 19:24 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-01-12 23:00 - 2016-01-04 19:26 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-01-25 09:12 - 2016-01-25 09:12 - 09737216 _____ () C:\Program Files\WindowsApps\Microsoft.WindowsStore_2015.25.22.0_x64__8wekyb3d8bbwe\WinStore.Entertainment.Mobile.dll
2015-03-31 17:28 - 2016-01-11 22:43 - 00018880 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\noralinc.com -> hxxps://noralinc.com

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 07:25 - 2016-01-24 16:48 - 00001110 ____N C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Ray\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\internet explorer wallpaper.bmp
DNS Servers: 172.16.12.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: GrpConv => grpconv -o
HKLM\...\StartupApproved\Run: => "ShadowPlay"
HKLM\...\StartupApproved\Run: => "NvBackend"
HKLM\...\StartupApproved\Run: => "RTHDVCPL"
HKLM\...\StartupApproved\Run32: => "Adobe ARM"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\StartupFolder: => "CurseClientStartup.ccip"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\Run: => "iCloudServices"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\Run: => "iCloudDrive"
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\...\StartupApproved\Run: => "ApplePhotoStreams"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{ABBCAC9D-1CA6-4B75-9721-38C71B60D347}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3968DA48-7CD2-475F-B18E-0620651C6B36}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{88943B17-4250-42EB-B09A-3752D2486385}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{05D56D8B-484C-4CE1-9481-BB1AEB2032DC}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{029645DB-8731-4FFE-AF17-8FEF9DB20C92}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{DB333647-07E5-4237-A55A-3A0CC0BF3D13}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{7526C8B2-8314-4A07-A510-00C5D52B998C}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{240CF4AA-F76C-4F1E-94C3-25356064FFA3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{5D7AB7CC-7038-4113-A075-C365A12B5636}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{111E3F07-3051-4321-A14A-8AFEBE7A187D}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{74F36B0C-D087-4740-A5C0-15A846A4A7DD}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{EF4D9DA5-20BB-49DF-9818-B98DA5BA5A43}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{D812CDAF-9232-45A9-9B60-E64B4AE66111}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
FirewallRules: [{F46D503A-2A17-4B27-A1DB-BBC81EEB5C5A}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{7BA9EEA0-7AD8-4758-B723-C0714ECA718F}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{FF3CD1AF-8ADB-45E3-B5C7-C0CA1688B57B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{BB66EC35-1BA4-4D7C-8815-1698D39EDD92}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{89131F7D-FAD8-4BCD-B962-107BF28D1B9C}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{8A51FBBA-8FC2-4118-BC54-5CA219A4F016}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{3F14881B-4AA0-41DA-8689-1F1EA11FB99F}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{7E0C865A-64A1-4BF5-B29D-191235C44644}] => (Allow) C:\Program Files (x86)\cellar\getcap.exe
FirewallRules: [{6F2543AA-F10F-41E2-BD38-34114C496B80}] => (Allow) C:\Program Files (x86)\cellar\getcap.exe
FirewallRules: [{32BF9786-FE1B-493E-83C9-242E9E4E34DA}] => (Allow) C:\a\winonit.exe
FirewallRules: [{7D2EA9CC-6249-48C4-8EB5-38EECAB0D61A}] => (Allow) C:\a\winonit.exe
FirewallRules: [{2AEB12A0-C0DA-4AF5-9BF0-C5EBD0D6CDED}] => (Allow) C:\a\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1.exe
FirewallRules: [{2F20AD3B-4526-4992-A35A-9C0E79602746}] => (Allow) C:\a\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1.exe

==================== Restore Points =========================

13-01-2016 17:02:39 Windows Update
22-01-2016 09:14:28 Scheduled Checkpoint
24-01-2016 09:52:32 Removed RegHunter
24-01-2016 17:47:31 JRT Pre-Junkware Removal
24-01-2016 18:33:40 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/24/2016 09:35:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x501fec0e
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x5bc
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3
Faulting package full name: Fuel.Service.exe4
Faulting package-relative application ID: Fuel.Service.exe5

Error: (01/24/2016 09:33:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Fuel.Service.exe, version: 1.0.0.0, time stamp: 0x501fec0e
Faulting module name: Device.dll, version: 4.1.0.0, time stamp: 0x4f55e10b
Exception code: 0xc0000005
Fault offset: 0x00000000000033c1
Faulting process id: 0x720
Faulting application start time: 0xFuel.Service.exe0
Faulting application path: Fuel.Service.exe1
Faulting module path: Fuel.Service.exe2
Report Id: Fuel.Service.exe3
Faulting package full name: Fuel.Service.exe4
Faulting package-relative application ID: Fuel.Service.exe5

Error: (01/24/2016 06:33:50 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/24/2016 06:32:56 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program HitmanPro_x64.exe version 3.7.12.253 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 1440

Start Time: 01d1570618378b25

Termination Time: 4294967295

Application Path: C:\Users\Ray\Downloads\HitmanPro_x64.exe

Report Id: 292d04b7-c2fb-11e5-82c9-d8cb8a33116e

Faulting package full name:

Faulting package-relative application ID:

Error: (01/24/2016 06:01:00 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 06:00:47 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 05:47:41 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/24/2016 04:18:37 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/24/2016 04:18:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SystemSettings.exe, version: 10.0.10586.11, time stamp: 0x56457cb1
Faulting module name: DataSenseHandlers.dll, version: 10.0.10586.0, time stamp: 0x5632d62f
Exception code: 0xc0000005
Fault offset: 0x00000000000199c6
Faulting process id: 0x644
Faulting application start time: 0xSystemSettings.exe0
Faulting application path: SystemSettings.exe1
Faulting module path: SystemSettings.exe2
Report Id: SystemSettings.exe3
Faulting package full name: SystemSettings.exe4
Faulting package-relative application ID: SystemSettings.exe5

Error: (01/24/2016 04:17:53 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: RAYSGAMINGPC)
Description: Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.


System errors:
=============
Error: (01/24/2016 09:46:11 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}

Error: (01/24/2016 09:42:47 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The servant service failed to start due to the following error:
%%2

Error: (01/24/2016 09:42:47 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The appreciate service failed to start due to the following error:
%%2

Error: (01/24/2016 09:42:47 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Tuhtujl service failed to start due to the following error:
%%2

Error: (01/24/2016 09:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD FUEL Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/24/2016 09:35:43 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (01/24/2016 09:34:17 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Tuhtujl service failed to start due to the following error:
%%2

Error: (01/24/2016 09:34:17 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The servant service failed to start due to the following error:
%%2

Error: (01/24/2016 09:34:17 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The appreciate service failed to start due to the following error:
%%2

Error: (01/24/2016 09:33:04 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD FUEL Service service terminated unexpectedly.  It has done this 1 time(s).


CodeIntegrity:
===================================
  Date: 2016-01-24 21:42:34.608
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 21:34:03.641
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 18:04:14.775
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 16:43:55.967
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 16:12:37.210
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 15:47:43.249
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\vfilter.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-01-24 15:43:33.964
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:41:03.837
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:41:03.809
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.

  Date: 2016-01-24 15:41:03.779
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume2\Windows\System32\dnsapi.dll that did not meet the Store signing level requirements.


==================== Memory info ===========================

Processor: AMD FX™-4130 Quad-Core Processor
Percentage of memory in use: 10%
Total physical RAM: 16382.18 MB
Available physical RAM: 14625.97 MB
Total Virtual: 18814.18 MB
Available Virtual: 16773.27 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:930.73 GB) (Free:841.86 GB) NTFS
Drive e: (WD Unlocker) (CDROM) (Total:0.01 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 7B1B1765)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=930.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=449 MB) - (Type=27)
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 1.

==================== End of Addition.txt ============================



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,445 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:12 PM

Posted 26 January 2016 - 08:40 AM


My previously suggested fix did not go as I had hoped.



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.16.12.1
Tcpip\..\Interfaces\{6e0db4ae-c72b-4422-9ba7-e3ab8deac507}: [DhcpNameServer] 172.16.12.1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - <no Path/update_url>
S2 appreciate; C:\WINDOWS\fearless.exe [X]
S2 servant; C:\WINDOWS\courageous.exe [X]
S2 Tuhtujl; "C:\Users\Ray\AppData\Roaming\KagjBudla\Firva.exe" -cms [X]
S3 vpnva; \SystemRoot\System32\drivers\vpnva64.sys [X]

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
Task: {0C8FFDC0-E0AA-4622-9866-CDDAA73C450A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {0EC12751-3319-4755-8318-5215BB9B54B8} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {0F90C776-BE5B-45A5-8EB6-F071A466883D} - \{09050547-090C-0F78-0511-0F0A0E791105} -> No File <==== ATTENTION
Task: {29D70605-71AD-4A43-9E04-E7B618B4EEA1} - \8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1 -> No File <==== ATTENTION
Task: {37D36C2A-CBCC-47EF-9D12-C15D94CDE074} - System32\Tasks\135112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {3CEC4616-B183-4477-A186-47D2B02B5E03} - \CIMT_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {446CA7F4-BA00-42D0-B6C7-9FBBF2B85731} - \Sowbu -> No File <==== ATTENTION
Task: {4D8CBC6F-D450-4AD3-AC3B-D9BFF290CC38} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-500 -> No File <==== ATTENTION
Task: {4FA15568-BED9-41B8-AE5A-17761DB3720D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {569155CB-6719-4605-B8D7-F8DA468E5F4B} - \243901321850 -> No File <==== ATTENTION
Task: {5F964D97-465D-4CD3-99B1-6C0BD5EB1FA5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6C6FA61C-2D78-4711-880B-C4F59F08CFE4} - \14513701 -> No File <==== ATTENTION
Task: {75340425-1FAA-4DA2-9157-5E8FA880F88F} - \CIMT_daily_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {76C83650-5979-482F-A86D-B5C7C3F96C4B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8472D036-E547-4A97-B35F-3F1489674759} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {84B01E00-C5FB-40DE-9A75-6FF66BC1EF1A} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {8AB89D98-D6CF-4776-B4E5-AE4AD645F585} - \4636711463671146367114636711 -> No File <==== ATTENTION
Task: {944F57F3-3F78-4287-A19C-90383EEA5A4D} - System32\Tasks\235112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {98DD428B-87EB-416D-860D-D29CFD96D1FD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {9DA63BBE-B609-4C6A-AEEF-EEB32D93A9EA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {A5011940-CBE7-47FD-9EC7-C07E0C2501F2} - \ConsumerInputUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {A6171B40-23DE-4806-A0BC-0A6C89D85459} - \ArcadeParlor -> No File <==== ATTENTION
Task: {A8AFE250-B91B-4F37-8D8F-D28EA561ADB2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A9301AF0-CB67-4056-A782-513E82CA0F87} - \Wohxi -> No File <==== ATTENTION
Task: {D071863A-AE02-4136-947F-669EBAC77C63} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {DDD6CB80-266D-4D49-99A6-022202E89E1A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {DED9139D-CAAC-4860-990B-70ECFC6BD193} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {EFC4ACFA-C9FC-49DD-87FB-CE829E882E6A} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {F16AFBB6-C6F0-424A-BE08-8AEDFBDD37D7} - \WindApp Update -> No File <==== ATTENTION
Task: {F88F02D4-1FBA-4A4B-81F7-BE3DBA9ECD99} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {FFB5B06E-65BB-45FA-9EFA-5A746A124924} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Ray\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "microsoft-edge:hxxp://www%2dmysearch.com/?prd=set_epc&s=G1Oztuttn1,06085b26-0a67-4e5a-a7af-ad21d02f32c3,"
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
C:\Program Files (x86)\room
C:\Users\Ray\AppData\Local\Temp\BJAR5FQMS.exe
C:\Users\Ray\AppData\Local\Temp\LXLK4SL20.exe
C:\Users\Ray\AppData\Local\Temp\oksoft12.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Clear the cache and browsing history with Microsoft Edge
http://www.techulator.com/resources/14556-How-to-clear-cache-and-browsing-history-with-Microsoft-Edge.aspx

===

Please post the Fixlog.txt that will be created by the Farbar tool.
Let me know what problem persists.

#7 Tinman39

Tinman39
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:12 PM

Posted 26 January 2016 - 06:10 PM

Fixlog

 

Fix result of Farbar Recovery Scan Tool (x64) Version:24-01-2016
Ran by Ray (2016-01-26 16:33:12) Run:1
Running from C:\Users\Ray\Desktop
Loaded Profiles: Ray (Available Profiles: Ray)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.16.12.1
Tcpip\..\Interfaces\{6e0db4ae-c72b-4422-9ba7-e3ab8deac507}: [DhcpNameServer] 172.16.12.1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - <no Path/update_url>
S2 appreciate; C:\WINDOWS\fearless.exe [X]
S2 servant; C:\WINDOWS\courageous.exe [X]
S2 Tuhtujl; "C:\Users\Ray\AppData\Roaming\KagjBudla\Firva.exe" -cms [X]
S3 vpnva; \SystemRoot\System32\drivers\vpnva64.sys [X]

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
Task: {0C8FFDC0-E0AA-4622-9866-CDDAA73C450A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {0EC12751-3319-4755-8318-5215BB9B54B8} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {0F90C776-BE5B-45A5-8EB6-F071A466883D} - \{09050547-090C-0F78-0511-0F0A0E791105} -> No File <==== ATTENTION
Task: {29D70605-71AD-4A43-9E04-E7B618B4EEA1} - \8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1 -> No File <==== ATTENTION
Task: {37D36C2A-CBCC-47EF-9D12-C15D94CDE074} - System32\Tasks\135112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {3CEC4616-B183-4477-A186-47D2B02B5E03} - \CIMT_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {446CA7F4-BA00-42D0-B6C7-9FBBF2B85731} - \Sowbu -> No File <==== ATTENTION
Task: {4D8CBC6F-D450-4AD3-AC3B-D9BFF290CC38} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-500 -> No File <==== ATTENTION
Task: {4FA15568-BED9-41B8-AE5A-17761DB3720D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {569155CB-6719-4605-B8D7-F8DA468E5F4B} - \243901321850 -> No File <==== ATTENTION
Task: {5F964D97-465D-4CD3-99B1-6C0BD5EB1FA5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6C6FA61C-2D78-4711-880B-C4F59F08CFE4} - \14513701 -> No File <==== ATTENTION
Task: {75340425-1FAA-4DA2-9157-5E8FA880F88F} - \CIMT_daily_S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
Task: {76C83650-5979-482F-A86D-B5C7C3F96C4B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {8472D036-E547-4A97-B35F-3F1489674759} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {84B01E00-C5FB-40DE-9A75-6FF66BC1EF1A} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {8AB89D98-D6CF-4776-B4E5-AE4AD645F585} - \4636711463671146367114636711 -> No File <==== ATTENTION
Task: {944F57F3-3F78-4287-A19C-90383EEA5A4D} - System32\Tasks\235112602 => C:\Program Files (x86)\room\birds.exe <==== ATTENTION
Task: {98DD428B-87EB-416D-860D-D29CFD96D1FD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {9DA63BBE-B609-4C6A-AEEF-EEB32D93A9EA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {A5011940-CBE7-47FD-9EC7-C07E0C2501F2} - \ConsumerInputUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {A6171B40-23DE-4806-A0BC-0A6C89D85459} - \ArcadeParlor -> No File <==== ATTENTION
Task: {A8AFE250-B91B-4F37-8D8F-D28EA561ADB2} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A9301AF0-CB67-4056-A782-513E82CA0F87} - \Wohxi -> No File <==== ATTENTION
Task: {D071863A-AE02-4136-947F-669EBAC77C63} - \Adobe Acrobat Update Task -> No File <==== ATTENTION
Task: {DDD6CB80-266D-4D49-99A6-022202E89E1A} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {DED9139D-CAAC-4860-990B-70ECFC6BD193} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {EFC4ACFA-C9FC-49DD-87FB-CE829E882E6A} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {F16AFBB6-C6F0-424A-BE08-8AEDFBDD37D7} - \WindApp Update -> No File <==== ATTENTION
Task: {F88F02D4-1FBA-4A4B-81F7-BE3DBA9ECD99} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {FFB5B06E-65BB-45FA-9EFA-5A746A124924} - \Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-1002 -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Ray\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> "microsoft-edge:hxxp://www%2dmysearch.com/?prd=set_epc&s=G1Oztuttn1,06085b26-0a67-4e5a-a7af-ad21d02f32c3,"
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
C:\Program Files (x86)\room
C:\Users\Ray\AppData\Local\Temp\BJAR5FQMS.exe
C:\Users\Ray\AppData\Local\Temp\LXLK4SL20.exe
C:\Users\Ray\AppData\Local\Temp\oksoft12.exe

End
*****************

Restore point was successfully created.
Processes closed successfully.

========= RemoveProxy: =========

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e0db4ae-c72b-4422-9ba7-e3ab8deac507}\\DhcpNameServer => value removed successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\S-1-5-21-3287149903-3504461084-1627932807-1002\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\jeaohhlajejodfjadcponpnjgkiikocn" => key removed successfully
appreciate => service removed successfully
servant => service removed successfully
Tuhtujl => service removed successfully
vpnva => service removed successfully
AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} => removed successfully
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} => removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}\\SystemComponent => value removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0C8FFDC0-E0AA-4622-9866-CDDAA73C450A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C8FFDC0-E0AA-4622-9866-CDDAA73C450A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0EC12751-3319-4755-8318-5215BB9B54B8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0EC12751-3319-4755-8318-5215BB9B54B8}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ConsumerInputUpdateTaskMachineUA => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0F90C776-BE5B-45A5-8EB6-F071A466883D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F90C776-BE5B-45A5-8EB6-F071A466883D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{09050547-090C-0F78-0511-0F0A0E791105}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{29D70605-71AD-4A43-9E04-E7B618B4EEA1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29D70605-71AD-4A43-9E04-E7B618B4EEA1}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\8d8J9l9Fs67nMlRFPDZC-ni-2016-01-23-ni-10924-ni-1 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{37D36C2A-CBCC-47EF-9D12-C15D94CDE074}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{37D36C2A-CBCC-47EF-9D12-C15D94CDE074}" => key removed successfully
C:\WINDOWS\System32\Tasks\135112602 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\135112602" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3CEC4616-B183-4477-A186-47D2B02B5E03}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3CEC4616-B183-4477-A186-47D2B02B5E03}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CIMT_S-1-5-21-3287149903-3504461084-1627932807-1002 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{446CA7F4-BA00-42D0-B6C7-9FBBF2B85731}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{446CA7F4-BA00-42D0-B6C7-9FBBF2B85731}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Sowbu" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4D8CBC6F-D450-4AD3-AC3B-D9BFF290CC38}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D8CBC6F-D450-4AD3-AC3B-D9BFF290CC38}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-500" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4FA15568-BED9-41B8-AE5A-17761DB3720D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4FA15568-BED9-41B8-AE5A-17761DB3720D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{569155CB-6719-4605-B8D7-F8DA468E5F4B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{569155CB-6719-4605-B8D7-F8DA468E5F4B}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\243901321850 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5F964D97-465D-4CD3-99B1-6C0BD5EB1FA5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5F964D97-465D-4CD3-99B1-6C0BD5EB1FA5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6C6FA61C-2D78-4711-880B-C4F59F08CFE4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C6FA61C-2D78-4711-880B-C4F59F08CFE4}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\14513701 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{75340425-1FAA-4DA2-9157-5E8FA880F88F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{75340425-1FAA-4DA2-9157-5E8FA880F88F}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CIMT_daily_S-1-5-21-3287149903-3504461084-1627932807-1002 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{76C83650-5979-482F-A86D-B5C7C3F96C4B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{76C83650-5979-482F-A86D-B5C7C3F96C4B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8472D036-E547-4A97-B35F-3F1489674759}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8472D036-E547-4A97-B35F-3F1489674759}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{84B01E00-C5FB-40DE-9A75-6FF66BC1EF1A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{84B01E00-C5FB-40DE-9A75-6FF66BC1EF1A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8AB89D98-D6CF-4776-B4E5-AE4AD645F585}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8AB89D98-D6CF-4776-B4E5-AE4AD645F585}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4636711463671146367114636711 => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{944F57F3-3F78-4287-A19C-90383EEA5A4D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{944F57F3-3F78-4287-A19C-90383EEA5A4D}" => key removed successfully
C:\WINDOWS\System32\Tasks\235112602 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\235112602" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{98DD428B-87EB-416D-860D-D29CFD96D1FD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{98DD428B-87EB-416D-860D-D29CFD96D1FD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9DA63BBE-B609-4C6A-AEEF-EEB32D93A9EA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9DA63BBE-B609-4C6A-AEEF-EEB32D93A9EA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A5011940-CBE7-47FD-9EC7-C07E0C2501F2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A5011940-CBE7-47FD-9EC7-C07E0C2501F2}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ConsumerInputUpdateTaskMachineCore => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A6171B40-23DE-4806-A0BC-0A6C89D85459}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6171B40-23DE-4806-A0BC-0A6C89D85459}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ArcadeParlor => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A8AFE250-B91B-4F37-8D8F-D28EA561ADB2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A8AFE250-B91B-4F37-8D8F-D28EA561ADB2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A9301AF0-CB67-4056-A782-513E82CA0F87}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A9301AF0-CB67-4056-A782-513E82CA0F87}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Wohxi" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D071863A-AE02-4136-947F-669EBAC77C63}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D071863A-AE02-4136-947F-669EBAC77C63}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Acrobat Update Task" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DDD6CB80-266D-4D49-99A6-022202E89E1A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DDD6CB80-266D-4D49-99A6-022202E89E1A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DED9139D-CAAC-4860-990B-70ECFC6BD193}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DED9139D-CAAC-4860-990B-70ECFC6BD193}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EFC4ACFA-C9FC-49DD-87FB-CE829E882E6A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EFC4ACFA-C9FC-49DD-87FB-CE829E882E6A}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\LaunchPreSignup => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F16AFBB6-C6F0-424A-BE08-8AEDFBDD37D7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F16AFBB6-C6F0-424A-BE08-8AEDFBDD37D7}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WindApp Update => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F88F02D4-1FBA-4A4B-81F7-BE3DBA9ECD99}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F88F02D4-1FBA-4A4B-81F7-BE3DBA9ECD99}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FFB5B06E-65BB-45FA-9EFA-5A746A124924}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FFB5B06E-65BB-45FA-9EFA-5A746A124924}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-S-1-5-21-3287149903-3504461084-1627932807-1002" => key removed successfully
C:\Users\Ray\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk => Shortcut argument removed successfully.
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`26hfm" ADS removed successfully.
C:\Program Files (x86)\room => moved successfully
C:\Users\Ray\AppData\Local\Temp\BJAR5FQMS.exe => moved successfully
C:\Users\Ray\AppData\Local\Temp\LXLK4SL20.exe => moved successfully
C:\Users\Ray\AppData\Local\Temp\oksoft12.exe => moved successfully
EmptyTemp: => 121.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 16:33:47 ====



#8 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 27 January 2016 - 09:03 AM

How is the computer running now?

#9 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 01 February 2016 - 08:46 AM

Are you still with me?

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices and keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#10 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 07 February 2016 - 08:31 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



