Possible virus or malware?


  • This topic is locked
35 replies to this topic

#1 compbuff

  • Members
  • 144 posts
  • Gender:Male

Posted 15 April 2016 - 11:06 AM

Hi,

I tried to open my Google Chrome browser this afternoon and it would not open, as I got the following message:

Attack Intercepted

'Google Chrome 49' has been terminated to prevent execution of malicious code. Please check your computer for malware and software updates

Below the message it shows Technical details in blue, and also two buttons, 'Scan with HitmanPro' or close.

I clicked the technical details, which expanded to show the following:

Mitigation      ROP
Platform        6.3.9060/x64 06_3c
PID             3416
Application     C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe
Description     Google Chrome 49
Callee Type     CreateProcess
                CreateProcess
                C:\Program Files (x86)\Google\Chrome\Application\Chrome.exe

Stack Trace
#    Address             Module                       Location
1    75F9CB40            KernelBase.dll               CreateProcessAsUserW +0x2d
2    713E0000            (anonymous; rooksdo1.dll)
     68415caf00          Push      DWORD 0xaf5c41
     f0832501003e7100    Lock AND  DWORD [0x713e00001], 0x0
     c3                  RET
3    00AF4107            Chrome.exe
4    0E1F41EB            Chrome.dll
5    0E1F3BA8
6    0E1F3812            Chrome.dll
7    0E1F3AED            Chrome.dll
8    OE157596            Chrome.dll
9    0E1573A0            Chrome.dll
10   0E156DB2            Chrome.dll

Process Trace
1    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1160]
2    C:\Windows\explorer.exe [2896]
3    C:\Windows\System32\userinit.exe [2888]

I have Hitman Pro Alert 3.1.9 Build 364, which is located in the correct place it should be in, C:/ProgramData/Microsoft/Windows/start menu/Programs/HitmanProAlert.

However, I did not install or ask for HitmanPro 3.7.13 Build 258, which also popped up when I tried scanning with Hitman Pro Alert. I found this application to be running from User:\AppData\Local\Temp, which was very odd, and it must have been activated when that message popped up when Google Chrome would not open?

I ran a malware scan from Malwarebytes Anti-Malware Pro which detected 323 threats, all pertaining to Chrome-User data-extensions. I have attached the files of those scans in case. I have also

I don't just want to kill the application from this temp folder when it could be something that might have to be dealt with properly or removed in the correct manner... so any help on the issue would be most appreciated. I have tried to provide as much info as possible and hope this is sufficient. My operating system is Windows 8.1.

Thank you in advance.

 


#2 Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • Gender:Male

Posted 15 April 2016 - 02:54 PM

Hi compbuff :)

My name is Aura and I'll be assisting you with your issue. To get started, please follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop;
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open;
  • Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 compbuff

  • Topic Starter

  • Members
  • 144 posts
  • Gender:Male

Posted 15 April 2016 - 05:22 PM

Thank you Aura. I have just seen your reply to me.

The contents of FRST.txt are as follows: (The Addition text is attached)

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-04-2016
Ran by Marcus 1 (administrator) on MARCUS (15-04-2016 23:00:16)
Running from C:\Users\Marcus 2\Desktop
Loaded Profiles: UpdatusUser & Marcus 1 & Marcus 2 (Available Profiles: UpdatusUser & Marcus 1 & Marcus 2)
Platform: Windows 8.1 (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Pokki) C:\Users\Marcus 2\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer Portal\CCDMonitorService.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
() C:\ProgramData\MobileBrServ\mbbService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Dolby Laboratories Inc.) C:\Program Files\Dolby Digital Plus\ddp.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Service.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-Network.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-BlockDevice.exe
(BlueStack Systems) C:\Program Files (x86)\BlueStacks\HD-SharedFolder.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Pokki) C:\Users\Marcus 2\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QASvc.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\RMSvc.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QAMsg.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Launch Manager\LMTray.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QuickAccess.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(My Health Software) E:\Program Files (x86)\My-BP\My-BP.exe
(My Health Software) C:\Program Files (x86)\My-Weight\My-Weight.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
() C:\Program Files (x86)\FileHippo.com\FileHippo.AppManager.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
(Copernic, a division of N. Harris Computer Systems) C:\Program Files (x86)\Copernic\DesktopSearch\Copernic.DesktopSearch.exe
(Siber Systems) C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
(IBM Corp.) C:\Users\Marcus 2\AppData\Local\Trusteer\Rapport\app\bin\RapportService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(AgileBits) E:\Program Files (x86)\1Password 4\Agile1pAgent.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(TODO: <Company name>) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(IBM Corp.) C:\Users\Marcus 2\AppData\Local\Trusteer\Rapport\app\bin\x64\RapportInjService_x64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Pokki) C:\Users\Marcus 2\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\Marcus 2\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\ngtool.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\ng\vbox\aswFe.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13647576 2013-08-27] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-07] (Realtek Semiconductor)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [570152 2014-08-14] (Acronis)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7390608 2016-04-13] (AVAST Software)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [953880 2016-04-12] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [atr.exe] => [X]
HKLM-x32\...\Run: [AnySync] => C:\Program Files (x86)\AnySync\SyncLauncher.exe [41984 2011-03-21] (iAnywhere Solutions, Inc.)
HKLM-x32\...\Run: [Agile1pAgent] => E:\Program Files (x86)\1Password 4\Agile1pAgent.exe [4882360 2016-02-23] (AgileBits)
HKLM-x32\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4567720 2015-10-28] (Fitbit, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
HKLM-x32\...\Run: [PowerDVD14Agent] => C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe [795672 2014-08-12] (CyberLink Corp.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [164152 2016-03-19] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595480 2016-03-20] (Oracle Corporation)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [5343664 2015-07-20] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [691056 2015-07-20] (Acronis International GmbH)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [465320 2014-10-29] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [20150107] => C:\Program Files\AVAST Software\Avast\setup\emupdate\7e209f2c-7fd4-490a-bb5c-ced9c1a76615.exe [168336 2016-01-22] (AVAST Software)
HKLM-x32\...\RunOnce: [InnoSetupRegFile.0000000001] => "C:\WINDOWS\is-AAIJI.exe" /REG /REGSVRMODE
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-09-07] (Qualcomm®Atheros®)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [Messenger (Yahoo!)] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3074128 2016-03-10] (Valve Corporation)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [AllMyNotes] => E:\Program Files (x86)\AllMyNotes Organizer\AllMyNotes.exe [3243120 2015-07-29] (Vladonai Software (hxxp://www.vladonai.com))
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\FileHippo.AppManager.exe [10566352 2015-09-02] ()
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [Copernic Desktop Search 5] => C:\Program Files (x86)\Copernic\DesktopSearch\Copernic.DesktopSearch.exe [1173768 2016-03-08] (Copernic, a division of N. Harris Computer Systems)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\RunOnce: [iCloud] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloud.exe [60688 2015-12-01] (Apple Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4272840 2014-03-31] (Microsoft Corporation)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [SwiftToDoList] => C:\Users\Marcus 2\AppData\Local\Swift To-Do List\Swift To-Do List.exe [9643320 2015-08-21] (Dextronet)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [AllMyNotes] => E:\Program Files (x86)\AllMyNotes Organizer\AllMyNotes.exe [3243120 2015-07-29] (Vladonai Software (hxxp://www.vladonai.com))
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [MYBP] => E:\Program Files (x86)\My-BP\My-BP.exe [1918976 2010-01-07] (My Health Software)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [MYWS My Weight Software] => C:\Program Files (x86)\My-Weight\My-Weight.exe [1962496 2010-01-07] (My Health Software)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [MindCollected] => C:\Users\Marcus 2\Documents\Mind Collected\Mind Collected.exe [2668856 2015-09-23] (Dextronet)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [eM Client] => C:\Program Files (x86)\eM Client\MailClient.exe [15698792 2016-02-29] (eM Client s.r.o.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4567720 2015-10-28] (Fitbit, Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [GoogleChromeAutoLaunch_6480EC06B42C488AA507B63ABC0C09F0] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [874648 2016-04-06] (Google Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\FileHippo.AppManager.exe [10566352 2015-09-02] ()
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [953880 2016-04-12] (BlueStack Systems, Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [Copernic Desktop Search 5] => C:\Program Files (x86)\Copernic\DesktopSearch\Copernic.DesktopSearch.exe [1173768 2016-03-08] (Copernic, a division of N. Harris Computer Systems)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [RoboForm] => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [110376 2016-04-13] (Siber Systems)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [Rapportexe] => C:\Users\Marcus 2\AppData\Local\Trusteer\Rapport\app\bin\RapportService.exe [3183088 2016-03-23] (IBM Corp.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\RunOnce: [Application Restart #0] => C:\Users\Marcus 2\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [7874024 2016-04-14] (Pokki)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {3ef859ae-d0a5-11e4-825d-0c54a5c7d546} - "F:\AutoRun.exe"
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {3ef85aa5-d0a5-11e4-825d-0c54a5c7d546} - "F:\AutoRun.exe"
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {76f83056-ca53-11e4-825b-0c54a5c7d546} - "F:\WD Drive Unlock.exe" autoplay=true
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [387536 2013-08-01] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [326224 2013-08-01] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-04-13] (AVAST Software)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 127.0.0.1 skypewebexperience.live.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0CDB1D0A-CC5F-48EB-9BCE-BD7010829DC0}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{270BB591-F579-4D29-8AC7-6DB08C2886D1}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{4D338E47-7065-4E2F-9DBB-883E9E5BD9BD}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{89C36890-E34F-4006-A96B-DAB3A132C093}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{91064E24-4B22-43A5-ABAD-5C23B1D452BC}: [DhcpNameServer] 10.244.128.1
Tcpip\..\Interfaces\{BB9F6779-96B0-41DC-8D08-69095E54F65C}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com/?pc=ACJB
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com/?pc=ACJB
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://homepage-web.com/?s=acer&m=start
URLSearchHook: [S-1-5-21-1438436151-582650635-3674040208-1001] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> DefaultScope {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> DefaultScope {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL =
BHO: 1Password -> {037C06D5-3893-49E8-9AC0-41F7524AFBF5} -> E:\Program Files (x86)\1Password 4\x64\Agile1pIE4.dll [2016-02-23] (AgileBits)
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-13] (Siber Systems Inc.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_77\bin\ssv.dll [2016-03-29] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-04-13] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-03-29] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-09-22] (Eyeo GmbH)
BHO-x32: 1Password -> {037C06D5-3893-49E8-9AC0-41F7524AFBF5} -> E:\Program Files (x86)\1Password 4\x86\Agile1pIE4.dll [2016-02-23] (AgileBits)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-13] (Siber Systems Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\ssv.dll [2016-03-29] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-04-13] (AVAST Software)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-03-29] (Oracle Corporation)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-13] (Siber Systems Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-13] (Siber Systems Inc.)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-07] ()
FF Plugin: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-03-29] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-03-29] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-01-20] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-07] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-03-29] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-03-29] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-07-12] ()
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-04-13]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-04-13]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi
FF Extension: RoboForm Toolbar - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi [2016-04-13]
FF HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi
FF HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Firefox\Extensions: [{b9aa91db-385d-4c69-8a2f-96790aa9405b}] - c:\program files (x86)\copernic\desktopsearch\firefoxconnector
FF Extension: Copernic Desktop Search - Search Firefox content - c:\program files (x86)\copernic\desktopsearch\firefoxconnector [2016-04-11] [not signed]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2016-03-14]

Chrome:
=======
CHR Profile: C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-05]
CHR Extension: (Google Docs) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-05]
CHR Extension: (Google Drive) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-05]
CHR Extension: (YouTube) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-05]
CHR Extension: (Avast SafePrice) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-04-05]
CHR Extension: (Google Sheets) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-05]
CHR Extension: (Google Docs Offline) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-05]
CHR Extension: (Avast Online Security) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-04-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Gmail) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-05]
CHR HKLM\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2015-09-10]
CHR HKU\S-1-5-21-1438436151-582650635-3674040208-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cnnbdaahphjgdgfhliignpepgnbnfomp] - c:\program files (x86)\copernic\desktopsearch\ChromeConnector\ChromeConnector.crx [2016-03-08]
CHR HKU\S-1-5-21-1438436151-582650635-3674040208-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1438436151-582650635-3674040208-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cnnbdaahphjgdgfhliignpepgnbnfomp] - c:\program files (x86)\copernic\desktopsearch\ChromeConnector\ChromeConnector.crx [2016-03-08]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2016-04-13]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-04-13]
CHR HKLM-x32\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2015-09-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [312448 2013-09-07] (Windows ® Win 7 DDK provider) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-04-13] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [370656 2016-04-13] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [5570272 2016-04-13] (Avast Software)
R2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [437784 2016-04-12] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [417304 2016-04-12] (BlueStack Systems, Inc.)
S2 BstHdPlusAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Plus-Service.exe [433688 2016-04-12] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [921112 2016-04-12] (BlueStack Systems, Inc.)
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Portal\CCDMonitorService.exe [2650696 2013-07-26] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [663592 2013-07-05] (Acer Incorporated)
R2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [5906088 2015-10-28] (Fitbit, Inc.)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [235008 2013-07-16] (TODO: <Company name>) [File not signed]
R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [4383440 2016-04-11] (SurfRight B.V.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-04] (Intel Corporation)
R2 LMSvc; C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe [457768 2013-08-03] (Acer Incorporate)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-08-07] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-08-07] (McAfee, Inc.)
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [233344 2012-06-28] ()
S3 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [4278112 2013-08-01] (Symantec Corporation)
R3 QASvc; C:\Program Files\Acer\Acer Quick Access\QASvc.exe [457768 2013-08-02] (Acer Incorporate)
R3 RMSvc; C:\Program Files\Acer\Acer Quick Access\RMSvc.exe [448040 2013-08-02] (Acer Incorporate)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S2 McAfee SiteAdvisor Service; c:\PROGRA~2\mcafee\siteadvisor\mcsacore.exe [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-04-13] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-04-13] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-04-13] (AVAST Software)
R1 aswNetSec; C:\Windows\system32\drivers\aswNetSec.sys [536312 2016-04-13] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-04-13] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-04-13] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-04-13] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-04-13] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-04-13] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-04-13] (AVAST Software)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-15] (Qualcomm Atheros Communications, Inc.)
S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [8536752 2013-07-01] (Broadcom Corporation)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [154680 2016-04-12] (BlueStack Systems)
R2 BstkDrv; C:\Program Files (x86)\BlueStacks\BstkDrv.sys [270904 2016-04-06] (Bluestack System Inc. )
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-09-07] (Qualcomm Atheros)
R3 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0405000.009\ccSetx64.sys [150104 2013-07-30] (Symantec Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-08-07] (McAfee, Inc.)
S3 DIRECTIO; E:\Programs\PerformanceTest\DirectIo64.sys [31376 2015-03-10] ()
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [296736 2016-04-08] (Acronis International GmbH)
R3 hmpalert; C:\WINDOWS\system32\drivers\hmpalert.sys [177040 2016-04-11] (SurfRight B.V.)
R3 hmpnet; C:\WINDOWS\system32\drivers\hmpnet.sys [80424 2016-04-11] (SurfRight B.V.)
R3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-07-17] (Acer Incorporated)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-03-24] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-04] (Intel Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179664 2013-08-07] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [310224 2013-08-07] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69264 2013-08-07] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519064 2013-08-07] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [776168 2013-08-07] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343568 2013-08-07] (McAfee, Inc.)
R0 ngvss; C:\Windows\System32\Drivers\ngvss.sys [161760 2016-04-13] (AVAST Software)
R3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [14680 2013-07-17] (Acer Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-10-01] (Synaptics Incorporated)
S3 taphss6; C:\Windows\system32\DRIVERS\taphss6.sys [42064 2016-02-17] (Anchorfree Inc.)
R2 tib; C:\Windows\system32\DRIVERS\tib.sys [1058632 2016-04-08] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\system32\DRIVERS\tib_mounter.sys [248648 2016-04-08] (Acronis International GmbH)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [323392 2016-04-13] (Avast Software)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R2 {C5F942FD-1110-4664-86CE-0C6BDA305235}; C:\Program Files (x86)\CyberLink\PowerDVD14\Common\NavFilter\000.fcl [32456 2014-08-12] (CyberLink Corp.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-15 23:00 - 2016-04-15 23:00 - 00036706 _____ C:\Users\Marcus 2\Desktop\FRST.txt
2016-04-15 22:58 - 2016-04-15 23:00 - 00000000 ____D C:\FRST
2016-04-15 22:54 - 2016-04-15 22:55 - 02375168 _____ (Farbar) C:\Users\Marcus 2\Desktop\FRST64.exe
2016-04-15 22:33 - 2016-04-15 22:33 - 00001413 _____ C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton Online Backup Toaster.lnk
2016-04-15 21:55 - 2016-04-15 21:55 - 00737284 _____ C:\Users\Marcus 2\Downloads\Rosemarys-Gravy-A-We-Sisters-Melissa-F.-Miller.azw
2016-04-15 21:47 - 2016-04-15 21:47 - 00000000 ____D C:\WINDOWS\SysWOW64\vbox
2016-04-15 21:47 - 2016-04-15 21:47 - 00000000 ____D C:\WINDOWS\system32\vbox
2016-04-15 20:33 - 2016-04-15 20:33 - 00558508 _____ C:\Users\Marcus 2\Downloads\The-Beauty-Bride-The-Jewels-of-Claire-Delacroix.azw
2016-04-15 20:25 - 2016-04-15 20:26 - 00569080 _____ C:\Users\Marcus 2\Downloads\My-Fierce-Highlander-Highland-Vonda-Sinclair.azw
2016-04-15 19:57 - 2016-04-15 19:57 - 00390631 _____ C:\Users\Marcus 2\Downloads\In-Between-Work-and-Play-The-J-Relina-Skye.azw
2016-04-15 19:35 - 2016-04-15 19:35 - 00320376 _____ C:\Users\Marcus 2\Downloads\Claimed-by-the-Viking-Warriors_-Lily-Reynard.azw
2016-04-15 19:01 - 2016-04-15 19:01 - 00469128 _____ C:\Users\Marcus 2\Downloads\Raven-and-Wolf-Lee-Savino.azw
2016-04-15 19:01 - 2016-04-15 19:01 - 00346716 _____ C:\Users\Marcus 2\Downloads\A-Vikings-Peace_-Futuristic-Sc-Zoe-York.azw
2016-04-15 14:01 - 2016-04-15 14:01 - 00000946 _____ C:\Users\Public\Desktop\calibre 64bit - E-book management.lnk
2016-04-15 14:01 - 2016-04-15 14:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre 64bit - E-book Management
2016-04-15 14:01 - 2016-04-15 14:01 - 00000000 ____D C:\Program Files\Calibre2
2016-04-15 13:41 - 2016-04-15 13:41 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trusteer Endpoint Protection
2016-04-15 12:15 - 2016-04-15 12:15 - 00483312 _____ (IBM Corp.) C:\Users\Marcus 2\Downloads\RapportSetup(2).exe
2016-04-15 09:38 - 2016-04-15 09:38 - 00001717 _____ C:\Users\Marcus 1\AppData\Roaming\Microsoft\Windows\Start Menu\BlueStacks.lnk
2016-04-15 09:38 - 2016-04-15 09:38 - 00001693 _____ C:\Users\Public\Desktop\BlueStacks.lnk
2016-04-13 23:43 - 2016-04-13 23:43 - 00510804 _____ C:\Users\Marcus 2\Downloads\B01DTVV18G_EBOK.azw
2016-04-13 21:13 - 2016-04-13 21:13 - 00483824 _____ (IBM Corp.) C:\Users\Marcus 2\Downloads\RapportSetup(1).exe
2016-04-13 09:32 - 2016-04-13 09:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RoboForm
2016-04-13 09:11 - 2016-04-13 09:11 - 00398152 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-04-13 09:10 - 2016-04-13 09:10 - 00052184 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-04-12 21:56 - 2016-04-12 21:56 - 02536516 _____ C:\Users\Marcus 2\Downloads\Mad stuff.mp4
2016-04-12 21:44 - 2016-04-12 21:44 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_214415
2016-04-12 21:40 - 2016-04-12 21:40 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_214009
2016-04-12 21:18 - 2016-04-12 21:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211816
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211755
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211754
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211719
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211718
2016-04-12 15:04 - 2016-04-12 15:04 - 00000000 ____D C:\Users\Marcus 1\AppData\Local\Copernic
2016-04-12 09:47 - 2016-04-13 22:27 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-04-11 05:15 - 2016-04-11 05:15 - 00008581 _____ C:\Users\Marcus 2\Documents\Computer magazine.xlsx
2016-04-11 03:53 - 2016-04-15 16:48 - 00000000 ____D C:\WINDOWS\CryptoGuard
2016-04-11 03:53 - 2016-04-15 13:46 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
2016-04-11 03:53 - 2016-04-11 04:28 - 00000000 ____D C:\ProgramData\HitmanPro
2016-04-11 03:53 - 2016-04-11 03:53 - 00848080 _____ (SurfRight B.V.) C:\WINDOWS\system32\hmpalert.dll
2016-04-11 03:53 - 2016-04-11 03:53 - 00767184 _____ (SurfRight B.V.) C:\WINDOWS\SysWOW64\hmpalert.dll
2016-04-11 03:53 - 2016-04-11 03:53 - 00177040 _____ (SurfRight B.V.) C:\WINDOWS\system32\Drivers\hmpalert.sys
2016-04-11 03:53 - 2016-04-11 03:53 - 00080424 _____ (SurfRight B.V.) C:\WINDOWS\system32\Drivers\hmpnet.sys
2016-04-11 03:53 - 2016-04-11 03:53 - 00016384 _____ C:\WINDOWS\SysWOW64\��T
2016-04-11 03:53 - 2016-04-11 03:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
2016-04-11 03:53 - 2016-04-11 03:53 - 00000000 ____D C:\Program Files (x86)\HitmanPro.Alert
2016-04-11 03:49 - 2016-04-11 03:50 - 04383440 _____ (SurfRight B.V.) C:\Users\Marcus 2\Downloads\hmpalert31.exe
2016-04-11 02:29 - 2016-04-11 02:29 - 00000000 ____D C:\Users\Marcus 2\Documents\Anki
2016-04-11 02:28 - 2016-04-11 02:29 - 00000000 ____D C:\Program Files\recall
2016-04-11 02:19 - 2016-04-11 02:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\keit.co
2016-04-11 02:19 - 2016-04-11 02:19 - 00000000 ____D C:\Users\Marcus 1\AppData\Roaming\keit.co
2016-04-11 02:18 - 2016-04-11 02:18 - 07112155 _____ ( ) C:\Users\Marcus 2\Downloads\recall.exe
2016-04-11 01:15 - 2016-04-11 01:15 - 00000000 ____D C:\ProgramData\Copernic
2016-04-11 01:14 - 2016-04-11 01:14 - 00002153 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Copernic Desktop Search 5.lnk
2016-04-11 01:14 - 2016-04-11 01:14 - 00002141 _____ C:\Users\Public\Desktop\Copernic Desktop Search 5.lnk
2016-04-11 01:14 - 2016-04-11 01:14 - 00000000 ____D C:\Program Files (x86)\Copernic
2016-04-11 01:13 - 2016-04-11 01:13 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Copernic
2016-04-11 01:11 - 2016-04-11 01:12 - 22843656 _____ (Copernic, a division of N. Harris Computer Systems) C:\Users\Marcus 2\Downloads\copernicdesktopsearch.exe
2016-04-10 23:54 - 2016-04-10 23:55 - 10185928 _____ C:\Users\Marcus 2\Desktop\Orchestral Manoeuvres In The Dark - Maid Of Orleans.flv
2016-04-08 15:01 - 2016-04-08 15:01 - 00000000 ____D C:\Users\Marcus 1\AppData\Roaming\Acronis
2016-04-08 14:37 - 2016-04-08 14:37 - 01058632 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\tib.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00304416 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\snapman.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00296736 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\file_tracker.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00248648 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\tib_mounter.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00134432 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\fltsrv.sys
2016-04-08 14:36 - 2016-04-08 14:37 - 00000000 ____D C:\ProgramData\Acronis
2016-04-08 14:36 - 2016-04-08 14:36 - 00001233 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acronis True Image 2015.lnk
2016-04-08 14:36 - 2016-04-08 14:36 - 00001221 _____ C:\Users\Public\Desktop\Acronis True Image 2015.lnk
2016-04-08 14:36 - 2016-04-08 14:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acronis
2016-04-08 14:36 - 2016-04-08 14:36 - 00000000 ____D C:\Program Files (x86)\Acronis
2016-04-07 20:27 - 2016-04-07 20:28 - 10162200 _____ (teorex ) C:\Users\Marcus 2\Downloads\FolderIcoSetup.exe
2016-04-07 17:57 - 2016-04-07 18:20 - 295841480 _____ (Acronis) C:\Users\Marcus 2\Downloads\AcronisTrueImage2015_6613_en-EU.exe
2016-04-07 17:57 - 2016-04-07 18:19 - 339881984 _____ C:\Users\Marcus 2\Downloads\AcronisTrueImage2015_ur_en-US.msi
2016-04-05 05:04 - 2016-04-12 12:47 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Foxit Software
2016-04-05 04:59 - 2016-04-05 04:59 - 00001109 _____ C:\Users\Public\Desktop\Foxit PhantomPDF.lnk
2016-04-05 04:59 - 2016-04-05 04:59 - 00000000 ____D C:\Users\Public\Foxit Software
2016-04-05 04:58 - 2016-04-05 04:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit PhantomPDF
2016-04-05 04:58 - 2016-04-05 04:58 - 00000000 ____D C:\Program Files (x86)\Foxit Software
2016-04-04 03:49 - 2016-04-04 03:53 - 67674112 _____ C:\Users\Marcus 2\Downloads\calibre-2.54.0.msi
2016-04-03 00:10 - 2016-04-03 00:10 - 00000000 ____D C:\Users\Marcus 2\.cache
2016-04-01 14:52 - 2016-04-01 15:06 - 299552768 _____ C:\Users\Marcus 2\Downloads\FoxitPhantomPDF703_Standard_enu_Setup.msi
2016-03-31 06:16 - 2016-03-31 06:16 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_061604
2016-03-31 06:16 - 2016-03-31 06:16 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_061603
2016-03-31 06:06 - 2016-03-31 06:06 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_060647
2016-03-31 06:05 - 2016-03-31 06:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_060503
2016-03-31 06:05 - 2016-03-31 06:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_060502
2016-03-30 22:21 - 2016-03-30 22:22 - 00000000 ____D C:\Users\Marcus 2\Downloads\The.Flash.2014.S02E17.HDTV.x264-LOL[ettv]
2016-03-30 22:20 - 2016-03-30 22:04 - 00000701 _____ C:\Users\Marcus 2\Desktop\qBittorrent.lnk
2016-03-30 22:04 - 2016-03-30 22:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qBittorrent
2016-03-30 21:59 - 2016-03-30 22:00 - 17141991 _____ (The qBittorrent project) C:\Users\Marcus 2\Downloads\qbittorrent_3.3.4_setup.exe
2016-03-30 01:23 - 2016-03-30 01:23 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_012346
2016-03-30 01:23 - 2016-03-30 01:23 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_012345
2016-03-30 01:05 - 2016-03-30 01:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010544
2016-03-30 01:05 - 2016-03-30 01:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010514
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010457
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010456
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010429
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010407
2016-03-30 01:03 - 2016-03-30 01:03 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010345
2016-03-30 01:03 - 2016-03-30 01:03 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010344
2016-03-30 00:56 - 2016-03-30 00:56 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_005650
2016-03-30 00:56 - 2016-03-30 00:56 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_005649
2016-03-26 09:32 - 2016-03-26 09:32 - 02572844 _____ C:\Users\Marcus 2\Downloads\0658672.mp4
2016-03-26 05:17 - 2016-03-26 05:17 - 00000000 ____D C:\Users\Marcus 2\.moneydance
2016-03-26 05:15 - 2016-03-26 05:15 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Moneydance
2016-03-26 05:14 - 2016-03-26 05:15 - 00000000 ____D C:\Program Files\Moneydance
2016-03-26 05:10 - 2016-03-26 05:11 - 54259696 _____ (The Infinite Kind) C:\Users\Marcus 2\Downloads\Moneydance_windows_amd64.exe
2016-03-26 02:26 - 2016-03-26 02:26 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_012656
2016-03-26 02:12 - 2016-03-26 02:12 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_011220
2016-03-26 02:06 - 2016-03-26 02:06 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_010639
2016-03-26 01:58 - 2016-03-26 01:58 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_005808
2016-03-26 01:54 - 2016-03-26 01:54 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_005411
2016-03-26 01:54 - 2016-03-26 01:54 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_005410
2016-03-25 01:49 - 2016-03-25 01:50 - 00000000 ____D C:\Program Files (x86)\Anki
2016-03-25 01:49 - 2016-03-25 01:49 - 00000766 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anki.lnk
2016-03-25 01:49 - 2016-03-25 01:49 - 00000754 _____ C:\Users\UpdatusUser\Desktop\Anki.lnk
2016-03-25 01:49 - 2016-03-25 01:49 - 00000754 _____ C:\Users\Marcus 2\Desktop\Anki.lnk
2016-03-25 01:49 - 2016-03-25 01:49 - 00000754 _____ C:\Users\Marcus 1\Desktop\Anki.lnk
2016-03-25 01:41 - 2016-03-25 01:44 - 23229917 _____ C:\Users\Marcus 2\Downloads\anki-2.0.33.exe
2016-03-24 15:52 - 2016-03-24 15:52 - 00001799 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\Program Files\iTunes
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\Program Files\iPod
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-03-24 15:49 - 2016-03-24 15:49 - 00000000 ____D C:\WINDOWS\System32\Tasks\Apple
2016-03-24 15:49 - 2016-03-24 15:49 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-03-24 15:37 - 2016-04-15 13:55 - 00000000 ____D C:\Users\Marcus 2\Documents\My Filehippo Downloads
2016-03-23 22:55 - 2016-03-23 22:59 - 28122662 _____ C:\Users\Marcus 2\Downloads\07B6760.mp4
2016-03-23 22:49 - 2016-03-23 22:51 - 19025857 _____ C:\Users\Marcus 2\Downloads\047BC75.mp4
2016-03-22 03:01 - 2016-03-22 03:01 - 01067704 _____ C:\Users\Marcus 2\Downloads\video-1454011780.mp4
2016-03-19 01:18 - 2016-03-19 02:25 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Smartflix
2016-03-19 01:18 - 2016-03-19 01:18 - 00002389 _____ C:\Users\Marcus 2\Desktop\Smartflix.lnk
2016-03-19 01:18 - 2016-03-19 01:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Smartflix
2016-03-19 01:17 - 2016-03-19 01:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\SquirrelTemp
2016-03-19 01:17 - 2016-03-19 01:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\smartflix
2016-03-19 01:12 - 2016-03-19 01:14 - 44363008 _____ (Smartflix) C:\Users\Marcus 2\Downloads\SmartflixSetup.exe
2016-03-18 16:27 - 2016-03-29 18:35 - 00000000 ____D C:\Users\Marcus 2\.grabMyBooks
2016-03-17 23:42 - 2016-03-17 23:48 - 23347420 _____ C:\Users\Marcus 2\Downloads\E267623(1).mp4
2016-03-17 23:33 - 2016-03-18 00:19 - 284813654 _____ C:\Users\Marcus 2\Downloads\4C352A4.mp4
2016-03-17 23:33 - 2016-03-18 00:11 - 218922264 _____ C:\Users\Marcus 2\Downloads\E7D2BDB.mp4
2016-03-17 23:32 - 2016-03-17 23:56 - 68458473 _____ C:\Users\Marcus 2\Downloads\B68A579.mp4
2016-03-16 22:29 - 2016-03-16 22:29 - 00000000 ____D C:\Users\Public\Documents\CyberLink
2016-03-16 21:58 - 2016-03-16 21:58 - 00000000 ____D C:\ProgramData\Trusteer
2016-03-16 21:55 - 2016-03-16 21:55 - 00443440 _____ (IBM Corp.) C:\Users\Marcus 2\Downloads\RapportSetup.exe
2016-03-16 21:55 - 2016-03-16 21:55 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Trusteer
2016-03-16 20:00 - 2016-03-16 20:00 - 00003516 _____ C:\WINDOWS\System32\Tasks\Patch My PC
2016-03-16 15:38 - 2016-03-16 15:38 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\EncryptStick
2016-03-16 15:19 - 2016-03-16 15:19 - 00002221 _____ C:\Users\Public\Desktop\CyberLink PowerDVD 14.lnk
2016-03-16 15:19 - 2016-03-16 15:19 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 14
2016-03-16 15:19 - 2016-03-16 15:19 - 00000000 ____D C:\Users\Marcus 1\AppData\Local\CyberLink
2016-03-16 15:19 - 2016-03-16 15:19 - 00000000 ____D C:\ProgramData\PDVD
2016-03-16 15:19 - 2016-03-16 15:19 - 00000000 ____D C:\Program Files (x86)\NSIS Uninstall Information
2016-03-16 15:17 - 2016-03-16 15:17 - 00000000 ____D C:\ProgramData\SUPPORTDIR
2016-03-16 15:16 - 2016-03-29 09:41 - 00000000 ____D C:\Users\Marcus 2\.oracle_jre_usage
2016-03-16 15:16 - 2016-03-16 15:16 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Sun
2016-03-16 15:16 - 2016-03-16 15:16 - 00000000 ____D C:\Users\Marcus 2\AppData\LocalLow\Sun
2016-03-16 15:04 - 2016-03-16 15:04 - 00001617 _____ C:\Users\Marcus 2\Desktop\FileHippo.AppManager.lnk
2016-03-16 14:59 - 2016-03-16 14:59 - 00000000 ____D C:\Users\Marcus 1\AppData\Roaming\Mozilla
2016-03-16 14:58 - 2016-03-16 14:58 - 00000000 ____D C:\Users\Marcus 1\AppData\Local\BlueStacks
2016-03-16 13:00 - 2016-03-16 13:54 - 00000000 ____D C:\Users\Marcus 1\Documents\My Filehippo Downloads
2016-03-16 12:58 - 2016-03-16 12:58 - 00002034 _____ C:\Users\Marcus 1\Desktop\FileHippo App Manager.lnk
2016-03-16 12:58 - 2016-03-16 12:58 - 00000000 ____D C:\Program Files (x86)\FileHippo.com
2016-03-16 12:56 - 2016-03-16 12:56 - 02190552 _____ C:\Users\Marcus 2\Downloads\appmanagersetup_2.0_b4_292.exe
2016-03-16 11:47 - 2016-03-16 11:47 - 00000910 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Waterfox.lnk
2016-03-16 11:47 - 2016-03-16 11:47 - 00000898 _____ C:\Users\Public\Desktop\Waterfox.lnk
2016-03-16 11:47 - 2016-03-16 11:47 - 00000000 ____D C:\Program Files\Waterfox
2016-03-16 11:45 - 2016-03-16 11:45 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Safari.lnk
2016-03-16 11:45 - 2016-03-16 11:45 - 00000000 ____D C:\Program Files (x86)\Safari
2016-03-16 11:44 - 2016-03-16 11:44 - 00000913 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pale Moon.lnk
2016-03-16 11:44 - 2016-03-16 11:44 - 00000901 _____ C:\Users\Public\Desktop\Pale Moon.lnk
2016-03-16 11:44 - 2016-03-16 11:44 - 00000000 ____D C:\Program Files\Pale Moon
2016-03-16 11:39 - 2016-03-29 08:58 - 00000000 ____D C:\Program Files\Java
2016-03-16 11:39 - 2016-03-29 05:45 - 00110144 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2016-03-16 11:37 - 2016-03-29 09:42 - 00000000 ____D C:\ProgramData\Oracle
2016-03-16 11:37 - 2016-03-29 08:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-03-16 11:37 - 2016-03-29 05:46 - 00000000 ____D C:\Program Files (x86)\Java
2016-03-16 11:37 - 2016-03-29 05:45 - 00000000 ____D C:\Users\Marcus 1\.oracle_jre_usage
2016-03-16 11:37 - 2016-03-29 05:44 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-03-16 11:37 - 2016-03-16 11:37 - 00130048 _____ (CodePlex Community) C:\Users\Marcus 2\Downloads\Microsoft.Win32.TaskScheduler.dll
2016-03-16 11:37 - 2016-03-16 11:37 - 00000000 ____D C:\Users\Marcus 1\AppData\Roaming\Sun
2016-03-16 11:37 - 2016-03-16 11:37 - 00000000 ____D C:\Users\Marcus 1\AppData\LocalLow\Sun
2016-03-16 11:36 - 2016-03-16 11:36 - 00000000 ____D C:\Users\Marcus 1\AppData\LocalLow\Oracle
2016-03-16 11:34 - 2016-03-16 11:34 - 00000000 ____D C:\WINDOWS\SysWOW64\Adobe
2016-03-16 11:34 - 2016-03-16 11:34 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2016-03-16 11:34 - 2016-03-16 11:34 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2016-03-16 11:34 - 2016-03-16 11:34 - 00000000 ____D C:\ProgramData\Adobe
2016-03-16 11:34 - 2016-03-16 11:34 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-03-16 11:29 - 2016-03-16 11:29 - 00000000 ____D C:\Users\Marcus 1\AppData\LocalLow\Adblock Plus for IE
2016-03-16 11:29 - 2016-03-16 11:29 - 00000000 ____D C:\Program Files\Adblock Plus for IE
2016-03-16 11:19 - 2016-03-16 11:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2016-03-16 11:19 - 2016-03-16 11:19 - 00000000 ____D C:\Program Files\7-Zip
2016-03-16 11:18 - 2016-03-16 11:18 - 00000000 ____D C:\Program Files\VideoLAN
2016-03-16 11:14 - 2016-03-16 11:14 - 00599720 _____ (www.patchmypc.net) C:\Users\Marcus 2\Downloads\PatchMyPC.exe
2016-03-16 03:34 - 2016-03-23 00:14 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2016-03-16 03:29 - 2016-03-16 03:29 - 01856936 _____ (Malwarebytes ) C:\Users\Marcus 2\Downloads\mbae-setup-1.08.1.1189.exe
2016-03-16 01:12 - 2016-03-16 11:56 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Skype
2016-03-16 01:12 - 2016-03-16 11:56 - 00000000 ____D C:\ProgramData\Skype
2016-03-16 01:12 - 2016-03-16 01:12 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Skype

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-15 22:54 - 2015-02-17 11:05 - 00000000 ____D C:\Users\Marcus 2\AppData\LocalLow\LastPass
2016-04-15 22:38 - 2015-02-16 23:52 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1438436151-582650635-3674040208-1003
2016-04-15 22:31 - 2015-05-18 18:52 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-15 22:19 - 2015-04-05 18:08 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-04-15 21:49 - 2015-03-20 00:52 - 00003930 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{BFAFE924-9EC8-4943-AD49-935278E6A731}
2016-04-15 20:31 - 2015-05-18 18:52 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-15 14:42 - 2015-06-05 04:33 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Deployment
2016-04-15 13:53 - 2016-01-05 11:52 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\eM Client
2016-04-15 13:52 - 2015-09-01 20:35 - 00000000 ___RD C:\Users\Marcus 2\Documents\Swift To-Do List
2016-04-15 13:51 - 2015-06-22 19:48 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2016-04-15 13:50 - 2015-02-17 11:20 - 00004182 _____ C:\WINDOWS\System32\Tasks\avast! Emergency Update
2016-04-15 13:50 - 2015-02-16 23:46 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\SweetLabs App Platform
2016-04-15 13:49 - 2015-06-24 11:29 - 00000000 ____D C:\Users\Marcus 2\Tracing
2016-04-15 13:46 - 2013-08-22 15:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-04-15 09:52 - 2015-10-31 05:22 - 00003308 _____ C:\WINDOWS\System32\Tasks\SweetLabs App Platform
2016-04-15 09:52 - 2015-02-17 14:13 - 00002403 _____ C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
2016-04-15 09:40 - 2016-01-22 09:21 - 00000000 ____D C:\Program Files (x86)\BlueStacks
2016-04-15 09:40 - 2013-08-22 14:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-04-15 09:38 - 2016-01-22 09:22 - 00000000 ____D C:\ProgramData\BlueStacksGameManager
2016-04-15 09:37 - 2013-08-22 16:36 - 00000000 __RHD C:\Users\Public\Libraries
2016-04-15 09:35 - 2015-06-22 19:58 - 00000000 ____D C:\ProgramData\BlueStacks
2016-04-15 09:03 - 2015-09-15 04:32 - 00000000 ____D C:\Users\Marcus 2\Documents\My BP
2016-04-15 00:01 - 2015-02-23 21:34 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\vlc
2016-04-14 11:31 - 2013-08-22 16:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-04-13 22:44 - 2015-05-18 18:53 - 00002219 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-13 22:44 - 2015-05-18 18:53 - 00002207 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-04-13 22:28 - 2016-02-15 14:13 - 00003044 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1455542022
2016-04-13 22:28 - 2016-02-15 14:13 - 00001057 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-04-13 22:27 - 2015-02-17 12:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-13 09:26 - 2015-09-07 04:06 - 00000000 ____D C:\Users\Marcus 2\Documents\My RoboForm Data
2016-04-13 09:24 - 2015-02-16 23:47 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Adobe
2016-04-13 09:15 - 2015-05-03 04:36 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Adobe
2016-04-13 09:12 - 2015-02-17 11:20 - 00287528 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00465792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00166432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00107792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00103064 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00074544 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00037656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-04-13 09:10 - 2016-02-15 11:24 - 00536312 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswNetSec.sys
2016-04-13 09:10 - 2015-08-10 04:15 - 00161760 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\ngvss.sys
2016-04-13 09:10 - 2015-02-17 11:20 - 01070904 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2016-04-13 09:10 - 2015-02-17 11:20 - 00037144 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2016-04-13 08:57 - 2013-08-22 14:36 - 00000000 ____D C:\WINDOWS\Inf
2016-04-13 01:31 - 2015-09-01 21:30 - 00000000 ____D C:\Users\Marcus 2\Documents\Calibre Library
2016-04-13 01:21 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\.Ultimate
2016-04-12 21:44 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\epubor_log
2016-04-12 21:43 - 2015-06-24 09:51 - 00000000 ____D C:\Users\Marcus 2\Documents\My Kindle Content
2016-04-12 21:18 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\Ultimate
2016-04-12 21:18 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\decrypt
2016-04-11 04:33 - 2013-11-14 08:50 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-04-10 05:03 - 2015-08-05 15:09 - 00000000 ____D C:\Program Files (x86)\Steam
2016-04-09 22:50 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-04-07 21:19 - 2015-04-05 18:08 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-04-05 14:25 - 2015-02-27 15:48 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Apple Computer
2016-04-05 14:25 - 2015-02-17 19:19 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Apple Computer
2016-04-05 04:59 - 2016-01-29 09:49 - 00000000 ____D C:\ProgramData\Package Cache
2016-04-04 03:56 - 2015-09-01 21:30 - 00000976 _____ C:\Users\Public\Desktop\calibre - E-book management.lnk
2016-04-04 03:56 - 2015-09-01 21:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2016-04-04 03:56 - 2015-09-01 21:30 - 00000000 ____D C:\Program Files (x86)\Calibre2
2016-04-03 00:10 - 2015-02-16 23:46 - 00000000 ____D C:\Users\Marcus 2
2016-03-31 00:26 - 2016-01-27 21:52 - 00000000 ____D C:\Users\Marcus 2\Desktop\Books
2016-03-30 23:20 - 2015-02-17 18:29 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\qBittorrent
2016-03-30 22:04 - 2015-02-17 18:29 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\qBittorrent
2016-03-27 23:37 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-03-26 07:32 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-03-24 17:45 - 2015-08-05 19:15 - 00000000 ____D C:\Users\Public\Documents\Sports Interactive
2016-03-24 17:45 - 2015-08-05 19:15 - 00000000 ____D C:\Users\Marcus 2\Documents\Sports Interactive
2016-03-24 17:45 - 2015-08-05 19:15 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Sports Interactive
2016-03-24 15:52 - 2015-02-17 18:13 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-03-24 15:49 - 2015-02-17 18:14 - 00002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-03-24 15:27 - 2015-06-09 16:54 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-03-24 15:09 - 2015-02-17 16:09 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-03-24 14:44 - 2015-08-05 13:25 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2016-03-24 14:44 - 2015-08-05 13:25 - 00000000 ___SD C:\WINDOWS\system32\GWX
2016-03-24 14:44 - 2015-02-17 16:09 - 143659408 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-03-23 19:45 - 2015-06-09 16:53 - 00001118 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-23 19:45 - 2015-06-09 16:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-23 19:45 - 2015-06-09 16:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-03-17 06:17 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\rescache
2016-03-16 22:29 - 2015-09-16 00:33 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\CyberLink
2016-03-16 22:28 - 2014-01-21 06:32 - 00000000 ____D C:\Users\UpdatusUser
2016-03-16 22:10 - 2015-10-08 12:29 - 00000000 ____D C:\Users\Marcus 1\AppData\Local\ElevatedDiagnostics
2016-03-16 16:47 - 2016-03-06 23:10 - 00001229 _____ C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon Cloud Drive.lnk
2016-03-16 16:47 - 2016-03-06 23:10 - 00001217 _____ C:\Users\Marcus 2\Desktop\Amazon Cloud Drive.lnk
2016-03-16 16:47 - 2016-03-06 23:10 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Amazon Cloud Drive
2016-03-16 15:19 - 2014-01-21 06:51 - 00000000 ____D C:\ProgramData\CyberLink
2016-03-16 15:19 - 2014-01-21 06:19 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-03-16 15:17 - 2014-01-21 06:50 - 00000000 ____D C:\ProgramData\Temp
2016-03-16 15:17 - 2014-01-21 06:50 - 00000000 ____D C:\ProgramData\install_clap
2016-03-16 15:17 - 2014-01-21 06:50 - 00000000 ____D C:\Program Files (x86)\CyberLink
2016-03-16 12:06 - 2015-02-17 10:15 - 00003930 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{FA581322-9B1E-4FD8-BDE9-248511B8E05B}
2016-03-16 11:52 - 2015-08-05 15:09 - 00000979 _____ C:\Users\Public\Desktop\Steam.lnk
2016-03-16 11:41 - 2015-02-17 12:46 - 00000952 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-03-16 11:41 - 2015-02-17 12:46 - 00000940 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-03-16 11:37 - 2015-02-16 23:30 - 00000000 ____D C:\Users\Marcus 1
2016-03-16 11:34 - 2015-02-17 17:10 - 00000000 ____D C:\Users\Marcus 1\AppData\Local\Adobe
2016-03-16 11:34 - 2015-02-16 23:30 - 00000000 ____D C:\Users\Marcus 1\AppData\Roaming\Adobe
2016-03-16 11:34 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2016-03-16 11:25 - 2014-01-21 06:32 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2016-03-16 11:19 - 2015-02-17 18:07 - 00000891 _____ C:\Users\Public\Desktop\VLC media player.lnk
2016-03-16 01:40 - 2016-01-05 11:51 - 00000982 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eM Client.lnk
2016-03-16 01:40 - 2016-01-05 11:51 - 00000000 ____D C:\Program Files (x86)\eM Client
2016-03-16 01:20 - 2013-08-22 15:44 - 00381336 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-03-16 01:18 - 2016-03-09 01:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-03-16 01:17 - 2015-08-05 13:41 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-03-16 01:17 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\SysWOW64\en-GB
2016-03-16 01:17 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\system32\en-GB
2016-03-16 01:15 - 2016-03-07 18:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\stayfocused2

==================== Files in the root of some directories =======

2016-02-09 01:58 - 2016-02-09 01:58 - 0015720 _____ () C:\Users\Marcus 1\AppData\Roaming\books.pcl
2016-02-09 01:58 - 2016-02-09 01:58 - 0873612 _____ () C:\Users\Marcus 1\AppData\Roaming\imgs.zip
2016-02-09 01:58 - 2016-02-09 01:58 - 0000063 _____ () C:\Users\Marcus 1\AppData\Roaming\url.txt
2016-01-27 19:37 - 2016-01-27 19:37 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-01-21 06:25 - 2014-01-21 06:25 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Some files in TEMP:
====================
C:\Users\Marcus 1\AppData\Local\Temp\917b0b87-3358-4e79-93de-3dfc2fc99ed0.exe
C:\Users\Marcus 1\AppData\Local\Temp\HD-ShortcutHandler.dll
C:\Users\Marcus 1\AppData\Local\Temp\HitmanPro_x64.exe
C:\Users\Marcus 1\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
C:\Users\Marcus 1\AppData\Local\Temp\msvcp120.dll
C:\Users\Marcus 1\AppData\Local\Temp\msvcr120.dll
C:\Users\Marcus 1\AppData\Local\Temp\ose00000.exe
C:\Users\Marcus 1\AppData\Local\Temp\pc-decrapifier.exe
C:\Users\Marcus 1\AppData\Local\Temp\uninstall.exe
C:\Users\Marcus 1\AppData\Local\Temp\VSUSetup.exe
C:\Users\Marcus 2\AppData\Local\Temp\1Password-4.6.0.592.exe
C:\Users\Marcus 2\AppData\Local\Temp\1Password-4.6.0.598.exe
C:\Users\Marcus 2\AppData\Local\Temp\1Password-4.6.0.604.exe
C:\Users\Marcus 2\AppData\Local\Temp\AmazonCloudDriveSetup.exe
C:\Users\Marcus 2\AppData\Local\Temp\Booksetup.exe
C:\Users\Marcus 2\AppData\Local\Temp\CloudDriveInstaller.exe
C:\Users\Marcus 2\AppData\Local\Temp\COMAP.EXE
C:\Users\Marcus 2\AppData\Local\Temp\HitmanPro_x64.exe
C:\Users\Marcus 2\AppData\Local\Temp\i4jdel0.exe
C:\Users\Marcus 2\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct13E0.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct1612.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct268B.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct33F5.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct43C.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct4BAA.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct6417.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct6FA2.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct6FAB.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct7292.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct79D1.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct7ACC.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct7B85.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\oct89E4.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octA390.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octB113.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octB25A.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octDB09.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octDED5.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octE33B.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octE3D0.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octE7F8.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octEFB6.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octF20A.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\octF7E4.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\tmpA40E.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\vlc-2.2.1-win32.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-11 20:21

==================== End of FRST.txt ============================
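The FRST listing above has a fixed line shape (last-modified, created, size, five attribute flags, optional publisher string from the file's version info, path) and a separate "Some files in TEMP" section of bare paths. As an added example that is not part of FRST or of anything posted in this thread, the Python script below parses that format and applies three triage heuristics (assumptions of this example, not FRST rules): executables under a user's Temp folder, randomly named *.tmp.exe droppings, and executables carrying no publisher string. The sample lines are built from entries in the log above.

```python
"""Parse FRST-style file listings and flag entries worth a second look."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One entry of an FRST "files and folders" section, e.g.
# 2016-03-16 11:14 - 2016-03-16 11:14 - 00599720 _____ (www.patchmypc.net) C:\...\PatchMyPC.exe
# fields: last-modified, created, size in bytes, 5-char attribute flags,
# optional "(company)" from the file's version info, then the path.
FRST_ENTRY = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com")
TEMP_MARKER = "\\appdata\\local\\temp\\"          # compared case-insensitively
RANDOM_TMP_EXE = re.compile(r"\\[a-z]{3}[0-9a-f]{3,4}\.tmp\.exe$")  # oct13E0.tmp.exe, tmpA40E.tmp.exe


@dataclass
class FrstEntry:
    modified: str
    created: str
    size: int
    attrs: str
    company: Optional[str]
    path: str

    @property
    def is_directory(self) -> bool:
        # FRST uses 'D' in the last flag position for directories (____D, ___SD, __RHD ...)
        return self.attrs.endswith("D")

    @property
    def is_executable(self) -> bool:
        return not self.is_directory and self.path.lower().endswith(EXECUTABLE_SUFFIXES)


def parse_entry(line: str) -> Optional[FrstEntry]:
    """Parse one listing line; return None for headers, blanks and bare paths."""
    m = FRST_ENTRY.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    if company is not None:
        company = company.strip() or None     # "()" and "(Malwarebytes )" both normalised
    return FrstEntry(m.group("modified"), m.group("created"), int(m.group("size")),
                     m.group("attrs"), company, m.group("path"))


def in_temp(path: str) -> bool:
    return TEMP_MARKER in path.lower()


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for both full entries and bare TEMP-section paths."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        entry = parse_entry(line)
        if entry is not None:
            if entry.is_directory:
                continue
            if entry.is_executable and in_temp(entry.path):
                findings.append((entry.path, "executable in Temp"))
            elif entry.is_executable and entry.company is None:
                findings.append((entry.path, "executable without publisher string"))
            continue
        # Bare path from the "Some files in TEMP" section: only the path is known.
        if line[1:3] == ":\\" and in_temp(line):
            low = line.lower()
            if RANDOM_TMP_EXE.search(low):
                findings.append((line, "randomly named .tmp.exe in Temp"))
            elif low.endswith(EXECUTABLE_SUFFIXES):
                findings.append((line, "executable in Temp"))
    return findings


# Constructed sample, using entries of the kind seen in the FRST log above.
SAMPLE = r"""
==================== One Month Modified files and folders ========
2016-03-16 11:14 - 2016-03-16 11:14 - 00599720 _____ (www.patchmypc.net) C:\Users\Marcus 2\Downloads\PatchMyPC.exe
2016-04-13 09:11 - 2015-02-17 11:20 - 00465792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-04-15 13:49 - 2015-06-24 11:29 - 00000000 ____D C:\Users\Marcus 2\Tracing
2016-02-09 01:58 - 2016-02-09 01:58 - 0873612 _____ () C:\Users\Marcus 1\AppData\Roaming\imgs.zip
Some files in TEMP:
C:\Users\Marcus 2\AppData\Local\Temp\oct13E0.tmp.exe
C:\Users\Marcus 2\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\Marcus 1\AppData\Local\Temp\msvcp120.dll
""".strip().splitlines()

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason:40s} {path}")
```

A finding is a prompt to check the file's signature and origin, not a verdict; installers such as the VLC setup above legitimately pass through Temp.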



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts

Posted 16 April 2016 - 03:35 PM

Hi compbuff :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • Since I'm still a trainee, all my posts have to be reviewed by an instructor prior to being posted to make sure that you receive the best assistance possible. Sorry for the inconvenience. This being said, I have a full-time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean up some malware, so let's get started, shall we? :)
 

I tried to open my google chrome browser this afternoon and I would not open as I got the following message:

Attack Intercepted
'Google Chrome 49' has been terminated to prevent execution of malicious code. Please check your computer for malware and software updates


I have an idea of what could be causing this error message (most likely related to your Trusteer Rapport plugin under Google Chrome). We'll look into it once we're done with cleaning up your system :)
 

I have Hitman Pro alert 3.1.9 Build 364, which is located in the correct place it should be in C:/ProgramData/Microsoft/Windows/start menu/Programs/HitmanProAlert

However, I did not install or ask for HitmanPro 3.7.13 Build 258 which also popped up when I tried scanning with Hitman Pro alert. I found this application to be running from User:\AppData\Local\Temp which was very odd and must have been activate when that message popped up when Google Chrome would not open?


It is not unusual for programs to update in the background and drop their updater or newest version in the Temp folder (before it replaces the main files in the program installation directory). I wouldn't worry about it, even less knowing that HitmanPro.Alert is a legitimate program so you can go ahead and accept the update :)

Going over your logs I noticed that you have qBittorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall qBittorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

We'll run a quick sweep using a FRST fix, JRT and AdwCleaner. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste that log in your next reply;
[attachment=179336:fixlist.txt]

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Your next reply(ies) should include:
  • Whether or not you removed the threats Malwarebytes detected earlier;
  • Copy/pasted content of the FRST fix log;
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 compbuff

compbuff
  • Topic Starter

  • Members
  • 144 posts

Posted 16 April 2016 - 05:57 PM

Hi Aura,

 

Just a quick first reply to your response. Thank you for your reply and I appreciate the in-depth explanation to what you have recommended.

 

I appreciate that you have a full time job and would reply within 24 hours, or 48 at most if something unexpected happens. To follow up to your previous reply I state the following:

 

  • I would not have sought help elsewhere since it is you that I am asking for assistance; otherwise it not only defeats the purpose but can lead to complications to my system. Any issue or question I have about my computer, whilst attempting to resolve this problem, would only have been referred back to you for obvious reasons.
  • Likewise I would not carry out any modifications to my computer until the problem has been resolved, so any manipulations I wanted to carry out that are not in the above instructions that you post would not be carried out without asking you first anyway.
  • If I am unsure about any instruction I would endeavor to seek clarification before proceeding, as I would want to ensure this was carried out in sync with you anyway. I have a question or two which I will post at the end.
  • I will attempt to reply to my thread within 24 hours, unless time does not permit due to other commitments, and I will then attempt asap within 48 hrs if so. Only in the event that there is some unfortunate emergency that leaves me unable to reply after 5 days then, as you state, I shall PM you to get the thread reopened to continue, even though it should be unlikely.
  • I am well aware how quickly malware can work, and it would always be my intention to work in tandem with you as promptly as possible in order that we can prevent them making changes to my system and the clean-up process is carried out in good rhythm to avoid or reduce the chances of any complications taking hold.
  • Other than one downloaded film through qBittorrent (I only recently installed it and have only used it once), I have no pirated, illegal or counterfeit software on my computer, as I am not only also against that but would not wish to compromise my system with it. Likewise, I now consider and realise it is not worth the risk of continuing to use qBittorrent, and will uninstall it, since it is easy to pick up an infected torrent through peer-to-peer sharing, and I was complacent in thinking that, because I have the premium paid anti-virus and anti-malware programs Avast Premier and Malwarebytes Anti-Malware Pro, the risk was minimal. Otherwise I can categorically tell you now, as stated already, that I have no pirated, illegal or counterfeit software on my computer.
  • Hitman Pro Alert 3.1.9 I downloaded on a one month trial, hence that was why I could not understand where Hitman Pro 3.7.13 suddenly popped up from out of nowhere. It is also one of the questions I have: I don't understand how it can update? I have Hitman Pro Alert installed and Hitman Pro is not the same; it is what you would use when you 'purchase' Hitman Pro Alert from... you cannot use Hitman Pro Alert fully until you purchase Hitman Pro, but in the trial period it is a standalone program; which is why I am perplexed.
  • As you said, and which I am well aware of anyway, yes, I am the one asking for assistance here, and I can state that I have no intention of deviating from the instructions you give me. I would wish in any case to avoid having to format and reinstall Windows or any other method unless it became necessary for any reason, which I would not do until exhausting all other methods done through and with yourself. As such, the performance of my computer has not been affected in any way, except for being able to use Google Chrome; whilst I am also not naive enough to realise that the infection hasn't gone just because it isn't behaving erratically. I will stay the course with you until the end as I wish to ensure I carry out the proper measures for treating the issue(s) at hand.
  • I appreciate you making me aware that you are still a trainee, and that all your posts have to be reviewed by an instructor prior to posting, and I trust of course that you will endeavor to the best of your ability to ensure that I am given the best assistance possible, which I appreciate. Like yourself, I also have a full time job, so I can appreciate the need for patience in replying, and also bear in mind your night classes on Mondays and Wednesdays, should I post on either day, meaning it will take a little longer for you to reply. I do fully appreciate your time and effort, and that you are making my thread your first priority.

I shall now carry out the instructions posted by yourself, and will reply back hereafter as soon as I can.



#6 compbuff

compbuff
  • Topic Starter

  • Members
  • 144 posts

Posted 16 April 2016 - 06:56 PM

Results will be posted at the next earliest opportunity on Sunday.


Edited by compbuff, 16 April 2016 - 06:58 PM.


#7 compbuff

compbuff
  • Topic Starter

  • Members
  • 144 posts

Posted 17 April 2016 - 09:06 AM

Hi Aura,

 

I carried out the FARBAR Recovery scan in fix mode and the Junkware Removal tool and will copy/paste where relevant.

 

On running AdwCleaner I followed your instructions, clicked Scan, and once done, checked that all the items were ticked for all the tabs listed, then clicked on the Clean button. That done, I restarted my PC as requested by AdwCleaner, but after the restart it did not open a log at all. I can't seem to copy and paste from the program's quarantine manager either, and I am concerned as to whether or not I should restore them in case it has quarantined something it should not have, such as files from software I use that should not have been affected in any way. Also there are too many for me to screen capture from the quarantine manager; it would entail saving far too many. So please advise regarding why I am not getting a log opening after using the program, and what to do.

 

Also with respect to saving the JRT - Notepad, I seemed to be unable to save it on my desktop, and the message 'not responding' kept coming up each time I tried saving it to my desktop. Whether it is because Malwarebytes was interpreting this wrongly as a malicious piece of code being saved I don't know, but I had to copy and paste it into another open Notepad file, deleting the other, then saving it as JRT-N till I killed the JRT - Notepad opened from the program, then renaming it JRT - Notepad. I ran SFC /SCANNOW from the command prompt to check my hard drive, and it said Windows Resource Protection found corrupt files but was unable to fix some of them, and details are shown in the CBS.log file which I will also attach. I should also note that I have sometimes got the 'not responding' message when trying to save something in a different program/software.

 

I don't know if it is worth mentioning, but I run the Bluestacks Apps player from my PC as well? Could that also be a security issue that perhaps should be removed?

 

My reply includes the following:

  • Whether or not you removed the threats Malwarebytes detected earlier: Yes, I removed the threats Malwarebytes detected earlier.
  • Copy/pasted content of the FRST fix log;
  • Copy/pasted JRT log;
  • Unable to copy/paste AdwCleaner clean log;
  • Attached 'JRT-Notepad' not responding message when saving.
  • Attached 'Command prompt hd scan'
  • CBS.log file (unable to upload because it said I had 730 KB of files to upload and the file size was 920 KB - did not know there would be such a limit since it's not a huge file data-size wise).

 

 

Farbar Recovery Scan Tool (FRST) - Fix mode

 

Fix result of Farbar Recovery Scan Tool (x64) Version:13-04-2016
Ran by Marcus 1 (2016-04-17 01:02:22) Run:1
Running from C:\Users\Marcus 2\Desktop
Loaded Profiles: UpdatusUser & Marcus 1 & Marcus 2 (Available Profiles: UpdatusUser & Marcus 1 & Marcus 2)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:

HKLM-x32\...\Run: [atr.exe] => [X]
HKLM-x32\...\Run: [] => [X]

HKU\S-1-5-21-1438436151-582650635-3674040208-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://homepage-web.com/?s=acer&m=start
URLSearchHook: [S-1-5-21-1438436151-582650635-3674040208-1001] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> DefaultScope {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1002 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL = hxxp://uk.yhs4.search.yahoo.com/yhs/search?hspart=acer&hsimp=yhs-acer_001&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> DefaultScope {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> {921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} URL =
SearchScopes: HKU\S-1-5-21-1438436151-582650635-3674040208-1003 -> {AA9A4890-4262-4441-8977-E2FFCBFB706C} URL =

S2 McAfee SiteAdvisor Service; c:\PROGRA~2\mcafee\siteadvisor\mcsacore.exe [X]

c:\PROGRA~2\mcafee\siteadvisor
C:\ProgramData\install_clap

EmptyTemp:
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\atr.exe => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\Software\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache => value removed successfully
Could not restore Default URLSearchHook.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => key removed successfully
HKCR\CLSID\{AA9A4890-4262-4441-8977-E2FFCBFB706C} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => key removed successfully
HKCR\Wow6432Node\CLSID\{AA9A4890-4262-4441-8977-E2FFCBFB706C} => key not found.
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-1438436151-582650635-3674040208-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{921825F4-418D-4C0E-B7B7-E05CB3E6D1EE}" => key removed successfully
HKCR\CLSID\{921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} => key not found.
"HKU\S-1-5-21-1438436151-582650635-3674040208-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => key removed successfully
HKCR\CLSID\{AA9A4890-4262-4441-8977-E2FFCBFB706C} => key not found.
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-1438436151-582650635-3674040208-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{921825F4-418D-4C0E-B7B7-E05CB3E6D1EE}" => key removed successfully
HKCR\CLSID\{921825F4-418D-4C0E-B7B7-E05CB3E6D1EE} => key not found.
"HKU\S-1-5-21-1438436151-582650635-3674040208-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AA9A4890-4262-4441-8977-E2FFCBFB706C}" => key removed successfully
HKCR\CLSID\{AA9A4890-4262-4441-8977-E2FFCBFB706C} => key not found.
McAfee SiteAdvisor Service => service removed successfully
"c:\PROGRA~2\mcafee\siteadvisor" => not found.
C:\ProgramData\install_clap => moved successfully
EmptyTemp: => 12 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 01:05:18 ====

 

Junkware Removal Tool (JRT)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 8.1 x64
Ran by Marcus 1 (Administrator) on 17/04/2016 at 12:43:49.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 17/04/2016 at 12:47:15.94
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

AdwCleaner - Fix Mode

After the restart, no log opened when logging in. Therefore I am unable to copy/paste the content of that log in this reply. Awaiting your advice on this, as mentioned above.


Edited by compbuff, 17 April 2016 - 10:02 AM.
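The fixlog above removed two HKLM-x32 Run values (one with a blank name) that FRST marks with "[X]" because it cannot find the target file, plus a set of IE SearchScopes and a dead service. As an added example that is not part of this thread, of FRST or of any tool named in it, the PowerShell below audits the same autostart locations: both HKLM views (64-bit and WOW6432Node, which FRST shows as HKLM-x32) and every loaded per-user hive under HKEY_USERS. It resolves the program behind each command line and flags values whose name is blank or whose target does not exist. The sub-key list and the command-line parsing are my assumptions; the script only reports and deletes nothing.

```powershell
# Added example (not from the thread or from FRST): audit Run/RunOnce autostart values
# in HKLM (64-bit and WOW6432Node views) and in every loaded HKEY_USERS hive, and flag
# values with a blank name or a missing target, the two conditions FRST shows as "[X]".
# Run from an elevated PowerShell; hives of users who are not logged on are not loaded.

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunTarget {
    # Pull the program path out of an autostart command line: a quoted path, an
    # unquoted path ending in .exe (spaces allowed, e.g. "C:\Program Files\..."),
    # or the first whitespace-delimited token (e.g. "cmd /c rd /q/s ...").
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-AutorunTargetExists {
    # A bare program name such as "cmd" is resolved through PATH; anything with a
    # directory component must exist as a file after environment-variable expansion.
    param([string]$Target)
    $expanded = [Environment]::ExpandEnvironmentVariables($Target)
    if ($expanded -notmatch '[\\/]') {
        return [bool](Get-Command $expanded -ErrorAction SilentlyContinue)
    }
    return (Test-Path -LiteralPath $expanded -PathType Leaf)
}

# HKU: is not a default drive; map it so per-user hives can be enumerated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hives = @('HKLM:')
$hives += Get-ChildItem 'HKU:' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" }

$findings = foreach ($hive in $hives) {
    foreach ($sub in $runSubKeys) {
        $keyPath = Join-Path $hive $sub
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        # GetValueNames() includes "" for the (Default) value, which is the blank-name case.
        foreach ($name in $key.GetValueNames()) {
            $cmd    = [string]$key.GetValue($name)
            $target = Get-AutorunTarget $cmd
            $flags  = @()
            if ([string]::IsNullOrWhiteSpace($name)) { $flags += 'blank value name' }
            if ([string]::IsNullOrWhiteSpace($cmd))  { $flags += 'empty command' }
            elseif (-not (Test-AutorunTargetExists $target)) { $flags += 'target missing' }
            [pscustomobject]@{
                Hive    = $hive
                Key     = $sub
                Name    = $name
                Command = $cmd
                Flags   = ($flags -join '; ')
            }
        }
    }
}

# Flagged entries first; everything else is listed so it can be eyeballed too.
$findings | Sort-Object { $_.Flags -eq '' }, Hive, Key | Format-Table -AutoSize -Wrap
```

A "target missing" hit is not proof of malware: uninstalled software routinely leaves such values behind, exactly as the removed [atr.exe] entry may have. What matters is that a dangling Run value is a free persistence slot, so the usual follow-up is to remove it and, if the name looks like nothing you installed, to search the disk and the other hives for the same file name.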


#8 compbuff

compbuff (Topic Starter, Members, 144 posts)

Posted 17 April 2016 - 12:30 PM

Hi Aura,

 

It appears, on doing some research, that what I 'should' have done after the scan had completed was to

  • Click on the Report button, where a logfile (AdwCleaner[R0].txt) would have opened in Notepad for review, to look over the log, especially under Files/Folders, for any program you want to save.
  • Post it for review if I wasn't sure; otherwise proceed, unchecking any elements I don't want removed.
  • Proceed to clean it all up by clicking the Clean button.
  • Note that after rebooting, a logfile report (AdwCleaner[S0].txt) should have opened automatically, but didn't.
  • Find a copy of that logfile which should also have been saved in the C:\AdwCleaner folder, but there isn't any of that name.

However on inspection there are the following files in the AdwCleaner folder:

 

  • AdwCleaner[C1]
  • AdwCleaner[S2}
  • AdwCleaner[S2]

Whilst in addition there are the two quarantine files in the following folders:

  • FileQuarantine
  • RegistryQuarantine
  • AdwCleaner[S2]

Therefore I will attach those for inspection anyway, should pre-empting by doing so save time.

 

I can't post FileQuarantine2 (I broke the file into two parts) as it's saying I have only 169kb of files left to upload. Not sure if this means more files can only be attached by starting a new thread, or not, which is perhaps why I could not attach the CBS.log file?


Edited by compbuff, 17 April 2016 - 12:34 PM.


#9 compbuff

compbuff (Topic Starter, Members, 144 posts)

Posted 17 April 2016 - 12:38 PM

Continued from previous post:

 

  • RegistryQuarantine file attached.


#10 Aura

Aura (Bleepin' Special Ops, Malware Response Team, 19,683 posts)

Posted 17 April 2016 - 04:17 PM

Thank you for the logs :)

Hitman Pro Alert 3.1.9 I downloaded on a one-month trial, hence that was why I could not understand where the Hitman Pro 3.7.13 suddenly popped up from nowhere. It is also one of the questions I have... that I don't understand how it can update? I have Hitman Pro Alert installed and Hitman Pro is not the same; it is what you would use when you 'purchase' Hitman Pro Alert from... you cannot use Hitman Pro Alert fully until you purchase Hitman Pro, but in the trial period, it is a standalone program; which is why I am perplexed.

Sadly I have little experience with SurfRight products, so I don't know the technicalities behind the update process. However, we have a support thread for HitmanPro.Alert on BleepingComputer, handled by the Loman brothers, so I'm sure that you can ask your question there after the clean-up and get an answer :)

HitmanPro.Alert CryptoGuard prevents files from being taken hostage
 

I ran an SFC/SCANNOW from the command prompt to check my hard drive, although it said Windows Resource Protection found corrupt files but was unable to fix some of them and details are shown in the CBS.log file which I will also attach.

I can take a look at your CBS.log after we're done with the malware removal part of the clean-up.
 

I don't know if it is worth mentioning, but I run the Bluestacks Apps player from my PC as well? Could that also be a security issue that perhaps should be removed?

I'm not aware of any security issues with BlueStacks.
 
I noticed that AdwCleaner removed the three following extensions in Google Chrome, did you install them on purpose?

https://chrome.google.com/webstore/detail/add-tasks-to-do-it-tomorr/eimhlfnbjllicocigjdalpodkokffbmm
https://chrome.google.com/webstore/detail/instapaper/ldjkgaaoikpmhmkelcgkgacicjfbofhh?hl=en
https://chrome.google.com/webstore/detail/typingclub/obdbgibnhfcjmmpfijkpcihjieedpfah?hl=en

We'll also run Emsisoft Emergency Kit and get a fresh pair of FRST logs. Follow the instructions below please.

Emsisoft Emergency Kit
Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
  • Download the Emsisoft Emergency Kit and execute it. From there, click on the Extract button to extract the program in the EEK folder;
  • Once the extraction is complete, Emsisoft Emergency Kit will open and suggest that you run an online update before using the program. Click on Yes to launch it;
  • After the update, click on Malware Scan under 2. Scan and accept to let Emsisoft Emergency Kit detect PUPs (click on Yes);
  • Once the scan is complete, make sure that every item in the list is checked, and click on Quarantine selected;
  • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
  • After the restart, click on the Start Emsisoft Emergency Kit icon again on your desktop to open it;
  • This time, click on Logs;
  • From there, go under the Quarantine Log tab, and click on the Export button;
  • Save the log on your desktop, then open it, and copy/paste its content in your next reply;
Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry, which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and two Notepad files will open;
  • Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;
Your next reply(ies) should include:
  • Answer to my question about the 3 extensions removed by AdwCleaner;
  • Copy/pasted content of the Emsisoft Emergency Kit clean log;
  • Copy/pasted content of the FRST.txt log;
  • Copy/pasted content of the Addition.txt log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
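Aura's question about the three extensions depends on knowing what sits in each Chrome profile and under which ID. As an added example that is not part of this thread, of AdwCleaner or of FRST, the PowerShell below enumerates the extensions on disk for every local user and Chrome profile, resolves the localized display name from the manifest, lists the declared permissions, and marks which IDs appear in an expected list. That list is seeded with the three IDs Aura posted purely to illustrate the comparison. The install path and manifest layout are assumptions based on Chrome's normal per-user layout; the script only reads files.

```powershell
# Added example (not from the thread, AdwCleaner or FRST): list the Chrome extensions
# installed under every local user profile so their IDs can be checked against what the
# user knowingly installed. Assumes the default per-user location
# (%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Extensions\<id>\<version>\manifest.json).
# Policy-pushed or unpacked extensions living elsewhere are not covered, and this shows
# what is on disk, not whether Chrome currently has the extension enabled.

function Resolve-ExtensionName {
    # Manifests often carry "__MSG_key__" and keep the display string in
    # _locales\<locale>\messages.json; fall back to the raw value if lookup fails.
    param([string]$Name, [string]$VersionDir, [string]$DefaultLocale)
    if ($Name -match '^__MSG_(.+)__$') { $key = $Matches[1] } else { return $Name }
    foreach ($loc in @($DefaultLocale, 'en', 'en_US') | Where-Object { $_ }) {
        $msgFile = Join-Path $VersionDir "_locales\$loc\messages.json"
        if (-not (Test-Path -LiteralPath $msgFile)) { continue }
        try { $msgs = Get-Content -LiteralPath $msgFile -Raw -Encoding UTF8 | ConvertFrom-Json }
        catch { continue }
        $prop = $msgs.PSObject.Properties | Where-Object { $_.Name -ieq $key } | Select-Object -First 1
        if ($prop -and $prop.Value.message) { return [string]$prop.Value.message }
    }
    return $Name
}

function Get-ChromeExtensions {
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
        $userData = Join-Path $userDir.FullName 'AppData\Local\Google\Chrome\User Data'
        if (-not (Test-Path -LiteralPath $userData)) { continue }
        # "Default" plus any additional "Profile N" directories
        $profiles = Get-ChildItem -LiteralPath $userData -Directory |
            Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
        foreach ($profile in $profiles) {
            $extRoot = Join-Path $profile.FullName 'Extensions'
            if (-not (Test-Path -LiteralPath $extRoot)) { continue }
            foreach ($extDir in Get-ChildItem -LiteralPath $extRoot -Directory) {
                # Web Store IDs are 32 characters from a..p; skip anything else (e.g. Temp)
                if ($extDir.Name -notmatch '^[a-p]{32}$') { continue }
                # Several version folders can coexist briefly after an update; report the newest
                $versionDir = Get-ChildItem -LiteralPath $extDir.FullName -Directory |
                    Sort-Object LastWriteTime -Descending | Select-Object -First 1
                if (-not $versionDir) { continue }
                $manifestPath = Join-Path $versionDir.FullName 'manifest.json'
                if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
                try { $manifest = Get-Content -LiteralPath $manifestPath -Raw -Encoding UTF8 | ConvertFrom-Json }
                catch { continue }
                [pscustomobject]@{
                    User        = $userDir.Name
                    Profile     = $profile.Name
                    Id          = $extDir.Name
                    Name        = Resolve-ExtensionName -Name ([string]$manifest.name) -VersionDir $versionDir.FullName -DefaultLocale ([string]$manifest.default_locale)
                    Version     = [string]$manifest.version
                    Permissions = (@($manifest.permissions) | ForEach-Object { "$_" }) -join ', '
                    WebStore    = "https://chrome.google.com/webstore/detail/$($extDir.Name)"
                }
            }
        }
    }
}

# IDs the user says they installed on purpose. The three below are the ones Aura listed,
# used here only to illustrate the expected-list comparison.
$expected = @(
    'eimhlfnbjllicocigjdalpodkokffbmm',
    'ldjkgaaoikpmhmkelcgkgacicjfbofhh',
    'obdbgibnhfcjmmpfijkpcihjieedpfah'
)
Get-ChromeExtensions |
    Select-Object User, Profile, Id, Name, Version, Permissions, @{ n = 'Expected'; e = { $_.Id -in $expected } } |
    Format-Table -AutoSize -Wrap
```

Anything with Expected = False deserves a look at its Permissions column: an extension the user does not recognise that asks for "tabs", "webRequest" or "<all_urls>" can read and rewrite every page, which is the class of add-on adware cleaners target. Note that Chrome keeps the enabled/disabled state and install source in the profile's Preferences and Secure Preferences files, not in the Extensions folder, so an entry listed here may already be disabled.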


#11 compbuff

compbuff (Topic Starter, Members, 144 posts)

Posted 17 April 2016 - 07:04 PM

Hi Aura,

 

Carried out the instructions as requested providing the following:

 

  • The three extensions removed by AdwCleaner were installed purposefully by myself.
  • Unable to provide a quarantine log file as there were no suspicious files detected. Scan file attached confirming this.
  • Copy/paste content of the FRST.txt log.
  • Copy/paste content of the Addition.txt log.

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-04-2016
Ran by Marcus 1 (administrator) on MARCUS (18-04-2016 00:53:34)
Running from C:\Users\Marcus 2\Desktop
Loaded Profiles: UpdatusUser & Marcus 1 & Marcus 2 (Available Profiles: UpdatusUser & Marcus 1 & Marcus 2)
Platform: Windows 8.1 (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Acer Portal\CCDMonitorService.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
() C:\ProgramData\MobileBrServ\mbbService.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Avast Software) C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
(TODO: <Company name>) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Launch Manager\LMEvent.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QASvc.exe
(Qualcomm®Atheros®) C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\RMSvc.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Launch Manager\LMTray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QAEvent.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QAMsg.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Acer Incorporate) C:\Program Files\Acer\Acer Quick Access\QuickAccess.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(My Health Software) E:\Program Files (x86)\My-BP\My-BP.exe
(My Health Software) C:\Program Files (x86)\My-Weight\My-Weight.exe
(Dolby Laboratories Inc.) C:\Program Files\Dolby Digital Plus\ddp.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
() C:\Program Files (x86)\FileHippo.com\FileHippo.AppManager.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-Agent.exe
(Copernic, a division of N. Harris Computer Systems) C:\Program Files (x86)\Copernic\DesktopSearch\Copernic.DesktopSearch.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe
(Siber Systems) C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(IBM Corp.) C:\Users\Marcus 2\AppData\Local\Trusteer\Rapport\app\bin\RapportService.exe
(AgileBits) E:\Program Files (x86)\1Password 4\Agile1pAgent.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(IBM Corp.) C:\Users\Marcus 2\AppData\Local\Trusteer\Rapport\app\bin\x64\RapportInjService_x64.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(BlueStack Systems, Inc.) C:\ProgramData\BlueStacksGameManager\BlueStacks.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-RunApp.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13647576 2013-08-27] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-07] (Realtek Semiconductor)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [570152 2014-08-14] (Acronis)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7390608 2016-04-15] (AVAST Software)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [953880 2016-04-12] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [AnySync] => C:\Program Files (x86)\AnySync\SyncLauncher.exe [41984 2011-03-21] (iAnywhere Solutions, Inc.)
HKLM-x32\...\Run: [Agile1pAgent] => E:\Program Files (x86)\1Password 4\Agile1pAgent.exe [4882360 2016-02-23] (AgileBits)
HKLM-x32\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4567720 2015-10-28] (Fitbit, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
HKLM-x32\...\Run: [PowerDVD14Agent] => C:\Program Files (x86)\CyberLink\PowerDVD14\PowerDVD14Agent.exe [795672 2014-08-12] (CyberLink Corp.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [164152 2016-03-19] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [595480 2016-03-20] (Oracle Corporation)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [5343664 2015-07-20] (Acronis)
HKLM-x32\...\Run: [AcronisTibMounterMonitor] => C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [691056 2015-07-20] (Acronis International GmbH)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [465320 2014-10-29] (Microsoft Corporation)
HKLM\...\RunOnce: [*EmptyTemp] => cmd /c rd /q/s C:\FRST\Temp
HKLM-x32\...\RunOnce: [20150107] => C:\Program Files\AVAST Software\Avast\setup\emupdate\7e209f2c-7fd4-490a-bb5c-ced9c1a76615.exe [168336 2016-01-22] (AVAST Software)
HKLM-x32\...\RunOnce: [InnoSetupRegFile.0000000001] => "C:\WINDOWS\is-AAIJI.exe" /REG /REGSVRMODE
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132736 2013-09-07] (Qualcomm®Atheros®)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [Messenger (Yahoo!)] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3074128 2016-03-10] (Valve Corporation)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [AllMyNotes] => E:\Program Files (x86)\AllMyNotes Organizer\AllMyNotes.exe [3243120 2015-07-29] (Vladonai Software (hxxp://www.vladonai.com))
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\FileHippo.AppManager.exe [10566352 2015-09-02] ()
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Run: [Copernic Desktop Search 5] => C:\Program Files (x86)\Copernic\DesktopSearch\Copernic.DesktopSearch.exe [1173768 2016-03-08] (Copernic, a division of N. Harris Computer Systems)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\RunOnce: [iCloud] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloud.exe [60688 2015-12-01] (Apple Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\RunOnce: [Report] => \AdwCleaner\AdwCleaner[C1].txt
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4272840 2014-03-31] (Microsoft Corporation)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [SwiftToDoList] => C:\Users\Marcus 2\AppData\Local\Swift To-Do List\Swift To-Do List.exe [9643320 2015-08-21] (Dextronet)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [AllMyNotes] => E:\Program Files (x86)\AllMyNotes Organizer\AllMyNotes.exe [3243120 2015-07-29] (Vladonai Software (hxxp://www.vladonai.com))
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [MYBP] => E:\Program Files (x86)\My-BP\My-BP.exe [1918976 2010-01-07] (My Health Software)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [MYWS My Weight Software] => C:\Program Files (x86)\My-Weight\My-Weight.exe [1962496 2010-01-07] (My Health Software)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [MindCollected] => C:\Users\Marcus 2\Documents\Mind Collected\Mind Collected.exe [2668856 2015-09-23] (Dextronet)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [eM Client] => C:\Program Files (x86)\eM Client\MailClient.exe [15698792 2016-02-29] (eM Client s.r.o.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [Fitbit Connect] => C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe [4567720 2015-10-28] (Fitbit, Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [GoogleChromeAutoLaunch_6480EC06B42C488AA507B63ABC0C09F0] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [874648 2016-04-06] (Google Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\FileHippo.AppManager.exe [10566352 2015-09-02] ()
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [953880 2016-04-12] (BlueStack Systems, Inc.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [Copernic Desktop Search 5] => C:\Program Files (x86)\Copernic\DesktopSearch\Copernic.DesktopSearch.exe [1173768 2016-03-08] (Copernic, a division of N. Harris Computer Systems)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [RoboForm] => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [110376 2016-04-13] (Siber Systems)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Run: [Rapportexe] => C:\Users\Marcus 2\AppData\Local\Trusteer\Rapport\app\bin\RapportService.exe [3183088 2016-03-23] (IBM Corp.)
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\RunOnce: [Application Restart #0] => C:\Users\Marcus 2\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe  --disable-internal-flash --noerrdialogs --no-message-box --disable-extensions --disable-web-security --disable-web-res (the data entry has 589 more characters).
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {3ef859ae-d0a5-11e4-825d-0c54a5c7d546} - "F:\AutoRun.exe"
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {3ef85aa5-d0a5-11e4-825d-0c54a5c7d546} - "F:\AutoRun.exe"
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\MountPoints2: {76f83056-ca53-11e4-825b-0c54a5c7d546} - "F:\WD Drive Unlock.exe" autoplay=true
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [387536 2013-08-01] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [326224 2013-08-01] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-04-13] (AVAST Software)
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files (x86)\Acronis\TrueImageHome\tishell64.dll [2014-09-09] (Acronis)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55296 2014-10-29] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\napinsp.dll"
Winsock: Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70144 2014-10-29] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70144 2014-10-29] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\pnrpnsp.dll"
Winsock: Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65536 2014-10-29] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [286208 2014-10-29] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23040 2014-10-29] (Microsoft Corporation)ATTENTION: LibraryPath should be "%SystemRoot%\System32\winrnr.dll"
Hosts: 127.0.0.1 skypewebexperience.live.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0CDB1D0A-CC5F-48EB-9BCE-BD7010829DC0}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{270BB591-F579-4D29-8AC7-6DB08C2886D1}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{4D338E47-7065-4E2F-9DBB-883E9E5BD9BD}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{89C36890-E34F-4006-A96B-DAB3A132C093}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{91064E24-4B22-43A5-ABAD-5C23B1D452BC}: [DhcpNameServer] 10.244.128.1
Tcpip\..\Interfaces\{BB9F6779-96B0-41DC-8D08-69095E54F65C}: [DhcpNameServer] 192.168.1.1 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-1438436151-582650635-3674040208-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com/?pc=ACJB
HKU\S-1-5-21-1438436151-582650635-3674040208-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer13.msn.com/?pc=ACJB
URLSearchHook: [S-1-5-21-1438436151-582650635-3674040208-1001] ATTENTION => Default URLSearchHook is missing
BHO: 1Password -> {037C06D5-3893-49E8-9AC0-41F7524AFBF5} -> E:\Program Files (x86)\1Password 4\x64\Agile1pIE4.dll [2016-02-23] (AgileBits)
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-13] (Siber Systems Inc.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_77\bin\ssv.dll [2016-03-29] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-04-13] (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-03-29] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-09-22] (Eyeo GmbH)
BHO-x32: 1Password -> {037C06D5-3893-49E8-9AC0-41F7524AFBF5} -> E:\Program Files (x86)\1Password 4\x86\Agile1pIE4.dll [2016-02-23] (AgileBits)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-13] (Siber Systems Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\ssv.dll [2016-03-29] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-04-13] (AVAST Software)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-03-29] (Oracle Corporation)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2016-04-13] (Siber Systems Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2016-04-13] (Siber Systems Inc.)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll [2016-04-07] ()
FF Plugin: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-03-29] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-03-29] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-01-20] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_213.dll [2016-04-07] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw.dll [2016-02-19] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-09-11] (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-04] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.77.2 -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-03-29] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.77.2 -> C:\Program Files (x86)\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-03-29] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-07-12] ()
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-04-13]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-04-13]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi
FF Extension: RoboForm Toolbar - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi [2016-04-13]
FF HKU\S-1-5-21-1438436151-582650635-3674040208-1002\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi
FF HKU\S-1-5-21-1438436151-582650635-3674040208-1003\...\Firefox\Extensions: [{b9aa91db-385d-4c69-8a2f-96790aa9405b}] - c:\program files (x86)\copernic\desktopsearch\firefoxconnector
FF Extension: Copernic Desktop Search - Search Firefox content - c:\program files (x86)\copernic\desktopsearch\firefoxconnector [2016-04-11] [not signed]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2016-03-14]

Chrome:
=======
CHR Profile: C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-05]
CHR Extension: (Google Docs) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-05]
CHR Extension: (Google Drive) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-05]
CHR Extension: (YouTube) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-05]
CHR Extension: (Avast SafePrice) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-04-05]
CHR Extension: (Google Sheets) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-05]
CHR Extension: (Google Docs Offline) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-05]
CHR Extension: (Avast Online Security) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-04-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-05]
CHR Extension: (Gmail) - C:\Users\Marcus 1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-05]
CHR HKLM\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2015-09-10]
CHR HKU\S-1-5-21-1438436151-582650635-3674040208-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cnnbdaahphjgdgfhliignpepgnbnfomp] - c:\program files (x86)\copernic\desktopsearch\ChromeConnector\ChromeConnector.crx [2016-03-08]
CHR HKU\S-1-5-21-1438436151-582650635-3674040208-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1438436151-582650635-3674040208-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cnnbdaahphjgdgfhliignpepgnbnfomp] - c:\program files (x86)\copernic\desktopsearch\ChromeConnector\ChromeConnector.crx [2016-03-08]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2016-04-13]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-04-13]
CHR HKLM-x32\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2015-09-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [312448 2013-09-07] (Windows ® Win 7 DDK provider) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-04-13] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [370656 2016-04-13] (AVAST Software)
R3 AvastVBoxSvc; C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe [5570272 2016-04-13] (Avast Software)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [437784 2016-04-12] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [417304 2016-04-12] (BlueStack Systems, Inc.)
S3 BstHdPlusAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Plus-Service.exe [433688 2016-04-12] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [921112 2016-04-12] (BlueStack Systems, Inc.)
R2 CCDMonitorService; C:\Program Files (x86)\Acer\Acer Portal\CCDMonitorService.exe [2650696 2013-07-26] (Acer Incorporated)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [663592 2013-07-05] (Acer Incorporated)
R2 Fitbit Connect; C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [5906088 2015-10-28] (Fitbit, Inc.)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [235008 2013-07-16] (TODO: <Company name>) [File not signed]
R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [4383440 2016-04-11] (SurfRight B.V.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-04] (Intel Corporation)
R2 LMSvc; C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe [457768 2013-08-03] (Acer Incorporate)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-08-07] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-08-07] (McAfee, Inc.)
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [233344 2012-06-28] ()
S3 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [4278112 2013-08-01] (Symantec Corporation)
R3 QASvc; C:\Program Files\Acer\Acer Quick Access\QASvc.exe [457768 2013-08-02] (Acer Incorporate)
R3 RMSvc; C:\Program Files\Acer\Acer Quick Access\RMSvc.exe [448040 2013-08-02] (Acer Incorporate)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-04-13] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-04-13] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-04-13] (AVAST Software)
R1 aswNetSec; C:\Windows\system32\drivers\aswNetSec.sys [536312 2016-04-13] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-04-13] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-04-13] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-04-13] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-04-13] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-04-13] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-04-13] (AVAST Software)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-15] (Qualcomm Atheros Communications, Inc.)
S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [8536752 2013-07-01] (Broadcom Corporation)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [154680 2016-04-12] (BlueStack Systems)
R2 BstkDrv; C:\Program Files (x86)\BlueStacks\BstkDrv.sys [270904 2016-04-06] (Bluestack System Inc. )
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-09-07] (Qualcomm Atheros)
S3 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0405000.009\ccSetx64.sys [150104 2013-07-30] (Symantec Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-08-07] (McAfee, Inc.)
S3 DIRECTIO; E:\Programs\PerformanceTest\DirectIo64.sys [31376 2015-03-10] ()
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R4 epp; C:\EEK\bin64\epp.sys [124080 2016-02-11] (Emsisoft Ltd)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [296736 2016-04-08] (Acronis International GmbH)
R3 hmpalert; C:\WINDOWS\system32\drivers\hmpalert.sys [177040 2016-04-11] (SurfRight B.V.)
R3 hmpnet; C:\WINDOWS\system32\drivers\hmpnet.sys [80424 2016-04-11] (SurfRight B.V.)
R3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-07-17] (Acer Incorporated)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-03-24] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-04] (Intel Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179664 2013-08-07] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [310224 2013-08-07] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69264 2013-08-07] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519064 2013-08-07] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [776168 2013-08-07] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343568 2013-08-07] (McAfee, Inc.)
R0 ngvss; C:\Windows\System32\Drivers\ngvss.sys [161760 2016-04-13] (AVAST Software)
R3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [14680 2013-07-17] (Acer Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-10-01] (Synaptics Incorporated)
S3 taphss6; C:\Windows\system32\DRIVERS\taphss6.sys [42064 2016-02-17] (Anchorfree Inc.)
R2 tib; C:\Windows\system32\DRIVERS\tib.sys [1058632 2016-04-08] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\system32\DRIVERS\tib_mounter.sys [248648 2016-04-08] (Acronis International GmbH)
R2 VBoxAswDrv; C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [323392 2016-04-13] (Avast Software)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R2 {C5F942FD-1110-4664-86CE-0C6BDA305235}; C:\Program Files (x86)\CyberLink\PowerDVD14\Common\NavFilter\000.fcl [32456 2014-08-12] (CyberLink Corp.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-18 00:48 - 2016-04-18 00:40 - 00000868 _____ C:\Users\Marcus 2\Desktop\scan_160418-003210.txt
2016-04-18 00:44 - 2016-04-18 00:44 - 00000352 _____ C:\Users\Marcus 1\Desktop\Scan_160418-004347.txt
2016-04-18 00:21 - 2016-04-18 00:44 - 00000000 ____D C:\EEK
2016-04-18 00:09 - 2016-04-18 00:18 - 227732664 _____ C:\Users\Marcus 2\Downloads\EmsisoftEmergencyKit.exe
2016-04-17 23:41 - 2016-04-17 23:41 - 13595200 _____ (IPA S.A. ) C:\Users\Marcus 2\Downloads\emailtray_setup.exe
2016-04-17 22:10 - 2016-04-17 22:21 - 00000000 ____D C:\tmp
2016-04-17 18:36 - 2016-04-17 18:36 - 00000655 _____ C:\Users\Marcus 2\Desktop\RegistryQuarantine.txt
2016-04-17 18:28 - 2016-04-17 18:28 - 00524370 _____ C:\Users\Marcus 2\Desktop\FileQuarentine2.txt
2016-04-17 18:26 - 2016-04-17 18:26 - 00574022 _____ C:\Users\Marcus 2\Desktop\FileQuarentine1.txt
2016-04-17 13:16 - 2016-04-17 13:28 - 00000000 ____D C:\AdwCleaner
2016-04-17 13:13 - 2016-04-17 13:13 - 03677760 _____ C:\Users\Marcus 2\Desktop\AdwCleaner.exe
2016-04-17 12:50 - 2016-04-17 12:50 - 00000549 _____ C:\Users\Marcus 2\Desktop\JRT - Notepad.txt
2016-04-17 12:23 - 2016-04-17 12:56 - 00000000 ____D C:\Users\Marcus 2\Desktop\Problem logs
2016-04-17 11:04 - 2016-04-17 12:47 - 00000546 _____ C:\Users\Marcus 1\Desktop\JRT.txt
2016-04-17 10:59 - 2016-04-17 10:59 - 00016384 _____ C:\WINDOWS\SysWOW64\x�o
2016-04-17 10:48 - 2016-04-17 10:48 - 01610352 _____ (Malwarebytes) C:\Users\Marcus 2\Desktop\JRT.exe
2016-04-17 10:01 - 2016-04-17 10:01 - 00000000 ____D C:\WINDOWS\SysWOW64\vbox
2016-04-17 10:01 - 2016-04-17 10:01 - 00000000 ____D C:\WINDOWS\system32\vbox
2016-04-17 01:02 - 2016-04-17 01:05 - 00004993 _____ C:\Users\Marcus 2\Desktop\Fixlog.txt
2016-04-17 01:02 - 2016-04-17 01:03 - 00016384 _____ C:\WINDOWS\SysWOW64\(�
2016-04-15 23:25 - 2016-04-18 00:52 - 00062968 _____ C:\Users\Marcus 1\Desktop\FRST.txt
2016-04-15 23:14 - 2016-04-15 23:14 - 00065499 _____ C:\Users\Marcus 1\Desktop\Addition.txt
2016-04-15 23:01 - 2016-04-15 23:01 - 00065499 _____ C:\Users\Marcus 2\Desktop\Addition.txt
2016-04-15 23:00 - 2016-04-18 00:53 - 00035960 _____ C:\Users\Marcus 2\Desktop\FRST.txt
2016-04-15 22:58 - 2016-04-18 00:53 - 00000000 ____D C:\FRST
2016-04-15 22:54 - 2016-04-15 22:55 - 02375168 _____ (Farbar) C:\Users\Marcus 2\Desktop\FRST64.exe
2016-04-15 22:33 - 2016-04-15 22:33 - 00001413 _____ C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton Online Backup Toaster.lnk
2016-04-15 21:55 - 2016-04-15 21:55 - 00737284 _____ C:\Users\Marcus 2\Downloads\Rosemarys-Gravy-A-We-Sisters-Melissa-F.-Miller.azw
2016-04-15 20:33 - 2016-04-15 20:33 - 00558508 _____ C:\Users\Marcus 2\Downloads\The-Beauty-Bride-The-Jewels-of-Claire-Delacroix.azw
2016-04-15 20:25 - 2016-04-15 20:26 - 00569080 _____ C:\Users\Marcus 2\Downloads\My-Fierce-Highlander-Highland-Vonda-Sinclair.azw
2016-04-15 19:57 - 2016-04-15 19:57 - 00390631 _____ C:\Users\Marcus 2\Downloads\In-Between-Work-and-Play-The-J-Relina-Skye.azw
2016-04-15 19:35 - 2016-04-15 19:35 - 00320376 _____ C:\Users\Marcus 2\Downloads\Claimed-by-the-Viking-Warriors_-Lily-Reynard.azw
2016-04-15 19:01 - 2016-04-15 19:01 - 00469128 _____ C:\Users\Marcus 2\Downloads\Raven-and-Wolf-Lee-Savino.azw
2016-04-15 19:01 - 2016-04-15 19:01 - 00346716 _____ C:\Users\Marcus 2\Downloads\A-Vikings-Peace_-Futuristic-Sc-Zoe-York.azw
2016-04-15 14:01 - 2016-04-15 14:01 - 00000946 _____ C:\Users\Public\Desktop\calibre 64bit - E-book management.lnk
2016-04-15 14:01 - 2016-04-15 14:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre 64bit - E-book Management
2016-04-15 14:01 - 2016-04-15 14:01 - 00000000 ____D C:\Program Files\Calibre2
2016-04-15 13:41 - 2016-04-15 13:41 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trusteer Endpoint Protection
2016-04-15 12:15 - 2016-04-15 12:15 - 00483312 _____ (IBM Corp.) C:\Users\Marcus 2\Downloads\RapportSetup(2).exe
2016-04-15 09:38 - 2016-04-15 09:38 - 00001717 _____ C:\Users\Marcus 1\AppData\Roaming\Microsoft\Windows\Start Menu\BlueStacks.lnk
2016-04-15 09:38 - 2016-04-15 09:38 - 00001693 _____ C:\Users\Public\Desktop\BlueStacks.lnk
2016-04-13 23:43 - 2016-04-13 23:43 - 00510804 _____ C:\Users\Marcus 2\Downloads\B01DTVV18G_EBOK.azw
2016-04-13 21:13 - 2016-04-13 21:13 - 00483824 _____ (IBM Corp.) C:\Users\Marcus 2\Downloads\RapportSetup(1).exe
2016-04-13 09:32 - 2016-04-13 09:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RoboForm
2016-04-13 09:11 - 2016-04-13 09:11 - 00398152 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-04-13 09:10 - 2016-04-13 09:10 - 00052184 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-04-12 21:56 - 2016-04-12 21:56 - 02536516 _____ C:\Users\Marcus 2\Downloads\Mad stuff.mp4
2016-04-12 21:44 - 2016-04-12 21:44 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_214415
2016-04-12 21:40 - 2016-04-12 21:40 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_214009
2016-04-12 21:18 - 2016-04-12 21:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211816
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211755
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211754
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211719
2016-04-12 21:17 - 2016-04-12 21:17 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160412_211718
2016-04-12 15:04 - 2016-04-12 15:04 - 00000000 ____D C:\Users\Marcus 1\AppData\Local\Copernic
2016-04-12 09:47 - 2016-04-13 22:27 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-04-11 05:15 - 2016-04-11 05:15 - 00008581 _____ C:\Users\Marcus 2\Documents\Computer magazine.xlsx
2016-04-11 03:53 - 2016-04-18 00:15 - 00000000 ____D C:\WINDOWS\CryptoGuard
2016-04-11 03:53 - 2016-04-17 01:16 - 00000000 ____D C:\ProgramData\HitmanPro.Alert
2016-04-11 03:53 - 2016-04-11 04:28 - 00000000 ____D C:\ProgramData\HitmanPro
2016-04-11 03:53 - 2016-04-11 03:53 - 00848080 _____ (SurfRight B.V.) C:\WINDOWS\system32\hmpalert.dll
2016-04-11 03:53 - 2016-04-11 03:53 - 00767184 _____ (SurfRight B.V.) C:\WINDOWS\SysWOW64\hmpalert.dll
2016-04-11 03:53 - 2016-04-11 03:53 - 00177040 _____ (SurfRight B.V.) C:\WINDOWS\system32\Drivers\hmpalert.sys
2016-04-11 03:53 - 2016-04-11 03:53 - 00080424 _____ (SurfRight B.V.) C:\WINDOWS\system32\Drivers\hmpnet.sys
2016-04-11 03:53 - 2016-04-11 03:53 - 00016384 _____ C:\WINDOWS\SysWOW64\��T
2016-04-11 03:53 - 2016-04-11 03:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
2016-04-11 03:53 - 2016-04-11 03:53 - 00000000 ____D C:\Program Files (x86)\HitmanPro.Alert
2016-04-11 03:49 - 2016-04-11 03:50 - 04383440 _____ (SurfRight B.V.) C:\Users\Marcus 2\Downloads\hmpalert31.exe
2016-04-11 02:29 - 2016-04-11 02:29 - 00000000 ____D C:\Users\Marcus 2\Documents\Anki
2016-04-11 02:28 - 2016-04-11 02:29 - 00000000 ____D C:\Program Files\recall
2016-04-11 02:19 - 2016-04-11 02:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\keit.co
2016-04-11 02:19 - 2016-04-11 02:19 - 00000000 ____D C:\Users\Marcus 1\AppData\Roaming\keit.co
2016-04-11 02:18 - 2016-04-11 02:18 - 07112155 _____ ( ) C:\Users\Marcus 2\Downloads\recall.exe
2016-04-11 01:15 - 2016-04-11 01:15 - 00000000 ____D C:\ProgramData\Copernic
2016-04-11 01:14 - 2016-04-11 01:14 - 00002153 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Copernic Desktop Search 5.lnk
2016-04-11 01:14 - 2016-04-11 01:14 - 00002141 _____ C:\Users\Public\Desktop\Copernic Desktop Search 5.lnk
2016-04-11 01:14 - 2016-04-11 01:14 - 00000000 ____D C:\Program Files (x86)\Copernic
2016-04-11 01:13 - 2016-04-11 01:13 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Copernic
2016-04-11 01:11 - 2016-04-11 01:12 - 22843656 _____ (Copernic, a division of N. Harris Computer Systems) C:\Users\Marcus 2\Downloads\copernicdesktopsearch.exe
2016-04-10 23:54 - 2016-04-10 23:55 - 10185928 _____ C:\Users\Marcus 2\Desktop\Orchestral Manoeuvres In The Dark - Maid Of Orleans.flv
2016-04-08 15:01 - 2016-04-08 15:01 - 00000000 ____D C:\Users\Marcus 1\AppData\Roaming\Acronis
2016-04-08 14:37 - 2016-04-08 14:37 - 01058632 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\tib.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00304416 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\snapman.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00296736 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\file_tracker.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00248648 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\tib_mounter.sys
2016-04-08 14:37 - 2016-04-08 14:37 - 00134432 _____ (Acronis International GmbH) C:\WINDOWS\system32\Drivers\fltsrv.sys
2016-04-08 14:36 - 2016-04-08 14:37 - 00000000 ____D C:\ProgramData\Acronis
2016-04-08 14:36 - 2016-04-08 14:36 - 00001233 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acronis True Image 2015.lnk
2016-04-08 14:36 - 2016-04-08 14:36 - 00001221 _____ C:\Users\Public\Desktop\Acronis True Image 2015.lnk
2016-04-08 14:36 - 2016-04-08 14:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acronis
2016-04-08 14:36 - 2016-04-08 14:36 - 00000000 ____D C:\Program Files (x86)\Acronis
2016-04-07 20:27 - 2016-04-07 20:28 - 10162200 _____ (teorex ) C:\Users\Marcus 2\Downloads\FolderIcoSetup.exe
2016-04-07 17:57 - 2016-04-07 18:20 - 295841480 _____ (Acronis) C:\Users\Marcus 2\Downloads\AcronisTrueImage2015_6613_en-EU.exe
2016-04-07 17:57 - 2016-04-07 18:19 - 339881984 _____ C:\Users\Marcus 2\Downloads\AcronisTrueImage2015_ur_en-US.msi
2016-04-05 05:04 - 2016-04-12 12:47 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Foxit Software
2016-04-05 04:59 - 2016-04-05 04:59 - 00001109 _____ C:\Users\Public\Desktop\Foxit PhantomPDF.lnk
2016-04-05 04:59 - 2016-04-05 04:59 - 00000000 ____D C:\Users\Public\Foxit Software
2016-04-05 04:58 - 2016-04-05 04:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit PhantomPDF
2016-04-05 04:58 - 2016-04-05 04:58 - 00000000 ____D C:\Program Files (x86)\Foxit Software
2016-04-04 03:49 - 2016-04-04 03:53 - 67674112 _____ C:\Users\Marcus 2\Downloads\calibre-2.54.0.msi
2016-04-03 00:10 - 2016-04-03 00:10 - 00000000 ____D C:\Users\Marcus 2\.cache
2016-04-01 14:52 - 2016-04-01 15:06 - 299552768 _____ C:\Users\Marcus 2\Downloads\FoxitPhantomPDF703_Standard_enu_Setup.msi
2016-03-31 06:16 - 2016-03-31 06:16 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_061604
2016-03-31 06:16 - 2016-03-31 06:16 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_061603
2016-03-31 06:06 - 2016-03-31 06:06 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_060647
2016-03-31 06:05 - 2016-03-31 06:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_060503
2016-03-31 06:05 - 2016-03-31 06:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160331_060502
2016-03-30 22:21 - 2016-03-30 22:22 - 00000000 ____D C:\Users\Marcus 2\Downloads\The.Flash.2014.S02E17.HDTV.x264-LOL[ettv]
2016-03-30 21:59 - 2016-03-30 22:00 - 17141991 _____ (The qBittorrent project) C:\Users\Marcus 2\Downloads\qbittorrent_3.3.4_setup.exe
2016-03-30 01:23 - 2016-03-30 01:23 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_012346
2016-03-30 01:23 - 2016-03-30 01:23 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_012345
2016-03-30 01:05 - 2016-03-30 01:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010544
2016-03-30 01:05 - 2016-03-30 01:05 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010514
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010457
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010456
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010429
2016-03-30 01:04 - 2016-03-30 01:04 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010407
2016-03-30 01:03 - 2016-03-30 01:03 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010345
2016-03-30 01:03 - 2016-03-30 01:03 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_010344
2016-03-30 00:56 - 2016-03-30 00:56 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_005650
2016-03-30 00:56 - 2016-03-30 00:56 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160330_005649
2016-03-26 09:32 - 2016-03-26 09:32 - 02572844 _____ C:\Users\Marcus 2\Downloads\0658672.mp4
2016-03-26 05:17 - 2016-03-26 05:17 - 00000000 ____D C:\Users\Marcus 2\.moneydance
2016-03-26 05:15 - 2016-03-26 05:15 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Moneydance
2016-03-26 05:14 - 2016-03-26 05:15 - 00000000 ____D C:\Program Files\Moneydance
2016-03-26 05:10 - 2016-03-26 05:11 - 54259696 _____ (The Infinite Kind) C:\Users\Marcus 2\Downloads\Moneydance_windows_amd64.exe
2016-03-26 02:26 - 2016-03-26 02:26 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_012656
2016-03-26 02:12 - 2016-03-26 02:12 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_011220
2016-03-26 02:06 - 2016-03-26 02:06 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_010639
2016-03-26 01:58 - 2016-03-26 01:58 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_005808
2016-03-26 01:54 - 2016-03-26 01:54 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_005411
2016-03-26 01:54 - 2016-03-26 01:54 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\ebook_convert_20160326_005410
2016-03-25 01:49 - 2016-03-25 01:50 - 00000000 ____D C:\Program Files (x86)\Anki
2016-03-25 01:49 - 2016-03-25 01:49 - 00000766 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anki.lnk
2016-03-25 01:49 - 2016-03-25 01:49 - 00000754 _____ C:\Users\UpdatusUser\Desktop\Anki.lnk
2016-03-25 01:49 - 2016-03-25 01:49 - 00000754 _____ C:\Users\Marcus 2\Desktop\Anki.lnk
2016-03-25 01:49 - 2016-03-25 01:49 - 00000754 _____ C:\Users\Marcus 1\Desktop\Anki.lnk
2016-03-25 01:41 - 2016-03-25 01:44 - 23229917 _____ C:\Users\Marcus 2\Downloads\anki-2.0.33.exe
2016-03-24 15:52 - 2016-03-24 15:52 - 00001799 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\Program Files\iTunes
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\Program Files\iPod
2016-03-24 15:52 - 2016-03-24 15:52 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-03-24 15:49 - 2016-03-24 15:49 - 00000000 ____D C:\WINDOWS\System32\Tasks\Apple
2016-03-24 15:49 - 2016-03-24 15:49 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-03-24 15:37 - 2016-04-15 13:55 - 00000000 ____D C:\Users\Marcus 2\Documents\My Filehippo Downloads
2016-03-23 22:55 - 2016-03-23 22:59 - 28122662 _____ C:\Users\Marcus 2\Downloads\07B6760.mp4
2016-03-23 22:49 - 2016-03-23 22:51 - 19025857 _____ C:\Users\Marcus 2\Downloads\047BC75.mp4
2016-03-22 03:01 - 2016-03-22 03:01 - 01067704 _____ C:\Users\Marcus 2\Downloads\video-1454011780.mp4
2016-03-19 01:18 - 2016-03-19 02:25 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Smartflix
2016-03-19 01:18 - 2016-03-19 01:18 - 00002389 _____ C:\Users\Marcus 2\Desktop\Smartflix.lnk
2016-03-19 01:18 - 2016-03-19 01:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Smartflix
2016-03-19 01:17 - 2016-03-19 01:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\SquirrelTemp
2016-03-19 01:17 - 2016-03-19 01:18 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\smartflix
2016-03-19 01:12 - 2016-03-19 01:14 - 44363008 _____ (Smartflix) C:\Users\Marcus 2\Downloads\SmartflixSetup.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-18 00:48 - 2015-03-20 00:52 - 00003930 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{BFAFE924-9EC8-4943-AD49-935278E6A731}
2016-04-18 00:31 - 2015-05-18 18:52 - 00000920 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-18 00:19 - 2015-04-05 18:08 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-04-18 00:09 - 2015-02-17 11:05 - 00000000 ____D C:\Users\Marcus 2\AppData\LocalLow\LastPass
2016-04-17 20:31 - 2015-05-18 18:52 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-17 20:26 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2016-04-17 20:17 - 2015-06-05 04:33 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Deployment
2016-04-17 15:12 - 2015-02-16 23:52 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1438436151-582650635-3674040208-1003
2016-04-17 13:57 - 2016-01-05 11:52 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\eM Client
2016-04-17 13:57 - 2015-09-01 20:35 - 00000000 ___RD C:\Users\Marcus 2\Documents\Swift To-Do List
2016-04-17 13:47 - 2015-06-24 11:29 - 00000000 ____D C:\Users\Marcus 2\Tracing
2016-04-17 13:46 - 2015-06-22 19:48 - 00000000 ____D C:\ProgramData\BlueStacksSetup
2016-04-17 13:40 - 2013-08-22 15:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-04-17 11:12 - 2013-08-22 14:36 - 00000000 ____D C:\WINDOWS\Inf
2016-04-17 09:23 - 2015-09-15 04:32 - 00000000 ____D C:\Users\Marcus 2\Documents\My BP
2016-04-15 13:50 - 2015-02-17 11:20 - 00004182 _____ C:\WINDOWS\System32\Tasks\avast! Emergency Update
2016-04-15 09:40 - 2016-01-22 09:21 - 00000000 ____D C:\Program Files (x86)\BlueStacks
2016-04-15 09:40 - 2013-08-22 14:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2016-04-15 09:38 - 2016-01-22 09:22 - 00000000 ____D C:\ProgramData\BlueStacksGameManager
2016-04-15 09:37 - 2013-08-22 16:36 - 00000000 __RHD C:\Users\Public\Libraries
2016-04-15 09:35 - 2015-06-22 19:58 - 00000000 ____D C:\ProgramData\BlueStacks
2016-04-15 00:01 - 2015-02-23 21:34 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\vlc
2016-04-14 11:31 - 2013-08-22 16:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-04-13 22:44 - 2015-05-18 18:53 - 00002219 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-13 22:44 - 2015-05-18 18:53 - 00002207 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-04-13 22:28 - 2016-02-15 14:13 - 00003044 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1455542022
2016-04-13 22:28 - 2016-02-15 14:13 - 00001057 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-04-13 22:27 - 2015-02-17 12:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-13 09:26 - 2015-09-07 04:06 - 00000000 ____D C:\Users\Marcus 2\Documents\My RoboForm Data
2016-04-13 09:24 - 2015-02-16 23:47 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Adobe
2016-04-13 09:15 - 2015-05-03 04:36 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Adobe
2016-04-13 09:12 - 2015-02-17 11:20 - 00287528 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00465792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00166432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00107792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00103064 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00074544 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-04-13 09:11 - 2015-02-17 11:20 - 00037656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-04-13 09:10 - 2016-02-15 11:24 - 00536312 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswNetSec.sys
2016-04-13 09:10 - 2015-08-10 04:15 - 00161760 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\ngvss.sys
2016-04-13 09:10 - 2015-02-17 11:20 - 01070904 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2016-04-13 09:10 - 2015-02-17 11:20 - 00037144 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2016-04-13 01:31 - 2015-09-01 21:30 - 00000000 ____D C:\Users\Marcus 2\Documents\Calibre Library
2016-04-13 01:21 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\.Ultimate
2016-04-12 21:44 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\epubor_log
2016-04-12 21:43 - 2015-06-24 09:51 - 00000000 ____D C:\Users\Marcus 2\Documents\My Kindle Content
2016-04-12 21:18 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\Ultimate
2016-04-12 21:18 - 2016-02-08 23:34 - 00000000 ____D C:\Users\Marcus 2\decrypt
2016-04-11 04:33 - 2013-11-14 08:50 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-04-10 05:03 - 2015-08-05 15:09 - 00000000 ____D C:\Program Files (x86)\Steam
2016-04-09 22:50 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-04-07 21:19 - 2015-04-05 18:08 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-04-05 14:25 - 2015-02-27 15:48 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Apple Computer
2016-04-05 14:25 - 2015-02-17 19:19 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\Apple Computer
2016-04-05 04:59 - 2016-01-29 09:49 - 00000000 ____D C:\ProgramData\Package Cache
2016-04-04 03:56 - 2015-09-01 21:30 - 00000976 _____ C:\Users\Public\Desktop\calibre - E-book management.lnk
2016-04-04 03:56 - 2015-09-01 21:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2016-04-04 03:56 - 2015-09-01 21:30 - 00000000 ____D C:\Program Files (x86)\Calibre2
2016-04-03 00:10 - 2015-02-16 23:46 - 00000000 ____D C:\Users\Marcus 2
2016-03-31 00:26 - 2016-01-27 21:52 - 00000000 ____D C:\Users\Marcus 2\Desktop\Books
2016-03-30 23:20 - 2015-02-17 18:29 - 00000000 ____D C:\Users\Marcus 2\AppData\Roaming\qBittorrent
2016-03-30 22:04 - 2015-02-17 18:29 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\qBittorrent
2016-03-29 18:35 - 2016-03-18 16:27 - 00000000 ____D C:\Users\Marcus 2\.grabMyBooks
2016-03-29 09:42 - 2016-03-16 11:37 - 00000000 ____D C:\ProgramData\Oracle
2016-03-29 09:41 - 2016-03-16 15:16 - 00000000 ____D C:\Users\Marcus 2\.oracle_jre_usage
2016-03-29 08:58 - 2016-03-16 11:39 - 00000000 ____D C:\Program Files\Java
2016-03-29 08:58 - 2016-03-16 11:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-03-29 05:46 - 2016-03-16 11:37 - 00000000 ____D C:\Program Files (x86)\Java
2016-03-29 05:45 - 2016-03-16 11:39 - 00110144 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge-64.dll
2016-03-29 05:45 - 2016-03-16 11:37 - 00000000 ____D C:\Users\Marcus 1\.oracle_jre_usage
2016-03-29 05:44 - 2016-03-16 11:37 - 00097856 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-03-27 23:37 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-03-26 07:32 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-03-24 17:45 - 2015-08-05 19:15 - 00000000 ____D C:\Users\Public\Documents\Sports Interactive
2016-03-24 17:45 - 2015-08-05 19:15 - 00000000 ____D C:\Users\Marcus 2\Documents\Sports Interactive
2016-03-24 17:45 - 2015-08-05 19:15 - 00000000 ____D C:\Users\Marcus 2\AppData\Local\Sports Interactive
2016-03-24 15:52 - 2015-02-17 18:13 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-03-24 15:49 - 2015-02-17 18:14 - 00002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-03-24 15:27 - 2015-06-09 16:54 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-03-24 15:09 - 2015-02-17 16:09 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-03-24 14:44 - 2015-08-05 13:25 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2016-03-24 14:44 - 2015-08-05 13:25 - 00000000 ___SD C:\WINDOWS\system32\GWX
2016-03-24 14:44 - 2015-02-17 16:09 - 143659408 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-03-23 19:45 - 2015-06-09 16:53 - 00001118 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-23 19:45 - 2015-06-09 16:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-23 19:45 - 2015-06-09 16:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-03-23 00:14 - 2016-03-16 03:34 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit

==================== Files in the root of some directories =======

2016-02-09 01:58 - 2016-02-09 01:58 - 0015720 _____ () C:\Users\Marcus 1\AppData\Roaming\books.pcl
2016-02-09 01:58 - 2016-02-09 01:58 - 0873612 _____ () C:\Users\Marcus 1\AppData\Roaming\imgs.zip
2016-02-09 01:58 - 2016-02-09 01:58 - 0000063 _____ () C:\Users\Marcus 1\AppData\Roaming\url.txt
2016-01-27 19:37 - 2016-01-27 19:37 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-01-21 06:25 - 2014-01-21 06:25 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-11 20:21

==================== End of FRST.txt ============================

#12 Aura
Malware Response Team

Posted 18 April 2016 - 06:40 AM

Thank you for the logs :)

The three extensions removed by AdwCleaner were installed purposefully by myself.


I looked into them and they do not look malicious at all. Might be a false positive on AdwCleaner's end (I'll report it to the developer). Since you installed them on purpose, you are free to reinstall them.

I would like you to upload two files from your SysWOW64 folder on VirusTotal. These 2 files have special Unicode characters in them (which means, they are characters other than letters, numbers or standard -, _, etc.). I listed their "name" as I see them in the FRST logs. The � is a special character.

Follow the instructions below and upload the following files (one at a time) on VirusTotal:
C:\WINDOWS\SysWOW64\x�o
C:\WINDOWS\SysWOW64\(�
C:\WINDOWS\SysWOW64\��T
  • Open your favorite web browser, and go on virustotal.com;
  • From there, click on the Select a file button and wait for the Windows Explorer to open;
  • Browse to the file you want to upload, then click on Open;
  • Once it's done, click on the Analyze button;
  • If you get a message that the file was already analyzed, click on the Re-analyze button;
  • At the end of the analysis, copy and paste the VirusTotal report URL in your next reply (I need the report URL of every file you uploaded);
Now, let's look into your Google Chrome and HitmanPro.Alert issue. Close any Google Chrome windows you have open, then press on the Windows + R keys, and in the Run box, type in the following command:
chrome --disable-plugins
This should launch Google Chrome without the plugins (which means, with Trusteer Rapport which I suspect is triggering HitmanPro.Alert). Does Chrome launch properly? If Chrome doesn't launch properly, then try this command.
chrome --disable-extensions
And if it still doesn't launch properly, try this one.
chrome --disable-plugins --disable-extensions
Let me know in which situations Google Chrome launches properly, and in which ones it doesn't.

Your next reply(ies) should include:
  • VirusTotal URLs for the two files I asked you to upload;
  • Results of launching Google Chrome without plugins, without extensions and without plugins + extensions;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 compbuff
Topic Starter

Posted 18 April 2016 - 07:03 PM

Hi Aura,

Thank you for your reply, and I carried out what was asked.

> I looked into them and they do not look malicious at all. Might be a false positive on AdwCleaner's end (I'll report it to the developer). Since you installed them on purpose, you are free to reinstall them.

As you stated they did not look malicious and were probably a false positive, I will endeavor to reinstall them once I do get my Chrome back up and running again.

> I would like you to upload two files from your SysWOW64 folder on VirusTotal. These 2 files have special Unicode characters in them (which means, they are characters other than letters, numbers or standard -, _, etc.). I listed their "name" as I see them in the FRST logs. The � is a special character.

Except you have asked me to upload three files on VirusTotal, and to upload them one by one, clicking the Analyze button, and if the file was already analysed, to reanalyse them, which I did for all three, then added the URL of the analysis report for all three.

C:\WINDOWS\SysWOW64\xo
C:\WINDOWS\SysWOW64\(
C:\WINDOWS\SysWOW64\�T

https://www.virustotal.com/en/file/0be905dc6b2853080e26f19870d7e45465af155bfdfdfedb57b7334a483ea50c/analysis/1461020865/
https://www.virustotal.com/en/file/0be905dc6b2853080e26f19870d7e45465af155bfdfdfedb57b7334a483ea50c/analysis/1461021997/
https://www.virustotal.com/en/file/0be905dc6b2853080e26f19870d7e45465af155bfdfdfedb57b7334a483ea50c/analysis/1461022302/

> Now, let's look into your Google Chrome and HitmanPro.Alert issue. Close any Google Chrome windows you have open, then press on the Windows + R keys, and in the Run box, type in the following command:

I had no Google Chrome windows open because I have not been able to use it, and there was no lingering Google Chrome still open in Task Manager, which I had checked a few days ago as well.

> chrome --disable-plugins

It failed to open with the above one. I got the same attack intercepted message with HitmanPro that I had got before when trying to open it when the problem first appeared.

> This should launch Google Chrome without the plugins (which means, with Trusteer Rapport which I suspect is triggering HitmanPro.Alert). Does Chrome launch properly? If Chrome doesn't launch properly, then try this command.

> chrome --disable-extensions

Again, same as with the first one. Repeated the same attack intercepted message.

> And if it still doesn't launch properly, try this one.

> chrome --disable-plugins --disable-extensions

Once again, it also failed to open and the same message as before came up.

This reply, as requested, has included:

  • VirusTotal URLs for the three, not two, files you asked me to upload;
  • The results of launching Google Chrome without plugins, without extensions and without plugins + extensions.


#14 Aura
Malware Response Team

Posted 19 April 2016 - 07:22 AM

Thank you for the VirusTotal reports. You uploaded the three files I asked for, but in the end, they were all a copy of the same file (which I noticed). I don't know what creates multiple copies of this file, but I suspect that HitmanPro.Alert is the culprit, so I might ask that question myself in the support thread for it after we're done here.

Open HitmanPro.Alert, and under Exploit mitigation, click on the Google Chrome icon to open its protection settings. Adjust them so they look like mine in the screenshot below.
[screenshot: HitmanPro.Alert exploit mitigation settings for Google Chrome]
Once done, try to open Google Chrome and see if HPA still blocks it or not.

If it still blocks the execution, try to disable HPA completely, then open Google Chrome and see if it works.


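Aura's observation above that the three oddly named SysWOW64 files were all copies of one file (the three VirusTotal reports carry the same SHA-256) is something a local hash check reveals before anything is uploaded. As an added example, not code from this thread or from FRST, HitmanPro.Alert or VirusTotal, the following Python script lists the regular files in one directory whose names contain characters outside printable ASCII (the names FRST rendered with �) and groups them by SHA-256, flagging groups that share content. The default target folder `C:\Windows\SysWOW64` and every function name are this example's own choices.

```python
"""Group oddly named files in one directory by SHA-256 (added example).

Assumptions (not from the thread): the default target folder and all
function names below are this example's own choices.
"""
from __future__ import annotations

import hashlib
import os
import sys
from pathlib import Path


def has_odd_name(name: str) -> bool:
    """True if `name` contains any character outside printable ASCII.

    FRST rendered such characters as U+FFFD (the replacement character),
    so a control character or any non-ASCII code point counts as 'odd'.
    """
    return any(not 32 <= ord(ch) <= 126 for ch in name)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_odd_named_files(directory: str | os.PathLike) -> dict[str, list[str]]:
    """Return {sha256_hex: [sorted file names]} for oddly named regular files.

    Only the directory root is scanned (no subfolders), and symlinks are not
    followed, so a link cannot make a file appear under another name.
    """
    groups: dict[str, list[str]] = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False) and has_odd_name(entry.name):
            groups.setdefault(sha256_of(Path(entry.path)), []).append(entry.name)
    for names in groups.values():
        names.sort()
    return groups


def report(directory: str | os.PathLike) -> list[str]:
    """One line per distinct content hash; groups with several names are flagged."""
    lines = []
    for digest, names in sorted(group_odd_named_files(directory).items()):
        tag = f"DUPLICATE x{len(names)}" if len(names) > 1 else "single"
        shown = ", ".join(repr(n) for n in names)  # repr() makes the odd characters visible
        lines.append(f"{digest}  [{tag}]  {shown}")
    return lines


if __name__ == "__main__":
    # Default is the folder discussed in the thread; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\SysWOW64"
    for line in report(target) or ["no oddly named files found"]:
        print(line)
```

Run it as `python oddnames.py` (or with another folder as the first argument) in an administrator prompt if the folder is not readable by a normal user. Having the SHA-256 locally also lets you search VirusTotal by hash first, which avoids uploading three copies of a file that may already have a report, and avoids publishing a file that turns out to be private.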

#15 compbuff
Topic Starter

Posted 19 April 2016 - 05:11 PM

Hi Aura,

 

Sorry for the late reply; due to work and other commitments, I only got a chance to reply now.

 

I followed your instructions, opening HPA and unchecking the boxes under exploit mitigation as suggested by your screenshot so that it mirrored yours. Then I attempted to open Google Chrome and it did work.