backdoor.agent.xn found by MBAM Premium


  • This topic is locked
18 replies to this topic

#1 Baenwort

Baenwort

  • Members
  • 19 posts
  • OFFLINE
  • Local time:03:07 AM

Posted 25 April 2016 - 10:44 PM

Hello, I have MBAM running along with EMET 5.5 and MSE Defender. MBAM found the following infection on my computer and I wish to ensure it was completely removed. Neither MBAM nor MSE sees anything infecting the computer since the detection and removal of the backdoor.agent.xn, but I want to be sure as this is my wife's and my only computer.

 

The computer is a laptop running Windows 7 Pro 64bit with all the updates through and including the April Patch Tuesday.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-04-2016
Ran by Charles (ATTENTION: The user is not administrator) on LAPTOT (25-04-2016 22:41:19)
Running from C:\Users\Charles\Downloads
Loaded Profiles: Baenwort & Charles (Available Profiles: Baenwort & Maureen & Charles)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> csrss.exe
Failed to access process -> services.exe
Failed to access process -> winlogon.exe
Failed to access process -> lsass.exe
Failed to access process -> lsm.exe
Failed to access process -> svchost.exe
Failed to access process -> nvvsvc.exe
Failed to access process -> svchost.exe
Failed to access process -> MsMpEng.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
Failed to access process -> igfxCUIService.exe
Failed to access process -> nvxdsync.exe
Failed to access process -> nvvsvc.exe
Failed to access process -> svchost.exe
Failed to access process -> wlanext.exe
Failed to access process -> conhost.exe
Failed to access process -> spoolsv.exe
Failed to access process -> svchost.exe
Failed to access process -> AGSService.exe
Failed to access process -> EvtEng.exe
Failed to access process -> HeciServer.exe
Failed to access process -> IntelMeFWService.exe
Failed to access process -> Jhi_service.exe
Failed to access process -> mbamscheduler.exe
Failed to access process -> mbamservice.exe
Failed to access process -> PowerBiosServer.exe
Failed to access process -> RegSrvc.exe
Failed to access process -> svchost.exe
Failed to access process -> ViakaraokeSrv.exe
Failed to access process -> xritedeviced.exe
Failed to access process -> unsecapp.exe
Failed to access process -> ZeroConfigService.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> ColorMunkiDeviceService.exe
Failed to access process -> NisSrv.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
Failed to access process -> devmonsrv.exe
Failed to access process -> PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
Failed to access process -> mediasrv.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
Failed to access process -> obexsrv.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
Failed to access process -> EMET_Service.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 5.5\EMET_Agent.exe
Failed to access process -> WmiPrvSE.exe
Failed to access process -> GoogleUpdate.exe
Failed to access process -> LMS.exe
Failed to access process -> GoogleCrashHandler.exe
Failed to access process -> GoogleCrashHandler64.exe
Failed to access process -> iPodService.exe
Failed to access process -> SearchIndexer.exe
(Flux Software LLC) C:\Users\Charles\AppData\Local\FluxSoftware\Flux\flux.exe
() C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\ColorMunki Photo Tray.exe
() C:\Program Files (x86)\Hotkey\Hotkey.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
() C:\Windows\Samsung\PanelMgr\SSMMgr.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
() C:\Windows\Samsung\PanelMgr\caller64.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
Failed to access process -> UNS.exe
Failed to access process -> svchost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2328360 2010-09-15] (Synaptics Incorporated)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [THXCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-10-16] (Apple Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2655520 2015-10-11] (NVIDIA Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508240 2015-08-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5025904 2012-02-12] (VIA)
HKLM-x32\...\Run: [THX Audio Control Panel] => C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe [1374720 2010-11-01] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2756672 2016-03-09] (Dominik Reichl)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292088 2013-09-17] (Intel Corporation)
HKLM-x32\...\Run: [Samsung PanelMgr] => C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [449168 2012-03-26] (CANON INC.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [KeePass Password Safe 2] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2756672 2016-03-09] (Dominik Reichl)
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [f.lux] => C:\Users\Charles\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1403304 2016-02-16] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2015-10-25] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ColorMunki Gamma.lnk [2015-11-22]
ShortcutTarget: ColorMunki Gamma.lnk -> C:\Program Files (x86)\X-Rite\ColorMunki Photo\Gamma\CalibrationLoader.exe (LOGO Kommunikations- und Drucktechnik GmbH & Co. KG)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ColorMunkiPhotoTray.exe.lnk [2015-11-22]
ShortcutTarget: ColorMunkiPhotoTray.exe.lnk -> C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\ColorMunki Photo Tray.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Hotkey.lnk [2015-10-25]
ShortcutTarget: Hotkey.lnk -> C:\Program Files (x86)\Hotkey\Hotkey.exe ()
Startup: C:\Users\Baenwort\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2015-12-27]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 64.81.159.2 209.172.128.2
Tcpip\..\Interfaces\{B9841245-1F68-4313-B2E2-C071DBCC00C1}: [DhcpNameServer] 64.81.159.2 209.172.128.2
Tcpip\..\Interfaces\{D2171CFC-D495-4551-A109-6E5C015C5F5C}: [DhcpNameServer] 64.81.159.2 209.172.128.2

Internet Explorer:
==================
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/
URLSearchHook: [S-1-5-21-4137917702-2165307853-891469882-1000] ATTENTION => Default URLSearchHook is missing
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-23] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-23] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Charles\AppData\Roaming\Mozilla\Firefox\Profiles\ptnw4y5p.default
FF DefaultSearchEngine.US: DuckDuckGo
FF Homepage: hxxps://192.168.1.113/
hxxp://192.168.1.133:8096/web/index.html
hxxp://192.168.1.109:9091/transmission/web/#upload
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-08-06] (Adobe Systems)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-08] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-23] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-23] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-08-06] (Adobe Systems)
FF Extension: NoScript - C:\Users\Charles\AppData\Roaming\Mozilla\Firefox\Profiles\ptnw4y5p.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-04-10]
FF Extension: HTTPS-Everywhere - C:\Users\Charles\AppData\Roaming\Mozilla\Firefox\Profiles\ptnw4y5p.default\extensions\https-everywhere@eff.org [2016-04-10]
FF Extension: Privacy Badger - C:\Users\Charles\AppData\Roaming\Mozilla\Firefox\Profiles\ptnw4y5p.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2016-04-09]

Chrome:
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-27]
CHR Extension: (Google Docs) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-27]
CHR Extension: (Google Drive) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-27]
CHR Extension: (YouTube) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-27]
CHR Extension: (Google Search) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google Sheets) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-27]
CHR Extension: (HTTPS Everywhere) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbommkclmclpchllfjekcdonpmejbdp [2016-04-09]
CHR Extension: (Google Docs Offline) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-28]
CHR Extension: (Ghostery) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-02-20]
CHR Extension: (JupiterRising-1280 OpticWhite Cassini1 Theme) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\ncjbiofcgfapjkjdipleglanhgjcfjnj [2015-10-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-09]
CHR Extension: (Gmail) - C:\Users\Charles\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-27]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2021592 2016-04-05] (Adobe Systems, Incorporated)
R2 ColorMunkiService; C:\Program Files (x86)\X-Rite\Devices\Services\ColorMunki\ColorMunkiDeviceService.exe [147968 2009-10-21] (X-Rite Inc.) [File not signed]
R2 EMET_Service; C:\Program Files (x86)\EMET 5.5\EMET_Service.exe [33960 2016-01-29] (Microsoft Corporation)
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [227896 2016-04-17] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6133816 2016-04-17] (GOG.com)
S3 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [846352 2016-02-16] (Garmin Ltd. or its subsidiaries)
S2 iBtSiva; C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe [127216 2015-01-21] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319080 2015-06-04] (Intel Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [127320 2012-03-14] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [162648 2012-03-14] (Intel Corporation)
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-07-09] ()
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 PowerBiosServer; C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [35328 2011-02-18] () [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2012-01-09] (VIA Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 xritedeviced; C:\Program Files (x86)\X-Rite\Devices\Services\xritedeviced.exe [130048 2009-10-21] (X-Rite Inc.) [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3831712 2015-07-09] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [150440 2015-12-28] (SlySoft, Inc.)
S3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [150440 2015-12-28] (SlySoft, Inc.)
S3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [141624 2014-10-28] (Motorola Solutions, Inc.)
S3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1448248 2014-11-26] (Motorola Solutions, Inc.)
S3 colormunki; C:\Windows\System32\Drivers\colormunki_x64.sys [51600 2007-10-02] (Thesycon GmbH, Germany)
S2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [53816 2009-03-02] (Samsung Electronics Co., Ltd.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\NETwsw01.sys [11534096 2015-05-04] (Intel Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R3 PdiPorts; C:\Windows\System32\DRIVERS\PdiPorts.sys [19248 2006-11-16] (Portrait Displays, Inc.)
R3 VMfilt; C:\Windows\System32\drivers\VMfilt64.sys [25600 2009-07-30] (Creative Technology Ltd.)
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 22:41 - 2016-04-25 22:41 - 00021169 _____ C:\Users\Charles\Downloads\FRST.txt
2016-04-25 22:40 - 2016-04-25 22:41 - 00000000 ____D C:\FRST
2016-04-25 22:38 - 2016-04-25 22:38 - 02376192 _____ (Farbar) C:\Users\Charles\Downloads\FRST64.exe
2016-04-25 21:39 - 2016-04-25 22:24 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-04-25 21:34 - 2016-04-25 22:24 - 00000000 ____D C:\Users\Baenwort\Desktop\mbar
2016-04-25 21:33 - 2016-04-25 21:35 - 286869504 _____ C:\Users\Charles\Downloads\kav_rescue_10.iso
2016-04-25 21:32 - 2016-04-25 21:32 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Charles\Downloads\mbar-1.09.3.1001.exe
2016-04-18 14:02 - 2016-04-18 14:02 - 00251925 _____ C:\Users\Charles\Downloads\Statement (2).pdf
2016-04-18 14:01 - 2016-04-18 14:01 - 00251941 _____ C:\Users\Charles\Downloads\Statement (1).pdf
2016-04-18 14:00 - 2016-04-18 14:00 - 00251925 _____ C:\Users\Charles\Downloads\Statement.pdf
2016-04-18 13:59 - 2016-04-18 13:59 - 00056236 _____ C:\Users\Charles\Downloads\Statement_03-27-2016.PDF
2016-04-14 22:36 - 2016-04-14 22:36 - 00333824 _____ C:\Users\Charles\Downloads\thing-FreeNAS-9.3-STABLE-201604140556-20160414223714.db
2016-04-11 23:05 - 2016-04-11 23:05 - 01071515 _____ C:\Users\Charles\Downloads\SubRip-1.56.1.7z
2016-04-11 22:50 - 2016-04-24 08:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-10 11:22 - 2016-04-10 11:22 - 00000000 ____D C:\Users\Charles\AppData\LocalLow\Adobe
2016-04-02 19:41 - 2016-04-02 19:41 - 00331776 _____ C:\Users\Charles\Downloads\thing-FreeNAS-9.3-STABLE-201602031011-20160402194135.db
2016-03-26 20:05 - 2016-03-26 20:06 - 27362792 _____ C:\Users\Baenwort\Downloads\FPUPDATE.DAT

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 22:41 - 2015-10-29 21:00 - 00000000 ____D C:\Users\Charles\AppData\Roaming\KeePass
2016-04-25 21:39 - 2015-12-14 22:40 - 00000000 ____D C:\Users\Charles\AppData\Local\Adobe
2016-04-25 21:39 - 2015-10-26 16:08 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-25 21:37 - 2009-07-13 23:45 - 00010832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-25 21:37 - 2009-07-13 23:45 - 00010832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-25 21:33 - 2009-07-14 00:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-25 21:33 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-04-25 21:31 - 2015-10-27 18:36 - 00000000 __SHD C:\Users\Charles\IntelGraphicsProfiles
2016-04-25 21:31 - 2015-10-25 13:13 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-25 21:29 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-24 19:45 - 2016-03-19 23:39 - 00000000 ____D C:\Star Trek - Phase II
2016-04-24 08:53 - 2015-10-25 12:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-23 07:36 - 2016-02-06 11:11 - 00000000 ____D C:\Users\Charles\.oracle_jre_usage
2016-04-23 07:36 - 2016-01-19 18:19 - 00000000 ____D C:\Users\Baenwort\.oracle_jre_usage
2016-04-23 07:36 - 2015-11-22 12:28 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-04-23 07:36 - 2015-11-22 12:28 - 00000000 ____D C:\ProgramData\Oracle
2016-04-23 07:36 - 2015-11-22 12:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-04-23 07:36 - 2015-11-22 12:28 - 00000000 ____D C:\Program Files (x86)\Java
2016-04-22 15:10 - 2015-10-25 13:14 - 00002203 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-22 02:57 - 2015-10-25 10:55 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-19 18:31 - 2015-10-26 21:58 - 00000000 ____D C:\Steam
2016-04-17 12:04 - 2015-11-18 20:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-04-17 11:28 - 2015-10-25 15:36 - 00000000 ____D C:\ProgramData\Package Cache
2016-04-17 08:09 - 2015-10-30 22:44 - 00000000 ____D C:\Users\Charles\Downloads\Full_Bench
2016-04-16 12:42 - 2015-12-31 12:36 - 00000000 ____D C:\Windows\system32\appmgmt
2016-04-16 12:42 - 2015-12-14 21:57 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-04-13 19:23 - 2016-03-06 13:47 - 00000000 ____D C:\Users\Charles\Downloads\Odin3_v3.10.7
2016-04-11 22:49 - 2015-12-28 23:38 - 00000000 ____D C:\Users\Charles\AppData\Roaming\vlc
2016-04-10 11:26 - 2015-12-14 21:57 - 00000000 ____D C:\ProgramData\Adobe
2016-04-10 11:22 - 2015-10-27 18:36 - 00000000 ____D C:\Users\Charles\AppData\Roaming\Adobe
2016-04-10 11:11 - 2015-12-14 21:56 - 00000000 ____D C:\Users\Baenwort\AppData\Local\Adobe
2016-04-09 23:11 - 2015-12-02 22:14 - 00002154 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vivaldi.lnk
2016-04-09 23:11 - 2015-12-02 22:14 - 00000000 ____D C:\Program Files\Vivaldi
2016-03-26 23:12 - 2015-10-30 21:03 - 00000000 ____D C:\Users\Baenwort\AppData\Roaming\KeePass
2016-03-26 09:07 - 2015-10-25 15:58 - 00000000 __SHD C:\Users\Baenwort\IntelGraphicsProfiles

Some files in TEMP:
====================
C:\Users\Baenwort\AppData\Local\Temp\CloudDriveInstaller.exe
C:\Users\Baenwort\AppData\Local\Temp\Execute2App.exe
C:\Users\Baenwort\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Baenwort\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Baenwort\AppData\Local\Temp\msvcp90.dll
C:\Users\Baenwort\AppData\Local\Temp\msvcr90.dll
C:\Users\Charles\AppData\Local\Temp\GarminExpressInstaller.exe
C:\Users\Charles\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\Charles\AppData\Local\Temp\jre-8u91-windows-au.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD. The user is not administrator

==================== End of FRST.txt ============================

 

Thank you for your assistance,


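The FRST log above is read by hand by the Malware Response Team, but the rows a reviewer scans for first are regular enough to pull out automatically. The Python script below is an added example, not code from this thread or from Farbar's tool: it parses a constructed excerpt in FRST's line format (lines copied from the log above and cut down to a few per section) and reports whether the scan ran with administrator rights, the lines FRST itself marked ATTENTION, services flagged [File not signed], autostart or driver entries whose target file is gone ([X]), and running processes listed with empty parentheses, meaning FRST found no company name in the file's version resource. The regex shapes and the FrstTriage field names are my assumptions about the format, derived only from the log as posted. On this excerpt the first finding is the one oneof4 acts on in the next post: every "Failed to access process" row is a service process, which a standard-user token cannot open, so the log is incomplete until it is rerun from the administrator account.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example: extracts the lines a reviewer looks at first so an
incomplete or suspicious log is obvious before anyone reads 400 lines.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in FRST's line format: rows copied from the log in the
# post above and cut down to a few per section. Not a complete scan.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-04-2016
Ran by Charles (ATTENTION: The user is not administrator) on LAPTOT (25-04-2016 22:41:19)

==================== Processes (Whitelisted) =================

Failed to access process -> smss.exe
Failed to access process -> lsass.exe
Failed to access process -> svchost.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files (x86)\Hotkey\Hotkey.exe

==================== Registry (Whitelisted) ===========================

HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [GalaxyClient] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Services (Whitelisted) ========================

R2 ColorMunkiService; C:\Program Files (x86)\X-Rite\Devices\Services\ColorMunki\ColorMunkiDeviceService.exe [147968 2009-10-21] (X-Rite Inc.) [File not signed]
R2 EMET_Service; C:\Program Files (x86)\EMET 5.5\EMET_Service.exe [33960 2016-01-29] (Microsoft Corporation)
R2 PowerBiosServer; C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [35328 2011-02-18] () [File not signed]

===================== Drivers (Whitelisted) ==========================

R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]

ATTENTION: ==> Could not access BCD. The user is not administrator
"""

# Header row: FRST writes "(administrator)" or "(ATTENTION: The user is not administrator)".
RAN_BY_ADMIN = re.compile(r"^Ran by .+ \(administrator\) on ")
FAILED_PROC = re.compile(r"^Failed to access process -> (\S+)$")
# Service/driver rows: "R2 Name; C:\path\bin.exe [size yyyy-mm-dd] (Publisher) [flags]".
# Names may contain spaces (e.g. "Intel® ME Service"), so split on the first ';'.
SERVICE_ROW = re.compile(r"^[RS]\d ([^;]+); (.+?) \[\d+ \d{4}-\d{2}-\d{2}\]")
# Process rows: "(Publisher) C:\path\bin.exe"; "()" means no company name was found.
PROCESS_ROW = re.compile(r"^\((.*?)\) ([A-Za-z]:\\.+)$")


@dataclass
class FrstTriage:
    ran_as_admin: bool = False
    inaccessible_processes: int = 0
    attention: list = field(default_factory=list)     # lines FRST marked ATTENTION
    unsigned: list = field(default_factory=list)      # (service name, path) with [File not signed]
    dangling: list = field(default_factory=list)      # entries whose target file is gone ([X])
    no_publisher: list = field(default_factory=list)  # running binaries listed as "()"


def parse_frst(text: str) -> FrstTriage:
    """Walk the log once and bucket the rows a reviewer cares about."""
    t = FrstTriage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Ran by "):
            t.ran_as_admin = bool(RAN_BY_ADMIN.match(line))
        if "ATTENTION" in line:
            t.attention.append(line)  # a flagged row may also match a type below
        if FAILED_PROC.match(line):
            t.inaccessible_processes += 1
            continue
        if line.endswith("[X]"):
            t.dangling.append(line)
            continue
        m = SERVICE_ROW.match(line)
        if m and line.endswith("[File not signed]"):
            t.unsigned.append((m.group(1), m.group(2)))
            continue
        m = PROCESS_ROW.match(line)
        if m and m.group(1) == "":
            t.no_publisher.append(m.group(2))
    return t


def findings(t: FrstTriage) -> list:
    """Human-readable summary in the order a reviewer would act on it."""
    out = []
    if not t.ran_as_admin:
        out.append(f"Scan ran without administrator rights: {t.inaccessible_processes} "
                   "processes could not be inspected; rerun from an admin account")
    out += [f"FRST flagged: {a}" for a in t.attention]
    out += [f"Unsigned service binary: {name} -> {path}" for name, path in t.unsigned]
    out += [f"Entry points at a missing file: {d}" for d in t.dangling]
    out += [f"Running binary with no publisher name: {p}" for p in t.no_publisher]
    return out


if __name__ == "__main__":
    for f in findings(parse_frst(SAMPLE_LOG)):
        print(f)
```

Run it as-is to triage the embedded excerpt, or pass the contents of a real FRST.txt to parse_frst. "[File not signed]" and "()" are prompts to verify a binary against the vendor's own release, not verdicts; several legitimate OEM utilities in the log above carry both.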
#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:04:07 AM

Posted 26 April 2016 - 07:24 AM

Hello Baenwort, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Follow this topic. If you click on this, another page will open. Please choose Instantly for notification and then click on Follow this topic; you will then be advised when we respond to your topic, which will facilitate the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative of the assistance provided!

 

  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

 

==========

 

I need you to do a couple of things before we proceed:

 

  1. Please log in to the "Baenwort" user account to run all scans and fixes. It is an "Administrator" account that will allow the scans to see everything they need to see. Your and your wife's accounts are "limited" accounts that are prohibited from seeing certain areas and executing certain commands.
  2. Once logged into the "Baenwort" account, please do the following:

Please download Farbar Recovery Scan Tool and save it to your Desktop (If it goes into your "Downloads" folder, drag and drop it to the Desktop).

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.


Best Regards,
oneof4.
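For readers who want to pre-screen an FRST.txt before pasting it, here is an added Python example (it is not part of oneof4's post and not FRST's own code) that splits the log on FRST's "====" section banners and lists the entries FRST itself marks: "[X]" (file missing), "[File not signed]", an empty "()" publisher, "<======= ATTENTION", and autostart or driver paths under a Temp folder. The sample log inside it is constructed from a handful of lines in this thread's format.

```python
"""Pre-screen a Farbar Recovery Scan Tool (FRST.txt) log.

Added example; it is neither FRST's code nor part of this thread. It splits
the log on FRST's "==== Section ====" headers and lists the entries FRST
itself marks as worth a closer look:
  [X]                    the referenced file is missing (dead autostart)
  [File not signed]      the binary carries no Authenticode signature
  ()                     FRST could not read a publisher from the file
  <======= ATTENTION     FRST's own flag on a setting
  ...\\Temp\\...         an autostart or driver loaded from a temporary folder
Only the autostart-type sections are checked for the last two, so plain
file listings do not generate noise.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# "==================== Services (Whitelisted) ====" -> "Services (Whitelisted)"
SECTION_RE = re.compile(r"^={4,}\s*([A-Za-z][^=]*?)\s*={4,}$")
# a bare "()" publisher field, at line start or between spaces
NO_PUBLISHER_RE = re.compile(r"(^|\s)\(\)(\s|$)")
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# FRST's explanatory lines, e.g. "(If an entry is included in the fixlist, ...)"
NOTE_PREFIXES = ("(If ", "(There ", "(Only ")
# sections whose lines describe code that runs at boot or logon
AUTOSTART_SECTIONS = ("Processes", "Registry", "Services", "Drivers", "NetSvcs")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty, non-note lines of an FRST log under their section name."""
    sections: Dict[str, List[str]] = {}
    current = "Header"          # lines before the first "====" banner
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if line and not line.startswith(NOTE_PREFIXES):
            sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> List[Finding]:
    """Return every FRST entry that carries one of the markers listed above."""
    findings: List[Finding] = []
    for section, lines in parse_sections(text).items():
        autostart = section.startswith(AUTOSTART_SECTIONS)
        for line in lines:
            if "<======= ATTENTION" in line:
                findings.append(Finding(section, "flagged by FRST", line))
            if line.endswith("[X]"):
                findings.append(Finding(section, "file missing / dead entry", line))
            if "[File not signed]" in line:
                findings.append(Finding(section, "unsigned binary", line))
            if autostart and NO_PUBLISHER_RE.search(line):
                findings.append(Finding(section, "no publisher recorded", line))
            if autostart and TEMP_PATH_RE.search(line):
                findings.append(Finding(section, "loaded from a Temp folder", line))
    return findings


# Constructed sample in FRST's format (a few lines modelled on this thread's log).
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-04-2016

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\Program Files (x86)\Hotkey\PowerBiosServer.exe

==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2328360 2010-09-15] (Synaptics Incorporated)
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [AdobeBridge] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Services (Whitelisted) ========================

R2 EMET_Service; C:\Program Files (x86)\EMET 5.5\EMET_Service.exe [33960 2016-01-29] (Microsoft Corporation)
R2 PowerBiosServer; C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [35328 2011-02-18] () [File not signed]

===================== Drivers (Whitelisted) ==========================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]

==================== End of FRST.txt ============================
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

A hit in this list is a reason to look closer, not a verdict: the unsigned PowerBiosServer service and the missing cpuz136 driver in this thread's log are ordinary vendor leftovers, which is exactly why the helper reviews the full log rather than a filtered one.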


#3 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 28 April 2016 - 08:24 AM

Do you still need help?


Best Regards,
oneof4.


#4 Baenwort
  • Topic Starter

  • Members
  • 19 posts

Posted 28 April 2016 - 05:26 PM

I attached a FRST run to the initial post. I was waiting for you to review it.



#5 Baenwort
  • Topic Starter

  • Members
  • 19 posts

Posted 28 April 2016 - 05:29 PM

However, here is another run.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-04-2016
Ran by Baenwort (administrator) on LAPTOT (28-04-2016 17:27:26)
Running from C:\Users\Charles\Desktop
Loaded Profiles: Baenwort & Charles (Available Profiles: Baenwort & Maureen & Charles)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files (x86)\Hotkey\PowerBiosServer.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
(X-Rite Inc.) C:\Program Files (x86)\X-Rite\Devices\Services\xritedeviced.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(X-Rite Inc.) C:\Program Files (x86)\X-Rite\Devices\Services\ColorMunki\ColorMunkiDeviceService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Dominik Reichl) C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe
(Flux Software LLC) C:\Users\Charles\AppData\Local\FluxSoftware\Flux\flux.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
() C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\ColorMunki Photo Tray.exe
() C:\Program Files (x86)\Hotkey\Hotkey.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
() C:\Windows\Samsung\PanelMgr\SSMMgr.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
() C:\Windows\Samsung\PanelMgr\caller64.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 5.5\EMET_Service.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 5.5\EMET_Agent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2328360 2010-09-15] (Synaptics Incorporated)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1340192 2016-01-29] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [THXCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-10-16] (Apple Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2655520 2015-10-11] (NVIDIA Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508240 2015-08-05] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5025904 2012-02-12] (VIA)
HKLM-x32\...\Run: [THX Audio Control Panel] => C:\Program Files (x86)\Creative\THX TruStudio Pro\THXAudioCP\THXAudio.exe [1374720 2010-11-01] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE
HKLM-x32\...\Run: [KeePass 2 PreLoad] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2756672 2016-03-09] (Dominik Reichl)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292088 2013-09-17] (Intel Corporation)
HKLM-x32\...\Run: [Samsung PanelMgr] => C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [449168 2012-03-26] (CANON INC.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [Steam] => C:\Steam\steam.exe [3077712 2016-03-31] (Valve Corporation)
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [ShowBatteryBar] => C:\Program Files\BatteryBar\ShowBatteryBar.exe [89600 2014-09-19] ()
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [KeePass Password Safe 2] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2756672 2016-03-09] (Dominik Reichl)
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [f.lux] => C:\Users\Baenwort\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [AnyDVD] => C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe [9681832 2016-01-14] (SlySoft, Inc.)
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1399208 2016-04-08] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [KeePass Password Safe 2] => C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [2756672 2016-03-09] (Dominik Reichl)
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [f.lux] => C:\Users\Charles\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1399208 2016-04-08] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2015-10-25] (Microsoft Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [177416 2015-11-02] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [155792 2015-11-02] (NVIDIA Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ColorMunki Gamma.lnk [2015-11-22]
ShortcutTarget: ColorMunki Gamma.lnk -> C:\Program Files (x86)\X-Rite\ColorMunki Photo\Gamma\CalibrationLoader.exe (LOGO Kommunikations- und Drucktechnik GmbH & Co. KG)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ColorMunkiPhotoTray.exe.lnk [2015-11-22]
ShortcutTarget: ColorMunkiPhotoTray.exe.lnk -> C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\ColorMunki Photo Tray.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Hotkey.lnk [2015-10-25]
ShortcutTarget: Hotkey.lnk -> C:\Program Files (x86)\Hotkey\Hotkey.exe ()
Startup: C:\Users\Baenwort\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk [2015-12-27]
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 64.81.159.2 209.172.128.2
Tcpip\..\Interfaces\{B9841245-1F68-4313-B2E2-C071DBCC00C1}: [DhcpNameServer] 64.81.159.2 209.172.128.2
Tcpip\..\Interfaces\{D2171CFC-D495-4551-A109-6E5C015C5F5C}: [DhcpNameServer] 64.81.159.2 209.172.128.2

Internet Explorer:
==================
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-23] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-23] (Oracle Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Baenwort\AppData\Roaming\Mozilla\Firefox\Profiles\7e30m4mi.default
FF DefaultSearchEngine.US: DuckDuckGo
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-08-06] (Adobe Systems)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-08] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-05] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-23] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-23] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-01] (Google Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-08-06] (Adobe Systems)
FF Extension: HTTPS-Everywhere - C:\Users\Baenwort\AppData\Roaming\Mozilla\Firefox\Profiles\7e30m4mi.default\extensions\https-everywhere-eff@eff.org [2016-03-23]
FF Extension: NoScript - C:\Users\Baenwort\AppData\Roaming\Mozilla\Firefox\Profiles\7e30m4mi.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-03-23]
FF Extension: Privacy Badger - C:\Users\Baenwort\AppData\Roaming\Mozilla\Firefox\Profiles\7e30m4mi.default\Extensions\jid1-MnnxcxisBPnSXQ@jetpack.xpi [2016-03-10]

Chrome:
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-25]
CHR Extension: (Google Docs) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-25]
CHR Extension: (Google Drive) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-25]
CHR Extension: (YouTube) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-25]
CHR Extension: (JupiterRising-1600 OpticWhite Cassini1 Theme) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbohdfjgkbkmndhdnohjgiledeajjjne [2015-10-25]
CHR Extension: (Google Search) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30]
CHR Extension: (Google Sheets) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-25]
CHR Extension: (Google Docs Offline) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-19]
CHR Extension: (Ghostery) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-03-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-25]
CHR Extension: (Gmail) - C:\Users\Baenwort\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-25]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2021592 2016-04-05] (Adobe Systems, Incorporated)
R2 ColorMunkiService; C:\Program Files (x86)\X-Rite\Devices\Services\ColorMunki\ColorMunkiDeviceService.exe [147968 2009-10-21] (X-Rite Inc.) [File not signed]
R2 EMET_Service; C:\Program Files (x86)\EMET 5.5\EMET_Service.exe [33960 2016-01-29] (Microsoft Corporation)
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [227896 2016-04-17] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6133816 2016-04-17] (GOG.com)
S3 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [792592 2016-04-08] (Garmin Ltd. or its subsidiaries)
S2 iBtSiva; C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe [127216 2015-01-21] (Intel Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319080 2015-06-04] (Intel Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [127320 2012-03-14] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [162648 2012-03-14] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2016-01-29] (Microsoft Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [268192 2015-07-09] ()
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [374344 2016-01-29] (Microsoft Corporation)
R2 PowerBiosServer; C:\Program Files (x86)\Hotkey\PowerBiosServer.exe [35328 2011-02-18] () [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2012-01-09] (VIA Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 xritedeviced; C:\Program Files (x86)\X-Rite\Devices\Services\xritedeviced.exe [130048 2009-10-21] (X-Rite Inc.) [File not signed]
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3831712 2015-07-09] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [150440 2015-12-28] (SlySoft, Inc.)
S3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [150440 2015-12-28] (SlySoft, Inc.)
S3 btmaux; C:\Windows\System32\DRIVERS\btmaux.sys [141624 2014-10-28] (Motorola Solutions, Inc.)
S3 btmhsf; C:\Windows\System32\DRIVERS\btmhsf.sys [1448248 2014-11-26] (Motorola Solutions, Inc.)
S3 colormunki; C:\Windows\System32\Drivers\colormunki_x64.sys [51600 2007-10-02] (Thesycon GmbH, Germany)
S2 DgiVecp; C:\Windows\system32\Drivers\DgiVecp.sys [53816 2009-03-02] (Samsung Electronics Co., Ltd.)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [289120 2015-11-13] (Microsoft Corporation)
R3 NETwNs64; C:\Windows\System32\DRIVERS\NETwsw01.sys [11534096 2015-05-04] (Intel Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133816 2015-11-13] (Microsoft Corporation)
R3 PdiPorts; C:\Windows\System32\DRIVERS\PdiPorts.sys [19248 2006-11-16] (Portrait Displays, Inc.)
R3 VMfilt; C:\Windows\System32\drivers\VMfilt64.sys [25600 2009-07-30] (Creative Technology Ltd.)
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-28 17:27 - 2016-04-28 17:27 - 00022024 _____ C:\Users\Charles\Desktop\FRST.txt
2016-04-28 17:07 - 2016-04-28 17:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin
2016-04-25 22:40 - 2016-04-28 17:27 - 00000000 ____D C:\FRST
2016-04-25 22:38 - 2016-04-25 22:38 - 02376192 _____ (Farbar) C:\Users\Charles\Desktop\FRST64.exe
2016-04-25 21:39 - 2016-04-25 22:24 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-04-25 21:34 - 2016-04-25 22:24 - 00000000 ____D C:\Users\Baenwort\Desktop\mbar
2016-04-25 21:33 - 2016-04-25 21:35 - 286869504 _____ C:\Users\Charles\Downloads\kav_rescue_10.iso
2016-04-18 14:02 - 2016-04-18 14:02 - 00251925 _____ C:\Users\Charles\Downloads\Statement (2).pdf
2016-04-18 14:01 - 2016-04-18 14:01 - 00251941 _____ C:\Users\Charles\Downloads\Statement (1).pdf
2016-04-18 14:00 - 2016-04-18 14:00 - 00251925 _____ C:\Users\Charles\Downloads\Statement.pdf
2016-04-18 13:59 - 2016-04-18 13:59 - 00056236 _____ C:\Users\Charles\Downloads\Statement_03-27-2016.PDF
2016-04-14 22:36 - 2016-04-14 22:36 - 00333824 _____ C:\Users\Charles\Downloads\thing-FreeNAS-9.3-STABLE-201604140556-20160414223714.db
2016-04-11 23:05 - 2016-04-11 23:05 - 01071515 _____ C:\Users\Charles\Downloads\SubRip-1.56.1.7z
2016-04-11 22:50 - 2016-04-24 08:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-10 11:22 - 2016-04-10 11:22 - 00000000 ____D C:\Users\Charles\AppData\LocalLow\Adobe
2016-04-07 13:19 - 2016-04-07 13:19 - 05374632 _____ C:\Users\Maureen\Downloads\Attachments_201647.zip
2016-04-02 19:41 - 2016-04-02 19:41 - 00331776 _____ C:\Users\Charles\Downloads\thing-FreeNAS-9.3-STABLE-201602031011-20160402194135.db

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-28 17:07 - 2015-12-27 18:12 - 00003554 _____ C:\Windows\System32\Tasks\GarminUpdaterTask
2016-04-28 17:07 - 2015-12-27 18:12 - 00000000 ____D C:\Program Files (x86)\Garmin
2016-04-28 17:07 - 2015-10-25 15:36 - 00000000 ____D C:\ProgramData\Package Cache
2016-04-28 17:05 - 2015-12-14 22:40 - 00000000 ____D C:\Users\Charles\AppData\Local\Adobe
2016-04-28 17:03 - 2009-07-13 23:45 - 00010832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-28 17:03 - 2009-07-13 23:45 - 00010832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-28 17:01 - 2009-07-14 00:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-28 17:01 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2016-04-28 17:00 - 2015-10-25 13:14 - 00002203 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-28 16:56 - 2015-10-27 18:36 - 00000000 __SHD C:\Users\Charles\IntelGraphicsProfiles
2016-04-28 16:56 - 2015-10-25 13:13 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-28 16:55 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-25 22:41 - 2015-10-29 21:00 - 00000000 ____D C:\Users\Charles\AppData\Roaming\KeePass
2016-04-25 21:39 - 2015-10-26 16:08 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-24 19:45 - 2016-03-19 23:39 - 00000000 ____D C:\Star Trek - Phase II
2016-04-24 08:53 - 2015-10-26 13:10 - 00000000 ____D C:\Users\Maureen\AppData\Roaming\KeePass
2016-04-24 08:53 - 2015-10-25 12:57 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-24 08:09 - 2015-12-16 00:49 - 00000000 ____D C:\Users\Maureen\AppData\Local\Adobe
2016-04-23 07:36 - 2016-02-06 11:11 - 00000000 ____D C:\Users\Charles\.oracle_jre_usage
2016-04-23 07:36 - 2016-01-19 18:19 - 00000000 ____D C:\Users\Baenwort\.oracle_jre_usage
2016-04-23 07:36 - 2015-11-22 12:28 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-04-23 07:36 - 2015-11-22 12:28 - 00000000 ____D C:\ProgramData\Oracle
2016-04-23 07:36 - 2015-11-22 12:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-04-23 07:36 - 2015-11-22 12:28 - 00000000 ____D C:\Program Files (x86)\Java
2016-04-23 06:29 - 2015-11-22 12:28 - 00000000 ____D C:\Users\Maureen\.oracle_jre_usage
2016-04-22 02:57 - 2015-10-25 10:55 - 00453288 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-04-19 18:31 - 2015-10-26 21:58 - 00000000 ____D C:\Steam
2016-04-17 12:04 - 2015-11-18 20:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-04-17 08:09 - 2015-10-30 22:44 - 00000000 ____D C:\Users\Charles\Downloads\Full_Bench
2016-04-16 12:44 - 2015-12-04 22:33 - 00000000 ____D C:\Users\Maureen\AppData\Roaming\vlc
2016-04-16 12:42 - 2015-12-31 12:36 - 00000000 ____D C:\Windows\system32\appmgmt
2016-04-16 12:42 - 2015-12-14 21:57 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-04-16 12:33 - 2015-10-26 12:53 - 00000000 __SHD C:\Users\Maureen\IntelGraphicsProfiles
2016-04-13 19:23 - 2016-03-06 13:47 - 00000000 ____D C:\Users\Charles\Downloads\Odin3_v3.10.7
2016-04-11 22:49 - 2015-12-28 23:38 - 00000000 ____D C:\Users\Charles\AppData\Roaming\vlc
2016-04-10 11:26 - 2015-12-14 21:57 - 00000000 ____D C:\ProgramData\Adobe
2016-04-10 11:22 - 2015-10-27 18:36 - 00000000 ____D C:\Users\Charles\AppData\Roaming\Adobe
2016-04-10 11:11 - 2015-12-14 21:56 - 00000000 ____D C:\Users\Baenwort\AppData\Local\Adobe
2016-04-09 23:11 - 2015-12-02 22:14 - 00002154 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vivaldi.lnk
2016-04-09 23:11 - 2015-12-02 22:14 - 00000000 ____D C:\Program Files\Vivaldi

==================== Files in the root of some directories =======

2015-06-21 08:32 - 2015-06-07 19:30 - 0000132 _____ () C:\Users\Baenwort\AppData\Roaming\Adobe PNG Format CS5 Prefs
2015-11-14 22:39 - 2015-11-15 15:55 - 2128896 _____ () C:\Users\Baenwort\AppData\Local\file__0.localstorage
2015-10-29 19:07 - 2016-01-26 23:53 - 0007593 _____ () C:\Users\Baenwort\AppData\Local\Resmon.ResmonCfg
2015-10-26 12:08 - 2015-10-26 12:08 - 0000439 _____ () C:\Users\Baenwort\AppData\Local\WiDiLog.20151026.120854.txt
2015-10-26 12:08 - 2015-10-26 12:08 - 0031837 _____ () C:\Users\Baenwort\AppData\Local\WiDiSetupLog.20151026.120805.txt

Some files in TEMP:
====================
C:\Users\Baenwort\AppData\Local\Temp\CloudDriveInstaller.exe
C:\Users\Baenwort\AppData\Local\Temp\Execute2App.exe
C:\Users\Baenwort\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Baenwort\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Baenwort\AppData\Local\Temp\msvcp90.dll
C:\Users\Baenwort\AppData\Local\Temp\msvcr90.dll
C:\Users\Charles\AppData\Local\Temp\GarminExpressInstaller.exe
C:\Users\Charles\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\Charles\AppData\Local\Temp\jre-8u91-windows-au.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-18 00:36

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:25-04-2016
Ran by Baenwort (2016-04-28 17:27:56)
Running from C:\Users\Charles\Desktop
Windows 7 Professional Service Pack 1 (X64) (2015-10-25 01:05:19)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4137917702-2165307853-891469882-500 - Administrator - Disabled)
Baenwort (S-1-5-21-4137917702-2165307853-891469882-1000 - Administrator - Enabled) => C:\Users\Baenwort
Charles (S-1-5-21-4137917702-2165307853-891469882-1002 - Limited - Enabled) => C:\Users\Charles
Guest (S-1-5-21-4137917702-2165307853-891469882-501 - Limited - Disabled)
Maureen (S-1-5-21-4137917702-2165307853-891469882-1001 - Limited - Enabled) => C:\Users\Maureen

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {768124D7-F5F7-6D2F-DDC2-94DFA4017C95}
AS: Microsoft Security Essentials (Enabled - Up to date) {CDE0C533-D3CD-62A1-E772-AFADDF863628}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.09 beta (x64) (HKLM\...\7-Zip) (Version: 15.09 - Igor Pavlov)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)
Adobe Photoshop CS5.1 (HKLM-x32\...\{9158FF30-78D7-40EF-B83E-451AC5334640}) (Version: 12.1 - Adobe Systems Incorporated)
Adobe Photoshop Lightroom 4.4 64-bit (HKLM\...\{11A955CD-4398-405A-886D-E464C3618FBF}) (Version: 4.4.1 - Adobe)
Amazon Cloud Drive (HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Amazon Cloud Drive) (Version: 3.1.2.21 - Amazon.com, Inc.)
ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
AnyDVD (HKLM-x32\...\AnyDVD) (Version: 7.6.8.0 - SlySoft)
Apple Application Support (64-bit) (HKLM\...\{0DE0A178-AC7B-4650-806C-CF226DE03766}) (Version: 4.1 - Apple Inc.)
BatteryBar (remove only) (HKLM\...\BatteryBar) (Version:  - )
calibre 64bit (HKLM\...\{2E0DEF55-D1D3-493C-8673-D4B30F12B9CE}) (Version: 2.51.0 - Kovid Goyal)
CameraBag 2 (HKLM-x32\...\Steam App 100410) (Version:  - Nevercenter Ltd. Co.)
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - ‎Canon Inc.‬)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.1.1 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - ‪Canon Inc.‬)
Canon MG6300 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG6300_series) (Version: 1.01 - Canon Inc.)
ColorMunki Photo 1.1.1 (HKLM-x32\...\ColorMunki Photo_is1) (Version:  - X-Rite)
CutePDF Writer 3.1 (HKLM\...\CutePDF Writer Installation) (Version:  3.1 - Acro Software Inc.)
DDC Driver 1.5 (HKLM-x32\...\DDC Driver_is1) (Version:  - )
DVD Profiler Version 3.9.1 (HKLM-x32\...\InvelosDVDProfiler_is1) (Version:  - )
Elevated Installer (x32 Version: 4.1.19.0 - Garmin Ltd or its subsidiaries) Hidden
EMET 5.5 (HKLM-x32\...\{9A251E18-E3D5-4013-A85D-A780E8D4B43B}) (Version: 5.5 - Microsoft Corporation)
EMET 5.5 (HKLM-x32\...\{E27E74F0-0EAD-4C5D-8F6F-1C9192D24AA5}) (Version: 5.5 - Microsoft Corporation)
f.lux (HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Flux) (Version:  - )
f.lux (HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Flux) (Version:  - )
foobar2000 v1.3.9 (HKLM-x32\...\foobar2000) (Version: 1.3.9 - Peter Pawlowski)
Garmin Express (HKLM-x32\...\{2639b4f0-83b4-4f3d-942f-e4ba22a40b9b}) (Version: 4.1.19.0 - Garmin Ltd or its subsidiaries)
Garmin Express (x32 Version: 4.1.19.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (x32 Version: 4.1.19.0 - Garmin Ltd or its subsidiaries) Hidden
GOG Galaxy (HKLM-x32\...\{7258BA11-600C-430E-A759-27E2C691A335}_is1) (Version:  - GOG.com)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 50.0.2661.94 - Google Inc.)
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
GPL Ghostscript (HKLM\...\GPL Ghostscript 9.18) (Version: 9.18 - Artifex Software Inc.)
Grim Fandango Remastered (HKLM-x32\...\Steam App 316790) (Version:  - Double Fine Productions)
HandBrake 0.10.2 (HKLM-x32\...\HandBrake) (Version: 0.10.2 - )
HashTab 5.2.0.14 (HKLM\...\HashTab) (Version: 5.2.0.14 - Implbits Software)
Hotkey 6.0045 (HKLM-x32\...\InstallShield_{164714B6-46BC-4649-9A30-A6ED32F03B5A}) (Version: 6.0045 - NoteBook)
Hotkey 6.0045 (x32 Version: 6.0045 - NoteBook) Hidden
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel Driver Update Utility (HKLM-x32\...\{fe92d390-13ee-4660-a2f8-39a066fdffe0}) (Version: 2.2.0.5 - Intel)
Intel® Chipset Device Software (x32 Version: 10.0.27 - Intel® Corporation) Hidden
Intel® Driver Update Utility 2.2.0.5 (x32 Version: 2.2.0.1 - Intel) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.4.1441 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4226 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.10.255 - Intel Corporation)
Intel® WiDi (HKLM\...\{4E4282C3-F66E-4852-837A-7675527178C2}) (Version: 3.1.26.0 - Intel Corporation)
Intel® Wireless Bluetooth®(patch version 17.1.1504.516) (HKLM\...\{302600C1-6BDF-4FD1-1411-148929CC1385}) (Version: 17.1.1411.0506 - Intel Corporation)
Intel® Wireless Display (HKLM\...\{28EF7372-9087-4AC3-9B9F-D9751FCDF830}) (Version:  - )
Intel® PROSet/Wireless Software (HKLM-x32\...\{795ee3a0-97fa-489a-9543-7564ccc43be4}) (Version: 18.12.0 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
iTunes (HKLM\...\{E690A491-702F-4DEC-9977-C015D1DBB57C}) (Version: 12.3.1.23 - Apple Inc.)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
KeePass Password Safe 2.32 (HKLM-x32\...\KeePassPasswordSafe2_is1) (Version: 2.32 - Dominik Reichl)
Logitech Unifying Software 2.50 (HKLM\...\Logitech Unifying) (Version: 2.50.25 - Logitech)
MakeMKV v1.9.9 (HKLM-x32\...\MakeMKV) (Version: v1.9.9 - GuinpinSoft inc)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Metro 2033 Redux (HKLM-x32\...\Steam App 286690) (Version:  - 4A GAMES)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.9.218.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 45.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.2 (x86 en-US)) (Version: 45.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.2.5941 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.8.6 - Notepad++ Team)
NVIDIA Graphics Driver 358.87 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 358.87 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
PDF Settings CS5 (x32 Version: 10.0 - Adobe Systems Incorporated) Hidden
Platform (x32 Version: 1.39 - VIA Technologies, Inc.) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.54.309.2012 - Realtek)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.27015 - Realtek Semiconductor Corp.)
Samsung CLP-300 Series (HKLM-x32\...\Samsung CLP-300 Series) (Version:  - )
Samsung CLP-300 Series SmartPanel (HKLM-x32\...\Samsung CLP-300 Series SmartPanel) (Version:  - )
SDK (x32 Version: 1.40.002 - Portrait Displays, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Shadowrun: Dragonfall - Director's Cut (HKLM-x32\...\Steam App 300550) (Version:  - Harebrained Schemes)
SongKong (64-bit) 3.21 (HKLM\...\SongKong (64-bit) 3.21) (Version: 3.21 - JThink.)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.1.14.0 - Synaptics Incorporated)
The Wolf Among Us (HKLM-x32\...\1432213513_is1) (Version: 2.0.0.1 - GOG.com)
THX TruStudio Pro (HKLM-x32\...\{82F99DC9-389A-4528-940C-88248731A620}) (Version: TAMB-CVS1D-1-LB R07 - Creative Technology Limited)
UninstallDeviceDll 1.1 (HKLM-x32\...\UninstallDeviceDll_is1) (Version:  - X-Rite)
VIA Platform Device Manager (HKLM-x32\...\InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}) (Version: 1.39 - VIA Technologies, Inc.)
Vivaldi (HKLM-x32\...\Vivaldi) (Version: 1.0.435.42 - Vivaldi)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
X-Rite Device ColorMunki Service (HKLM-x32\...\{EAEFA1B2-64E3-4B8E-942F-F57A73BC1CAE}_is1) (Version: 1.0 - X-Rite Inc.)
X-Rite Device Manager (HKLM-x32\...\{9ACEA9CD-63B9-4784-807B-EA295E96A7C3}_is1) (Version: 1.0 - X-Rite Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4137917702-2165307853-891469882-1000_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1C73EE61-9E3E-4F16-A1B9-2BAB26B825EF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-25] (Google Inc.)
Task: {2AB58EFC-29A0-476C-A310-784A0594AE10} - System32\Tasks\{EE75DA6B-51AD-47C1-9572-72E653758DEA} => pcalua.exe -a C:\Full_Bench\PCMark7\Systeminfo_Installer.exe -d C:\Full_Bench\PCMark7
Task: {382F5CD8-57A5-4B5F-8C00-93CAA2F353B0} - System32\Tasks\AdobeAAMUpdater-1.0-Laptot-Baenwort => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-08-05] (Adobe Systems Incorporated)
Task: {6543A2FA-D8C8-49AF-8441-67AD63B38674} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express SelfUpdater\ExpressSelfUpdater.exe [2016-04-08] ()
Task: {671E04FE-8D9A-4B2B-93C0-4DD8E4FDD2D9} - System32\Tasks\AdobeAAMUpdater-1.0-Laptot-Charles => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-08-05] (Adobe Systems Incorporated)
Task: {8C5DFBA4-5763-4A9E-8224-11B19C2CD2D2} - System32\Tasks\AdobeAAMUpdater-1.0-Laptot-Maureen => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-08-05] (Adobe Systems Incorporated)
Task: {A513A558-4085-4DE6-A21B-E4807B5D917C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-10-25] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-11-11 08:20 - 2015-11-02 08:22 - 00116528 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-03-04 20:46 - 2016-01-22 17:57 - 00089008 _____ () C:\Windows\System32\cpwmon64.dll
2015-12-03 22:37 - 2006-12-04 02:26 - 00022016 _____ () C:\Windows\System32\SUGG1l6.DLL
2015-10-25 07:58 - 2012-03-14 20:48 - 00127320 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
2011-02-18 15:57 - 2011-02-18 15:57 - 00035328 _____ () C:\Program Files (x86)\Hotkey\PowerBiosServer.exe
2015-11-07 19:47 - 2015-11-02 12:10 - 00012080 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2015-04-15 15:13 - 2015-04-15 15:13 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2015-10-26 00:09 - 2010-11-12 12:38 - 00241152 _____ () C:\Windows\SYSTEM32\APOMgr64.DLL
2015-11-22 12:24 - 2009-10-23 10:26 - 01921024 _____ () C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\ColorMunki Photo Tray.exe
2012-04-11 12:12 - 2012-04-11 12:12 - 04727296 _____ () C:\Program Files (x86)\Hotkey\Hotkey.exe
2015-10-26 00:04 - 2012-02-12 09:28 - 00078448 _____ () C:\Program Files (x86)\VIA\VIAudioi\VDeck\QsApoApi64.dll
2015-10-26 00:04 - 2012-02-12 09:28 - 00386160 _____ () C:\Program Files (x86)\VIA\VIAudioi\VDeck\Dts2ApoApi64.dll
2015-12-03 21:39 - 2009-09-11 19:38 - 00614400 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe
2015-12-03 21:39 - 2008-07-28 15:26 - 00306688 _____ () C:\Windows\Samsung\PanelMgr\caller64.exe
2015-11-22 12:24 - 2008-09-03 17:12 - 02592768 _____ () C:\Program Files (x86)\X-Rite\Devices\Services\ColorMunki\colormunki.dll
2015-11-07 19:47 - 2015-11-02 12:10 - 00011896 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2015-11-11 08:20 - 2015-10-11 22:05 - 00013088 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
2015-11-22 12:24 - 2009-10-22 15:33 - 07053312 _____ () C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\QtGui4.dll
2015-11-22 12:24 - 2009-10-22 15:33 - 01970176 _____ () C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\QtCore4.dll
2015-11-22 12:24 - 2009-10-22 15:29 - 00131072 _____ () C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\imageformats\qjpeg4.dll
2015-11-22 12:24 - 2009-10-22 15:29 - 00278528 _____ () C:\Program Files (x86)\X-Rite\ColorMunki Photo\Tools\imageformats\qtiff4.dll
2009-06-06 14:50 - 2009-06-06 14:50 - 00019968 _____ () C:\Program Files (x86)\Hotkey\Audiodll.dll
2015-10-25 07:57 - 2012-03-05 23:27 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4137917702-2165307853-891469882-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Baenwort\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Charles\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 64.81.159.2 - 209.172.128.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{BD2160F8-30E4-4EE9-B663-5F1BE0579528}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{339A7482-C936-404A-AAFD-DB32CBD9BAF3}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{5C7AE42E-5325-47D8-91E4-CD216A46B8E9}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{6916A609-8B34-4A3E-B9B3-0166A7B6C0BA}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{D14AB0D3-2042-4087-9761-941EB48955CE}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{52342C94-2C50-4E50-9514-7B80E78291B6}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{69521968-B695-4EDA-8056-757E0F13E975}] => (Allow) C:\Steam\bin\steamwebhelper.exe
FirewallRules: [{8B4B48AF-C991-4F40-A380-7C6E3126C98D}] => (Allow) C:\Steam\bin\steamwebhelper.exe
FirewallRules: [{CFFBBC43-7CB7-4899-8A3F-B97862444578}] => (Allow) C:\Steam\steamapps\common\CameraBag 2\CameraBag 2.exe
FirewallRules: [{66C802ED-104C-4E54-BE8A-DAC6800DDEC9}] => (Allow) C:\Steam\steamapps\common\CameraBag 2\CameraBag 2.exe
FirewallRules: [{C2DC86D2-2FC5-45C3-AC55-78606145DD2D}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{4DAF1C04-A863-4090-B7E3-B1C9C3E314D7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A33A8301-9435-436C-8CC7-EC48D1C4BAA8}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3B4E0083-4FB9-4CFB-910D-E629751140F9}] => (Allow) LPort=5454
FirewallRules: [{59204BCA-C61A-4184-A97A-2DCA2FA38B80}] => (Allow) LPort=5454
FirewallRules: [{ACD41391-44FD-4E5C-9888-ABDE22018BBA}] => (Allow) C:\Steam\steamapps\common\CameraBag 2\CameraBag 2.exe
FirewallRules: [{669B9CC4-5AF1-4BAA-A351-C46FD9EB1D13}] => (Allow) C:\Steam\steamapps\common\CameraBag 2\CameraBag 2.exe
FirewallRules: [{3088548C-A3A1-42E2-9E5F-349308628994}] => (Allow) C:\Steam\steamapps\common\CameraBag 2\CameraBag 2.exe
FirewallRules: [{35A6A496-2065-40F9-AB7E-32F338AE599D}] => (Allow) C:\Steam\steamapps\common\CameraBag 2\CameraBag 2.exe
FirewallRules: [{F29A151E-A8FB-46F2-B50A-62FA9CAA6904}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{D0E34C9F-EEBF-4802-B76F-22F6EFFD6419}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{D0B7B52A-A28C-45EF-A451-65A14F723314}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{750858C6-9778-447C-B33A-D32FC3940ACE}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{A0DF0341-CB2D-4218-96C8-4200729F5764}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{09824C80-81AF-4B20-AEBF-E6B8B41FE48B}] => (Allow) C:\Steam\Steam.exe
FirewallRules: [{27E685E2-425A-46BC-8AE8-4613DC643C7B}] => (Allow) C:\Steam\bin\steamwebhelper.exe
FirewallRules: [{A61BFEB2-0BFD-4354-AAB3-DDC9A5934670}] => (Allow) C:\Steam\bin\steamwebhelper.exe
FirewallRules: [{E6289ED8-4A1F-464C-AA40-ED1FD90AECC4}] => (Allow) C:\Steam\bin\steamwebhelper.exe
FirewallRules: [{BDFC23B6-8C95-4411-BA42-24F368351E68}] => (Allow) C:\Steam\bin\steamwebhelper.exe
FirewallRules: [{A2A230EC-108C-4DF1-AFC8-8689928CE263}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{9E35EA12-2EC2-470F-9F3C-850F5F6C637E}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [TCP Query User{828CC215-68D2-4785-815F-24B6AC0F0679}C:\program files\jthink\songkong\songkong64.exe] => (Block) C:\program files\jthink\songkong\songkong64.exe
FirewallRules: [UDP Query User{D6D5587E-65D4-4FE2-83F2-1973DFCF2A0E}C:\program files\jthink\songkong\songkong64.exe] => (Block) C:\program files\jthink\songkong\songkong64.exe
FirewallRules: [{ED3CE1DA-38F8-41F0-8BC4-A0B3F7E989A4}] => (Allow) C:\Steam\steamapps\common\Metro 2033 Redux\metro.exe
FirewallRules: [{2DEA2B6E-1956-4831-9161-1CF13FFCDE31}] => (Allow) C:\Steam\steamapps\common\Metro 2033 Redux\metro.exe
FirewallRules: [{333BE0E5-7E9E-4636-8AC2-501B0B8C8066}] => (Allow) C:\Steam\steamapps\common\Shadowrun Dragonfall Director's Cut\Dragonfall.exe
FirewallRules: [{81C0DAA4-CB8E-4FDD-8A7D-604CDFD3202F}] => (Allow) C:\Steam\steamapps\common\Shadowrun Dragonfall Director's Cut\Dragonfall.exe
FirewallRules: [{37314FFC-2815-4A3C-8B37-20137C9C75DD}] => (Allow) C:\Steam\steamapps\common\Grim Fandango Remastered\GrimFandango.exe
FirewallRules: [{F9EE9DB9-9103-4C26-A3EE-8C83CFBC58A5}] => (Allow) C:\Steam\steamapps\common\Grim Fandango Remastered\GrimFandango.exe
FirewallRules: [{609941B0-7F3E-4085-B4F1-9BD489ACE05D}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [TCP Query User{0CA723AE-E584-4933-80C4-A62BD4300637}C:\program files (x86)\iometer.org\iometer 1.1\iometer.exe] => (Block) C:\program files (x86)\iometer.org\iometer 1.1\iometer.exe
FirewallRules: [UDP Query User{DFD54ED6-C7CE-4E1E-9C5F-DA7BE81A73BB}C:\program files (x86)\iometer.org\iometer 1.1\iometer.exe] => (Block) C:\program files (x86)\iometer.org\iometer 1.1\iometer.exe
FirewallRules: [TCP Query User{EF6C35F1-939D-4FF0-A2DC-99D1E51CD5DA}C:\program files (x86)\iometer.org\iometer 1.1\dynamo.exe] => (Block) C:\program files (x86)\iometer.org\iometer 1.1\dynamo.exe
FirewallRules: [UDP Query User{B5591039-A442-4782-B9D5-D7E9E07EC24E}C:\program files (x86)\iometer.org\iometer 1.1\dynamo.exe] => (Block) C:\program files (x86)\iometer.org\iometer 1.1\dynamo.exe
FirewallRules: [{B3613CC9-B2A8-4D64-A27E-381B72118131}] => (Allow) C:\Program Files\Vivaldi\Application\vivaldi.exe
FirewallRules: [{D29E9774-0E6A-4AE2-A509-7DF9AE2347B1}] => (Allow) C:\Program Files\Vivaldi\Application\vivaldi.exe
FirewallRules: [{2991948A-C91C-4C2E-AF6B-6737E19236F0}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

17-04-2016 11:28:42 Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
20-04-2016 11:56:09 Windows Update
20-04-2016 19:00:16 Windows Backup
23-04-2016 12:43:34 Windows Update
28-04-2016 17:06:12 Windows Backup
28-04-2016 17:06:42 Garmin Express

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/23/2016 07:36:30 AM) (Source: MsiInstaller) (EventID: 11303) (User: Laptot)
Description: Product: Java Auto Updater -- Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files (x86)\Common Files\Java\Java Update.  The installation cannot continue.  Log on as administrator or contact your system administrator.

Error: (04/12/2016 12:57:51 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.18231 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1d7c

Start Time: 01d194d967be6d01

Termination Time: 36

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (03/10/2016 12:07:29 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: EvtEng.exe, version: 18.12.0.0, time stamp: 0x559e46b0
Faulting module name: EvtEng.exe, version: 18.12.0.0, time stamp: 0x559e46b0
Exception code: 0xc0000005
Fault offset: 0x0000000000034811
Faulting process id: 0x798
Faulting application start time: 0xEvtEng.exe0
Faulting application path: EvtEng.exe1
Faulting module path: EvtEng.exe2
Report Id: EvtEng.exe3

Error: (02/24/2016 08:31:08 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location \\THING\Backup\Laptot\. The error is: The system cannot find the file specified. (0x80070002).

Error: (02/19/2016 12:31:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.18163 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: b14

Start Time: 01d16b3af8c48e02

Termination Time: 20

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (02/10/2016 08:00:01 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location \\THING\Backup\Laptot\. The error is: The system cannot find the file specified. (0x80070002).

Error: (02/08/2016 10:26:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Faulting module name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Exception code: 0xc0000005
Fault offset: 0x000000000003dbfb
Faulting process id: 0x8f8
Faulting application start time: 0xZeroConfigService.exe0
Faulting application path: ZeroConfigService.exe1
Faulting module path: ZeroConfigService.exe2
Report Id: ZeroConfigService.exe3

Error: (02/08/2016 10:26:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Faulting module name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Exception code: 0xc0000005
Fault offset: 0x000000000003dbfb
Faulting process id: 0x1a64
Faulting application start time: 0xZeroConfigService.exe0
Faulting application path: ZeroConfigService.exe1
Faulting module path: ZeroConfigService.exe2
Report Id: ZeroConfigService.exe3

Error: (02/08/2016 10:20:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Faulting module name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Exception code: 0xc0000005
Fault offset: 0x000000000003dbfb
Faulting process id: 0x14e4
Faulting application start time: 0xZeroConfigService.exe0
Faulting application path: ZeroConfigService.exe1
Faulting module path: ZeroConfigService.exe2
Report Id: ZeroConfigService.exe3

Error: (02/08/2016 10:20:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Faulting module name: ZeroConfigService.exe, version: 18.12.0.0, time stamp: 0x559e44eb
Exception code: 0xc0000005
Fault offset: 0x000000000003dbfb
Faulting process id: 0xa98
Faulting application start time: 0xZeroConfigService.exe0
Faulting application path: ZeroConfigService.exe1
Faulting module path: ZeroConfigService.exe2
Report Id: ZeroConfigService.exe3


System errors:
=============
Error: (04/28/2016 04:55:58 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (04/28/2016 04:55:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (04/26/2016 12:42:30 AM) (Source: Microsoft-Windows-Kernel-General) (EventID: 5) (User: NT AUTHORITY)
Description: 0x8000002a171\??\Volume{6f0d08ad-7ac4-11e5-b42e-806e6f6e6963}\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{A9791F4D-4241-462D-97B4-86D2E6730059}

Error: (04/25/2016 10:06:45 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 115.57.0.0

    Update Source: %NT AUTHORITY51

    Update Stage: 4.9.0218.00

    Source Path: 4.9.0218.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (04/25/2016 10:06:45 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.217.2157.0

    Update Source: %NT AUTHORITY51

    Update Stage: 4.9.0218.00

    Source Path: 4.9.0218.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (04/25/2016 10:06:45 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.217.2157.0

    Update Source: %NT AUTHORITY51

    Update Stage: 4.9.0218.00

    Source Path: 4.9.0218.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (04/25/2016 10:06:45 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.217.2157.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.9.0218.00

    Source Path: 4.9.0218.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (04/25/2016 09:29:42 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (04/25/2016 09:29:38 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The DgiVecp service failed to start due to the following error:
%%20

Error: (04/24/2016 12:01:33 PM) (Source: Microsoft-Windows-Directory-Services-SAM) (EventID: 12291) (User: NT AUTHORITY)
Description: SAM failed to start the TCP/IP or SPX/IPX listening thread


==================== Memory info ===========================

Processor: Intel® Core™ i7-3610QM CPU @ 2.30GHz
Percentage of memory in use: 35%
Total physical RAM: 8087.55 MB
Available physical RAM: 5192.47 MB
Total Virtual: 16173.32 MB
Available Virtual: 13196.47 MB

==================== Drives ================================

Drive c: (Internal) (Fixed) (Total:662.68 GB) (Free:223.93 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 894.3 GB) (Disk ID: 00926D26)
Partition 1: (Active) - (Size=662.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8 GB) - (Type=27)

==================== End of Addition.txt ============================



#6 oneof4 (Malware Response Team)

Posted 29 April 2016 - 04:08 PM

Hey, :)

 

 

Download attached fixlist.txt file and save it to the Desktop.

 


NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Also, please update me on how your computer is behaving after the fix.

Attached Files


Best Regards,
oneof4.


#7 Baenwort (Topic Starter)

Posted 29 April 2016 - 11:10 PM

The computer seems fine and MBAM and MSE still do not see anything. I have attached the fixlog. Are there any other steps I can take to verify that there is no lingering infection?

 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-04-2016
Ran by Charles (2016-04-29 22:38:00) Run:1
Running from C:\Users\Charles\Desktop
Loaded Profiles: Charles (Available Profiles: Baenwort & Maureen & Charles)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:

CloseProcesses:


HKU\S-1-5-21-4137917702-2165307853-891469882-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\...\Run: [GalaxyClient] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
S3 cpuz136; \??\C:\Windows\TEMP\cpuz136\cpuz136_x64.sys [X]
C:\Users\Baenwort\AppData\Local\Temp\CloudDriveInstaller.exe
C:\Users\Baenwort\AppData\Local\Temp\Execute2App.exe
C:\Users\Baenwort\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Baenwort\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Baenwort\AppData\Local\Temp\msvcp90.dll
C:\Users\Baenwort\AppData\Local\Temp\msvcr90.dll
C:\Users\Charles\AppData\Local\Temp\GarminExpressInstaller.exe
C:\Users\Charles\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\Charles\AppData\Local\Temp\jre-8u91-windows-au.exe


*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKU\S-1-5-21-4137917702-2165307853-891469882-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value not found.
HKU\S-1-5-21-4137917702-2165307853-891469882-1002\Software\Microsoft\Windows\CurrentVersion\Run\\GalaxyClient => value removed successfully

"C:\Windows\system32\GroupPolicy\Machine" folder move:

Could not move "C:\Windows\system32\GroupPolicy\Machine" => Scheduled to move on reboot.

Could not move "C:\Windows\system32\GroupPolicy\GPT.ini" => Scheduled to move on reboot.
Could not move "C:\Windows\SysWOW64\GroupPolicy\GPT.ini" => Scheduled to move on reboot.
cpuz136 => service could not remove
C:\Users\Baenwort\AppData\Local\Temp\CloudDriveInstaller.exe => moved successfully
C:\Users\Baenwort\AppData\Local\Temp\Execute2App.exe => moved successfully
C:\Users\Baenwort\AppData\Local\Temp\jre-8u71-windows-au.exe => moved successfully
C:\Users\Baenwort\AppData\Local\Temp\jre-8u77-windows-au.exe => moved successfully
C:\Users\Baenwort\AppData\Local\Temp\msvcp90.dll => moved successfully
C:\Users\Baenwort\AppData\Local\Temp\msvcr90.dll => moved successfully
C:\Users\Charles\AppData\Local\Temp\GarminExpressInstaller.exe => moved successfully
C:\Users\Charles\AppData\Local\Temp\jre-8u73-windows-au.exe => moved successfully
C:\Users\Charles\AppData\Local\Temp\jre-8u91-windows-au.exe => moved successfully
 

Attached Files


Edited by Baenwort, 30 April 2016 - 12:21 PM.
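
An added verification step, not part of the thread and not something FRST or either poster supplied: the Fixlog above says the cpuz136 service "could not remove" and the GroupPolicy moves were only "Scheduled to move on reboot", so the natural follow-up to "are there any other steps I can take to verify" is to re-check, after that reboot, every item the fixlist named. The SIDs, value names, service name and paths below are copied from the Fixlog; nothing else about the machine is assumed. It has to run elevated, because FRST noted the account is not an administrator, and an unprivileged Test-Path reports a path it cannot read as absent, which would look like "gone".

```powershell
# Added example (not from the thread): re-check the persistence points the FRST
# fixlist targeted, after the reboot FRST scheduled. Run in an elevated PowerShell
# prompt on the same machine.

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    throw 'Run from an elevated prompt: unprivileged Test-Path reports unreadable paths as absent.'
}

function Report([string]$Item, [bool]$Present) {
    [pscustomobject]@{
        Item   = $Item
        Status = $(if ($Present) { 'STILL PRESENT' } else { 'gone' })
    }
}

# 1. Per-user Run values (SIDs and value names copied from the Fixlog).
#    HKU: is not mapped by default, so map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runEntries = @(
    @{ Sid = 'S-1-5-21-4137917702-2165307853-891469882-1000'; Name = 'AdobeBridge'  },
    @{ Sid = 'S-1-5-21-4137917702-2165307853-891469882-1002'; Name = 'GalaxyClient' }
)
foreach ($e in $runEntries) {
    $key = "HKU:\$($e.Sid)\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) {
        # A user's hive is only mounted under HKU while that user is logged on
        # (the Fixlog ran with only the Charles profile loaded), so a missing
        # key means "not checked", not "clean".
        [pscustomobject]@{
            Item   = "Run\$($e.Name) ($($e.Sid))"
            Status = 'hive not loaded; log that user on and re-run'
        }
        continue
    }
    $value = (Get-ItemProperty -Path $key).$($e.Name)
    Report "Run\$($e.Name) ($($e.Sid))" ($null -ne $value)
}

# 2. The driver service FRST could not remove. FRST listed it with [X] because
#    the .sys it points at, under C:\Windows\TEMP, was already missing; the
#    registration itself should be gone after the reboot.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\cpuz136'
Report 'service cpuz136' (Test-Path $svcKey)
if (Test-Path $svcKey) {
    # Start=3 is on-demand (FRST's "S3"); ImagePath is what it would load.
    Get-ItemProperty -Path $svcKey | Select-Object Start, ImagePath
}
$drv = 'C:\Windows\TEMP\cpuz136\cpuz136_x64.sys'
Report $drv (Test-Path $drv)

# 3. Local Group Policy files the fix scheduled to move on reboot. If nobody in
#    the household configures local policy, these should not reappear on their own.
foreach ($p in 'C:\Windows\System32\GroupPolicy\Machine',
                'C:\Windows\System32\GroupPolicy\GPT.ini',
                'C:\Windows\SysWOW64\GroupPolicy\GPT.ini') {
    Report $p (Test-Path $p)
}

# 4. The %TEMP% files that were moved out.
$tempFiles = @(
    'C:\Users\Baenwort\AppData\Local\Temp\CloudDriveInstaller.exe',
    'C:\Users\Baenwort\AppData\Local\Temp\Execute2App.exe',
    'C:\Users\Baenwort\AppData\Local\Temp\jre-8u71-windows-au.exe',
    'C:\Users\Baenwort\AppData\Local\Temp\jre-8u77-windows-au.exe',
    'C:\Users\Baenwort\AppData\Local\Temp\msvcp90.dll',
    'C:\Users\Baenwort\AppData\Local\Temp\msvcr90.dll',
    'C:\Users\Charles\AppData\Local\Temp\GarminExpressInstaller.exe',
    'C:\Users\Charles\AppData\Local\Temp\jre-8u73-windows-au.exe',
    'C:\Users\Charles\AppData\Local\Temp\jre-8u91-windows-au.exe'
)
foreach ($f in $tempFiles) { Report $f (Test-Path $f) }
```

Anything reported as STILL PRESENT after the reboot is worth pasting into the thread alongside the Fixlog, because it means the fix did not take; a "hive not loaded" line for the Baenwort SID just means that check has to be repeated while Baenwort is logged on.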


#8 Baenwort (Topic Starter)

Posted 30 April 2016 - 12:24 PM

After another reboot I attempted to apply some Windows Updates.

 

The error code when the optional updates + one important .net update (KB3142042) failed was: 800F0902



#9 oneof4 (Malware Response Team)

Posted 30 April 2016 - 06:46 PM

Try following the link below and running the Windows Update Troubleshooter:

 

http://windows.microsoft.com/en-us/windows/troubleshoot-problems-installing-updates#1TC=windows-7

 

Let me know how it goes afterward.


Best Regards,
oneof4.


#10 Baenwort (Topic Starter)

Posted 02 May 2016 - 10:39 PM

All of the updates succeeded after completing the Fixit.

 

Are there any further steps I can perform to verify that the original infection was contained and removed?  I'm willing to try learning to use a LiveCD if necessary to ensure that there is nothing further hiding that was added by the original infection or whatever method resulted in the positive scan result.



#11 oneof4 (Malware Response Team)

Posted 03 May 2016 - 10:28 AM

Let's run these two scans to check for leftovers:

 

 

I see you have Malwarebytes installed, please open > update > run a scan and post the log.

 

Next,

 

ESET Online Scanner using Internet Explorer:


Note 1: These instructions are for Internet Explorer only! If you're using another browser, please stop here and let me know!
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Click this link to open ESET OnlineScan.
  • Place a checkmark next to "Yes, I accept the Terms of Use", then click the green Start button.
  • When prompted allow the Add-On/Active X to install.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Then click the Start button and ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!


Best Regards,
oneof4.


#12 Baenwort (Topic Starter)

Posted 03 May 2016 - 10:28 PM

I've attached the MBAM run.

 

However, when I disable MSE and attempt to use the ESET site with IE11 I reach the point where I click "Install" to the ActiveX control and it then prompts me to resend the acceptance. Clicking either "Retry" or "Cancel" takes me back to the TOS and the check box. This loop continues after 8 tries.

Attached Files



#13 Baenwort (Topic Starter)

Posted 03 May 2016 - 11:36 PM

I used Firefox and downloaded and used the ESET Smart Installer for ESET Online Scanner and it completed with no detection.



#14 oneof4 (Malware Response Team)

Posted 04 May 2016 - 06:25 PM

Let's run one more scan:

 

screen317's Security Check


--------------------

  • Please download screen317's Security Check to your desktop
  • Double-click icon then click Run
  • Press any key to launch the program
  • Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • When completed a Notepad document will open on your desktop. Please copy and paste the contents in your reply

Best Regards,
oneof4.


#15 Baenwort (Topic Starter)

Posted 04 May 2016 - 10:51 PM

 

As requested:

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Mozilla Firefox (46.0)
 Google Chrome (50.0.2661.87)
 Google Chrome (50.0.2661.94)
 Google Chrome (SetupMetrics.pma..)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 33% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 





