
Norton blocks multiple attacks, runs Power Eraser, but only finds shortcuts


This topic is locked
12 replies to this topic

#1 Primo2


Posted 28 April 2016 - 02:18 AM

This afternoon Norton reported:

1. Detecting excessive network traffic going from my PC to the Internet, and initiated Norton Power Eraser, which eventually rebooted the machine and reported that it had successfully removed the following dangerous shortcuts (only):

  1a. 2sql

  1b. fulldesktop

 

In the meantime Norton blocked each of the following:

2. Web Attack Fake Scan Webpage 29

3. Trojan Bedep Activity

4. Malicious Redirection 13

 

In the meantime:

5. An audio played, advertising some business opportunity, which eventually turned into a video (in Internet Explorer)

6. Task Manager showed the following processes using CPU:

  6a. Windows Installer

  6b. CMD.EXE

  6c. MakeCab.exe

  6d. DllHost.exe

  6e. Others that I didn't record

As I terminated some of those processes, they reappeared.

Those processes appeared again in Task Manager after Norton Power Eraser had rebooted my PC and supposedly resolved what it had found.

 

I then turned off my PC, restarted it in Safe Mode (without networking), and ran the latest copy of FRST64.EXE from a USB drive. The contents of FRST.txt are below. Addition.txt is attached.

 

Thank you in advance for your help!

 

----------

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-04-2016
Ran by David (administrator) on THINKING (28-04-2016 16:13:31)
Running from E:\
Loaded Profiles: David (Available Profiles: David)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TpShocks] => C:\Windows\system32\TpShocks.exe [380776 2010-12-10] (Lenovo.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1793736 2015-02-25] (NVIDIA Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [LENOVO.TPKNRRES] => C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [60920 2013-05-29] (Lenovo Group Limited)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-26] ()
HKLM\...\Run: [ALCKRESI.EXE] => C:\Program Files\Lenovo\AutoLock\ALCKRESI.EXE [388600 2013-04-15] (Lenovo Group Limited)
HKLM\...\Run: [AcWin7Hlpr] => C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe [63728 2015-06-08] (Lenovo)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2168976 2015-12-22] ()
HKLM-x32\...\Run: [RotateImage] => C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-31] (Ricoh co.,Ltd.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-06-17] (Apple Inc.)
HKLM-x32\...\Run: [PWMTRV] => rundll32 "C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL",PwrMgrBkGndMonitor
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [115048 2011-09-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [MagicTuneEngine] => C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe [24064 2009-06-15] (Samsung Electronics Co. Ltd.)
HKLM-x32\...\Run: [Lenovo Registration] => C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [113656 2013-07-02] (Intel Corporation)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452272 2012-08-31] (CANON INC.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2303152 2015-07-23] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCInstallQueue] => rundll32 netman.dll,ProcessQueue
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\psfus: C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (Authentec Inc.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-02-02] (Google Inc.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [MultiScreen] => C:\Program Files (x86)\MultiScreen\MultiScreen.exe [303104 2009-08-11] ()
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [ISUSPM] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [213936 2006-05-16] (Macrovision Corporation)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [Google Update] => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-09-01] (Google Inc.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [Akamai NetSession Interface] => "C:\Users\David\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50676864 2016-03-01] (Skype Technologies S.A.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {25a01f47-4d87-11e1-86fc-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {50e07675-caa4-11e5-a586-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ac8ce2c3-cff8-11e3-b48f-028037ec0200} - D:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ec067731-cdfb-11e5-ba86-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [185816 2015-12-22] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [164008 2015-12-22] (NVIDIA Corporation)
AppInit_DLLs-x32: , C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [257208 2012-07-27] (Citrix Systems, Inc.)
Lsa: [Notification Packages] scecli ACGina C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\buShell.dll [2016-02-19] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\buShell.dll [2016-02-19] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\buShell.dll [2016-02-19] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2012-02-02]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk [2012-02-17]
ShortcutTarget: GammaTray.lnk -> C:\Program Files (x86)\MagicTune Premium\GammaTray.exe ()
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citrix Receiver.lnk [2012-09-20]
ShortcutTarget: Citrix Receiver.lnk -> C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe (Citrix Systems, Inc.)
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-09-15]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-3514529109-4073190309-4292251120-1002] => 220.173.139.172:8080
Tcpip\..\Interfaces\{A7453476-232F-4DC1-A72D-7E4FFBB69CFE}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com.au/
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com/welcome/thinkpad
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> DefaultScope {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {07921B9E-C4E0-41BE-9E2B-F17685907888} URL = hxxp://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {39A5CE29-F8BE-425B-BB52-3D9FCEC0586E} URL = hxxp://www.linkedin.com/search/fpsearch?name={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {595C041B-BAFB-4893-88F4-E049DB531B6E} URL = hxxp://abr.business.gov.au/search.aspx?SearchText={searchTerms}&StartSearch=True&bqs=1
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {903BF549-8979-484A-A2BD-097AF77D6FE0} URL = hxxp://dictionary.reference.com/browse/{searchTerms}?r=75&src=ref&ch=dic
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NSBU&chn=1000&geo=AU&ver=22&locale=en_AU&gct=kwd&qsrc=2869
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {CB81E7B2-E6A9-42F6-BBA0-2ACF465F2F87} URL = hxxp://www.facebook.com/#/search/?ref=search&q={searchTerms}&init=quick
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {F94E17F4-1DB4-4700-8ADF-F1DB0605668F} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=871A8FAE-CBEB-4251-B84D-A34A4ED0D763&apn_sauid=B0F14DB3-F3ED-4CC5-8D1E-F01470E19596
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-03-14] (Microsoft Corporation)
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexbho.dll [2013-11-28] (CANON INC.)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-22] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
BHO: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-03-05] (Symantec Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-03-14] (Microsoft Corporation)
BHO: Symantec VIP Access Add-On -> {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} -> C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll [2012-04-19] (Symantec Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2013-11-28] (CANON INC.)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-21] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-22] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-03-14] (Microsoft Corporation)
BHO-x32: Symantec VIP Access Add-On -> {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} -> C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll [2012-04-19] (Symantec Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-21] (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexhlp.dll [2013-11-28] (CANON INC.)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-03-05] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2013-11-28] (CANON INC.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)
Toolbar: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
Toolbar: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexhlp.dll [2013-11-28] (CANON INC.)
Toolbar: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
DPF: HKLM-x32 {816BE035-1450-40D0-8A3B-BA7825A83A77} hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP9-15980/webex/ieatgpc1.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default
FF Homepage: hxxp://www.google.com.au/
FF NetworkProxy: "ftp", "220.173.139.172"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "gopher", "220.173.139.172"
FF NetworkProxy: "gopher_port", 8080
FF NetworkProxy: "http", "220.173.139.172"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "220.173.139.172"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "220.173.139.172"
FF NetworkProxy: "ssl_port", 8080
FF SelectedSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF DefaultSearchEngine: Ask.com
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2015-07-23] (Adobe Systems)
FF Plugin-x32: @abr.gov.au/KeyMgmtPlugin -> C:\Program Files (x86)\ABR\Plug-In\bin\npAUSkeyPlugin.dll [2010-08-19] (Commonwealth Government of Australia)
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2012-07-27] (Citrix Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll [2014-07-09] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll [2014-07-09] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-11-05] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-11-05] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-19] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2015-07-23] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @citrixonline.com/appdetectorplugin -> C:\Users\David\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-09-05] (Citrix Online)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @talk.google.com/GoogleTalkPlugin -> C:\Users\David\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @talk.google.com/O1DPlugin -> C:\Users\David\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @tools.google.com/Google Update;version=3 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @tools.google.com/Google Update;version=9 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: LWAPlugin15.8 -> C:\Users\David\AppData\Roaming\Mozilla\Plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF user.js: detected! => C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js [2012-02-20]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginAOC.dll [2016-03-14] ()
FF Plugin ProgramFiles/Appdata: C:\Users\David\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\David\AppData\Roaming\mozilla\plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\David\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.0.124\coFFAddon
FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.0.124\coFFAddon [2016-03-21]
FF HKLM-x32\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn => not found
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.0.124\coFFAddon
FF HKLM-x32\...\Firefox\Extensions: [VIP5X@verisign.com] - C:\Program Files (x86)\Symantec\VIP Access Client
FF Extension: Symantec VIP Access Add-On - C:\Program Files (x86)\Symantec\VIP Access Client [2016-03-21] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com.au/
CHR StartupUrls: Default -> "hxxp://google.com.au/"
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Norton Confidential) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.0.140_0\npcoplgn.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (ABR_AUSkey Mozilla Plugin) - C:\Program Files (x86)\ABR\Plug-In\bin\npAUSkeyPlugin.dll (Commonwealth Government of Australia)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll => No File
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
CHR Profile: C:\Users\David\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Norton Identity Safe) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-08-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-12]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-19]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-07-16]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-19]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-07-16]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)
S3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [326160 2016-04-14] (Lenovo.)
S2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2013-11-18] (Nero AG)
S3 Lenovo.RapidDrive.Advanced.Svc; C:\Program Files (x86)\Lenovo\RapidDrive Advanced\LenovoRapidDriveAdvancedService.exe [209920 2011-10-07] (Lenovo, Japan, Ltd. ) [File not signed]
S2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-12] (Lenovo Group Limited)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272864 2016-01-08] (Lenovo)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S2 N360; C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\N360.exe [289080 2016-02-26] (Symantec Corporation)
S2 NCO; C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe [131144 2015-03-05] (Symantec Corporation)
S2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
S2 QVssService; C:\Program Files\QNAP\NetBak\QVssService.exe [2203824 2015-10-07] (QNAP Systems, Inc.)
S3 ShareItSvc; C:\Program Files (x86)\Lenovo\SHAREit\Shareit.Service.exe [31176 2016-01-20] (SHAREit Technologies Co.Ltd)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [21536 2016-01-13] ()
S2 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-11] (Ulead Systems, Inc.) [File not signed]
S2 VIPAppService; C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [84080 2012-04-19] (Symantec Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 WMCoreService; C:\Program Files (x86)\Mobile Broadband drivers\WMCore\mini_WMCore.exe [594984 2011-04-08] (Ericsson AB)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3817168 2014-08-18] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S1 BHDrvx64; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\BASHDefs\20160418.001\BHDrvx64.sys [1766640 2016-03-10] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1606000.08E\ccSetx64.sys [173808 2015-07-11] (Symantec Corporation)
S1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DE070B0.02A\ccSetx64.sys [162392 2013-09-28] (Symantec Corporation)
S3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R3 ecnssndis; C:\Windows\System32\Drivers\wwuss64.sys [26664 2010-02-24] (Ericsson AB)
R3 ecnssndisfltr; C:\Windows\System32\Drivers\wwussf64.sys [30248 2010-02-24] (Ericsson AB)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-11-18] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [157520 2015-11-18] (Symantec Corporation)
S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [121800 2010-03-09] (QUALCOMM Incorporated)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-11-16] (Intel Corporation)
S1 IDSVia64; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\IPSDefs\20160426.001\IDSvia64.sys [767224 2016-02-15] (Symantec Corporation)
S3 l36wgps; C:\Windows\System32\DRIVERS\l36wgps64.sys [101416 2011-03-01] (Ericsson AB)
S3 LenovoRd; C:\Windows\System32\Drivers\LenovoRd.sys [118016 2009-05-11] (Lenovo)
R1 MagicTune; C:\Windows\system32\drivers\MTiCtwl.sys [23096 2008-11-04] (Samsung Electronics, Inc. )
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 Mbm3CBus; C:\Windows\System32\DRIVERS\Mbm3CBus.sys [419400 2011-04-14] (MCCI Corporation)
S3 Mbm3DevMt; C:\Windows\System32\DRIVERS\Mbm3DevMt.sys [430664 2011-04-14] (MCCI Corporation)
S3 Mbm3mdfl; C:\Windows\System32\DRIVERS\Mbm3mdfl.sys [19528 2011-04-14] (MCCI Corporation)
S3 Mbm3Mdm; C:\Windows\System32\DRIVERS\Mbm3Mdm.sys [483400 2011-04-14] (MCCI Corporation)
S3 NAVENG; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\VirusDefs\20160427.001\ENG64.SYS [138488 2015-12-30] (Symantec Corporation)
S3 NAVEX15; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\VirusDefs\20160427.001\EX64.SYS [2148080 2015-12-30] (Symantec Corporation)
S2 npf; C:\Windows\System32\drivers\npf.sys [36600 2014-08-19] (Riverbed Technology, Inc.)
S1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [308368 2015-12-22] (NVIDIA Corporation)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [45296 2014-07-28] (Synaptics Incorporated)
S2 smihlp; C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [13128 2011-05-30] (Authentec Inc.)
S3 SRTSP; C:\Windows\System32\Drivers\N360x64\1606000.08E\SRTSP64.SYS [928504 2016-02-24] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360x64\1606000.08E\SRTSPX64.SYS [50936 2015-07-11] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1606000.08E\SYMEFASI64.SYS [1621232 2016-02-24] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-07-27] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360x64\1606000.08E\Ironx64.SYS [295664 2016-02-24] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\N360x64\1606000.08E\SYMNETS.SYS [577768 2016-02-24] (Symantec Corporation)
S3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [41536 2009-09-24] (Lenovo (United States) Inc.)
S3 WwanUsbServ; C:\Windows\System32\DRIVERS\WwanUsbMp64.sys [284912 2013-11-22] (Ericsson AB)
S3 QDrive; \??\C:\Users\David\AppData\Local\Temp\QDrive.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-28 14:47 - 2016-04-28 15:01 - 00000000 ____D C:\Users\David\AppData\Local\NPE
2016-04-28 14:40 - 2016-04-28 14:40 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2016-04-28 09:16 - 2016-04-28 09:16 - 00002002 _____ C:\Users\Public\Desktop\Lenovo Solution Center.lnk
2016-04-26 16:58 - 2016-04-26 16:58 - 00000000 ____D C:\Users\David\AppData\Roaming\AccdbMerge
2016-04-21 11:38 - 2016-04-21 11:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-15 16:11 - 2016-04-15 16:11 - 00069770 _____ C:\Users\David\Desktop\David you are invited.htm
2016-04-15 16:11 - 2016-04-15 16:11 - 00000000 ____D C:\Users\David\Desktop\David you are invited_files
2016-04-13 03:19 - 2016-04-01 04:55 - 00394952 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-04-13 03:19 - 2016-04-01 04:11 - 00346320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-04-13 03:19 - 2016-03-31 10:24 - 25817600 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-04-13 03:19 - 2016-03-31 10:10 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-04-13 03:19 - 2016-03-31 10:10 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-04-13 03:19 - 2016-03-31 10:01 - 02892800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-04-13 03:19 - 2016-03-31 09:58 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-04-13 03:19 - 2016-03-31 09:58 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-04-13 03:19 - 2016-03-31 09:57 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-04-13 03:19 - 2016-03-31 09:57 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-04-13 03:19 - 2016-03-31 09:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-04-13 03:19 - 2016-03-31 09:55 - 06052352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-04-13 03:19 - 2016-03-31 09:52 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-04-13 03:19 - 2016-03-31 09:51 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-04-13 03:19 - 2016-03-31 09:49 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-04-13 03:19 - 2016-03-31 09:47 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-04-13 03:19 - 2016-03-31 09:47 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-04-13 03:19 - 2016-03-31 09:47 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-04-13 03:19 - 2016-03-31 09:47 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-04-13 03:19 - 2016-03-31 09:41 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-04-13 03:19 - 2016-03-31 09:38 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-04-13 03:19 - 2016-03-31 09:33 - 20352512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-04-13 03:19 - 2016-03-31 09:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-04-13 03:19 - 2016-03-31 09:30 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-04-13 03:19 - 2016-03-31 09:29 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-04-13 03:19 - 2016-03-31 09:27 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-04-13 03:19 - 2016-03-31 09:26 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-04-13 03:19 - 2016-03-31 09:25 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-04-13 03:19 - 2016-03-31 09:23 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-04-13 03:19 - 2016-03-31 09:23 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-04-13 03:19 - 2016-03-31 09:22 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-04-13 03:19 - 2016-03-31 09:22 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-04-13 03:19 - 2016-03-31 09:22 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-04-13 03:19 - 2016-03-31 09:22 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-04-13 03:19 - 2016-03-31 09:21 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-04-13 03:19 - 2016-03-31 09:18 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-04-13 03:19 - 2016-03-31 09:18 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-04-13 03:19 - 2016-03-31 09:16 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-04-13 03:19 - 2016-03-31 09:13 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-04-13 03:19 - 2016-03-31 09:13 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-04-13 03:19 - 2016-03-31 09:12 - 02131968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-04-13 03:19 - 2016-03-31 09:12 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-04-13 03:19 - 2016-03-31 09:09 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-04-13 03:19 - 2016-03-31 09:08 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-04-13 03:19 - 2016-03-31 09:04 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-04-13 03:19 - 2016-03-31 09:03 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-04-13 03:19 - 2016-03-31 09:01 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-04-13 03:19 - 2016-03-31 09:01 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-04-13 03:19 - 2016-03-31 09:00 - 04611072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-04-13 03:19 - 2016-03-31 09:00 - 02596864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-04-13 03:19 - 2016-03-31 09:00 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-04-13 03:19 - 2016-03-31 08:59 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-04-13 03:19 - 2016-03-31 08:54 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-04-13 03:19 - 2016-03-31 08:53 - 02056192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-04-13 03:19 - 2016-03-31 08:53 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-04-13 03:19 - 2016-03-31 08:52 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-04-13 03:19 - 2016-03-31 08:51 - 13811712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-04-13 03:19 - 2016-03-31 08:48 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-04-13 03:19 - 2016-03-31 08:36 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-04-13 03:19 - 2016-03-31 08:35 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-04-13 03:19 - 2016-03-31 08:32 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-04-13 03:19 - 2016-03-31 08:30 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-04-13 03:19 - 2016-03-30 03:23 - 03216896 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-04-13 03:19 - 2016-03-18 08:34 - 05551336 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-04-13 03:19 - 2016-03-18 08:34 - 00706280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-04-13 03:19 - 2016-03-18 08:34 - 00154344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-04-13 03:19 - 2016-03-18 08:34 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-04-13 03:19 - 2016-03-18 08:31 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-04-13 03:19 - 2016-03-18 08:31 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-04-13 03:19 - 2016-03-18 08:28 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-04-13 03:19 - 2016-03-18 08:26 - 02084864 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-04-13 03:19 - 2016-03-18 08:26 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 00731136 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:06 - 03998952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-04-13 03:19 - 2016-03-18 08:06 - 03943144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-04-13 03:19 - 2016-03-18 08:03 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2016-04-13 03:19 - 2016-03-18 08:00 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-04-13 03:19 - 2016-03-18 08:00 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-04-13 03:19 - 2016-03-18 08:00 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2016-04-13 03:19 - 2016-03-18 07:59 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-04-13 03:19 - 2016-03-18 07:59 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-04-13 03:19 - 2016-03-18 07:59 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-04-13 03:19 - 2016-03-18 07:58 - 01414144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-04-13 03:19 - 2016-03-18 07:56 - 00553984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-04-13 03:19 - 2016-03-18 07:55 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:23 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-04-13 03:19 - 2016-03-18 07:22 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2016-04-13 03:19 - 2016-03-18 07:22 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-04-13 03:19 - 2016-03-18 07:21 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-04-13 03:19 - 2016-03-18 07:14 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2016-04-13 03:19 - 2016-03-18 07:13 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-04-13 03:19 - 2016-03-18 07:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-04-13 03:19 - 2016-03-18 07:08 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-04-13 03:19 - 2016-03-18 07:07 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-04-13 03:19 - 2016-03-18 07:07 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-04-13 03:19 - 2016-03-18 07:05 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-04-13 03:19 - 2016-03-18 07:05 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-04-13 03:19 - 2016-03-18 07:00 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2016-04-13 03:19 - 2016-03-18 07:00 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2016-04-13 03:19 - 2016-03-18 07:00 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2016-04-13 03:19 - 2016-03-18 07:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2016-04-13 03:19 - 2016-03-18 06:59 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-04-13 03:19 - 2016-03-16 09:46 - 00760320 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2016-04-13 03:19 - 2016-03-16 09:46 - 00106496 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2016-04-13 03:19 - 2016-03-16 09:23 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2016-04-13 03:19 - 2016-03-12 04:27 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-04-13 03:19 - 2016-03-12 04:05 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-04-13 03:19 - 2016-03-07 04:23 - 01885696 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2016-04-13 03:19 - 2016-03-07 04:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2016-04-13 03:19 - 2016-03-07 04:08 - 01240576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2016-04-13 03:19 - 2016-03-07 04:08 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2016-04-12 23:51 - 2016-04-12 23:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raw Image Viewer
2016-04-12 23:51 - 2016-04-12 23:51 - 00000000 ____D C:\Program Files (x86)\Raw Image Viewer
2016-04-11 20:57 - 2016-04-26 21:51 - 00000000 ____D C:\Users\David\AppData\LocalLow\uTorrent
2016-04-11 11:56 - 2016-04-11 11:56 - 00000000 ____D C:\Users\David\AppData\Local\{6F00555C-B600-4F47-9542-3D14B028719F}
2016-04-04 17:57 - 2016-04-04 18:01 - 00003418 _____ C:\Windows\System32\Tasks\CMDLine

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-28 16:13 - 2015-12-01 15:58 - 00000000 ____D C:\FRST
2016-04-28 16:13 - 2012-02-20 17:21 - 01286248 _____ C:\Windows\ntbtlog.txt
2016-04-28 15:02 - 2009-07-14 14:15 - 00031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-28 15:02 - 2009-07-14 14:15 - 00031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-28 15:01 - 2009-07-14 14:43 - 00786578 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-28 15:01 - 2009-07-14 12:50 - 00000000 ____D C:\Windows\inf
2016-04-28 15:00 - 2015-08-17 09:53 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-04-28 15:00 - 2014-03-13 16:46 - 00000000 ____D C:\Users\David\AppData\Local\Deployment
2016-04-28 15:00 - 2012-02-02 20:05 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-28 14:59 - 2014-04-30 09:50 - 00000000 ____D C:\Users\David\AppData\Local\HTC MediaHub
2016-04-28 14:59 - 2009-07-14 14:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-28 14:58 - 2012-02-02 19:59 - 00000000 ____D C:\ProgramData\NVIDIA
2016-04-28 14:47 - 2012-02-02 20:08 - 00000000 ____D C:\ProgramData\Norton
2016-04-28 14:46 - 2014-11-24 21:24 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002UA.job
2016-04-28 14:44 - 2012-06-07 09:24 - 00007667 _____ C:\Users\David\AppData\Local\Resmon.ResmonCfg
2016-04-28 14:34 - 2008-01-13 13:23 - 00000000 ____D C:\Users\David\AppData\Roaming\Skype
2016-04-28 14:23 - 2012-02-02 20:05 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-28 14:11 - 2014-11-25 07:17 - 00000562 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3514529109-4073190309-4292251120-1002.job
2016-04-28 13:48 - 2015-06-01 18:49 - 00000658 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3514529109-4073190309-4292251120-1002.job
2016-04-28 13:16 - 2009-07-14 15:02 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-04-28 09:23 - 2014-11-24 21:24 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002Core.job
2016-04-28 09:17 - 2012-02-02 20:04 - 00000000 ____D C:\Windows\System32\Tasks\Lenovo
2016-04-28 09:17 - 2012-02-02 20:00 - 00003020 _____ C:\Windows\System32\Tasks\PMTask
2016-04-28 09:17 - 2009-07-14 12:50 - 00000000 __RSD C:\Windows\Media
2016-04-28 09:16 - 2012-02-02 20:04 - 00000000 ____D C:\Windows\Downloaded Installations
2016-04-28 09:16 - 2012-02-02 19:50 - 00000000 ____D C:\Program Files\Lenovo
2016-04-27 12:56 - 2013-05-21 12:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2016-04-26 21:52 - 2014-08-08 17:27 - 00000000 ____D C:\Program Files\PeerBlock
2016-04-26 21:52 - 2012-02-11 15:29 - 00000000 ____D C:\Users\David\AppData\Local\Google
2016-04-26 21:51 - 2012-12-09 20:28 - 00000000 ____D C:\Users\David\AppData\Roaming\uTorrent
2016-04-25 20:24 - 2009-07-14 12:50 - 00000000 ____D C:\Windows\rescache
2016-04-25 18:23 - 2012-01-06 15:12 - 00000000 ____D C:\Users\David\AppData\Local\Htc
2016-04-25 18:15 - 2009-07-14 14:15 - 00467896 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-21 11:41 - 2013-08-19 03:00 - 00000000 ____D C:\Windows\system32\MRT
2016-04-21 11:38 - 2012-12-12 11:50 - 00002617 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Lync 2010 Attendee.lnk
2016-04-21 11:38 - 2012-12-12 11:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Lync Attendee
2016-04-21 11:38 - 2012-02-12 23:27 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-21 11:34 - 2013-10-20 20:14 - 00000000 ____D C:\ProgramData\Oracle
2016-04-21 11:33 - 2015-09-02 11:36 - 00000000 ____D C:\Users\David\.oracle_jre_usage
2016-04-21 11:33 - 2014-10-29 13:17 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-04-21 11:33 - 2014-10-29 13:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-04-21 11:33 - 2014-10-29 13:17 - 00000000 ____D C:\Program Files (x86)\Java
2016-04-21 08:50 - 2012-02-17 07:48 - 00000000 ____D C:\Users\David\AppData\Local\CrashDumps
2016-04-19 09:13 - 2013-05-21 12:07 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-04-19 09:13 - 2013-05-21 11:59 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-04-16 14:28 - 2009-07-14 14:38 - 00032644 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-04-15 09:18 - 2015-06-01 18:49 - 00003684 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-3514529109-4073190309-4292251120-1002
2016-04-15 09:18 - 2014-11-25 07:17 - 00003588 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3514529109-4073190309-4292251120-1002
2016-04-14 19:07 - 2014-05-10 15:27 - 00000316 _____ C:\Windows\Tasks\NetBak-Thinking-David-Job1.job
2016-04-14 06:08 - 2012-02-02 20:00 - 02872488 _____ (Lenovo Group Limited) C:\Windows\system32\PWMCP64V.cpl
2016-04-14 06:08 - 2012-02-02 20:00 - 02692776 ____N (Lenovo Group Limited) C:\Windows\PWMBTHLV.EXE
2016-04-14 06:08 - 2012-02-02 20:00 - 00029512 _____ (Lenovo.) C:\Windows\system32\Drivers\DZHDD64.SYS
2016-04-14 06:08 - 2012-02-02 20:00 - 00029008 _____ (Lenovo Group Limited) C:\Windows\system32\Drivers\TPPWR64V.SYS
2016-04-12 09:14 - 2016-03-21 13:26 - 00000000 ____D C:\Users\David\AppData\Local\Screencast-O-Matic-v2
2016-04-08 17:44 - 2008-01-13 13:22 - 00000000 ____D C:\ProgramData\Skype
2016-04-08 17:43 - 2014-09-26 10:18 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-04-08 06:26 - 2012-02-02 20:05 - 00002166 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-06 19:10 - 2014-04-30 09:45 - 00000000 ____D C:\Temp
2016-04-06 14:22 - 2011-05-03 23:52 - 00000000 ____D C:\Users\David\AppData\Roaming\AUSkey
2016-04-06 11:29 - 2009-12-28 17:24 - 00000000 ____D C:\Users\David\AppData\Local\Citrix
2016-04-04 10:55 - 2012-02-24 10:22 - 00000000 ____D C:\Users\David\AppData\Local\CutePDF Writer
2016-04-03 16:53 - 2016-01-31 13:59 - 00000000 ____D C:\Program Files (x86)\PRTG Network Monitor
2016-04-03 16:53 - 2012-05-21 18:15 - 00000000 ____D C:\ProgramData\Temp
2016-03-30 17:31 - 2016-01-31 13:59 - 00000000 ____D C:\Program Files\WinPcap

==================== Files in the root of some directories =======

2014-07-09 09:02 - 2014-07-09 09:02 - 0205422 _____ () C:\Users\David\AppData\Roaming\2SQL.zip
2015-03-25 12:08 - 2015-06-12 16:34 - 0000034 _____ () C:\Users\David\AppData\Roaming\AdobeWLCMCache.dat
2014-07-09 12:01 - 2014-07-09 12:01 - 0022976 _____ (Intel Corporation) C:\Users\David\AppData\Roaming\JomCap.dll
2014-05-02 17:30 - 2014-05-02 17:37 - 0038418 _____ () C:\Users\David\AppData\Roaming\Microsoft Excel 97-2003.ADR
2012-02-13 16:44 - 2011-08-10 10:06 - 0223808 _____ () C:\Users\David\AppData\Roaming\wanancsp.dat
2013-09-18 17:13 - 2013-09-18 19:17 - 0000600 _____ () C:\Users\David\AppData\Local\PUTTY.RND
2012-06-07 09:24 - 2016-04-28 14:44 - 0007667 _____ () C:\Users\David\AppData\Local\Resmon.ResmonCfg
2014-08-27 21:19 - 2014-08-27 21:19 - 0015036 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.211905.wdl
2014-08-27 21:23 - 2014-08-27 21:23 - 0015869 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.212325.wdl
2014-08-27 22:38 - 2014-08-27 22:39 - 0015758 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.223854.wdl
2014-08-27 22:39 - 2014-08-27 22:43 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.223956.wdl
2014-10-28 11:19 - 2014-10-28 11:20 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141028.121955.wdl
2014-10-28 11:31 - 2014-10-28 11:32 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141028.123146.wdl
2014-12-14 22:43 - 2014-12-14 22:44 - 0015868 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141214.234356.wdl
2014-12-14 22:48 - 2014-12-14 22:49 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141214.234842.wdl
2014-12-14 22:49 - 2014-12-14 22:49 - 0015868 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141214.234924.wdl
2012-08-14 22:22 - 2014-01-29 18:14 - 0000952 ___SH () C:\ProgramData\KGyGaAvL.sys

Files to move or delete:
====================
C:\Users\David\hex2text.exe
C:\Users\David\humbole.bat
C:\Users\David\Nightly.bat
C:\Users\David\Run.bat
C:\Users\David\sed.exe
C:\Users\David\wbstatus.bat


Some files in TEMP:
====================
C:\Users\David\AppData\Local\Temp\mpegc.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-28 09:13

==================== End of FRST.txt ============================





#2 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:12:14 AM

Posted 28 April 2016 - 03:53 AM

:welcome: to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***



Restart the PC in NORMAL MODE!
Log on to all your user accounts now - without restarting!


:step1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


:step2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up all your data before using it.
  • Double-click on the downloaded file. Click OK at the self-extracting prompt.
  • MBAR will start. In the introduction screen, click "Next" to continue.
  • In the following screen, click "Update" to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If no malware is found, please let me know as well.

***


:step3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

***


:step4:

Files to move or delete:
====================
C:\Users\David\hex2text.exe
C:\Users\David\humbole.bat
C:\Users\David\Nightly.bat
C:\Users\David\Run.bat
C:\Users\David\sed.exe
C:\Users\David\wbstatus.bat

Are these files from you or can we delete them?


Copy FRST / FRST64.exe to your desktop!

FRST / FRST64: run it again.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Primo2

Primo2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 28 April 2016 - 09:03 AM

Hi Jo,

Thanks for responding so quickly.

Here are the results from Security Check:

--- BEGIN ---

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Norton 360    
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 91  
 Java version 32-bit out of Date!
 Adobe Reader XI  
 Google Chrome (49.0.2623.110)
 Google Chrome (49.0.2623.112)
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 11% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
--- END ---

Before MBAR began its scan, it displayed a dialog box (attached as AppInit_Dlls.JPG) stating that this registry value has been found and may be caused by rootkit activity. I answered "No" to remove, as I was unsure.

Here are the results from the subsequent MBAR scan:

--- BEGIN ---

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.18282

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 2.790000 GHz
Memory total: 8466448384, free: 5669986304

Downloaded database version: v2016.04.28.04
Downloaded database version: v2016.04.17.01
Downloaded database version: v2016.04.19.01
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     04/28/2016 22:29:19
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
\SystemRoot\system32\DRIVERS\iaStorA.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\DRIVERS\DzHDD64.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\DRIVERS\ApsHM64.sys
\SystemRoot\system32\drivers\N360x64\1606000.08E\SYMEFASI64.SYS
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\DRIVERS\Apsx64.sys
\SystemRoot\system32\DRIVERS\nvpciflt.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\DRIVERS\iaStorF.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\N360x64\1606000.08E\ccSetx64.sys
\SystemRoot\system32\drivers\NSTx64\7DE070B0.02A\ccSetx64.sys
\SystemRoot\system32\drivers\N360x64\1606000.08E\Ironx64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\drivers\MTiCtwl.sys
\??\C:\Program Files\Lenovo\RapidBoot\PHCORE64.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\Tppwr64v.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\System32\Drivers\N360x64\1606000.08E\SYMNETS.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
\SystemRoot\system32\drivers\N360x64\1606000.08E\SRTSPX64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\nvkflt.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\smiifx64.sys
\??\C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\IPSDefs\20160426.001\IDSvia64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ctxusbm.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\BASHDefs\20160418.001\BHDrvx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\system32\DRIVERS\igdkmd64.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\e1c62x64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\Netwsw00.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\risdxc64.sys
\SystemRoot\system32\DRIVERS\nusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\DRIVERS\ibmpmdrv.sys
\SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\dne64x.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\Tvti2c.sys
\SystemRoot\system32\DRIVERS\psadd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\CHDRT64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\nusb3hub.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\DRIVERS\Mbm3CBus.sys
\SystemRoot\system32\DRIVERS\Mbm3wh.sys
\SystemRoot\system32\DRIVERS\Mbm3Mdm.sys
\SystemRoot\system32\DRIVERS\Mbm3cm.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\Mbm3mdfl.sys
\SystemRoot\system32\DRIVERS\Mbm3DevMt.sys
\SystemRoot\System32\Drivers\wwuss64.sys
\SystemRoot\System32\Drivers\wwussf64.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\DRIVERS\WwanUsbMp64.sys
\SystemRoot\System32\Drivers\LenovoRd.sys
\SystemRoot\System32\Drivers\SMCLIB.SYS
\SystemRoot\System32\DRIVERS\scfilter.sys
\SystemRoot\system32\DRIVERS\5U877.sys
\SystemRoot\system32\DRIVERS\STREAM.SYS
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\mbam.sys
\??\C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\l36wgps64.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\WinUsb.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\npf.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\Drivers\CVPNDRVA.sys
\??\C:\Users\David\AppData\Local\Temp\QDrive.sys
\SystemRoot\System32\Drivers\N360x64\1606000.08E\SRTSP64.SYS
\??\C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\VirusDefs\20160427.001\EX64.SYS
\??\C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\VirusDefs\20160427.001\ENG64.SYS
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\USBSTOR.SYS
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\lpk.dll
\Windows\System32\sechost.dll
\Windows\System32\ws2_32.dll
\Windows\System32\iertutil.dll
\Windows\System32\nsi.dll
\Windows\System32\advapi32.dll
\Windows\System32\user32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\gdi32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\setupapi.dll
\Windows\System32\shell32.dll
\Windows\System32\ole32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\wininet.dll
\Windows\System32\difxapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\msctf.dll
\Windows\System32\urlmon.dll
\Windows\System32\kernel32.dll
\Windows\System32\usp10.dll
\Windows\System32\psapi.dll
\Windows\System32\imm32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\imagehlp.dll
\Windows\System32\comdlg32.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\devobj.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\wintrust.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\userenv.dll
\Windows\System32\msasn1.dll
\Windows\System32\profapi.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2016.04.28.04
  rootkit: v2016.04.17.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800a083060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800a084a00, DeviceName: \Device\DozeHDD0\, DriverName: \Driver\DzHDD64\
DevicePointer: 0xfffffa800a083b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800a084040, DeviceName: Unknown, DriverName: \Driver\Shockprf\
DevicePointer: 0xfffffa800a083060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8009ee3c50, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa80077a85d0, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80077ac050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1A23200D

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 3072000
    Partition is bootable
    Partition file system is NTFS

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 3074048  Numsec = 276736000
    Partition is bootable
    Partition file system is NTFS

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 279810048  Numsec = 32768000
    Partition is not bootable
    Partition file system is NTFS

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Disk Size: 160041885696 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8007a0b790, DeviceName: \Device\Harddisk1\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8007605040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8007a0b790, DeviceName: \Device\Harddisk1\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800f8fb040, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa8006efc060, DeviceName: \Device\000000c7\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR6\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 1E9F56B

Partition information:

    Partition 0 type is Other (0x6)
    Partition is ACTIVE.
    Partition starts at LBA: 32  Numsec = 2027488
    Partition is not bootable
    Partition file system is FAT

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Disk Size: 1038090240 bytes
Sector size: 512 bytes

Done!
File "C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.0.124\QBackup\index.qbs" is sparse (flags = 32768)
Infected: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vfnws.dll --> [Trojan.Bedep]
Infected: HKLM\SOFTWARE\CLASSES\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A} --> [Trojan.Bedep]
Infected: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A} --> [Trojan.Bedep]
Infected: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} --> [Trojan.Clicker.FMS]
Infected: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a --> [Trojan.Clicker.FMS]
Scan finished
--- END ---

Here are the results from AdwCleaner:

--- BEGIN ---

# AdwCleaner v5.114 - Logfile created 28/04/2016 at 22:44:51
# Updated 27/04/2016 by Xplode
# Database : 2016-04-24.3 [Local]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# Username : David - THINKING
# Running from : C:\Users\David\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\ProgramData\Ask
Folder Found : C:\ProgramData\Partner
Folder Found : C:\ProgramData\Application Data\Ask
Folder Found : C:\ProgramData\Application Data\Partner

***** [ Files ] *****

File Found : C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Found : C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal

***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\s
Key Found : HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found : HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{67C71B35-A416-4A54-BD1D-15965A4FE41C}
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Softonic
Key Found : HKCU\Software\StartSearch
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Conduit
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\IM
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\ImInstaller
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Softonic
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\StartSearch
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{595C041B-BAFB-4893-88F4-E049DB531B6E}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{F94E17F4-1DB4-4700-8ADF-F1DB0605668F}
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\SearchScopes\{595C041B-BAFB-4893-88F4-E049DB531B6E}
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\SearchScopes\{F94E17F4-1DB4-4700-8ADF-F1DB0605668F}

***** [ Web browsers ] *****

[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\prefs.js] Found : user_pref("browser.search.selectedEngine", "Ask.com");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\prefs.js] Found : user_pref("browser.search.order.1", "Ask.com");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\prefs.js] Found : user_pref("browser.search.defaultengine", "Ask.com");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\prefs.js] Found : user_pref("browser.search.defaultenginename", "Ask.com");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\prefs.js] Found : user_pref("extensions.asktb.ff-original-keyword-url", "");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.newTab", false);
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6R8kt00LrR&loc=IB_TB&i=26&search=");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.id", "34b54f6000000000000024770347b04d");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.hardId", "34b54f6000000000000024770347b04d");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.instlDay", "15390");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.vrsn", "1.5.3.27");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.vrsni", "1.5.3.27");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.vrsnTs", "1.5.3.2713:53:33");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.prdct", "incredibar");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.aflt", "orgnl");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.smplGrp", "none");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.tlbrId", "base");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.instlRef", "");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.dfltLng", "");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.excTlbr", "false");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.ms_url_id", "");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.upn2", "6R8kt00LrR");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.upn2n", "92823880363176667");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.productid", "26");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.installerproductid", "26");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.did", "10606");
[C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js] Found : user_pref("extensions.incredibar_i.ppd", "1");

*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [7424 bytes] - [28/04/2016 22:44:51]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [7497 bytes] ##########
--- END ---

Regarding those 6 files in C:\Users\David\:

a. All of those 4 .bat files were created by me; and

b. Both of those 2 .exe files were downloaded by me (Unix-style utilities) some years ago.

Here are the results from FRST - FRST.txt:

--- BEGIN ---

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-04-2016
Ran by David (administrator) on THINKING (28-04-2016 22:46:59)
Running from C:\Users\David\Desktop
Loaded Profiles: David (Available Profiles: David)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Access Connections\AcPrfMgrSvc.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Access Connections\AcSvc.exe
(Broadcom Corporation.) C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\CamMute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\micmute.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\lvvsst.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\n360.exe
(Authentec Inc.) C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlk.exe
(Microsoft Corporation) C:\Windows\System32\cacls.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(QNAP Systems, Inc.) C:\Program Files\QNAP\NetBak\QVssService.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Ulead Systems, Inc.) C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Ericsson AB) C:\Program Files (x86)\Mobile Broadband drivers\WMCore\mini_WMCore.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\n360.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ZOOM\TpScrex.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tpnumlkd.exe
(QNAP Systems, Inc.) C:\Program Files\QNAP\NetBak\NetBak.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Lenovo, Japan, Ltd. ) C:\Program Files (x86)\Lenovo\RapidDrive Advanced\LenovoRapidDriveAdvancedService.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Access Connections\SvcGuiHlpr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Lenovo.) C:\Windows\System32\TpShocks.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Communications Utility\TpKnrres.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
() C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\AutoLock\ALCKRESI.exe
() C:\Program Files (x86)\MultiScreen\MultiScreen.exe
(Macrovision Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe
(Broadcom Corporation.) C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
() C:\Program Files (x86)\MagicTune Premium\GammaTray.exe
(Ricoh co.,Ltd.) C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE
() C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
() C:\Program Files\ThinkPad\Bluetooth Software\Bluetooth Headset Helper.exe
(Broadcom Corporation.) C:\Program Files\ThinkPad\Bluetooth Software\BluetoothHeadsetProxy.exe
(Broadcom Corporation.) C:\Program Files\ThinkPad\Bluetooth Software\BTStackServer.exe
(Lenovo) C:\Users\David\AppData\Local\Apps\2.0\WR6ZT4H9.1TT\TVECNGQL.8X8\lsb...tion_91a10ba61c75c82d_0001.0006_e3bbae03e10aca14\LSB.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
(Dolby Laboratories Inc.) C:\Program Files (x86)\Dolby Home Theater v4\pcee4.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [TpShocks] => C:\Windows\system32\TpShocks.exe [380776 2010-12-10] (Lenovo.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1793736 2015-02-25] (NVIDIA Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [LENOVO.TPKNRRES] => C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe [60920 2013-05-29] (Lenovo Group Limited)
HKLM\...\Run: [ForteConfig] => C:\Program Files\Conexant\ForteConfig\fmapp.exe [49056 2010-10-26] ()
HKLM\...\Run: [ALCKRESI.EXE] => C:\Program Files\Lenovo\AutoLock\ALCKRESI.EXE [388600 2013-04-15] (Lenovo Group Limited)
HKLM\...\Run: [AcWin7Hlpr] => C:\Program Files (x86)\Lenovo\Access Connections\AcTBenabler.exe [63728 2015-06-08] (Lenovo)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2168976 2015-12-22] ()
HKLM-x32\...\Run: [RotateImage] => C:\Program Files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe [55808 2008-10-31] (Ricoh co.,Ltd.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-06-17] (Apple Inc.)
HKLM-x32\...\Run: [PWMTRV] => rundll32 "C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL",PwrMgrBkGndMonitor
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [115048 2011-09-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [MagicTuneEngine] => C:\Program Files (x86)\MagicTune Premium\MagicTuneEngine.exe [24064 2009-06-15] (Samsung Electronics Co. Ltd.)
HKLM-x32\...\Run: [Lenovo Registration] => C:\Program Files (x86)\Lenovo Registration\LenovoReg.exe /boot
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [113656 2013-07-02] (Intel Corporation)
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452272 2012-08-31] (CANON INC.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2303152 2015-07-23] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCInstallQueue] => rundll32 netman.dll,ProcessQueue
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\psfus: C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll (Authentec Inc.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-02-02] (Google Inc.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [MultiScreen] => C:\Program Files (x86)\MultiScreen\MultiScreen.exe [303104 2009-08-11] ()
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [ISUSPM] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [213936 2006-05-16] (Macrovision Corporation)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [Google Update] => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-09-01] (Google Inc.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [Akamai NetSession Interface] => "C:\Users\David\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50676864 2016-03-01] (Skype Technologies S.A.)
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {25a01f47-4d87-11e1-86fc-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {50e07675-caa4-11e5-a586-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ac8ce2c3-cff8-11e3-b48f-028037ec0200} - D:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ec067731-cdfb-11e5-ba86-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [185816 2015-12-22] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [164008 2015-12-22] (NVIDIA Corporation)
AppInit_DLLs-x32: , C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [257208 2012-07-27] (Citrix Systems, Inc.)
Lsa: [Notification Packages] scecli ACGina C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\buShell.dll [2016-02-19] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\buShell.dll [2016-02-19] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\buShell.dll [2016-02-19] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2012-02-02]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk [2012-02-17]
ShortcutTarget: GammaTray.lnk -> C:\Program Files (x86)\MagicTune Premium\GammaTray.exe ()
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citrix Receiver.lnk [2012-09-20]
ShortcutTarget: Citrix Receiver.lnk -> C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe (Citrix Systems, Inc.)
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2015-09-15]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-3514529109-4073190309-4292251120-1002] => 220.173.139.172:8080
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{A7453476-232F-4DC1-A72D-7E4FFBB69CFE}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=LENP&bmod=LENP
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com.au/
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://www.lenovo.com/welcome/thinkpad
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> DefaultScope {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {07921B9E-C4E0-41BE-9E2B-F17685907888} URL = hxxp://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {39A5CE29-F8BE-425B-BB52-3D9FCEC0586E} URL = hxxp://www.linkedin.com/search/fpsearch?name={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {595C041B-BAFB-4893-88F4-E049DB531B6E} URL = hxxp://abr.business.gov.au/search.aspx?SearchText={searchTerms}&StartSearch=True&bqs=1
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {903BF549-8979-484A-A2BD-097AF77D6FE0} URL = hxxp://dictionary.reference.com/browse/{searchTerms}?r=75&src=ref&ch=dic
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NSBU&chn=1000&geo=AU&ver=22&locale=en_AU&gct=kwd&qsrc=2869
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {CB81E7B2-E6A9-42F6-BBA0-2ACF465F2F87} URL = hxxp://www.facebook.com/#/search/?ref=search&q={searchTerms}&init=quick
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {F94E17F4-1DB4-4700-8ADF-F1DB0605668F} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=871A8FAE-CBEB-4251-B84D-A34A4ED0D763&apn_sauid=B0F14DB3-F3ED-4CC5-8D1E-F01470E19596
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-03-14] (Microsoft Corporation)
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexbho.dll [2013-11-28] (CANON INC.)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-22] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
BHO: Norton Identity Protection -> {AB4C7833-A6EC-433f-B9FE-6B14B1A2F836} -> C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-03-05] (Symantec Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-03-14] (Microsoft Corporation)
BHO: Symantec VIP Access Add-On -> {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} -> C:\Program Files (x86)\Symantec\VIP Access Client\64bit\VIPAddOnForIE64.dll [2012-04-19] (Symantec Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2013-11-28] (CANON INC.)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-21] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-22] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-03-14] (Microsoft Corporation)
BHO-x32: Symantec VIP Access Add-On -> {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} -> C:\Program Files (x86)\Symantec\VIP Access Client\VIPAddOnForIE.dll [2012-04-19] (Symantec Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-21] (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexhlp.dll [2013-11-28] (CANON INC.)
Toolbar: HKLM - Norton Identity Safe Toolbar - {A13C2648-91D4-4bf3-BC6D-0079707C4389} - C:\Program Files (x86)\Norton Identity Safe\Engine64\2014.7.11.42\coIEPlg.dll [2015-03-05] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2013-11-28] (CANON INC.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-26] (Google Inc.)
Toolbar: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-26] (Google Inc.)
Toolbar: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\addon64\ewpexhlp.dll [2013-11-28] (CANON INC.)
Toolbar: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)
DPF: HKLM-x32 {816BE035-1450-40D0-8A3B-BA7825A83A77} hxxp://support.lenovo.com/Resources/Lenovo/AutoDetect/Lenovo_AutoDetect2.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP9-15980/webex/ieatgpc1.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2012-07-27] (Citrix Systems, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default
FF Homepage: hxxp://www.google.com.au/
FF NetworkProxy: "ftp", "220.173.139.172"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "gopher", "220.173.139.172"
FF NetworkProxy: "gopher_port", 8080
FF NetworkProxy: "http", "220.173.139.172"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "220.173.139.172"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "220.173.139.172"
FF NetworkProxy: "ssl_port", 8080
FF SelectedSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF DefaultSearchEngine: Ask.com
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2015-07-23] (Adobe Systems)
FF Plugin-x32: @abr.gov.au/KeyMgmtPlugin -> C:\Program Files (x86)\ABR\Plug-In\bin\npAUSkeyPlugin.dll [2010-08-19] (Commonwealth Government of Australia)
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2012-07-27] (Citrix Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIIPT.dll [2014-07-09] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Services\IPT\npIntelWebAPIUpdater.dll [2014-07-09] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-11-05] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-11-05] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-19] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2015-07-23] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @citrixonline.com/appdetectorplugin -> C:\Users\David\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-09-05] (Citrix Online)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @talk.google.com/GoogleTalkPlugin -> C:\Users\David\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @talk.google.com/O1DPlugin -> C:\Users\David\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @tools.google.com/Google Update;version=3 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: @tools.google.com/Google Update;version=9 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-3514529109-4073190309-4292251120-1002: LWAPlugin15.8 -> C:\Users\David\AppData\Roaming\Mozilla\Plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF user.js: detected! => C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fk8n9qcc.default\user.js [2012-02-20]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginAOC.dll [2016-03-14] ()
FF Plugin ProgramFiles/Appdata: C:\Users\David\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\David\AppData\Roaming\mozilla\plugins\npLWAPlugin15.8.dll [2013-03-13] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\David\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.0.124\coFFAddon
FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.0.124\coFFAddon [2016-03-21]
FF HKLM-x32\...\Firefox\Extensions: [{F04D2D30-776C-4d02-8627-8E4385ECA58D}] - C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_2014.6.0.27\coFFPlgn => not found
FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.0.124\coFFAddon
FF HKLM-x32\...\Firefox\Extensions: [VIP5X@verisign.com] - C:\Program Files (x86)\Symantec\VIP Access Client
FF Extension: Symantec VIP Access Add-On - C:\Program Files (x86)\Symantec\VIP Access Client [2016-03-21] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com.au/
CHR StartupUrls: Default -> "hxxp://google.com.au/"
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Norton Confidential) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.0.140_0\npcoplgn.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (ABR_AUSkey Mozilla Plugin) - C:\Program Files (x86)\ABR\Plug-In\bin\npAUSkeyPlugin.dll (Commonwealth Government of Australia)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll => No File
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
CHR Profile: C:\Users\David\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Norton Identity Safe) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-08-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-12]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-19]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-07-16]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-19]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nppllibpnmahfaklnpggkibhkapjkeob] - C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\Exts\Chrome.crx [2015-07-16]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)
S3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [326160 2016-04-14] (Lenovo.)
R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2013-11-18] (Nero AG)
R3 Lenovo.RapidDrive.Advanced.Svc; C:\Program Files (x86)\Lenovo\RapidDrive Advanced\LenovoRapidDriveAdvancedService.exe [209920 2011-10-07] (Lenovo, Japan, Ltd. ) [File not signed]
R2 Lenovo.VIRTSCRLSVC; C:\Program Files\LENOVO\VIRTSCRL\lvvsst.exe [133992 2011-07-12] (Lenovo Group Limited)
S3 LSCWinService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSCWinService.exe [272864 2016-01-08] (Lenovo)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 N360; C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\N360.exe [289080 2016-02-26] (Symantec Corporation)
S2 NCO; C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\NST.exe [131144 2015-03-05] (Symantec Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [166912 2013-10-17] () [File not signed]
R2 QVssService; C:\Program Files\QNAP\NetBak\QVssService.exe [2203824 2015-10-07] (QNAP Systems, Inc.)
S3 ShareItSvc; C:\Program Files (x86)\Lenovo\SHAREit\Shareit.Service.exe [31176 2016-01-20] (SHAREit Technologies Co.Ltd)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [21536 2016-01-13] ()
R2 UleadBurningHelper; C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2008-01-11] (Ulead Systems, Inc.) [File not signed]
R2 VIPAppService; C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe [84080 2012-04-19] (Symantec Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WMCoreService; C:\Program Files (x86)\Mobile Broadband drivers\WMCore\mini_WMCore.exe [594984 2011-04-08] (Ericsson AB)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3817168 2014-08-18] (Intel® Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\BASHDefs\20160418.001\BHDrvx64.sys [1766640 2016-03-10] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1606000.08E\ccSetx64.sys [173808 2015-07-11] (Symantec Corporation)
R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\7DE070B0.02A\ccSetx64.sys [162392 2013-09-28] (Symantec Corporation)
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R3 ecnssndis; C:\Windows\System32\Drivers\wwuss64.sys [26664 2010-02-24] (Ericsson AB)
R3 ecnssndisfltr; C:\Windows\System32\Drivers\wwussf64.sys [30248 2010-02-24] (Ericsson AB)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [498512 2015-11-18] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [157520 2015-11-18] (Symantec Corporation)
S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [121800 2010-03-09] (QUALCOMM Incorporated)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-11-16] (Intel Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\IPSDefs\20160426.001\IDSvia64.sys [767224 2016-02-15] (Symantec Corporation)
R3 l36wgps; C:\Windows\System32\DRIVERS\l36wgps64.sys [101416 2011-03-01] (Ericsson AB)
R3 LenovoRd; C:\Windows\System32\Drivers\LenovoRd.sys [118016 2009-05-11] (Lenovo)
R1 MagicTune; C:\Windows\system32\drivers\MTiCtwl.sys [23096 2008-11-04] (Samsung Electronics, Inc. )
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 Mbm3CBus; C:\Windows\System32\DRIVERS\Mbm3CBus.sys [419400 2011-04-14] (MCCI Corporation)
R3 Mbm3DevMt; C:\Windows\System32\DRIVERS\Mbm3DevMt.sys [430664 2011-04-14] (MCCI Corporation)
R3 Mbm3mdfl; C:\Windows\System32\DRIVERS\Mbm3mdfl.sys [19528 2011-04-14] (MCCI Corporation)
R3 Mbm3Mdm; C:\Windows\System32\DRIVERS\Mbm3Mdm.sys [483400 2011-04-14] (MCCI Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\VirusDefs\20160427.001\ENG64.SYS [138488 2015-12-30] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton 360\NortonData\22.5.0.124\Definitions\VirusDefs\20160427.001\EX64.SYS [2148080 2015-12-30] (Symantec Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [36600 2014-08-19] (Riverbed Technology, Inc.)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [308368 2015-12-22] (NVIDIA Corporation)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [45296 2014-07-28] (Synaptics Incorporated)
R2 smihlp; C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [13128 2011-05-30] (Authentec Inc.)
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\1606000.08E\SRTSP64.SYS [928504 2016-02-24] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1606000.08E\SRTSPX64.SYS [50936 2015-07-11] (Symantec Corporation)
R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1606000.08E\SYMEFASI64.SYS [1621232 2016-02-24] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-07-27] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1606000.08E\Ironx64.SYS [295664 2016-02-24] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1606000.08E\SYMNETS.SYS [577768 2016-02-24] (Symantec Corporation)
R3 TVTI2C; C:\Windows\System32\DRIVERS\Tvti2c.sys [41536 2009-09-24] (Lenovo (United States) Inc.)
R3 WwanUsbServ; C:\Windows\System32\DRIVERS\WwanUsbMp64.sys [284912 2013-11-22] (Ericsson AB)
R3 QDrive; \??\C:\Users\David\AppData\Local\Temp\QDrive.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-28 22:46 - 2016-04-28 22:47 - 00043660 _____ C:\Users\David\Desktop\FRST.txt
2016-04-28 22:44 - 2016-04-28 22:44 - 00000000 ____D C:\AdwCleaner
2016-04-28 22:29 - 2016-04-28 22:44 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-04-28 22:26 - 2016-04-28 22:44 - 00000000 ____D C:\Users\David\Desktop\mbar
2016-04-28 22:22 - 2016-04-28 22:02 - 03581504 _____ C:\Users\David\Desktop\AdwCleaner.exe
2016-04-28 22:22 - 2016-04-28 21:58 - 16563352 _____ (Malwarebytes Corp.) C:\Users\David\Desktop\mbar-1.09.3.1001.exe
2016-04-28 22:22 - 2016-04-28 21:55 - 00852798 _____ C:\Users\David\Desktop\SecurityCheck.exe
2016-04-28 22:22 - 2016-04-28 15:53 - 02376704 _____ (Farbar) C:\Users\David\Desktop\FRST64.exe
2016-04-28 22:18 - 2016-04-28 22:18 - 00000000 ____D C:\Users\David\AppData\Roaming\LSC
2016-04-28 14:47 - 2016-04-28 15:01 - 00000000 ____D C:\Users\David\AppData\Local\NPE
2016-04-28 14:40 - 2016-04-28 14:40 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2016-04-28 09:16 - 2016-04-28 09:16 - 00002002 _____ C:\Users\Public\Desktop\Lenovo Solution Center.lnk
2016-04-26 16:58 - 2016-04-26 16:58 - 00000000 ____D C:\Users\David\AppData\Roaming\AccdbMerge
2016-04-21 11:38 - 2016-04-21 11:38 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-15 16:11 - 2016-04-15 16:11 - 00069770 _____ C:\Users\David\Desktop\David you are invited.htm
2016-04-15 16:11 - 2016-04-15 16:11 - 00000000 ____D C:\Users\David\Desktop\David you are invited_files
2016-04-13 03:19 - 2016-04-01 04:55 - 00394952 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-04-13 03:19 - 2016-04-01 04:11 - 00346320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-04-13 03:19 - 2016-03-31 10:24 - 25817600 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-04-13 03:19 - 2016-03-31 10:10 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-04-13 03:19 - 2016-03-31 10:10 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-04-13 03:19 - 2016-03-31 10:01 - 02892800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-04-13 03:19 - 2016-03-31 09:58 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-04-13 03:19 - 2016-03-31 09:58 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-04-13 03:19 - 2016-03-31 09:57 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-04-13 03:19 - 2016-03-31 09:57 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-04-13 03:19 - 2016-03-31 09:57 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-04-13 03:19 - 2016-03-31 09:55 - 06052352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-04-13 03:19 - 2016-03-31 09:52 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-04-13 03:19 - 2016-03-31 09:51 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-04-13 03:19 - 2016-03-31 09:49 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-04-13 03:19 - 2016-03-31 09:47 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-04-13 03:19 - 2016-03-31 09:47 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-04-13 03:19 - 2016-03-31 09:47 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-04-13 03:19 - 2016-03-31 09:47 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-04-13 03:19 - 2016-03-31 09:41 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-04-13 03:19 - 2016-03-31 09:38 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-04-13 03:19 - 2016-03-31 09:33 - 20352512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-04-13 03:19 - 2016-03-31 09:32 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-04-13 03:19 - 2016-03-31 09:30 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-04-13 03:19 - 2016-03-31 09:29 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-04-13 03:19 - 2016-03-31 09:27 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-04-13 03:19 - 2016-03-31 09:26 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-04-13 03:19 - 2016-03-31 09:25 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-04-13 03:19 - 2016-03-31 09:23 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-04-13 03:19 - 2016-03-31 09:23 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-04-13 03:19 - 2016-03-31 09:22 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-04-13 03:19 - 2016-03-31 09:22 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-04-13 03:19 - 2016-03-31 09:22 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-04-13 03:19 - 2016-03-31 09:22 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-04-13 03:19 - 2016-03-31 09:21 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-04-13 03:19 - 2016-03-31 09:18 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-04-13 03:19 - 2016-03-31 09:18 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-04-13 03:19 - 2016-03-31 09:16 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-04-13 03:19 - 2016-03-31 09:15 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-04-13 03:19 - 2016-03-31 09:13 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-04-13 03:19 - 2016-03-31 09:13 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-04-13 03:19 - 2016-03-31 09:12 - 02131968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-04-13 03:19 - 2016-03-31 09:12 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-04-13 03:19 - 2016-03-31 09:09 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-04-13 03:19 - 2016-03-31 09:08 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-04-13 03:19 - 2016-03-31 09:04 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-04-13 03:19 - 2016-03-31 09:03 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-04-13 03:19 - 2016-03-31 09:01 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-04-13 03:19 - 2016-03-31 09:01 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-04-13 03:19 - 2016-03-31 09:00 - 04611072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-04-13 03:19 - 2016-03-31 09:00 - 02596864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-04-13 03:19 - 2016-03-31 09:00 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-04-13 03:19 - 2016-03-31 08:59 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-04-13 03:19 - 2016-03-31 08:54 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-04-13 03:19 - 2016-03-31 08:53 - 02056192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-04-13 03:19 - 2016-03-31 08:53 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-04-13 03:19 - 2016-03-31 08:52 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-04-13 03:19 - 2016-03-31 08:51 - 13811712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-04-13 03:19 - 2016-03-31 08:48 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-04-13 03:19 - 2016-03-31 08:36 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-04-13 03:19 - 2016-03-31 08:35 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-04-13 03:19 - 2016-03-31 08:32 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-04-13 03:19 - 2016-03-31 08:30 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-04-13 03:19 - 2016-03-30 03:23 - 03216896 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-04-13 03:19 - 2016-03-18 08:34 - 05551336 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-04-13 03:19 - 2016-03-18 08:34 - 00706280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-04-13 03:19 - 2016-03-18 08:34 - 00154344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-04-13 03:19 - 2016-03-18 08:34 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-04-13 03:19 - 2016-03-18 08:31 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-04-13 03:19 - 2016-03-18 08:31 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-04-13 03:19 - 2016-03-18 08:28 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-04-13 03:19 - 2016-03-18 08:28 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2016-04-13 03:19 - 2016-03-18 08:27 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-04-13 03:19 - 2016-03-18 08:26 - 02084864 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2016-04-13 03:19 - 2016-03-18 08:26 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-04-13 03:19 - 2016-03-18 08:24 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 00731136 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-04-13 03:19 - 2016-03-18 08:23 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:20 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 08:06 - 03998952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-04-13 03:19 - 2016-03-18 08:06 - 03943144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-04-13 03:19 - 2016-03-18 08:03 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-04-13 03:19 - 2016-03-18 08:01 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2016-04-13 03:19 - 2016-03-18 08:00 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-04-13 03:19 - 2016-03-18 08:00 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-04-13 03:19 - 2016-03-18 08:00 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2016-04-13 03:19 - 2016-03-18 07:59 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-04-13 03:19 - 2016-03-18 07:59 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-04-13 03:19 - 2016-03-18 07:59 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-04-13 03:19 - 2016-03-18 07:58 - 01414144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-04-13 03:19 - 2016-03-18 07:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-04-13 03:19 - 2016-03-18 07:56 - 00553984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-04-13 03:19 - 2016-03-18 07:55 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 07:23 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-04-13 03:19 - 2016-03-18 07:22 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2016-04-13 03:19 - 2016-03-18 07:22 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-04-13 03:19 - 2016-03-18 07:21 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-04-13 03:19 - 2016-03-18 07:14 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2016-04-13 03:19 - 2016-03-18 07:13 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-04-13 03:19 - 2016-03-18 07:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-04-13 03:19 - 2016-03-18 07:08 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-04-13 03:19 - 2016-03-18 07:07 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-04-13 03:19 - 2016-03-18 07:07 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-04-13 03:19 - 2016-03-18 07:05 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-04-13 03:19 - 2016-03-18 07:05 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-04-13 03:19 - 2016-03-18 07:00 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2016-04-13 03:19 - 2016-03-18 07:00 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2016-04-13 03:19 - 2016-03-18 07:00 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2016-04-13 03:19 - 2016-03-18 07:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2016-04-13 03:19 - 2016-03-18 06:59 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-04-13 03:19 - 2016-03-18 06:59 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-04-13 03:19 - 2016-03-16 09:46 - 00760320 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll
2016-04-13 03:19 - 2016-03-16 09:46 - 00106496 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll
2016-04-13 03:19 - 2016-03-16 09:23 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll
2016-04-13 03:19 - 2016-03-12 04:27 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-04-13 03:19 - 2016-03-12 04:05 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-04-13 03:19 - 2016-03-07 04:23 - 01885696 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2016-04-13 03:19 - 2016-03-07 04:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2016-04-13 03:19 - 2016-03-07 04:08 - 01240576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2016-04-13 03:19 - 2016-03-07 04:08 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2016-04-12 23:51 - 2016-04-12 23:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Raw Image Viewer
2016-04-12 23:51 - 2016-04-12 23:51 - 00000000 ____D C:\Program Files (x86)\Raw Image Viewer
2016-04-11 20:57 - 2016-04-26 21:51 - 00000000 ____D C:\Users\David\AppData\LocalLow\uTorrent
2016-04-11 11:56 - 2016-04-11 11:56 - 00000000 ____D C:\Users\David\AppData\Local\{6F00555C-B600-4F47-9542-3D14B028719F}
2016-04-04 17:57 - 2016-04-04 18:01 - 00003418 _____ C:\Windows\System32\Tasks\CMDLine

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-28 22:46 - 2015-12-01 15:58 - 00000000 ____D C:\FRST
2016-04-28 22:46 - 2014-11-24 21:24 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002UA.job
2016-04-28 22:29 - 2015-11-16 12:54 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-28 22:27 - 2015-11-16 12:54 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-28 22:23 - 2012-02-02 20:05 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-28 22:16 - 2009-07-14 14:43 - 00786578 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-28 22:16 - 2009-07-14 14:15 - 00031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-28 22:16 - 2009-07-14 14:15 - 00031296 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-28 22:16 - 2009-07-14 12:50 - 00000000 ____D C:\Windows\inf
2016-04-28 22:15 - 2012-01-06 15:12 - 00000000 ____D C:\Users\David\AppData\Local\Htc
2016-04-28 22:14 - 2008-01-13 13:23 - 00000000 ____D C:\Users\David\AppData\Roaming\Skype
2016-04-28 22:11 - 2014-11-25 07:17 - 00000562 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3514529109-4073190309-4292251120-1002.job
2016-04-28 22:09 - 2015-08-17 09:53 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-04-28 22:09 - 2014-03-13 16:46 - 00000000 ____D C:\Users\David\AppData\Local\Deployment
2016-04-28 22:09 - 2012-02-02 20:05 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-28 22:08 - 2014-04-30 09:50 - 00000000 ____D C:\Users\David\AppData\Local\HTC MediaHub
2016-04-28 22:07 - 2012-02-02 19:59 - 00000000 ____D C:\ProgramData\NVIDIA
2016-04-28 22:07 - 2009-07-14 14:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-28 16:17 - 2012-02-20 17:21 - 01287132 _____ C:\Windows\ntbtlog.txt
2016-04-28 14:47 - 2012-02-02 20:08 - 00000000 ____D C:\ProgramData\Norton
2016-04-28 14:44 - 2012-06-07 09:24 - 00007667 _____ C:\Users\David\AppData\Local\Resmon.ResmonCfg
2016-04-28 13:48 - 2015-06-01 18:49 - 00000658 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3514529109-4073190309-4292251120-1002.job
2016-04-28 13:16 - 2009-07-14 15:02 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-04-28 09:23 - 2014-11-24 21:24 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002Core.job
2016-04-28 09:17 - 2012-02-02 20:04 - 00000000 ____D C:\Windows\System32\Tasks\Lenovo
2016-04-28 09:17 - 2012-02-02 20:00 - 00003020 _____ C:\Windows\System32\Tasks\PMTask
2016-04-28 09:17 - 2009-07-14 12:50 - 00000000 __RSD C:\Windows\Media
2016-04-28 09:16 - 2012-02-02 20:04 - 00000000 ____D C:\Windows\Downloaded Installations
2016-04-28 09:16 - 2012-02-02 19:50 - 00000000 ____D C:\Program Files\Lenovo
2016-04-27 12:56 - 2013-05-21 12:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2016-04-26 21:52 - 2014-08-08 17:27 - 00000000 ____D C:\Program Files\PeerBlock
2016-04-26 21:52 - 2012-02-11 15:29 - 00000000 ____D C:\Users\David\AppData\Local\Google
2016-04-26 21:51 - 2012-12-09 20:28 - 00000000 ____D C:\Users\David\AppData\Roaming\uTorrent
2016-04-25 20:24 - 2009-07-14 12:50 - 00000000 ____D C:\Windows\rescache
2016-04-25 18:15 - 2009-07-14 14:15 - 00467896 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-21 11:41 - 2013-08-19 03:00 - 00000000 ____D C:\Windows\system32\MRT
2016-04-21 11:38 - 2012-12-12 11:50 - 00002617 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Lync 2010 Attendee.lnk
2016-04-21 11:38 - 2012-12-12 11:50 - 00000000 ____D C:\Program Files (x86)\Microsoft Lync Attendee
2016-04-21 11:38 - 2012-02-12 23:27 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-21 11:34 - 2013-10-20 20:14 - 00000000 ____D C:\ProgramData\Oracle
2016-04-21 11:33 - 2015-09-02 11:36 - 00000000 ____D C:\Users\David\.oracle_jre_usage
2016-04-21 11:33 - 2014-10-29 13:17 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2016-04-21 11:33 - 2014-10-29 13:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-04-21 11:33 - 2014-10-29 13:17 - 00000000 ____D C:\Program Files (x86)\Java
2016-04-21 08:50 - 2012-02-17 07:48 - 00000000 ____D C:\Users\David\AppData\Local\CrashDumps
2016-04-19 09:13 - 2013-05-21 12:07 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-04-19 09:13 - 2013-05-21 11:59 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-04-16 14:28 - 2009-07-14 14:38 - 00032644 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-04-15 09:18 - 2015-06-01 18:49 - 00003684 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-3514529109-4073190309-4292251120-1002
2016-04-15 09:18 - 2014-11-25 07:17 - 00003588 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3514529109-4073190309-4292251120-1002
2016-04-14 19:07 - 2014-05-10 15:27 - 00000316 _____ C:\Windows\Tasks\NetBak-Thinking-David-Job1.job
2016-04-14 06:08 - 2012-02-02 20:00 - 02872488 _____ (Lenovo Group Limited) C:\Windows\system32\PWMCP64V.cpl
2016-04-14 06:08 - 2012-02-02 20:00 - 02692776 ____N (Lenovo Group Limited) C:\Windows\PWMBTHLV.EXE
2016-04-14 06:08 - 2012-02-02 20:00 - 00029512 _____ (Lenovo.) C:\Windows\system32\Drivers\DZHDD64.SYS
2016-04-14 06:08 - 2012-02-02 20:00 - 00029008 _____ (Lenovo Group Limited) C:\Windows\system32\Drivers\TPPWR64V.SYS
2016-04-12 09:14 - 2016-03-21 13:26 - 00000000 ____D C:\Users\David\AppData\Local\Screencast-O-Matic-v2
2016-04-08 17:44 - 2008-01-13 13:22 - 00000000 ____D C:\ProgramData\Skype
2016-04-08 17:43 - 2014-09-26 10:18 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-04-08 06:26 - 2012-02-02 20:05 - 00002166 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-06 19:10 - 2014-04-30 09:45 - 00000000 ____D C:\Temp
2016-04-06 14:22 - 2011-05-03 23:52 - 00000000 ____D C:\Users\David\AppData\Roaming\AUSkey
2016-04-06 11:29 - 2009-12-28 17:24 - 00000000 ____D C:\Users\David\AppData\Local\Citrix
2016-04-04 10:55 - 2012-02-24 10:22 - 00000000 ____D C:\Users\David\AppData\Local\CutePDF Writer
2016-04-03 16:53 - 2016-01-31 13:59 - 00000000 ____D C:\Program Files (x86)\PRTG Network Monitor
2016-04-03 16:53 - 2012-05-21 18:15 - 00000000 ____D C:\ProgramData\Temp
2016-03-30 17:31 - 2016-01-31 13:59 - 00000000 ____D C:\Program Files\WinPcap

==================== Files in the root of some directories =======

2014-07-09 09:02 - 2014-07-09 09:02 - 0205422 _____ () C:\Users\David\AppData\Roaming\2SQL.zip
2015-03-25 12:08 - 2015-06-12 16:34 - 0000034 _____ () C:\Users\David\AppData\Roaming\AdobeWLCMCache.dat
2014-07-09 12:01 - 2014-07-09 12:01 - 0022976 _____ (Intel Corporation) C:\Users\David\AppData\Roaming\JomCap.dll
2014-05-02 17:30 - 2014-05-02 17:37 - 0038418 _____ () C:\Users\David\AppData\Roaming\Microsoft Excel 97-2003.ADR
2012-02-13 16:44 - 2011-08-10 10:06 - 0223808 _____ () C:\Users\David\AppData\Roaming\wanancsp.dat
2013-09-18 17:13 - 2013-09-18 19:17 - 0000600 _____ () C:\Users\David\AppData\Local\PUTTY.RND
2012-06-07 09:24 - 2016-04-28 14:44 - 0007667 _____ () C:\Users\David\AppData\Local\Resmon.ResmonCfg
2014-08-27 21:19 - 2014-08-27 21:19 - 0015036 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.211905.wdl
2014-08-27 21:23 - 2014-08-27 21:23 - 0015869 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.212325.wdl
2014-08-27 22:38 - 2014-08-27 22:39 - 0015758 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.223854.wdl
2014-08-27 22:39 - 2014-08-27 22:43 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20140827.223956.wdl
2014-10-28 11:19 - 2014-10-28 11:20 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141028.121955.wdl
2014-10-28 11:31 - 2014-10-28 11:32 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141028.123146.wdl
2014-12-14 22:43 - 2014-12-14 22:44 - 0015868 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141214.234356.wdl
2014-12-14 22:48 - 2014-12-14 22:49 - 0015870 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141214.234842.wdl
2014-12-14 22:49 - 2014-12-14 22:49 - 0015868 _____ () C:\Users\David\AppData\Local\WiDiSetupLog.20141214.234924.wdl
2012-08-14 22:22 - 2014-01-29 18:14 - 0000952 ___SH () C:\ProgramData\KGyGaAvL.sys

Files to move or delete:
====================
C:\Users\David\hex2text.exe
C:\Users\David\humbole.bat
C:\Users\David\Nightly.bat
C:\Users\David\Run.bat
C:\Users\David\sed.exe
C:\Users\David\wbstatus.bat


Some files in TEMP:
====================
C:\Users\David\AppData\Local\Temp\mpegc.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-28 09:13

==================== End of FRST.txt ============================

--- END ---


Here are the results from FRST - Addition.txt:

--- BEGIN ---

Additional scan result of Farbar Recovery Scan Tool (x64) Version:27-04-2016
Ran by David (2016-04-28 22:47:19)
Running from C:\Users\David\Desktop
Windows 7 Professional Service Pack 1 (X64) (2012-02-11 05:56:44)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3514529109-4073190309-4292251120-500 - Administrator - Disabled)
David (S-1-5-21-3514529109-4073190309-4292251120-1002 - Administrator - Enabled) => C:\Users\David
Guest (S-1-5-21-3514529109-4073190309-4292251120-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3514529109-4073190309-4292251120-1003 - Limited - Enabled)
PRTGAdmin (S-1-5-21-3514529109-4073190309-4292251120-1004 - Administrator - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton 360 (Enabled - Up to date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton 360 (Enabled - Up to date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Norton 360 (Enabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\uTorrent) (Version: 3.4.6.42094 - BitTorrent Inc.)
2SQL Version 5.5.5 (HKLM-x32\...\2SQL for Microsoft Access 2010/SQL Server 2008 R2_is1) (Version: 5.5.5 - ConvertU2 Technologies Pty Ltd)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20060 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 16.0.0.245 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.2.0.129 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AUSkey software 1.4.0.3 (HKLM-x32\...\{1976B721-8F15-4B86-92D2-725364AF8CE0}) (Version: 1.4.0.3 - ABR)
AutoRotation (HKLM-x32\...\{8C94F0BE-D9D6-4AA9-A27E-7FBBB8DFA70F}) (Version: 1.00.0000 - Samsung Electronics Co. Ltd)
AVS Video Editor 6.5 (HKLM-x32\...\AVS Video Editor_is1) (Version: 6.5.1.246 - Online Media Technologies Ltd.)
Broadcom InConcert Maestro (HKLM\...\{57DD35E9-D9BB-4089-BB05-EF933C586CB3}) (Version: 1.0.1.1500 - Broadcom Corporation)
BS.Player FREE (HKLM-x32\...\BSPlayerf) (Version: 2.63.1071 - AB Team, d.o.o.)
Burn.Now 4.5 (x32 Version: 4.5.0 - Corel Corporation) Hidden
calibre 64bit (HKLM\...\{9B70C080-F90A-49EA-B8A4-3E4D7BDDA853}) (Version: 2.36.0 - Kovid Goyal)
Canon Easy-WebPrint EX (HKLM-x32\...\Easy-WebPrint EX) (Version: 1.4.0.0 - Canon Inc.)
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - Canon Inc.)
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: 3.2.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MX720 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX720_series) (Version: 1.00 - Canon Inc.)
Canon MX720 series On-screen Manual (HKLM-x32\...\Canon MX720 series On-screen Manual) (Version: 7.6.0 - Canon Inc.)
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 1.1.2 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 1.0.1 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.1.0 - Canon Inc.)
Canon Speed Dial Utility (HKLM-x32\...\Speed Dial Utility) (Version: 1.3.0 - Canon Inc.)
Cisco Systems VPN Client 5.0.07.0290 (HKLM\...\{467D5E81-8349-4892-9E81-C3674ED8E451}) (Version: 5.0.7 - Cisco Systems, Inc.)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.3.0.55 - Citrix Systems, Inc.)
Conexant 20672 SmartAudio HD (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.32.23.5 - Conexant)
Core FTP LE (x64) (HKLM-x32\...\CoreFTP(x64)) (Version:  - )
Corel Burn.Now Lenovo Edition (HKLM-x32\...\InstallShield_{A3BE3F1E-2472-4211-8735-E8239BE49D9F}) (Version: 4.5.0 - Corel Corporation)
Corel DVD MovieFactory 7 (x32 Version: 7.0.0 - Corel Corporation) Hidden
Corel DVD MovieFactory Lenovo Edition (HKLM-x32\...\InstallShield_{50F68032-B5B7-4513-9116-C978DBD8F27A}) (Version: 7.0.0 - Corel Corporation)
Corel WinDVD (HKLM-x32\...\{5C1F18D2-F6B7-4242-B803-B5A78648185D}) (Version: 10.0.5.828 - Corel Inc.)
Create Recovery Media (HKLM-x32\...\{50DC5136-21E8-48BC-97E5-1AD055F6B0B6}) (Version: 1.20.0.00 - Lenovo Group Limited)
Custom UI Editor for Microsoft Office (HKLM-x32\...\{C644FAAE-42FD-4FEC-B170-AB40B128B9AF}) (Version: 3.14.1592 - Microsoft Corporation)
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Direct DiscRecorder (x32 Version: 1.00.0000 - Corel Corporation) Hidden
Disable AMT Profile Synchronization Pop-up for Windows XP/Vista/7 (HKLM\...\DisableAMTPopup) (Version: 1.00 - )
Dolby Home Theater v4 (HKLM-x32\...\{B26438B4-BF51-49C3-9567-7F14A5E40CB9}) (Version: 7.2.7000.4 - Dolby Laboratories Inc)
easyFBT 2015 (HKLM-x32\...\{DDA6CDAE-33B7-492F-98D1-20C95EA9A419}) (Version: 15.1.0.6 - One Plus One Solutions Pty Limited)
ECI Client v6.0 (HKLM-x32\...\{DE730F37-A198-4112-A3B6-97786F34354A}) (Version: v6.0.1 - Australian Taxation Office)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Evernote v. 4.2.3 (HKLM-x32\...\{F761359C-9CED-45AE-9A51-9D6605CD55C4}) (Version: 4.2.3.15 - Evernote Corp.)
Extended Asian Language font pack for Adobe Reader XI (HKLM-x32\...\{AC76BA86-7AD7-2530-0000-A00000000049}) (Version: 11.0.09 - Adobe Systems Incorporated)
Full Desktop (HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\gateway-5a812d51@@XenApp:Full Desktop) (Version: 1.0 - Delivered by Citrix)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Talk Plugin (HKLM-x32\...\{F9B579C2-D854-300A-BE62-A09EB9D722E4}) (Version: 5.41.3.0 - Google)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7619.1252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
GoToMeeting 7.16.0.4800 (HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\GoToMeeting) (Version: 7.16.0.4800 - CitrixOnline)
HTC BMP USB Driver (HKLM-x32\...\{31A559C1-9E4D-423B-9DD3-34A6C5398752}) (Version: 1.0.5375 - HTC)
HTC Driver Installer (HKLM-x32\...\{4CEEE5D0-F905-4688-B9F9-ECC710507796}) (Version: 4.17.0.001 - HTC Corporation)
HTC Sync (HKLM-x32\...\{1F9E5C64-165D-4679-BBB3-498D216D017B}) (Version: 3.3.7 - HTC Corporation)
HTC Sync Manager (HKLM-x32\...\{231D0C79-98A6-4693-A366-36DE7D7346EC}) (Version: 3.1.69.5 - HTC)
Icecream PDF Split and Merge version 2.2 (HKLM-x32\...\{95DC4DB4-99FB-4FB2-ADBD-97F194EDEB4D}_is1) (Version: 2.2 - Icecream Apps)
Integrated Camera Driver Installer Package Ver.1.1.0.1147 (HKLM-x32\...\{B2CA6F37-1602-4823-81B5-0384B6888AA6}) (Version: 1.1.0.1147 - RICOH)
Integrated Camera TWAIN (HKLM-x32\...\{9CA0DEE4-E84B-466F-9B96-FC255F3A929F}) (Version: 1.0.11.1223 - Chicony Electronics Co.,Ltd.)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1011 - Intel Corporation)
Intel® Identity Protection Technology 1.2.32.0 (HKLM-x32\...\{2D793E41-F598-1014-9984-F3B169A93F79}) (Version: 1.2.32.0 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.1.80.1211 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 18.7 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2538 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{7991b5ae-96d7-4df2-97fb-a605b7cb638b}) (Version: 17.12.0 - Intel Corporation)
IPTInstaller (HKLM-x32\...\{08208143-777D-4A06-BB54-71BF0AD1BB70}) (Version: 4.0.9 - HTC)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Lenovo Auto Scroll Utility (HKLM\...\LenovoAutoScrollUtility) (Version: 1.11 - )
Lenovo Battery Utility 2015 2.2 (HKLM-x32\...\{62D5A67D-E5CC-4D79-8998-DCFDB7750346}_is1) (Version: 2.2 - Lenovo Corp)
Lenovo Patch Utility (HKLM-x32\...\{24E92E7A-6848-4747-A3EA-3AAC0576BE52}) (Version: 1.0.1.1 - Lenovo Group Limited)
Lenovo Patch Utility (x32 Version: 1.3.2.4 - Lenovo Group Limited) Hidden
Lenovo Patch Utility 64 bit (HKLM\...\{0369F866-2CE0-4EB9-B426-88FA122C6E82}) (Version: 1.3.0.9 - Lenovo Group Limited)
Lenovo Patch Utility 64 bit (HKLM\...\{39A04221-294E-4D90-A0F2-CCB1EF15CB56}) (Version: 1.2.0.1 - Lenovo Group Limited)
Lenovo Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.67.11.08 - Lenovo)
Lenovo Registration (HKLM-x32\...\{6707C034-ED6B-4B6A-B21F-969B3606FBDE}) (Version: 1.0.4 - Lenovo Inc.)
Lenovo Service Bridge (HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\cbe8636f7dd0cf1d) (Version: 1.6.3.1 - Lenovo)
Lenovo SimpleTap (HKLM\...\{EFC9FE7C-ECE8-4282-8F77-FEDCAD374C77}) (Version: 3.0.0010.00 - Lenovo Group Limited)
Lenovo Solution Center (HKLM\...\{49277B39-D2E8-4342-9CE8-FC080C3FA344}) (Version: 2.8.007.00 - Lenovo Group Limited)
Lenovo System Interface Driver (HKLM\...\LENOVO.SMIIF) (Version: 1.05 - )
Lenovo System Update (HKLM-x32\...\{25C64847-B900-48AD-A164-1B4F9B774650}) (Version: 5.07.0022 - Lenovo)
Lenovo User Guide (HKLM-x32\...\{13F59938-C595-479C-B479-F171AB9AF64F}) (Version: 1.0.0008.00 - Lenovo)
Lenovo Warranty Information (HKLM-x32\...\{FD4EC278-C1B1-4496-99ED-C0BE1B0AA521}) (Version: 1.0.0005.00 - Lenovo)
Lenovo Welcome (HKLM-x32\...\Lenovo Welcome_is1) (Version: 3.00.006.0 - Lenovo)
Lexmark Printer Software Uninstall (HKLM-x32\...\Lexmark Printer Software Uninstall) (Version:  - )
Logitech Unifying Software 2.00 (HKLM\...\Logitech Unifying) (Version: 2.00.43 - Logitech)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Message Center Plus (HKLM\...\{EE4D9822-C7F3-4386-8703-889CDDA22FAA}) (Version: 3.4.0001.00 - Lenovo Group Limited)
Metric Collection SDK (x32 Version: 1.1.0005.00 - Lenovo Group Limited) Hidden
Metric Collection SDK 35 (x32 Version: 1.2.0001.00 - Lenovo Group Limited) Hidden
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (HKLM-x32\...\{41785C66-90F2-40CE-8CB5-1C94BFC97280}) (Version: 3.5.30730.0 - Microsoft Corporation)
Microsoft Lync 2010 Attendee (HKLM-x32\...\{09335E49-1C8F-4973-9929-941BE9C6EF33}) (Version: 4.0.7577.4498 - Microsoft Corporation)
Microsoft Lync Web App Plug-in (HKLM\...\{1E9C25E0-B68A-4A73-8B11-BC3C2EE88ACF}) (Version: 15.8.8308.866 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM-x32\...\{95140000-0081-0409-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\OneDriveSetup.exe) (Version: 17.3.6201.1019 - Microsoft Corporation)
Microsoft OneNote 2013 - en-us (HKLM\...\OneNoteFreeRetail - en-us) (Version: 15.0.4815.1001 - Microsoft Corporation)
Microsoft Project Professional 2010 (HKLM-x32\...\Office14.PRJPROR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIOR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visio Professional 2013 - en-us (HKLM\...\VisioProRetail - en-us) (Version: 15.0.4815.1001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mobile Broadband Drivers (HKLM-x32\...\{EA9640BE-414E-4195-B53B-7905BF1A5A09}) (Version: 6.4.1.6 - Ericsson AB)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2721691) (HKLM-x32\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB973685) (HKLM-x32\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation)
MultiScreen (HKLM-x32\...\{E36E864B-BFB6-440A-9A23-2B0BEDE59A92}) (Version: 1.00.0000 - Samsung Electronics Ltd.)
MYOB AccountRight Premier v19.10 (HKLM-x32\...\InstallShield_{14CD4651-23C3-4D99-9A13-D1DBE4835E16}) (Version: 19.10.0 - MYOB Technology Pty Ltd)
MYOB AccountRight Premier v19.10 (x32 Version: 19.10.0 - MYOB Technology Pty Ltd) Hidden
MYOB ODBC Direct v10 AUS (x32 Version: 10.0.0 - MYOB Technology Pty Ltd) Hidden
MyPhoneExplorer (HKLM-x32\...\MPE) (Version: 1.8.2 - F.J. Wechselberger)
Norton 360 (HKLM-x32\...\N360) (Version: 22.6.0.142 - Symantec Corporation)
Norton Identity Safe (HKLM-x32\...\NST) (Version: 2014.7.11.42 - Symantec Corporation)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.3.2 - Notepad++ Team)
NVIDIA 3D Vision Driver 354.45 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 354.45 - NVIDIA Corporation)
NVIDIA Graphics Driver 354.45 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 354.45 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.4 - NVIDIA Corporation)
NVIDIA nView 146.78 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 146.78 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
On Screen Display (HKLM\...\OnScreenDisplay) (Version: 6.73.01 - )
Online Plug-in (x32 Version: 13.3.0.55 - Citrix Systems, Inc.) Hidden
PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC)
Power Manager (HKLM-x32\...\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}) (Version: 6.68.10 - Lenovo Group Limited)
QNAP Finder (HKLM-x32\...\QNAP_FINDER) (Version:  - )
QNAP NetBak Replicator (HKLM-x32\...\NetBak) (Version: 4.5.1.1007 - QNAP Systems, Inc.)
QuickTime 7 (HKLM-x32\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
RapidBoot (HKLM\...\{5E2652DF-743F-482B-A593-C95F431A5769}) (Version: 1.11 - Lenovo)
RapidDrive Advanced version 1.0.12 (HKLM-x32\...\{F8F9F1AC-5CB0-4DBB-87FA-1A6BC4EA02E5}_is1) (Version: 1.0.12 - LENOVO, Inc.)
RAW Image Viewer (HKLM-x32\...\{3C867AA0-22EC-4B27-8C60-A354AA37D68C}_is1) (Version:  - IdeaMK)
Registry Patch to Enable Maximum Power Saving on WiFi Adapters for Windows 7 (HKLM\...\EnablePS) (Version: 1.00 - )
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.1.36.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.1.36.0 - Renesas Electronics Corporation) Hidden
RICOH_Media_Driver_v2.14.18.01 (HKLM-x32\...\{FE041B02-234C-4AAA-9511-80DF6482A458}) (Version: 2.14.18.01 - RICOH)
RoboCache (HKLM-x32\...\{D64D5555-9C89-4CAB-84E0-244225A0C41C}) (Version: 1.1.1 - ManuSoft)
Safari (HKLM-x32\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
Samsung_MonSetup (HKLM-x32\...\{8EA79DBF-D637-448A-89D6-410A087A4493}) (Version: 1.00.0000 - Samsung)
Screen Recorder Launcher (HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\ScreenRecorderLauncher) (Version: 2.0 - )
Self-service Plug-in (x32 Version: 3.3.0.27839 - Citrix Systems, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-003B-0000-0000-0000000FF1CE}_Office14.PRJPROR_{58FA40EF-ABA9-4FED-AD3D-318A6073934D}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0057-0000-0000-0000000FF1CE}_Office14.VISIOR_{359ADBEC-068A-4CC9-9174-77AB8EDB867A}) (Version:  - Microsoft)
SHAREit (HKLM-x32\...\SHAREit_is1) (Version: 3.2.0.543 - Lenovo)
Skype™ 7.21 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.21.100 - Skype Technologies S.A.)
ThinkPad Bluetooth with Enhanced Data Rate Software (HKLM\...\{C6C9D5F7-630C-4125-8C4E-94AF77C1896E}) (Version: 6.4.0.1500 - Broadcom Corporation)
ThinkPad FullScreen Magnifier (HKLM\...\ThinkPad FullScreen Magnifier) (Version: 2.42 - )
ThinkPad UltraNav Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.19.14 - )
ThinkPad UltraNav Utility (HKLM-x32\...\{17CBC505-D1AE-459D-B445-3D2000A85842}) (Version: 2.13.0 - Lenovo)
ThinkVantage Access Connections (HKLM-x32\...\{8E537894-A559-4D60-B3CB-F4485E3D24E3}) (Version: 6.25.65 - Lenovo)
ThinkVantage Active Protection System (HKLM\...\{46A84694-59EC-48F0-964C-7E76E9F8A2ED}) (Version: 1.79.00.03 - Lenovo)
ThinkVantage AutoLock (HKLM\...\{E224B44B-B5EB-4af3-A80A-A255358E241A}_is1) (Version: 1.07 - Lenovo)
ThinkVantage Communications Utility (HKLM\...\{88C6A6D9-324C-46E8-BA87-563D14021442}_is1) (Version: 2.11.0.0 - Lenovo)
ThinkVantage Fingerprint Software (HKLM\...\{F58DA859-016E-492D-A588-317D9BB28002}) (Version: 5.9.9.7282 - Authentec Inc.)
ThinkVantage GPS (HKLM-x32\...\{6DB21B2C-2BEF-44B4-B264-8EC2BC2369C6}) (Version: 2.81 - Lenovo)
VIP Access (HKLM-x32\...\{E8D46836-CD55-453C-A107-A59EC51CB8DC}) (Version: 2.0.5.13 - VeriSign)
Windows Driver Package - Intel (e1cexpress) Net  (12/21/2010 11.8.84.0) (HKLM\...\6D23A494E9A245843FB8584D9307D3E328DF8613) (Version: 12/21/2010 11.8.84.0 - Intel)
Windows Driver Package - Intel System  (09/10/2010 9.2.0.1011) (HKLM\...\0CDBDD444A1F5FFEA227B4E7DCE195F11F08240A) (Version: 09/10/2010 9.2.0.1011 - Intel)
Windows Driver Package - Intel System  (09/10/2010 9.2.0.1011) (HKLM\...\8058FF31D7C7F4818DC176DAF53CD379968C86E4) (Version: 09/10/2010 9.2.0.1011 - Intel)
Windows Driver Package - Intel System  (11/20/2010 9.2.0.1016) (HKLM\...\43B5066463CEBC83E99586A67037B6F9FC4193FE) (Version: 11/20/2010 9.2.0.1016 - Intel)
Windows Driver Package - Intel USB  (12/21/2010 9.2.0.1021) (HKLM\...\0DD5528A211904214F70A66DE6ADBD378B21566D) (Version: 12/21/2010 9.2.0.1021 - Intel)
Windows Driver Package - Lenovo (LenovoRd) SmartCardReader  (05/11/2009 4.1.0.1) (HKLM\...\9B84710FFAE6C50914FCE568B59E426F1386E7F6) (Version: 05/11/2009 4.1.0.1 - Lenovo)
Windows Driver Package - Lenovo 1.61.00.11 (11/11/2010 1.61.00.11) (HKLM\...\466E9B20D871055D6D3CDA2CDD1D355E978A61AF) (Version: 11/11/2010 1.61.00.11 - Lenovo)
Windows Driver Package - Synaptics (SynTP) Mouse  (05/19/2011 15.3.8.0) (HKLM\...\DDD8A532E361E9A878EBEF69C338B306810DF059) (Version: 05/19/2011 15.3.8.0 - Synaptics)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - CACE Technologies)
XnView 2.32 (HKLM-x32\...\XnView_is1) (Version: 2.32 - Gougelet Pierre-e)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\David\AppData\Local\Microsoft\OneDrive\17.3.6201.1019\amd64\FileCoAuthLib64.dll ()
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\David\AppData\Local\Microsoft\OneDrive\17.3.6201.1019\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\David\AppData\Local\Citrix\GoToMeeting\4670\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll (Google Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0097AE7D-1466-4DAA-A344-ECD4E678BFFD} - System32\Tasks\NetBak-Thinking-David-Job1 => C:\Program Files\QNAP\NetBak\NetBak.exe [2015-10-07] (QNAP Systems, Inc.)
Task: {04A321C5-F4D5-4293-8DCD-6C81BA7AB480} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {11EDD87F-945A-4EDC-95AD-E08DE5693A0B} - System32\Tasks\TVT\TVSUUpdateTask => C:\Program Files (x86)\Lenovo\System Update\tvsuShim.exe [2016-01-13] ()
Task: {131D564D-95F7-46DB-A520-D0D31435CE8A} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSCService.exe [2016-01-08] (Lenovo)
Task: {1E0CED7A-AEFB-40E9-949C-436BA3A951DF} - System32\Tasks\Norton 360\Norton Error Analyzer => C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\SymErr.exe [2016-02-11] (Symantec Corporation)
Task: {2647E977-EC14-4D09-9B28-5A64C9A8C5FD} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton 360\Upgrade.exe [2016-02-26] (Symantec Corporation)
Task: {2BE665AE-26C5-4782-8933-8EFE02AA15C0} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-30] (Microsoft Corporation)
Task: {2F5AC320-D965-4C5F-90B6-707FBDDFEACF} - System32\Tasks\PMTask => C:\Program Files (x86)\ThinkPad\Utilities\PwmIdTsv.exe [2016-04-14] (Lenovo Group Limited)
Task: {320C5F88-9412-4004-B0B1-56438A9BD2B3} - System32\Tasks\CMDLine => \NAS\Documents\Consultancy\Helping Hand\Development\cmdline.bat
Task: {338DF1F9-F0C8-4E10-BD94-B48DB4ABF71B} - System32\Tasks\Lenovo\SimpleTap\Start SimpleTap for Thinking.David => C:\Program Files\Lenovo\SimpleTap\SimpleTap.exe [2011-12-21] (Lenovo)
Task: {3D9AF38E-04AE-4B99-9858-0897D9FBEE47} - System32\Tasks\G2MUploadTask-S-1-5-21-3514529109-4073190309-4292251120-1002 => C:\Users\David\AppData\Local\Citrix\GoToMeeting\4800\g2mupload.exe [2016-04-15] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {3DDDBC9A-186B-47B3-B3C2-A33835EF96FA} - System32\Tasks\NetBak-Thinking-David-AutoStartup => C:\Program Files\QNAP\NetBak\NetBak.exe [2015-10-07] (QNAP Systems, Inc.)
Task: {3E80E80B-1C20-4DDA-8306-5B0C6021F918} - System32\Tasks\DiskUpdate => C:\SWTOOLS\OSFIXES\DISKUPDT\DiskUpdate.exe [2009-02-10] ()
Task: {42A49916-8422-485F-8D37-F0855E758956} - System32\Tasks\Lenovo\Message Center Plus Launcher => C:\Program Files (x86)\Lenovo\message center plus\mcplaunch.exe [2015-03-23] (Lenovo)
Task: {4B1DAD20-46BF-407C-AE7D-B0BD0E748D16} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-31] (Symantec Corporation)
Task: {4BE3582C-03AB-434E-A0C8-2653F93892DE} - System32\Tasks\Lenovo\LSC\LSCHardwareScanPostpone => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2016-01-08] ()
Task: {4BF3734F-477C-44CF-91B0-63107A0B2EC1} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002UA => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2015-09-01] (Google Inc.)
Task: {546BBFCB-6B0B-40CB-9F47-0803101CBDE1} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program => C:\Program Files\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2013-08-08] (Lenovo)
Task: {5BBDBE02-720A-4F56-9894-341FE67CAD7D} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-30] (Microsoft Corporation)
Task: {5E60276C-2A8B-48CA-9EE9-1134DE9A5A6E} - System32\Tasks\G2MUpdateTask-S-1-5-21-3514529109-4073190309-4292251120-1002 => C:\Users\David\AppData\Local\Citrix\GoToMeeting\4800\g2mupdate.exe [2016-04-15] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {641988FA-6C31-471F-B560-1678F60DB853} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002Core => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe [2015-09-01] (Google Inc.)
Task: {6A07AA93-CC94-4EE8-BA8C-E240337DAD53} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {758E3EDE-6FD5-4911-BA15-DD1F232932B6} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-31] (Symantec Corporation)
Task: {773501A7-DE99-4CBB-87F6-C82E7420527B} - System32\Tasks\Lenovo\LSC\Lenovo Solution Center Notifications => C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe [2016-01-08] (Lenovo)
Task: {7F452EC9-70D7-4408-87B2-5044D9FBD8EC} - System32\Tasks\Lenovo\LSC\LSCHardwareScan => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2016-01-08] ()
Task: {82EE52E5-91EC-4E1C-A011-1764EFB5C232} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {84A17430-E0FD-40D5-886D-D08F5436BA91} - System32\Tasks\Synaptics TouchPad Enhancements => Program Files\Synaptics\SynTP\SynTPEnh.exe
Task: {8E70DBCE-E01E-4901-9783-B329DC9A8B40} - System32\Tasks\Lenovo\Lenovo Service Bridge\S-1-5-21-3514529109-4073190309-4292251120-1002 => Rundll32.exe dfshim.dll,ShOpenVerbShortcut C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo\Lenovo Service Bridge.appref-ms
Task: {9A51F902-A50C-4A7B-A963-205248C53418} - System32\Tasks\PCDoctorBackgroundMonitorTask-Delay => C:\Program Files\PC-Doctor\uaclauncher.exe
Task: {9CCFFD7B-2009-4575-9C60-9D0AC8B087E2} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-13] (Adobe Systems Incorporated)
Task: {A1D072CF-0D40-4ABB-A8C2-EB44DC96DFBD} - System32\Tasks\Microsoft\Windows\SyncCenter\S-1-5-21-3514529109-4073190309-4292251120-1002\{750FDF10-2A26-11D1-A3EA-080036587F03}\Offline Files Sync Schedule 1 => C:\Windows\system32\mobsync.exe [2010-11-21] (Microsoft Corporation)
Task: {A8EB77E8-074B-4EA2-B1BA-3410D1858C72} - System32\Tasks\MCP => C:\Program Files (x86)\LENOVO\Message Center Plus\MCPLaunch.exe [2015-03-23] (Lenovo)
Task: {AEBC2F5A-CC74-4AEF-AF51-7BE022C50742} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2015-08-17] (Lenovo)
Task: {AEEFE17C-A8EC-425D-809F-1EFAE7D019DA} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\WSCStub.exe [2016-02-26] (Symantec Corporation)
Task: {BEDCA02C-A242-4A48-AB70-4235D5D062EE} - System32\Tasks\Launch HTC Sync Loader => C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe [2012-05-29] ()
Task: {C22A66FC-3591-4F77-9BDE-04E0C3057F00} - System32\Tasks\Norton 360\Norton Error Processor => C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\SymErr.exe [2016-02-11] (Symantec Corporation)
Task: {C4247DFF-6D42-4419-9CEE-0DCC715AF0B2} - System32\Tasks\StartRapidDriveAdvancedServiceTask => net
Task: {E79AE6A2-8884-4D9C-8BED-7CEACE588FA3} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3514529109-4073190309-4292251120-1002.job => C:\Users\David\AppData\Local\Citrix\GoToMeeting\4800\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3514529109-4073190309-4292251120-1002.job => C:\Users\David\AppData\Local\Citrix\GoToMeeting\4800\g2mupload.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002Core.job => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3514529109-4073190309-4292251120-1002UA.job => C:\Users\David\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\NetBak-Thinking-David-Job1.job => C:\Program Files\QNAP\NetBak\NetBak.exe
Task: C:\Windows\Tasks\PCDoctorBackgroundMonitorTask-Delay.job => C:\Program Files\PC-Doctor\uaclauncher.exeq-backgroundmon scripts\backgroundmon.xml

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\David\Desktop\Windows Backup Status.lnk -> C:\Users\David\wbstatus.bat ()

==================== Loaded Modules (Whitelisted) ==============

2012-02-13 18:15 - 2009-11-05 07:40 - 00085504 _____ () C:\Windows\System32\cpwmon64.dll
2014-03-19 09:50 - 2015-10-13 05:34 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2012-02-02 19:59 - 2015-12-22 10:33 - 00020624 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2013-01-18 11:09 - 2015-11-05 21:21 - 00126256 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2013-10-17 14:27 - 2013-10-17 14:27 - 00166912 _____ () C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
2015-07-22 01:02 - 2015-07-22 01:02 - 00803488 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
2015-10-30 02:19 - 2015-09-02 01:34 - 08901184 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2012-02-02 20:00 - 2016-04-14 06:08 - 00107008 ____N () C:\Program Files (x86)\ThinkPad\Utilities\US\PWMRT64V.DLL
2010-12-19 09:20 - 2010-12-19 09:20 - 00173856 _____ () C:\Program Files\ThinkPad\Bluetooth Software\btkeyind.dll
2012-06-19 00:54 - 2012-06-19 00:54 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_05.dll
2015-10-07 19:31 - 2015-10-07 19:31 - 00142512 _____ () C:\Program Files\QNAP\NetBak\RdiffDll.dll
2016-02-25 14:12 - 2016-02-25 14:12 - 00821240 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
2012-02-02 19:58 - 2011-03-06 20:37 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-02-02 19:54 - 2010-10-26 09:40 - 00049056 ____N () C:\Program Files\CONEXANT\ForteConfig\fmapp.exe
2012-02-17 00:48 - 2009-08-11 12:57 - 00303104 _____ () C:\Program Files (x86)\MultiScreen\MultiScreen.exe
2012-02-17 00:36 - 2008-10-01 14:46 - 00036864 _____ () C:\Program Files (x86)\MagicTune Premium\GammaTray.exe
2015-07-22 01:02 - 2015-07-22 01:02 - 31535264 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
2010-12-19 09:20 - 2010-12-19 09:20 - 00171296 _____ () C:\Program Files\ThinkPad\Bluetooth Software\Bluetooth Headset Helper.exe
2012-05-29 09:06 - 2012-05-29 09:06 - 00655360 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
2015-06-08 12:07 - 2015-06-08 12:07 - 00065776 _____ () C:\Program Files (x86)\Lenovo\Access Connections\ACSonyEricssonHlpr.dll
2010-03-23 12:26 - 2010-03-23 12:26 - 00201512 _____ () C:\Program Files (x86)\Cisco Systems\VPN Client\vpnapi.dll
2014-03-21 15:05 - 2014-03-21 15:05 - 00031080 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\DbAccess.dll
2016-02-25 14:11 - 2016-02-25 14:11 - 00607016 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\sqlite3.dll
2014-03-21 15:06 - 2014-03-21 15:06 - 00059752 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\NAdvLog.dll
2014-03-21 15:06 - 2014-03-21 15:06 - 00036216 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\NFileCacheDBAccess.dll
2014-03-21 15:06 - 2014-03-21 15:06 - 00080248 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\ninstallerhelper.dll
2014-03-21 15:08 - 2014-03-21 15:08 - 00129376 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\zlib1.dll
2014-03-21 15:09 - 2014-03-21 15:09 - 00223592 _____ () C:\Program Files (x86)\HTC\HTC Sync Manager\DevConnMon.dll
2012-02-02 19:58 - 2011-03-11 04:36 - 00065576 ____R () C:\Program Files (x86)\Mobile Broadband drivers\WMCore\MBMDebug.dll
2015-02-25 11:32 - 2015-12-22 10:33 - 00020808 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2012-02-17 00:48 - 2009-08-11 12:54 - 00094208 _____ () C:\Program Files (x86)\MultiScreen\TitleBar.dll
2012-02-02 20:08 - 2011-10-01 09:27 - 00218624 _____ () C:\Program Files (x86)\Lenovo\RapidDrive Advanced\SSDetectPartition.dll
2014-08-27 20:56 - 2011-06-29 18:09 - 02085888 _____ () C:\Program Files\Lenovo\AutoLock\cv210.dll
2014-08-27 20:56 - 2011-06-29 18:09 - 02201088 _____ () C:\Program Files\Lenovo\AutoLock\cxcore210.dll
2012-02-17 00:48 - 2009-08-11 12:54 - 00053248 _____ () C:\Program Files (x86)\MultiScreen\SmartMouseDll.dll
2012-02-17 00:48 - 2009-08-11 12:56 - 00053248 _____ () C:\Program Files (x86)\MultiScreen\MGResEng.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 00104448 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\OutputLog.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 00516599 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 00094208 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\fdHttpd.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 00393216 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\HtcDetect.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 00151552 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDisk.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 00172032 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\htcDetectLegend.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 00559244 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\sqlite3.7.dll
2012-05-29 09:06 - 2012-05-29 09:06 - 01515520 _____ () C:\Program Files (x86)\HTC\HTC Sync 3.0\Maps\R66Api.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:9A870F8B [992]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\europcar.com.au -> hxxps://www.europcar.com.au

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 12:04 - 2009-06-11 06:30 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\David\Pictures\P1020272.JPG
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: SDRSVC => 3
MSCONFIG\Services: wbengine => 3

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{930E33EE-28DE-441B-9A07-B27535C4EAAA}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
FirewallRules: [{DDEF3A8D-E451-48D4-A062-A676E84BE58E}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
FirewallRules: [{20A86D67-BD88-47E1-9E07-DD6B758BB9B7}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{E628B83B-0E11-453A-BEE3-69DE0B566E0C}] => (Allow) LPort=2869
FirewallRules: [{D34B82B3-49F3-4DC3-AB9F-2B4CDFD9FA55}] => (Allow) LPort=1900
FirewallRules: [{D5E97B58-30AD-4DF5-9DD9-60ABC6B068DF}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{459C9330-0AF4-4AC7-BF0A-ED3F8F4C2E48}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{999C60EA-3495-4B41-9F37-511F5CFE4D14}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [TCP Query User{70EEABB5-5F21-44FB-AA97-22127DF514B5}C:\users\david\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\david\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{E0453474-DB66-438C-9B77-2CAB1B12B8E4}C:\users\david\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\david\appdata\local\akamai\netsession_win.exe
FirewallRules: [TCP Query User{CBA53CCE-7390-4B98-A6DC-4F1245D8589D}C:\users\david\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\david\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{89119F50-FAB3-4854-808D-D916262EB4F5}C:\users\david\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\david\appdata\local\akamai\netsession_win.exe
FirewallRules: [{480A40B3-D1B8-4990-BD0B-58115052A34D}] => (Allow) C:\Program Files (x86)\Microsoft Lync Attendee\AttendeeCommunicator.exe
FirewallRules: [{3A254E6A-7955-49B7-8C81-8804421540FF}] => (Allow) C:\Users\David\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2EC6C4AA-9C32-4F61-A09D-18971227EF23}] => (Allow) C:\Users\David\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{AE0F5571-A64C-4D47-8B4E-5D79DBBDD0AD}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{D875FD67-B4CA-42C4-8F04-938960EAA594}] => (Allow) C:\Users\David\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{7F946AE8-EBBA-45DF-847B-108F1D6A5F7D}] => (Allow) C:\Users\David\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{7F11C1F9-7548-4C13-BBB6-3E0602F83561}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{5F8C0AE2-A154-4E56-87C4-87DF5334EC31}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [TCP Query User{EAD54EAC-99ED-49C8-8D97-34827C5FB2FF}C:\program files (x86)\qnap\finder\finder.exe] => (Allow) C:\program files (x86)\qnap\finder\finder.exe
FirewallRules: [UDP Query User{FE4F8B43-29C5-4A8E-8D49-63B50981A601}C:\program files (x86)\qnap\finder\finder.exe] => (Allow) C:\program files (x86)\qnap\finder\finder.exe
FirewallRules: [{9FFFEAC1-1221-433F-8141-298C130CC63B}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{880AA532-E790-4870-B1DD-E93E3656E586}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{B480FCF4-81B9-42BC-8C20-1424E373CD98}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{1476A106-5CF5-45E6-9F81-103DEA774B78}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{2017362A-B68B-458C-9EC3-A9871F82C1B5}] => (Allow) C:\Users\David\AppData\Local\Microsoft\OneDrive\OneDrive.exe
FirewallRules: [{92DCAD2F-2F8E-48B8-8FCF-8FE79CBE29BE}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{31758A6A-926A-4A51-A079-3DFFBB121F04}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{BF0D8D5C-BDDB-472B-8DB1-24B12ACE3A8C}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [TCP Query User{8E40521F-3F57-4A83-9B07-051746C6B3D9}C:\users\david\appdata\local\microsoft\lwaplugin\x86\15.8\lwaplugin.exe] => (Allow) C:\users\david\appdata\local\microsoft\lwaplugin\x86\15.8\lwaplugin.exe
FirewallRules: [UDP Query User{75817BBF-4510-4FF4-A456-2B7D569AF380}C:\users\david\appdata\local\microsoft\lwaplugin\x86\15.8\lwaplugin.exe] => (Allow) C:\users\david\appdata\local\microsoft\lwaplugin\x86\15.8\lwaplugin.exe
FirewallRules: [{3FBEAF0F-EF32-40AE-A90D-C8961745476F}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{4AE668F3-91E9-4121-8B6E-23C6A4201050}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{F1CFE397-99F7-4CE3-9FE3-566FE54B10A1}] => (Allow) C:\Program Files (x86)\Lenovo\System Update\uncserver.exe
FirewallRules: [{13FDEE9E-338B-4CA1-80E5-1F5B0FA746A6}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{8B8AAB5F-B833-479E-A1AD-4757A482C57E}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{9D86CC0E-362D-49A0-B40F-A10C18522F9E}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{41FFC8BE-53E0-4752-8572-57322C7DB53A}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{0EC8B98A-C6E9-41EB-BD93-E98DD109958C}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{B3CA0CF1-E765-4D1F-9345-934B45A59F6D}] => (Allow) C:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{64C7AF2B-EA66-4917-8F18-83B2383BEAF1}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{B23F90A5-FB18-4E54-A056-AF82B538042C}] => (Block) LPort=443

==================== Restore Points =========================

27-04-2016 16:28:52 Removed AccdbMerge Pro
28-04-2016 09:17:25 Installed Power Manager
28-04-2016 14:56:58 Norton_Power_Eraser_20160428145658769

==================== Faulty Device Manager Devices =============

Name: Lexmark X422
Description: Lexmark X422
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Lexmark
Service: usbscan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Cisco Systems VPN Adapter for 64-bit Windows
Description: Cisco Systems VPN Adapter for 64-bit Windows
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/28/2016 10:11:24 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:23 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:22 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:21 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:20 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:09 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:08 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:07 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:06 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()

Error: (04/28/2016 10:11:05 PM) (Source: RapidDrive Advanced Service) (EventID: 12293) (User: )
Description: General Error: Disk serial number is empty..    at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk.GetPhysicalSerialNumber(String driveLetter)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.Disk..ctor(DriveInfo drive)
   at Lenovo.RapidDriveAdvanced.DataProvidersAndWatchServices.DiskManager.EnumerateDrives()


System errors:
=============
Error: (04/28/2016 10:09:09 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\PROGRA~2\COMMON~1\INSTAL~1\UPDATE~1\agent.exe -Embedding740{FFF2D28F-E4EE-44D9-8104-8E71556757F6}

Error: (04/28/2016 10:08:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Norton Identity Safe service failed to start due to the following error:
%%1053

Error: (04/28/2016 10:08:25 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Norton Identity Safe service to connect.

Error: (04/28/2016 04:17:04 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (04/28/2016 04:17:04 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (04/28/2016 04:16:59 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (04/28/2016 04:12:48 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (04/28/2016 04:12:48 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (04/28/2016 04:12:48 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (04/28/2016 04:12:32 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068


CodeIntegrity:
===================================
  Date: 2014-01-13 20:07:06.033
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:05.803
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:05.583
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:05.233
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:04.953
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:04.633
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:04.373
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:04.133
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:03.903
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-13 20:07:03.513
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\cryptnet.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™ i7-2640M CPU @ 2.80GHz
Percentage of memory in use: 33%
Total physical RAM: 8074.23 MB
Available physical RAM: 5406.55 MB
Total Virtual: 16146.66 MB
Available Virtual: 13028.42 MB

==================== Drives ================================

Drive c: (Windows7_OS) (Fixed) (Total:131.96 GB) (Free:19.62 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (BACKUP) (Removable) (Total:0.97 GB) (Free:0.86 GB) FAT
Drive q: (Lenovo_Recovery) (Fixed) (Total:15.62 GB) (Free:5.64 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149.1 GB) (Disk ID: 1A23200D)
Partition 1: (Active) - (Size=1.5 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=132 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=15.6 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 990 MB) (Disk ID: 01E9F56B)
Partition 1: (Active) - (Size=990 MB) - (Type=06)

==================== End of Addition.txt ============================

--- END ---

Thank you.



#4 Jo*

  • Malware Response Team
  • 3,445 posts
  • Gender:Male
  • Location:Germany

Posted 28 April 2016 - 09:35 AM

Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt.

CreateRestorePoint:
CloseProcesses:
FF NetworkProxy: "ftp", "220.173.139.172"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "gopher", "220.173.139.172"
FF NetworkProxy: "gopher_port", 8080
FF NetworkProxy: "http", "220.173.139.172"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "220.173.139.172"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "220.173.139.172"
FF NetworkProxy: "ssl_port", 8080
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {25a01f47-4d87-11e1-86fc-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {50e07675-caa4-11e5-a586-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ac8ce2c3-cff8-11e3-b48f-028037ec0200} - D:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ec067731-cdfb-11e5-ba86-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
GroupPolicyScripts: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3514529109-4073190309-4292251120-1002] => 220.173.139.172:8080
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> DefaultScope {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {07921B9E-C4E0-41BE-9E2B-F17685907888} URL = hxxp://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {39A5CE29-F8BE-425B-BB52-3D9FCEC0586E} URL = hxxp://www.linkedin.com/search/fpsearch?name={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {595C041B-BAFB-4893-88F4-E049DB531B6E} URL = hxxp://abr.business.gov.au/search.aspx?SearchText={searchTerms}&StartSearch=True&bqs=1
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {903BF549-8979-484A-A2BD-097AF77D6FE0} URL = hxxp://dictionary.reference.com/browse/{searchTerms}?r=75&src=ref&ch=dic
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NSBU&chn=1000&geo=AU&ver=22&locale=en_AU&gct=kwd&qsrc=2869
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {CB81E7B2-E6A9-42F6-BBA0-2ACF465F2F87} URL = hxxp://www.facebook.com/#/search/?ref=search&q={searchTerms}&init=quick
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {F94E17F4-1DB4-4700-8ADF-F1DB0605668F} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=871A8FAE-CBEB-4251-B84D-A34A4ED0D763&apn_sauid=B0F14DB3-F3ED-4CC5-8D1E-F01470E19596
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Norton Confidential) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.0.140_0\npcoplgn.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
R3 QDrive; \??\C:\Users\David\AppData\Local\Temp\QDrive.sys [X]
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
AlternateDataStreams: C:\ProgramData\Temp:9A870F8B [992]
EmptyTemp:
RemoveProxy:
End


NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

Download and run Chrome Software Cleaner

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
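
The proxy entries in the fixlist above are the indicators worth understanding: every Firefox network.proxy scheme (http, ssl, ftp, socks, gopher) and the per-user WinINet ProxyServer value all point at 220.173.139.172:8080, so both browser stacks were routing the user's web traffic through one external host. The script below is an added example for this thread; it is not FRST's code and not part of any post. It parses FRST-formatted lines (the embedded sample is copied from the fixlist), extracts each proxy endpoint, flags endpoints on public addresses, and reports when the same host is set in both Firefox and WinINet. The function names, the returned report layout, and the rule that only "localhost" and ".local" hostnames count as internal are this example's own assumptions.

```python
"""Proxy-hijack triage over FRST log lines.

Added example for this thread; it is not FRST's code and not part of any
post above. Function names, the is_external heuristic and the layout of
the returned report are this example's own assumptions.
"""
import ipaddress
import re
import sys
from typing import Dict, Iterable, Tuple

# Constructed sample: the proxy-related entries copied from the fixlist.
SAMPLE_FRST_LINES = """\
FF NetworkProxy: "ftp", "220.173.139.172"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "gopher", "220.173.139.172"
FF NetworkProxy: "gopher_port", 8080
FF NetworkProxy: "http", "220.173.139.172"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "220.173.139.172"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "220.173.139.172"
FF NetworkProxy: "ssl_port", 8080
GroupPolicyScripts: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3514529109-4073190309-4292251120-1002] => 220.173.139.172:8080
"""

FF_PROXY_RE = re.compile(r'^FF NetworkProxy:\s+"([^"]+)",\s+(.+)$')
SYS_PROXY_RE = re.compile(r'^ProxyServer:\s+\[([^\]]+)\]\s+=>\s+(.+)$')
FF_SCHEMES = ("http", "ssl", "ftp", "socks", "gopher")


def parse_ff_proxy(lines: Iterable[str]) -> Dict[str, Tuple[str, int]]:
    """Firefox network.proxy.* prefs as {scheme: (host, port)}."""
    prefs = {}
    for line in lines:
        m = FF_PROXY_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return {
        s: (prefs[s], int(prefs.get(f"{s}_port", 0)))
        for s in FF_SCHEMES
        if prefs.get(s)
    }


def parse_system_proxy(lines: Iterable[str]) -> Dict[str, Tuple[str, int]]:
    """Per-user WinINet ProxyServer values as {sid: (host, port)}.

    WinINet stores either "host:port" or "http=host:port;https=host:port".
    Only the first listed endpoint is taken here.
    """
    result = {}
    for line in lines:
        m = SYS_PROXY_RE.match(line.strip())
        if not m:
            continue
        sid, value = m.group(1), m.group(2).strip()
        first = value.split(";")[0]
        if "=" in first:
            first = first.split("=", 1)[1]
        host, sep, port = first.rpartition(":")
        if not sep:
            host, port = first, "80"
        result[sid] = (host, int(port))
    return result


def is_external(host: str) -> bool:
    """True when a proxy host is outside the machine or its private network.

    Heuristic (assumption): literal IPs are classified with ipaddress;
    hostnames count as internal only if "localhost" or ending in ".local".
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower()
        return not (h == "localhost" or h.endswith(".local"))
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(text: str) -> dict:
    """Return the proxy indicators a responder should act on."""
    lines = text.splitlines()
    ff = parse_ff_proxy(lines)
    sysp = parse_system_proxy(lines)
    ff_bad = {s: hp for s, hp in ff.items() if is_external(hp[0])}
    sys_bad = {sid: hp for sid, hp in sysp.items() if is_external(hp[0])}
    # The same external host in both browser stacks points to one actor
    # setting both, not a user mistyping a proxy in a single browser.
    shared = {h for h, _ in ff_bad.values()} & {h for h, _ in sys_bad.values()}
    gpo = any(ln.startswith("GroupPolicyScripts: Restriction") for ln in lines)
    return {
        "firefox": ff_bad,
        "wininet": sys_bad,
        "shared_hosts": shared,
        "gpo_restriction": gpo,
    }


if __name__ == "__main__":
    # Usage: python3 proxy_triage.py [FRST.txt]; defaults to the sample.
    text = SAMPLE_FRST_LINES
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for section, items in triage(text).items():
        print(f"{section}: {items}")
```

A proxy on a public address that both Firefox (with share_proxy_settings set) and WinINet are told to use gives whoever runs that host a position in front of all of the user's plain-HTTP traffic, and the RemoveProxy: directive at the end of the fixlist is what clears the WinINet side. The script only reads FRST output, so it can be run on a clean machine against a copied log without connecting the infected PC to the Internet.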


#5 Primo2

  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male

Posted 28 April 2016 - 07:38 PM

Below is the Fixlog.txt.

Note that Norton blocked some further "Trojan Bedep Activity" while I had my PC on to run this Fix.

A couple of questions:

1. Is it possible to identify when these exploits were installed? (was it only yesterday when activity was noticed, or some time ago?)

2. Can you let me know if/when my infected PC needs to be connected to the Internet while performing these actions? Otherwise I'd prefer to keep it disconnected.

Thanks very much.


Fix result of Farbar Recovery Scan Tool (x64) Version:27-04-2016
Ran by David (2016-04-29 09:09:30) Run:1
Running from C:\Users\David\Desktop
Loaded Profiles: David (Available Profiles: David)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
FF NetworkProxy: "ftp", "220.173.139.172"
FF NetworkProxy: "ftp_port", 8080
FF NetworkProxy: "gopher", "220.173.139.172"
FF NetworkProxy: "gopher_port", 8080
FF NetworkProxy: "http", "220.173.139.172"
FF NetworkProxy: "http_port", 8080
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "220.173.139.172"
FF NetworkProxy: "socks_port", 8080
FF NetworkProxy: "ssl", "220.173.139.172"
FF NetworkProxy: "ssl_port", 8080
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {25a01f47-4d87-11e1-86fc-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {50e07675-caa4-11e5-a586-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ac8ce2c3-cff8-11e3-b48f-028037ec0200} - D:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\...\MountPoints2: {ec067731-cdfb-11e5-ba86-028037ec0200} - E:\HTC_Sync_Manager_PC.exe
GroupPolicyScripts: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3514529109-4073190309-4292251120-1002] => 220.173.139.172:8080
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> DefaultScope {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {07921B9E-C4E0-41BE-9E2B-F17685907888} URL = hxxp://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {39A5CE29-F8BE-425B-BB52-3D9FCEC0586E} URL = hxxp://www.linkedin.com/search/fpsearch?name={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {595C041B-BAFB-4893-88F4-E049DB531B6E} URL = hxxp://abr.business.gov.au/search.aspx?SearchText={searchTerms}&StartSearch=True&bqs=1
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {903BF549-8979-484A-A2BD-097AF77D6FE0} URL = hxxp://dictionary.reference.com/browse/{searchTerms}?r=75&src=ref&ch=dic
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {A2B6DCA7-91B3-4ABE-8908-967880222CB4} URL = hxxp://www.google.com.au/search?hl=en&source=hp&q={searchTerms}&btnG=Google+Search&meta=&aq=f&oq=&rlz=1I7LENP_enAU470
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NSBU&chn=1000&geo=AU&ver=22&locale=en_AU&gct=kwd&qsrc=2869
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {CB81E7B2-E6A9-42F6-BBA0-2ACF465F2F87} URL = hxxp://www.facebook.com/#/search/?ref=search&q={searchTerms}&init=quick
SearchScopes: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002 -> {F94E17F4-1DB4-4700-8ADF-F1DB0605668F} URL = hxxp://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=871A8FAE-CBEB-4251-B84D-A34A4ED0D763&apn_sauid=B0F14DB3-F3ED-4CC5-8D1E-F01470E19596
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (Norton Confidential) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.0.140_0\npcoplgn.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll => No File
R3 QDrive; \??\C:\Users\David\AppData\Local\Temp\QDrive.sys [X]
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\David\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
AlternateDataStreams: C:\ProgramData\Temp:9A870F8B [992]
EmptyTemp:
RemoveProxy:
End
*****************

Restore point was successfully created.
Processes closed successfully.
Firefox Proxy settings were reset.
FF NetworkProxy: "ftp_port", 8080 => not found
FF NetworkProxy: "gopher", "220.173.139.172" => not found
FF NetworkProxy: "gopher_port", 8080 => not found
FF NetworkProxy: "http", "220.173.139.172" => not found
FF NetworkProxy: "http_port", 8080 => not found
FF NetworkProxy: "no_proxies_on", "*.local" => not found
FF NetworkProxy: "share_proxy_settings", true => not found
FF NetworkProxy: "socks", "220.173.139.172" => not found
FF NetworkProxy: "socks_port", 8080 => not found
FF NetworkProxy: "ssl", "220.173.139.172" => not found
FF NetworkProxy: "ssl_port", 8080 => not found
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{25a01f47-4d87-11e1-86fc-806e6f6e6963}" => key removed successfully
HKCR\CLSID\{25a01f47-4d87-11e1-86fc-806e6f6e6963} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{50e07675-caa4-11e5-a586-028037ec0200}" => key removed successfully
HKCR\CLSID\{50e07675-caa4-11e5-a586-028037ec0200} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ac8ce2c3-cff8-11e3-b48f-028037ec0200}" => key removed successfully
HKCR\CLSID\{ac8ce2c3-cff8-11e3-b48f-028037ec0200} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec067731-cdfb-11e5-ba86-028037ec0200}" => key removed successfully
HKCR\CLSID\{ec067731-cdfb-11e5-ba86-028037ec0200} => key not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{07921B9E-C4E0-41BE-9E2B-F17685907888}" => key removed successfully
HKCR\CLSID\{07921B9E-C4E0-41BE-9E2B-F17685907888} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{39A5CE29-F8BE-425B-BB52-3D9FCEC0586E}" => key removed successfully
HKCR\CLSID\{39A5CE29-F8BE-425B-BB52-3D9FCEC0586E} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{595C041B-BAFB-4893-88F4-E049DB531B6E}" => key removed successfully
HKCR\CLSID\{595C041B-BAFB-4893-88F4-E049DB531B6E} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{903BF549-8979-484A-A2BD-097AF77D6FE0}" => key removed successfully
HKCR\CLSID\{903BF549-8979-484A-A2BD-097AF77D6FE0} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A2B6DCA7-91B3-4ABE-8908-967880222CB4}" => key removed successfully
HKCR\CLSID\{A2B6DCA7-91B3-4ABE-8908-967880222CB4} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => key removed successfully
HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CB81E7B2-E6A9-42F6-BBA0-2ACF465F2F87}" => key removed successfully
HKCR\CLSID\{CB81E7B2-E6A9-42F6-BBA0-2ACF465F2F87} => key not found.
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F94E17F4-1DB4-4700-8ADF-F1DB0605668F}" => key removed successfully
HKCR\CLSID\{F94E17F4-1DB4-4700-8ADF-F1DB0605668F} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\pdf.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => not found.
C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.0.140_0\npcoplgn.dll => not found.
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll => not found.
c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll => not found.
QDrive => Service stopped successfully.
QDrive => service removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}" => key removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully
"HKU\S-1-5-21-3514529109-4073190309-4292251120-1002_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}" => key removed successfully
C:\ProgramData\Temp => ":9A870F8B" ADS removed successfully.

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3514529109-4073190309-4292251120-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

EmptyTemp: => 1 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 09:09:51 ====



#6 Jo* (Malware Response Team, 3,445 posts, Germany)

Posted 29 April 2016 - 01:18 AM

Hello,

We need an Internet connection while our tools are running!

Step 1: Run Malwarebytes Anti-Rootkit again: right-click mbar.exe and select Run As Administrator.
  • Scan your system for malware.
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If no malware is found, please let me know as well.

***


Step 2: Double-click AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users: right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the status line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Cleaning button.
  • Press OK when asked to close all programs and follow the on-screen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Step 3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double-click JRT.exe to run the tool.
Vista / Windows 7/8 users: right-click and select Run As Administrator.
  • JRT will begin to back up your registry and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Re-enable your antivirus!
Post the contents of JRT.txt in your next reply.


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 Primo2 (Topic Starter, Members, 23 posts)

Posted 29 April 2016 - 03:52 AM

Hi,

On turning on the PC and enabling its network connection, Norton again detected excessive network traffic going from my PC to the Internet and offered to run Power Eraser, which I declined.
Norton also continued to block "Trojan Bedep Activity".

On running MBAR, it immediately displayed the dialog box which it had previously, stating that: Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity. I again answered "No" to having it removed.

I then allowed MBAR to update its version, before pressing Scan.

MBAR's scan ran for a while, and then displayed a dialog box stating that "The system volume seems inaccessible or encrypted. Scan can't continue." (screenshot attached: mbar error.JPG)

Below is the contents of the MBAR-log-***.txt file, as requested. I have also attached a copy of system-log.txt, which includes data previously reported plus more. (attached: system-log.txt)

I have turned my PC off once again, as I am concerned that the longer it is left active (especially with networking enabled) the more damage is being done by the remaining malware.

Thanks.

----------


Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2016.04.29.02
  rootkit: v2016.04.17.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18282
David :: THINKING [administrator]

29/04/2016 5:44:05 PM
mbar-log-2016-04-29 (17-44-05).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 0
Time elapsed: 2 minute(s), 2 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#8 Jo* (Malware Response Team, 3,445 posts, Germany)

Posted 29 April 2016 - 04:18 AM

Thank you,

Your system has a serious infection with a backdoor called Bedep. This also explains the resistance towards malware removal tools.

Please read the warning below before you proceed.

Backdoor Warning

------------------------------

One or more of the identified malware samples is known to use a backdoor, which allows attackers to remotely control your computer, download/execute files and steal system, financial and personal information.

If your computer has been used for online banking, has credit card information or other sensitive data, using a non-compromised computer/device you should immediately change all account information (including those used for Email, eBay, Paypal, online forums, etc).

Banking and credit card institutions should be notified of the possible security breach. Please read the following article for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Whilst the identified malware can be removed, there is no way to guarantee the trustworthiness of your computer unless you reformat your hard drive and reinstall your Operating System. This is due to the nature of the malware, which allows a remote attacker to make any kind of modification. Many experts in the security community believe that once compromised with this type of malware, the best course of action is to reformat/reinstall. Please read the following articles for more information.

You now have the choice between cleaning the malware present or reformatting your computer. Ultimately, the decision is yours, and what you're most comfortable with. Once you've read the articles linked above, let me know if you have any questions, and how you wish to proceed.




#9 Primo2 (Topic Starter, Members, 23 posts)

Posted 29 April 2016 - 06:47 AM

Hi Jo,

Yes, as in my first post, Norton also identified Bedep.

Given your "Backdoor Warning" quote, I should keep the PC disconnected from the Internet and will do a reformat and full reinstall.

I have most of my important files backed up, but need to have a last look on the PC to see if I've missed anything.

1. Is booting it in Safe Mode a "safe" thing to do, or could malicious code still become active?

2. If not, what type of access method would you recommend? (It's a laptop, so it's probably NOT practical to remove the solid state hard drive and mount it elsewhere.)

3. Even if I were to boot the PC from a CD or USB drive, do I still need to somehow clean my C drive's boot sector first?

4. As per the question in my previous post, were you able to tell how recently the PC was infected?

Thanks.



#10 Jo* (Malware Response Team, 3,445 posts, Germany)

Posted 29 April 2016 - 07:57 AM

I cannot date the infection, but most likely it happened during the last 3 to 5 days.

---

I would not copy the files using Windows but use a bootable live Linux disk to take Windows out of the picture.

The point of using a Linux boot CD/DVD is that it is not vulnerable to any Windows malware vector, both because it is Linux, and because its launch media is a read-only medium so cannot receive any infection. If you then copy data files to a USB flash drive or HDD while the Linux OS is running the computer, any Windows infection vector such as an autorun infector is inactive, so it cannot infect the removable drive.

This doesn't prevent a copied file from already containing some kind of malware, but the same principle can be applied to checking the copied files, by booting from a non-Windows environment and scanning the drive contents. Two facilities I use for this purpose are Kaspersky Rescue Disk and Emsisoft Emergency Kit:

http://support.kaspersky.com/viruses/rescuedisk

http://www.emsisoft.com.au/en/software/eek/


If you decide to use a live Linux disk, you can burn a Parted Magic ISO to disc. It can be downloaded here. See this guide on using it to recover files to an external USB drive.

---


The best course of action is to wipe the drive clean, reformat and reinstall the OS.

Please read:
When should I re-format? How should I reinstall?

Reformat means that all data on your system gets wiped out and the operating system needs to be reinstalled. So you have to back up all personal files, e.g., to an external drive, before you attempt a reformat.
You should not use your infected computer to access any important accounts. The malware will just steal your credentials again, even after a password change. Access your accounts and change your passwords only from a clean system.

You will need the following things for reformatting your system:
  • Storage device to back up your data, e.g., external harddrive
  • Windows Installation Disk or Installation USB
  • Driver Installation Disk or Installation USB
  • Windows Product Key
  • Microsoft Office Product Key
Do you have all these?

***


Here are some preventive tips to reduce the potential for spyware infection in the future.

Step 1: Browse more securely
  • WOT - Know which websites to trust
    Web of Trust - this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam.
  • Make sure you keep your Windows OS current.
    • Windows XP users can visit Windows Update regularly to download and install any critical updates and service packs.
    • Windows Vista / 7 / 8 users can update via
      Start menu > All Programs > Windows Update > Check for Updates (in the left-hand task pane).

Step 3: Avoid P2P
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P file sharing as an important channel to spread their wares.

Step 4: Use only one anti-virus program and keep it up to date.

Step 5: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

Step 6: Back up regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

Step 7: Use strong passwords!

Step 8: Email attachments
Do not open any unknown email attachments which you received without asking for them!


Extra note:
Keep your browser, Java, PDF reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date, because older versions may contain security vulnerabilities.

***


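The recovery advice in the post above (boot a live Linux, copy the data off without letting Windows run, then scan the copies before trusting them) is a procedure, and the part that is easy to get wrong is what not to copy: in this case Power Eraser had already flagged two shortcuts, an unsigned driver lived under the user's Temp folder, and an autorun infector is exactly the thing a mounted USB drive must not pick up. The script below is an added example, not code from the original thread or from any of the tools it names. It assumes the suspect Windows volume is mounted read-only (for instance at /mnt/win) and the destination drive is mounted elsewhere (for instance at /mnt/usb); both paths, the skip lists and the manifest format are choices of the example, not something the thread specifies.

```python
"""Copy user documents off a mounted, suspect Windows volume while leaving
behind anything that can execute or launch something on the next PC.

Added example, not from the original thread. Assumes a live Linux with the
Windows volume mounted read-only and a destination mounted read-write; the
paths given on the command line are placeholders.
"""
import hashlib
import os
import shutil
import sys

# Extensions that execute, or that Windows Explorer will launch on open.
SKIP_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".sys", ".cpl", ".msi",
    ".lnk", ".url", ".bat", ".cmd", ".ps1", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".hta", ".jar", ".reg", ".inf",
}
# Per-file names that are never user data.
SKIP_FILENAMES = {"autorun.inf", "desktop.ini", "thumbs.db", "ntuser.dat"}
# Directory names (case-insensitive) to leave behind entirely.
SKIP_DIRS = {"appdata", "temp", "tmp", "$recycle.bin", "system volume information"}


def should_skip(path):
    """True for executables, shortcuts, scripts and known non-data files."""
    name = os.path.basename(path).lower()
    _, ext = os.path.splitext(name)
    return name in SKIP_FILENAMES or ext in SKIP_EXTENSIONS


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def recover_documents(src_root, dst_root):
    """Walk src_root and copy eligible files to dst_root, preserving layout.

    Returns (copied, skipped): copied maps relative path -> SHA-256 of the
    copy, skipped is a sorted list of relative paths left behind. Symlinks
    and junctions are not followed, so a reparse point on the infected
    volume cannot redirect the walk somewhere else.
    """
    copied, skipped = {}, []
    for dirpath, dirnames, filenames in os.walk(src_root, followlinks=False):
        dirnames[:] = sorted(d for d in dirnames if d.lower() not in SKIP_DIRS)
        for fn in sorted(filenames):
            src = os.path.join(dirpath, fn)
            rel = os.path.relpath(src, src_root)
            if os.path.islink(src) or should_skip(src):
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            copied[rel] = sha256_of(dst)
    return copied, sorted(skipped)


def write_manifest(copied, manifest_path):
    """Write 'sha256  path' lines, the format that `sha256sum -c` reads."""
    with open(manifest_path, "w") as f:
        for rel, digest in sorted(copied.items()):
            f.write(f"{digest}  {rel}\n")
    return manifest_path


if __name__ == "__main__":
    if len(sys.argv) != 3:
        # Placeholder paths (assumption): adjust to where the volumes are mounted.
        print("usage: recover.py /mnt/win/Users/<name> /mnt/usb/recovered")
        sys.exit(2)
    copied, skipped = recover_documents(sys.argv[1], sys.argv[2])
    manifest = write_manifest(copied, os.path.join(sys.argv[2], "MANIFEST.sha256"))
    print(f"copied {len(copied)} files, skipped {len(skipped)}; manifest: {manifest}")
```

The manifest lets you scan the destination drive with a rescue disk, as the post suggests, and later confirm with `sha256sum -c MANIFEST.sha256` that nothing on it has changed since it was copied. Skipping whole executables and shortcuts is deliberately blunt: a document format can still carry macros, which is why the copies are scanned before they are opened on the rebuilt system.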


#11 Jo* (Malware Response Team, 3,445 posts, Germany)

Posted 04 May 2016 - 03:49 AM

Hi,

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.



#12 Primo2 (Topic Starter, Members, 23 posts)

Posted 04 May 2016 - 03:59 AM

Hi Jo,

I have recovered my documents and reformatted the drive.

I am still in the process of re-installing everything back again... it will take a while!

Happy for you to close this thread now.

Thank you very much for your assistance.

Cheers.



#13 Jo* (Malware Response Team, 3,445 posts, Germany)

Posted 04 May 2016 - 04:15 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





