My AntiVirus program keeps detecting trojans - JS/Nemucod & W97M/Downloader
5 replies to this topic

#1 froman (Members, 9 posts)

Posted 07 May 2016 - 05:58 PM

Back in late March, I noticed that my antivirus software (McAfee) had been silently detecting and quarantining various trojans on a weekly basis since November 2015. I posted a topic on this forum, followed the instructions given to me, and the problem appeared to be resolved. Unfortunately, this resolution was only temporary. As of April 30th, I am once again seeing the same trojans being detected and quarantined.

 

Recent quarantined trojans are as follows:

JS/Nemucod.il
JS/Nemucod.ik
JS/Nemucod.eq
Generic Packed.js
w97M/Downloader.bct

 

The locations where these threats were detected are:

C:\Windows\Temp\MCE00000\MCE00001
C:\Users\[computer name]\AppData\Local\Google\Chrome\User Data\Default\Cache

 

Oddly - or maybe not - I "don't currently have permission to access" the Temp folder, and the AppData folder was initially hidden when I checked to see if I could access that folder. Presumably I can regain access to the Temp folder easily enough, but I figured I'd go through the steps advised here before clicking any further.

 

Anyhow, FRST.txt report is as follows, and Addition.txt is attached:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by orion (administrator) on -O- (07-05-2016 14:21:22)
Running from C:\Users\orion\Desktop
Loaded Profiles: orion (Available Profiles: orion)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(arvato digital services llc) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
() C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe
(Western Digital) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(UC-Logic Technology Corp.) C:\Windows\System32\drivers\WTSrv.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Western Digital ) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek semiconductor) C:\Windows\RTFTrack.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Lenovo) C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Manager\utility.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(cyberlink) C:\Program Files (x86)\CyberLink\Shared files\brs.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Tablet Driver) C:\Windows\SysWOW64\WTClient.exe
(Western Digital) C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ADS\Adobe Desktop Service.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\HEX\Adobe CEF Helper.exe
() C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\CSP\1.8.267.0\McCSPServiceHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\CommonBuild\McCBEntAndInstru.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\CommonBuild\McCBEntAndInstru.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\CommonBuild\McCBEntAndInstru.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\CommonBuild\McCBEntAndInstru.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\Core\mchost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\AppVShNotify.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [286056 2013-09-24] (Intel Corporation)
HKLM\...\Run: [RtsFT] => C:\windows\RTFTrack.exe [6340312 2013-09-02] (Realtek semiconductor)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1703424 2013-08-11] (IDT, Inc.)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [OnekeyStudio] => C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe [4196432 2012-09-14] (Lenovo)
HKLM\...\Run: [Energy Manager] => C:\Program Files (x86)\Lenovo\Energy Manager\Energy Manager.exe [15813616 2014-02-06] (Lenovo(beijing) Limited)
HKLM\...\Run: [Lenovo Utility] => C:\Program Files (x86)\Lenovo\Energy Manager\Utility.exe [80880 2014-02-06] (Lenovo(beijing) Limited)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2234144 2014-01-20] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\windows\system32\rundll32.exe C:\windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-06] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] => C:\Program Files (x86)\Cyberlink\Shared files\brs.exe [179976 2013-08-25] (cyberlink)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2303152 2015-07-23] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [WTClient] => C:\windows\SysWOW64\WTClient.exe [40832 2013-05-14] (Tablet Driver)
HKLM-x32\...\Run: [WD Drive Unlocker] => C:\Program Files (x86)\Western Digital\WD Security\WDDriveAutoUnlock.exe [1688008 2012-06-13] (Western Digital)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5235128 2012-06-14] (Western Digital Technologies, Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\...\Run: [Power2GoExpress] => NA
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Ribbons.scr [132608 2014-10-28] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2015-07-22] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{BF9667A4-BCC0-498F-BD5A-A5D97C9C0F86}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{C6982153-E3AE-4F71-869A-E1EC502146AF}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo13.msn.com/?pc=LCJB
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = hxxp://home.lenovo.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2211250516-935607534-4216707785-1002 -> {81D652D6-F481-4BD6-9648-4D88B615979B} URL = 
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-03-16] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-04-22] (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2016-03-03] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2016-03-03] (McAfee, Inc.)
 
FireFox:
========
FF ProfilePath: C:\Users\orion\AppData\Roaming\Mozilla\Firefox\Profiles\yavxrjx3.default
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2016-03-03] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2015-07-23] (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll [2013-12-02] (Adobe Systems)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-03] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2016-03-03] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-02-25] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-05] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-05] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2015-07-23] (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [2013-12-02] (Adobe Systems)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2016-04-02] [not signed]
 
Chrome: 
=======
CHR StartupUrls: Default -> "hxxp://google.com/"
CHR Profile: C:\Users\orion\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\orion\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-05]
CHR Extension: (Google Drive) - C:\Users\orion\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-23]
CHR Extension: (YouTube) - C:\Users\orion\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\orion\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-01]
CHR Extension: (Google Docs Offline) - C:\Users\orion\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-26]
CHR Extension: (Gmail) - C:\Users\orion\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-07]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 0215461462043051mcinstcleanup; C:\windows\TEMP\021546~1.EXE [918056 2015-11-27] (McAfee, Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)
S2 CLKMSVC10_3A60B698; C:\Program Files (x86)\Lenovo\PowerDVD10\NavFilter\kmsvc.exe [243464 2013-08-26] (CyberLink)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [14696 2013-09-24] (Intel Corporation)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel® Corporation)
R2 Intel® Wireless Bluetooth® 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [155448 2013-09-20] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-09-03] (Intel Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [863448 2016-03-03] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [334608 2013-07-24] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.8.267.0\McCSPServiceHost.exe [1696712 2016-02-23] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [681680 2016-02-26] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [234192 2015-11-18] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [380896 2016-01-21] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [275368 2015-11-18] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [453520 2016-01-03] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2013-08-23] ()
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1593632 2014-01-20] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [16939296 2014-01-20] (NVIDIA Corporation)
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [896456 2016-03-02] (Intel Security, Inc.)
R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2014-04-30] (arvato digital services llc)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [338944 2013-08-11] (IDT, Inc.) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 VeriFaceSrv; C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe [68368 2014-02-06] ()
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1151424 2012-06-14] (Western Digital )
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [248248 2012-06-13] (Western Digital)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WDRulesService; C:\Program Files (x86)\Western Digital\WD SmartWare\WDRulesEngine.exe [1177536 2012-06-14] (Western Digital )
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WinTabService; C:\Windows\System32\Drivers\WTSRV.EXE [78064 2013-05-14] (UC-Logic Technology Corp.)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3667696 2013-08-23] (Intel® Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [132920 2013-04-23] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1386296 2013-08-19] (Motorola Solutions, Inc.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [79248 2015-11-25] (McAfee, Inc.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207208 2015-05-19] (McAfee, Inc.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [118216 2013-09-09] (Intel Corporation)
R0 IntelHSWPcc; C:\Windows\System32\drivers\IntelPcc.sys [74344 2013-07-02] (Intel Corporation)
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-04-30] (Malwarebytes)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-09-03] (Intel Corporation)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [419624 2015-11-25] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [351144 2015-11-25] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [83096 2015-11-25] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [496368 2015-11-25] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [846080 2015-11-25] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [539496 2015-11-20] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109480 2015-11-20] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [245096 2015-11-25] (McAfee, Inc.)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-19] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [39200 2013-12-27] (NVIDIA Corporation)
R3 PTSimHid; C:\Windows\System32\drivers\PTSimHid.sys [22912 2013-05-14] (UC-Logic Technology Corp.)
R3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8874712 2013-09-02] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-08-14] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-07 14:21 - 2016-05-07 14:21 - 00024538 _____ C:\Users\orion\Desktop\FRST.txt
2016-05-06 10:01 - 2016-05-07 13:18 - 00003846 _____ C:\windows\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2016-04-30 12:04 - 2016-04-30 12:04 - 00001871 _____ C:\Users\Public\Desktop\McAfee LiveSafe.lnk
2016-04-30 12:04 - 2016-04-30 12:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-04-30 11:42 - 2016-05-02 22:41 - 00000000 ____D C:\Users\orion\Desktop\new music
2016-04-22 07:03 - 2016-04-03 23:35 - 00046768 _____ (Microsoft Corporation) C:\windows\system32\CompatTelRunner.exe
2016-04-22 07:03 - 2016-04-02 06:26 - 01386496 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2016-04-22 07:03 - 2016-04-02 06:26 - 01169408 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2016-04-22 07:03 - 2016-03-28 06:21 - 00698368 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2016-04-22 07:03 - 2016-03-28 06:21 - 00499200 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2016-04-22 07:03 - 2016-03-28 06:21 - 00279040 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2016-04-22 07:03 - 2016-03-28 06:21 - 00215040 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2016-04-22 07:03 - 2016-03-28 06:21 - 00076800 _____ (Microsoft Corporation) C:\windows\system32\acmigration.dll
2016-04-22 07:03 - 2016-02-08 18:31 - 22365472 _____ (Microsoft Corporation) C:\windows\system32\shell32.dll
2016-04-22 07:03 - 2016-02-08 18:31 - 19794896 _____ (Microsoft Corporation) C:\windows\SysWOW64\shell32.dll
2016-04-22 07:03 - 2016-02-08 18:31 - 02757616 _____ (Microsoft Corporation) C:\windows\explorer.exe
2016-04-22 07:03 - 2016-02-08 18:31 - 02412576 _____ (Microsoft Corporation) C:\windows\SysWOW64\explorer.exe
2016-04-22 07:03 - 2016-02-08 18:31 - 00273264 _____ (Microsoft Corporation) C:\windows\system32\SystemSettingsAdminFlows.exe
2016-04-22 07:03 - 2016-02-08 13:55 - 02712576 _____ (Microsoft Corporation) C:\windows\SysWOW64\ExplorerFrame.dll
2016-04-22 07:03 - 2016-02-08 13:15 - 02551808 _____ (Microsoft Corporation) C:\windows\SysWOW64\themecpl.dll
2016-04-22 07:03 - 2016-02-08 13:02 - 01197056 _____ (Microsoft Corporation) C:\windows\SysWOW64\usercpl.dll
2016-04-22 07:03 - 2016-02-08 12:48 - 12879360 _____ (Microsoft Corporation) C:\windows\SysWOW64\twinui.dll
2016-04-22 07:03 - 2016-02-08 12:43 - 00524288 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingSyncHost.exe
2016-04-22 07:03 - 2016-02-08 12:40 - 00539648 _____ (Microsoft Corporation) C:\windows\SysWOW64\hgcpl.dll
2016-04-22 07:03 - 2016-02-08 12:39 - 00305152 _____ (Microsoft Corporation) C:\windows\SysWOW64\stobject.dll
2016-04-22 07:03 - 2016-02-08 12:37 - 00141312 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingMonitor.dll
2016-04-22 07:03 - 2016-02-08 12:35 - 00954880 _____ (Microsoft Corporation) C:\windows\SysWOW64\twinui.appcore.dll
2016-04-22 07:03 - 2016-02-08 12:34 - 00667648 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingSyncCore.dll
2016-04-22 07:03 - 2016-02-08 12:33 - 00520192 _____ (Microsoft Corporation) C:\windows\SysWOW64\SettingSync.dll
2016-04-22 07:03 - 2016-02-08 11:50 - 03120640 _____ (Microsoft Corporation) C:\windows\system32\ExplorerFrame.dll
2016-04-22 07:03 - 2016-02-08 10:55 - 02592256 _____ (Microsoft Corporation) C:\windows\system32\themecpl.dll
2016-04-22 07:03 - 2016-02-08 10:33 - 01278464 _____ (Microsoft Corporation) C:\windows\system32\usercpl.dll
2016-04-22 07:03 - 2016-02-08 10:12 - 14466560 _____ (Microsoft Corporation) C:\windows\system32\twinui.dll
2016-04-22 07:03 - 2016-02-08 10:02 - 00653824 _____ (Microsoft Corporation) C:\windows\system32\SettingSyncHost.exe
2016-04-22 07:03 - 2016-02-08 10:00 - 00599552 _____ (Microsoft Corporation) C:\windows\system32\hgcpl.dll
2016-04-22 07:03 - 2016-02-08 09:58 - 00336384 _____ (Microsoft Corporation) C:\windows\system32\stobject.dll
2016-04-22 07:03 - 2016-02-08 09:55 - 00173056 _____ (Microsoft Corporation) C:\windows\system32\SettingMonitor.dll
2016-04-22 07:03 - 2016-02-08 09:53 - 02171904 _____ (Microsoft Corporation) C:\windows\system32\SystemSettingsAdminFlowUI.dll
2016-04-22 07:03 - 2016-02-08 09:53 - 01348096 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentServer.dll
2016-04-22 07:03 - 2016-02-08 09:50 - 01220096 _____ (Microsoft Corporation) C:\windows\system32\twinui.appcore.dll
2016-04-22 07:03 - 2016-02-08 09:50 - 00841728 _____ (Microsoft Corporation) C:\windows\system32\SettingSyncCore.dll
2016-04-22 07:03 - 2016-02-08 09:48 - 00655872 _____ (Microsoft Corporation) C:\windows\system32\SettingSync.dll
2016-04-22 07:03 - 2016-02-08 09:47 - 02819584 _____ (Microsoft Corporation) C:\windows\system32\SettingsHandlers.dll
2016-04-22 07:03 - 2016-02-08 09:44 - 00955392 _____ (Microsoft Corporation) C:\windows\system32\AppXDeploymentExtensions.dll
2016-04-22 07:03 - 2016-02-06 15:41 - 00316760 ____C (Microsoft Corporation) C:\windows\system32\Drivers\volsnap.sys
2016-04-22 07:03 - 2016-02-05 07:46 - 01455104 _____ (Microsoft Corporation) C:\windows\system32\VSSVC.exe
2016-04-22 07:03 - 2016-02-03 08:14 - 00080896 _____ (Microsoft Corporation) C:\windows\system32\Drivers\IPMIDrv.sys
2016-04-22 07:03 - 2016-02-02 11:16 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\Drivers\rasl2tp.sys
2016-04-22 07:03 - 2016-02-02 10:51 - 00162304 _____ (Microsoft Corporation) C:\windows\system32\WsmAuto.dll
2016-04-22 07:03 - 2016-02-02 10:19 - 00144384 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmAuto.dll
2016-04-22 07:03 - 2016-02-02 10:01 - 00031744 _____ (Microsoft Corporation) C:\windows\system32\WsmAgent.dll
2016-04-22 07:03 - 2016-02-02 09:51 - 02609152 _____ (Microsoft Corporation) C:\windows\system32\WsmSvc.dll
2016-04-22 07:03 - 2016-02-02 09:48 - 00285184 _____ (Microsoft Corporation) C:\windows\system32\WsmWmiPl.dll
2016-04-22 07:03 - 2016-02-02 09:46 - 00026112 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmAgent.dll
2016-04-22 07:03 - 2016-02-02 09:41 - 02170880 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmSvc.dll
2016-04-22 07:03 - 2016-02-02 09:39 - 00236032 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmWmiPl.dll
2016-04-22 07:03 - 2016-01-27 08:18 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\rpcss.dll
2016-04-22 07:03 - 2016-01-21 12:35 - 00952928 _____ (Microsoft Corporation) C:\windows\system32\mfmp4srcsnk.dll
2016-04-22 07:03 - 2016-01-21 11:42 - 00786152 _____ (Microsoft Corporation) C:\windows\SysWOW64\mfmp4srcsnk.dll
2016-04-22 07:03 - 2014-11-07 19:38 - 00166912 _____ (Microsoft Corporation) C:\windows\system32\AppxAllUserStore.dll
2016-04-22 07:03 - 2014-11-07 19:17 - 00143360 _____ (Microsoft Corporation) C:\windows\SysWOW64\AppxAllUserStore.dll
2016-04-22 07:02 - 2016-03-10 12:19 - 07452512 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2016-04-22 07:02 - 2016-03-10 12:17 - 01663192 _____ (Microsoft Corporation) C:\windows\system32\winload.efi
2016-04-22 07:02 - 2016-03-10 12:17 - 01523216 _____ (Microsoft Corporation) C:\windows\system32\winload.exe
2016-04-22 07:02 - 2016-03-10 12:17 - 01490128 _____ (Microsoft Corporation) C:\windows\system32\winresume.efi
2016-04-22 07:02 - 2016-03-10 12:17 - 01358960 _____ (Microsoft Corporation) C:\windows\system32\winresume.exe
2016-04-22 07:02 - 2016-03-10 12:17 - 01133752 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2016-04-22 07:02 - 2016-03-10 10:48 - 00862720 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2016-04-22 07:02 - 2016-03-10 10:43 - 00161280 _____ (Microsoft Corporation) C:\windows\SysWOW64\msorcl32.dll
2016-04-22 07:02 - 2016-03-10 09:55 - 00166400 _____ (Microsoft Corporation) C:\windows\system32\mtxoci.dll
2016-04-22 07:02 - 2016-03-10 09:42 - 00116736 _____ (Microsoft Corporation) C:\windows\SysWOW64\mtxoci.dll
2016-04-22 07:02 - 2016-02-05 12:07 - 00378712 _____ (Microsoft Corporation) C:\windows\system32\Drivers\storport.sys
2016-04-22 07:02 - 2016-02-04 11:07 - 00222720 _____ (Microsoft Corporation) C:\windows\system32\dhcpsapi.dll
2016-04-22 07:02 - 2016-02-04 10:35 - 00142848 _____ (Microsoft Corporation) C:\windows\SysWOW64\dhcpsapi.dll
2016-04-22 07:02 - 2016-02-03 08:11 - 01673728 _____ (Microsoft Corporation) C:\windows\system32\workfolderssvc.dll
2016-04-22 07:02 - 2016-02-02 10:18 - 01574912 _____ (Microsoft Corporation) C:\windows\system32\wbengine.exe
2016-04-22 07:02 - 2016-02-02 10:15 - 00787456 _____ (Microsoft Corporation) C:\windows\system32\WorkfoldersControl.dll
2016-04-22 07:02 - 2016-01-31 10:17 - 00779264 _____ (Microsoft Corporation) C:\windows\system32\WindowsAnytimeUpgradeui.exe
2016-04-22 07:02 - 2016-01-26 12:15 - 00072024 _____ (Microsoft Corporation) C:\windows\system32\Drivers\vpci.sys
2016-04-22 07:02 - 2016-01-21 22:22 - 02487296 _____ (Microsoft Corporation) C:\windows\system32\storagewmi.dll
2016-04-22 07:02 - 2016-01-21 22:11 - 01482240 _____ (Microsoft Corporation) C:\windows\SysWOW64\storagewmi.dll
2016-04-22 07:02 - 2016-01-20 15:40 - 00099672 ____C (Microsoft Corporation) C:\windows\system32\Drivers\disk.sys
2016-04-22 06:57 - 2016-02-06 16:05 - 00551256 ____C (Microsoft Corporation) C:\windows\system32\Drivers\vhdmp.sys
2016-04-22 06:57 - 2016-02-05 08:11 - 00845312 _____ (Microsoft Corporation) C:\windows\system32\BFE.DLL
2016-04-22 06:57 - 2016-02-05 08:11 - 00422400 _____ (Microsoft Corporation) C:\windows\system32\FWPUCLNT.DLL
2016-04-22 06:57 - 2016-02-05 08:07 - 00272384 _____ (Microsoft Corporation) C:\windows\SysWOW64\FWPUCLNT.DLL
2016-04-22 06:57 - 2016-02-05 08:02 - 01083904 _____ (Microsoft Corporation) C:\windows\system32\IKEEXT.DLL
2016-04-22 06:57 - 2016-02-04 09:23 - 00713216 _____ (Microsoft Corporation) C:\windows\system32\nshwfp.dll
2016-04-22 06:57 - 2016-02-04 09:22 - 00561664 _____ (Microsoft Corporation) C:\windows\SysWOW64\nshwfp.dll
2016-04-21 10:08 - 2016-03-30 17:54 - 25817600 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2016-04-21 10:08 - 2016-03-30 17:31 - 02892800 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2016-04-21 10:08 - 2016-03-30 17:28 - 00571904 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2016-04-21 10:08 - 2016-03-30 17:25 - 06052352 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2016-04-21 10:08 - 2016-03-30 17:17 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2016-04-21 10:08 - 2016-03-30 17:03 - 20352512 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2016-04-21 10:08 - 2016-03-30 16:56 - 00145408 _____ (Microsoft Corporation) C:\windows\system32\iepeers.dll
2016-04-21 10:08 - 2016-03-30 16:56 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2016-04-21 10:08 - 2016-03-30 16:55 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2016-04-21 10:08 - 2016-03-30 16:53 - 00496640 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2016-04-21 10:08 - 2016-03-30 16:51 - 02285056 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2016-04-21 10:08 - 2016-03-30 16:50 - 01032704 _____ (Microsoft Corporation) C:\windows\system32\inetcomm.dll
2016-04-21 10:08 - 2016-03-30 16:45 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2016-04-21 10:08 - 2016-03-30 16:43 - 00806400 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2016-04-21 10:08 - 2016-03-30 16:43 - 00725504 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2016-04-21 10:08 - 2016-03-30 16:43 - 00379392 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2016-04-21 10:08 - 2016-03-30 16:42 - 02131968 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2016-04-21 10:08 - 2016-03-30 16:39 - 15415808 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2016-04-21 10:08 - 2016-03-30 16:30 - 04611072 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2016-04-21 10:08 - 2016-03-30 16:30 - 02596864 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2016-04-21 10:08 - 2016-03-30 16:30 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2016-04-21 10:08 - 2016-03-30 16:30 - 00128000 _____ (Microsoft Corporation) C:\windows\SysWOW64\iepeers.dll
2016-04-21 10:08 - 2016-03-30 16:27 - 00880128 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcomm.dll
2016-04-21 10:08 - 2016-03-30 16:24 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2016-04-21 10:08 - 2016-03-30 16:23 - 02056192 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2016-04-21 10:08 - 2016-03-30 16:23 - 00693248 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2016-04-21 10:08 - 2016-03-30 16:23 - 00330752 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2016-04-21 10:08 - 2016-03-30 16:21 - 13811712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2016-04-21 10:08 - 2016-03-30 16:18 - 01547264 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2016-04-21 10:08 - 2016-03-30 16:05 - 02121216 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2016-04-21 10:08 - 2016-03-30 16:02 - 01311744 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2016-04-21 10:07 - 2016-03-30 16:45 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2016-04-21 10:07 - 2016-03-30 16:06 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2016-04-21 10:07 - 2016-03-30 16:00 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2016-04-21 10:06 - 2016-03-15 16:00 - 00561952 _____ (Microsoft Corporation) C:\windows\system32\Drivers\cng.sys
2016-04-21 10:06 - 2016-03-15 07:14 - 01441792 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2016-04-21 10:06 - 2016-03-11 07:48 - 00833024 _____ (Microsoft Corporation) C:\windows\system32\samsrv.dll
2016-04-21 10:06 - 2016-03-10 11:22 - 00201728 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb20.sys
2016-04-21 10:06 - 2016-03-10 11:21 - 00401920 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2016-04-21 10:06 - 2016-03-10 11:20 - 00284672 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb10.sys
2016-04-21 10:06 - 2016-03-10 10:44 - 00445440 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2016-04-21 10:06 - 2016-03-10 10:16 - 00324096 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2016-04-21 10:06 - 2016-03-10 10:03 - 00111616 _____ (Microsoft Corporation) C:\windows\system32\samlib.dll
2016-04-21 10:06 - 2016-03-10 09:48 - 00064512 _____ (Microsoft Corporation) C:\windows\SysWOW64\samlib.dll
2016-04-21 10:06 - 2016-03-03 09:47 - 02345472 _____ (Microsoft Corporation) C:\windows\system32\msxml3.dll
2016-04-21 10:06 - 2016-03-03 09:33 - 01556992 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3.dll
2016-04-21 10:06 - 2016-03-03 09:13 - 00059392 _____ (Microsoft Corporation) C:\windows\system32\basesrv.dll
2016-04-21 10:06 - 2016-03-02 18:39 - 01661576 _____ (Microsoft Corporation) C:\windows\system32\ole32.dll
2016-04-21 10:06 - 2016-03-02 18:39 - 01212248 _____ (Microsoft Corporation) C:\windows\SysWOW64\ole32.dll
2016-04-21 10:05 - 2016-03-29 07:05 - 04175872 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2016-04-12 00:27 - 2016-04-12 00:27 - 00116039 _____ C:\Users\orion\Desktop\CC Confirmation.pdf
2016-04-09 19:48 - 2016-05-06 10:01 - 00004020 _____ C:\windows\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse
2016-04-08 09:46 - 2016-04-08 09:46 - 00001050 _____ C:\Users\orion\Desktop\MBAM_scan_results.txt
2016-04-08 09:21 - 2016-04-30 20:20 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-08 09:21 - 2016-04-08 09:21 - 00001125 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-08 09:21 - 2016-04-08 09:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-08 09:21 - 2016-04-08 09:21 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-04-08 09:21 - 2016-04-08 09:21 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-04-08 09:21 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2016-04-08 09:21 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2016-04-08 09:21 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\windows\system32\Drivers\mbam.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-05-07 14:21 - 2016-04-06 22:39 - 00000000 ____D C:\FRST
2016-05-07 14:19 - 2015-01-03 11:37 - 00000000 ____D C:\Users\orion\Documents\Outlook Files
2016-05-07 13:51 - 2015-07-19 08:47 - 00000914 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0c23a264fed80.job
2016-05-07 13:51 - 2015-05-25 22:41 - 00000914 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d09776a062d5c0.job
2016-05-07 13:46 - 2014-05-10 16:16 - 00000914 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1cf6ca5d30f39b0.job
2016-05-07 13:34 - 2013-08-22 08:20 - 00000000 ____D C:\windows\CbsTemp
2016-05-07 13:32 - 2015-04-29 08:45 - 00000000 ____D C:\windows\system32\appraiser
2016-05-07 13:32 - 2015-04-07 09:06 - 00000000 ___SD C:\windows\SysWOW64\GWX
2016-05-07 13:32 - 2015-04-07 09:06 - 00000000 ___SD C:\windows\system32\GWX
2016-05-07 13:31 - 2014-04-05 22:16 - 00003598 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2211250516-935607534-4216707785-1002
2016-05-07 13:23 - 2015-12-04 08:46 - 00000914 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d12eaae5b624b4.job
2016-05-07 12:29 - 2014-04-06 00:07 - 00002226 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-05-07 12:29 - 2014-04-06 00:07 - 00002214 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-05-07 12:22 - 2014-04-06 00:16 - 00000000 ____D C:\Users\orion\AppData\Local\Adobe
2016-05-06 10:08 - 2013-08-22 08:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-05-06 10:07 - 2014-12-26 21:14 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-05-06 10:05 - 2013-08-22 08:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-05-06 10:05 - 2013-08-22 08:36 - 00000000 ____D C:\windows\AppReadiness
2016-05-06 10:01 - 2013-08-22 06:25 - 00262144 ___SH C:\windows\system32\config\ELAM
2016-05-06 09:57 - 2013-08-22 06:36 - 00000000 ____D C:\windows\Inf
2016-05-02 21:31 - 2013-10-07 11:27 - 00865408 _____ C:\windows\system32\PerfStringBackup.INI
2016-04-30 17:40 - 2013-08-22 08:36 - 00000000 ____D C:\windows\rescache
2016-04-30 15:55 - 2014-04-06 17:15 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-04-30 12:04 - 2014-02-06 16:03 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-04-27 21:04 - 2015-12-04 08:46 - 00000910 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1d12eaae593ae71.job
2016-04-27 21:04 - 2014-05-10 16:16 - 00000910 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1cf6ca5d2e8e0ff.job
2016-04-27 21:04 - 2014-04-05 22:16 - 00000000 ___DO C:\Users\orion\SkyDrive
2016-04-27 21:03 - 2013-08-22 07:45 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-04-27 21:02 - 2013-08-22 07:44 - 05074664 _____ C:\windows\system32\FNTCACHE.DAT
2016-04-27 10:23 - 2014-02-06 16:13 - 00016896 _____ C:\windows\system32\VfService.trf
2016-04-27 10:23 - 2013-08-22 06:25 - 00524288 ___SH C:\windows\system32\config\BBI
2016-04-27 10:20 - 2013-08-22 08:36 - 00000000 ___RD C:\windows\ToastData
2016-04-27 10:15 - 2014-05-04 22:13 - 00001456 _____ C:\Users\orion\AppData\Local\Adobe Save for Web 13.0 Prefs
2016-04-27 10:12 - 2014-02-06 16:02 - 00000000 ____D C:\ProgramData\McAfee
2016-04-27 10:10 - 2015-07-29 07:30 - 00003344 _____ C:\windows\System32\Tasks\McAfee Remediation (Prepare)
2016-04-22 07:23 - 2014-04-13 20:11 - 00000000 ____D C:\windows\system32\MRT
2016-04-22 07:19 - 2014-04-13 20:11 - 135176864 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2016-04-22 06:56 - 2016-03-09 07:40 - 01737080 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2016-04-22 06:56 - 2016-03-09 07:40 - 01501488 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2016-04-22 06:56 - 2016-03-09 07:40 - 00246784 _____ (Microsoft Corporation) C:\windows\system32\microsoft-windows-system-events.dll
2016-04-21 10:05 - 2016-01-13 11:24 - 00177488 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2016-04-08 09:11 - 2014-06-29 19:04 - 00000000 ____D C:\Users\orion\AppData\LocalLow\Temp
2016-04-08 09:04 - 2016-04-06 09:08 - 00000000 ____D C:\Users\orion\Desktop\Anti-Virus software
 
==================== Files in the root of some directories =======
 
2014-08-17 10:36 - 2014-09-07 20:32 - 0000132 _____ () C:\Users\orion\AppData\Roaming\Adobe IllExport Filter CS6 Prefs
2015-11-12 10:18 - 2015-11-12 10:18 - 0000132 _____ () C:\Users\orion\AppData\Roaming\Adobe PNG Format CS6 Prefs
2014-04-12 16:08 - 2014-04-12 16:08 - 0000694 _____ () C:\Users\orion\AppData\Local\7396d5af-93b3-4d36-bfec-04bbd1449761.dat
2014-05-04 22:13 - 2016-04-27 10:15 - 0001456 _____ () C:\Users\orion\AppData\Local\Adobe Save for Web 13.0 Prefs
2014-02-06 15:46 - 2014-02-06 15:46 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-04-17 14:19
 
==================== End of FRST.txt ============================
#2 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:08 AM

Posted 07 May 2016 - 08:25 PM

Hello froman and welcome to BleepingComputer.

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as administrator. How do I log on to the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer here to get help.

Thanks
 
Addition.txt is created by default on the first run of FRST. Can you check inside this folder: C:\FRST\Logs? I need to see that log before we progress. If there is no Addition log inside the Logs folder, run the FRST scan one more time, ensuring "Addition" is checked in the optional scan box...

[Attached image: Ashampoo_Snap_20140927_13h17m38s_001_Far]


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!
#3 froman

froman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:08 PM

Posted 08 May 2016 - 09:54 AM

Thanks for the quick response!
I thought I attached the Addition.txt to my original post, but apparently I forgot. Anyhow, I have copied it below.
Before continuing much further, I need clarification on one of the instructions in your response.
You instruct me to:
  • Ensure your external and/or USB drives are always inserted during the scan.

I have an external hard drive that I use to occasionally back up my data. This external drive was not connected when I scanned with FRST.

Should I connect the drive and then run the scan again? If so, let me know and I will do that and then provide the new log files. If it is not necessary to scan with the external drive connected, then here is the Addition.txt log that was missing from my original post:
Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by orion (2016-05-07 14:22:10)
Running from C:\Users\orion\Desktop
Windows 8.1 (X64) (2014-04-06 05:10:44)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2211250516-935607534-4216707785-500 - Administrator - Disabled)
Guest (S-1-5-21-2211250516-935607534-4216707785-501 - Limited - Disabled)
orion (S-1-5-21-2211250516-935607534-4216707785-1002 - Administrator - Enabled) => C:\Users\orion
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall (Enabled) {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20060 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.2.0.129 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\{74EB3499-8B95-4B5C-96EB-7B342F3FD0C6}) (Version: 13.0 - Adobe Systems Incorporated)
Alcor Micro USB Card Reader (HKLM-x32\...\AmUStor) (Version: 20.2.1245.53580 - Alcor Micro Corp.)
Alcor Micro USB Card Reader (x32 Version: 20.2.1245.53580 - Alcor Micro Corp.) Hidden
Autodesk SketchBook Express 6.2 (HKLM-x32\...\{34CBACD3-040E-43D6-86C1-9FBE44B180BF}) (Version: 6.2.0000 - Autodesk)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Corel Painter Lite - IPM (Version: 1.01 - Corel Corporation) Hidden
Corel Painter Lite (HKLM\...\_{16E336F3-CA33-4D5C-B3E7-042C5873E69E}) (Version: 1.0.1010.0 - Corel Corporation)
CyberLink PhotoDirector 3 (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.1.4107 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.)
CyberLink PowerDirector 10 (Version: 10.0.0.2810 - CyberLink Corp.) Hidden
Dolby Digital Plus Home Theater (HKLM\...\{7E3D8FA1-6092-469A-955B-68FC4A2C67CA}) (Version: 7.3.2.2 - Dolby Laboratories Inc)
Energy Manager (HKLM-x32\...\InstallShield_{AC768037-7079-4658-AC24-2897650E0ABE}) (Version: 1.0.0.31 - Lenovo)
Energy Manager (x32 Version: 1.0.0.31 - Lenovo) Hidden
GeForce Experience NvStream Client Components (Version: 1.6.28 - NVIDIA Corporation) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 50.0.2661.94 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6490.0 - IDT)
Intel Collaborative Processor Performance Control (HKLM-x32\...\0E7DAF70-FB54-4B91-B192-7E771C25AEEB) (Version: 1.0.0.1013 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.14.1724 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3316 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology(patch version 3.0.1337.1) (HKLM\...\{302600C1-6BDF-4FD1-1307-148929CC1385}) (Version: 3.1.1307.0362 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.5.1000 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{e1172fd4-a6d9-4cfa-8256-268f728fec31}) (Version: 16.5.3 - Intel Corporation)
Lenovo EasyCamera (HKLM-x32\...\{E0A7ED39-8CD6-4351-93C3-69CCA00D12B4}) (Version: 6.2.9200.10245 - Realtek Semiconductor Corp.)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.0.0.2105 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 8.0.0.2105 - CyberLink Corp.) Hidden
Lenovo PowerDVD10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.5630.52 - CyberLink Corp.)
Lenovo PowerDVD10 (x32 Version: 10.0.5630.52 - CyberLink Corp.) Hidden
Lenovo Reach (HKLM-x32\...\{0B5E0E89-4BCA-4035-BBA1-D1439724B6E2}) (Version: 1.1.0.166 - Stoneware, Inc.)
Lenovo VeriFace (HKLM\...\Lenovo VeriFace) (Version: 5.0.13.5261 - Lenovo)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Manga Studio (HKLM-x32\...\{CFA66508-B19D-4032-AB0A-EBBA2BDF1368}) (Version: 5.0.0 - Smith Micro)
Maxthon Cloud Browser (HKLM-x32\...\Maxthon3) (Version: 4.1.2.4000 - Maxthon International Limited)
McAfee LiveSafe (HKLM-x32\...\MSC) (Version: 14.0.7086 - McAfee, Inc.)
Microsoft Office Home and Business 2013 - en-us (HKLM\...\HomeBusinessRetail - en-us) (Version: 15.0.4815.1002 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-2211250516-935607534-4216707785-1002\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 44.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 44.0.2 (x86 en-US)) (Version: 44.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 44.0.2 - Mozilla)
NVIDIA GeForce Experience 1.8.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 1.8.2 - NVIDIA Corporation)
NVIDIA Graphics Driver 327.02 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 327.02 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.0725 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0725 - NVIDIA Corporation)
NVIDIA Virtual Audio 1.2.20 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_VirtualAudio.Driver) (Version: 1.2.20 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4815.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4815.1002 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4815.1002 - Microsoft Corporation) Hidden
Onekey Theater (HKLM-x32\...\{91CC5BAE-A098-40D3-A43B-C0DC7CE263FE}) (Version: 3.0.1.2 - Lenovo)
Painter Lite - Content (Version: 1.0 - Corel Corporation) Hidden
Painter Lite - Core (Version: 1.0 - Corel Corporation) Hidden
Painter Lite - Corex64 (Version: 1.0 - Corel Corporation) Hidden
Painter Lite - EN (Version: 1.0 - Corel Corporation) Hidden
Painter Lite - Setup Files (Version: 1.0 - Corel Corporation) Hidden
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.10525 - CyberLink Corp.)
Qualcomm Atheros Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.21 - Qualcomm Atheros Inc.)
SHIELD Streaming (Version: 1.7.306 - NVIDIA Corporation) Hidden
SketchUp 2014 (HKLM-x32\...\{F246092E-FA0B-47C8-9D3E-CF8C210293C8}) (Version: 14.1.1282 - Trimble Navigation Limited)
StageLight version 1.0.0.3508 (HKLM\...\StageLight) (Version: version 1.0.0.3508 - Open Labs, LLC.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.9.1 - Synaptics Incorporated)
Tablet Driver V5.02 (HKLM-x32\...\TabletDriver) (Version:  - )
UserGuide (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.15 - Lenovo)
UserGuide (x32 Version: 1.0.0.15 - Lenovo) Hidden
WD Drive Utilities (HKLM-x32\...\{439A51F7-84B1-4603-BEC8-647EB2AC307F}) (Version: 1.0.1.5 - Western Digital)
WD Security (HKLM-x32\...\{8172B41A-9BB5-4A64-BF28-1FB5FE43C3FF}) (Version: 1.0.1.5 - Western Digital)
WD SmartWare (HKLM\...\{22A51951-1F45-4C8A-B888-306527F9C45F}) (Version: 1.6.2.6 - Western Digital)
Windows Driver Package - Lenovo (ACPIVPC) System  (02/17/2013 9.52.0.776) (HKLM\...\35DD26BE48DAF4A9F35F969F3CB1E3E1435E661E) (Version: 02/17/2013 9.52.0.776 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid  (07/25/2013 10.30.0.288) (HKLM\...\6BCA401E9CBEED970D75F55FA5320F60D11984E9) (Version: 07/25/2013 10.30.0.288 - Lenovo)
WordPerfect Office X7 - Common Files (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Common Files English (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - IPM Content TBYB  (x32 Version: 17.0 - Corel Corporation) Hidden
WordPerfect Office X7 - IPM TBYB (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Lightning Files (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Lightning Files English (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Oxford (x32 Version: 17.1 - Corel Corporation) Hidden
WordPerfect Office X7 - Presentations Files (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Presentations Files English (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Quattro Pro Files (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Quattro Pro Files English (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - Setup Files (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - System Files (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - WordPerfect Files (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - WordPerfect Files English (x32 Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - WPD format Props x64 (Version: 17.2 - Corel Corporation) Hidden
WordPerfect Office X7 - WT (x32 Version: 17.0 -  Corel Corporation) Hidden
WordPerfect Office X7 (HKLM-x32\...\_{64A329FC-D1B2-4354-922D-21F7EC777E10}) (Version: 17.0.0.366 - Corel Corporation)
WordPerfect Office X7 (x32 Version: 17.2 - Corel Corporation) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0711E688-AF23-4303-8168-68F02E667FEA} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2016-03-01] (McAfee, Inc.)
Task: {1A864FD1-F779-4880-B1B4-CF25EE68E5FE} - System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\54.0\mcdatrep.exe [2016-02-18] (McAfee, Inc.)
Task: {1F6FFD6C-5A86-4902-AEA2-611365D40B9C} - System32\Tasks\GoogleUpdateTaskMachineUA1d0c23a264fed80 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {26CA248A-E30C-4D6F-9F08-B287DC54C3C6} - System32\Tasks\GoogleUpdateTaskMachineCore1cf6ca5d2e8e0ff => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {47CC9604-8CD6-48D2-BF94-47D2B2338781} - System32\Tasks\GoogleUpdateTaskMachineUA1d12eaae5b624b4 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {558E272D-A1F8-411E-AA15-89A5BC78716F} - System32\Tasks\Microsoft\Windows\Setup\gwx\rundetector => C:\Windows\system32\GWX\GWXDetector.exe [2016-04-26] (Microsoft Corporation)
Task: {579B92A7-7F22-4140-8346-4EA1BE123A31} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent
Task: {5B2651DB-F156-4417-8DED-D0DBE708AFB8} - System32\Tasks\PDVDServ Task => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.EXE [2013-03-08] (CyberLink Corp.)
Task: {62438DEF-7403-44B6-89A7-25EFEF094469} - System32\Tasks\McAfee\McAfee Idle Detection Task
Task: {62439B19-54BB-4066-8448-833F7F3E5218} - System32\Tasks\Maxthon Update => C:\Program Files (x86)\Maxthon\Bin\mxup.exe [2013-08-01] (Maxthon International ltd.)
Task: {662AA4CE-D797-4197-A011-930DAE9660CF} - System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\54.0\mcdatrep.exe [2016-02-18] (McAfee, Inc.)
Task: {9A291795-A8E1-47ED-BAE6-B2B5C44BF019} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {A1713B45-EBB6-4611-B59C-620F26258DEA} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-08-14] (Synaptics Incorporated)
Task: {A38640B9-8FD7-45EF-BB03-2994FE5F8F0A} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-frorion@hotmail.com => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-07-22] (Adobe Systems Incorporated)
Task: {AC708D98-8E99-492A-B9B3-E9FA6AB91C4E} - System32\Tasks\GoogleUpdateTaskMachineCore1d12eaae593ae71 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {B5BDEEC9-3A66-4189-AE2F-84BDC90EC20B} - System32\Tasks\GoogleUpdateTaskMachineUA1cf6ca5d30f39b0 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {B6CE290B-5EC7-428D-BD6E-95479FC4D646} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\mcafee\platform\McUICnt.exe [2016-01-03] (McAfee, Inc.)
Task: {BEC68B32-FEBF-4B02-B230-66E796880DFE} - System32\Tasks\GoogleUpdateTaskMachineUA1d09776a062d5c0 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {D57C4EF3-7D79-4104-AE9E-167E956EC58E} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\windows\system32\MRT.exe [2016-04-22] (Microsoft Corporation)
Task: {DA6FA2F3-2999-45E7-9901-7E451F735079} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {DCCE146C-3972-4AE0-8368-2F65AF32F2C4} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-14] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1cf6ca5d2e8e0ff.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1d12eaae593ae71.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1cf6ca5d30f39b0.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d09776a062d5c0.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0c23a264fed80.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d12eaae5b624b4.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2014-12-28 13:13 - 2015-10-13 05:34 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2014-02-06 16:07 - 2012-04-24 03:43 - 00390632 ____N () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
2014-02-06 16:13 - 2014-02-06 16:13 - 00068368 _____ () C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfConnectorService.exe
2014-02-06 16:13 - 2014-02-06 16:13 - 00669288 _____ () C:\Program Files (x86)\Lenovo\Lenovo VeriFace\VfDataStorageInterface.dll
2015-07-22 01:02 - 2015-07-22 01:02 - 00803488 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
2015-11-01 06:39 - 2015-09-01 09:04 - 08901184 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2015-07-22 01:02 - 2015-07-22 01:02 - 31535264 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
2015-07-22 15:32 - 2015-07-22 15:32 - 36732592 _____ () C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\CEF\libcef.dll
2014-02-06 15:43 - 2013-09-03 16:53 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Windows:nlsPreferences [386]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2211250516-935607534-4216707785-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\orion\Desktop\-O- Drive\activism\web development\sperel.org\WWWebsite\v08 - free stuff\themes\wallpapers\SperelEscape_1680x1050.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{8345C1C9-006B-400D-9EEA-DB35AC019A26}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{62D49F0F-655E-4D23-A9FE-10B2A6D0EAFF}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{FA9B00E4-C40B-450E-B166-1AF967D8E4F0}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{30AA0A37-4F5E-4E2A-89DE-48992BC7C7B5}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{EF2429CF-A655-4BF8-8342-FC74F22DDED1}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{5DFA0747-3BE3-470B-A065-8B9662DDB705}] => (Allow) C:\Program Files\CyberLink\PowerDirector10\PDR10.EXE
FirewallRules: [{BEA836C2-C060-4358-9B63-20739EE84A29}] => (Allow) C:\Program Files (x86)\Lenovo\PowerDVD10\PowerDVD Cinema\PowerDVDCinema10.exe
FirewallRules: [{AA94A74A-89D2-4AA9-9A86-8CBE324EEF9F}] => (Allow) C:\Program Files (x86)\Lenovo\PowerDVD10\PowerDVD10.EXE
FirewallRules: [{A46C3B59-6F03-4C25-A787-DC530AB83D0C}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{36B03C65-8491-4180-99F8-EF8F7F293244}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{697FC251-0D2D-4B0B-BCEF-4CD4F9BB4667}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{6C4D7730-601E-4C77-9018-F6E6FE945C3A}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{C033E608-CFC6-43DB-9618-D1DEA6BBB0ED}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{79C90621-E228-489E-8BFA-91E2601BAA2F}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{27087A75-3A85-43CD-96AC-5F31A259D348}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{D7620DD8-E07F-4793-B82F-1E316930DB6C}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{2785D55C-21B3-441C-A67F-FD93EF0F384C}] => (Allow) C:\Users\orion\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{7A1067FF-F442-4CAC-8BFF-B5E8D0ECEACF}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{AFD837E4-78E0-45DC-8353-12BC78E1E78E}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2075CF6C-E7A3-4677-96F7-FBBED745F773}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{3ED8DA8B-742A-48B9-B039-60410D680769}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4F3AB08C-6114-4A25-8A20-61FBCFB00F66}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4AF2CF5F-0868-449B-A5D1-0EDA0FE5A231}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
22-04-2016 07:14:14 Windows Update
01-05-2016 17:29:58 Scheduled Checkpoint
07-05-2016 13:32:05 Windows Update
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/27/2016 10:08:19 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 228
 
Start Time: 01d19ecd7201c863
 
Termination Time: 4294967295
 
Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe
 
Report Id: a23b3506-0c9a-11e6-8374-0c54a5bb3b65
 
Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe
 
Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1
 
Error: (04/08/2016 09:09:42 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.
 
 
Operation:
   Gathering Writer Data
 
Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {f81fe7b0-8416-4e07-a5ec-240e6a9868ee}
 
Error: (04/06/2016 08:22:18 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SynTPEnh.exe, version: 17.0.9.1, time stamp: 0x520af771
Faulting module name: SynTPEnh.exe, version: 17.0.9.1, time stamp: 0x520af771
Exception code: 0xc0000005
Fault offset: 0x000000000007fac2
Faulting process id: 0xea8
Faulting application start time: 0xSynTPEnh.exe0
Faulting application path: SynTPEnh.exe1
Faulting module path: SynTPEnh.exe2
Report Id: SynTPEnh.exe3
Faulting package full name: SynTPEnh.exe4
Faulting package-relative application ID: SynTPEnh.exe5
 
Error: (04/04/2016 10:22:17 PM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database
 
Error: (03/08/2016 09:48:40 AM) (Source: MsiInstaller) (EventID: 1024) (User: -O-)
Description: Product: Adobe Acrobat Reader DC - Update '{AC76BA86-7AD7-0000-2550-AC0F0A4E5C00}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error: (03/03/2016 11:17:41 AM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (EventID: 1) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]
 
Error: (02/25/2016 08:33:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SynTPEnh.exe, version: 17.0.9.1, time stamp: 0x520af771
Faulting module name: SynTPEnh.exe, version: 17.0.9.1, time stamp: 0x520af771
Exception code: 0xc0000005
Fault offset: 0x000000000007fac2
Faulting process id: 0x2044
Faulting application start time: 0xSynTPEnh.exe0
Faulting application path: SynTPEnh.exe1
Faulting module path: SynTPEnh.exe2
Report Id: SynTPEnh.exe3
Faulting package full name: SynTPEnh.exe4
Faulting package-relative application ID: SynTPEnh.exe5
 
Error: (02/19/2016 08:55:26 AM) (Source: MsiInstaller) (EventID: 1024) (User: -O-)
Description: Product: Adobe Acrobat Reader DC - Update '{AC76BA86-7AD7-0000-2550-AC0F0A4E5B00}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error: (02/10/2016 02:26:14 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\windows\system32\svchost.exe -k netsvcs; Description = Windows Update; Error = 0x81000101).
 
Error: (02/01/2016 10:51:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Painter Lite x64.exe, version: 1.0.1010.0, time stamp: 0x5075dc69
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2bcac
Exception code: 0x40000015
Fault offset: 0x00000000000761c9
Faulting process id: 0x27bc
Faulting application start time: 0xPainter Lite x64.exe0
Faulting application path: Painter Lite x64.exe1
Faulting module path: Painter Lite x64.exe2
Report Id: Painter Lite x64.exe3
Faulting package full name: Painter Lite x64.exe4
Faulting package-relative application ID: Painter Lite x64.exe5
 
 
System errors:
=============
Error: (05/07/2016 12:23:58 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (05/06/2016 10:00:20 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (05/03/2016 09:32:49 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (05/02/2016 09:32:50 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (05/01/2016 03:46:50 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Interactive Services Detection service terminated with the following error: 
%%1
 
Error: (04/30/2016 12:03:52 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1053mcpltsvcUnavailable{20966775-18A4-4299-B8E3-772C336B52A7}
 
Error: (04/30/2016 12:03:52 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error: 
%%1053
 
Error: (04/30/2016 12:03:52 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.
 
Error: (04/30/2016 12:03:51 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1053mcpltsvcUnavailable{20966775-18A4-4299-B8E3-772C336B52A7}
 
Error: (04/30/2016 12:03:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error: 
%%1053
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4700MQ CPU @ 2.40GHz
Percentage of memory in use: 22%
Total physical RAM: 16308.27 MB
Available physical RAM: 12707.77 MB
Total Virtual: 18740.27 MB
Available Virtual: 15091.36 MB
 
==================== Drives ================================
 
Drive c: (Windows8_OS) (Fixed) (Total:891.88 GB) (Free:807.5 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:22.32 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 95EDE799)
 
Partition: GPT.
 

==================== End of Addition.txt ============================ 
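The Scheduled Tasks, FirewallRules and Loaded Modules sections of the Addition.txt above are what a helper reads first when hunting for a persistence point for a JScript downloader such as the JS/Nemucod detections in this thread. What follows is an added triage script written for this page; it is not part of the original post and is not a tool from FRST or McAfee. It parses lines in the FRST format shown above and queues for review any scheduled task, firewall allow rule or loaded module whose target lives under a user-writable directory (AppData, Temp, ProgramData), points at a script file or script host, or has no publisher in its version info. The regexes and the directory list are assumptions fitted to the log format above; two of the sample lines (the task with the all-zero GUID and the \Temp\stage.dll module) are constructed to show what a hit looks like and are not from the poster's log. Anything it lists is a review queue, not a verdict: the SkyDrive.exe rule it flags is a legitimate Microsoft client that installs per-user.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added triage example for FRST Addition.txt-style lines (not FRST's own code).
# Directories a standard user can write to; an autostart or allow rule pointing
# here is worth a second look, although legitimate per-user software lives there too.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Script files and script hosts: a JScript downloader such as JS/Nemucod runs via wscript.exe.
SCRIPTY = re.compile(
    r"(\.(js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd)\b|\b(wscript|cscript|mshta|powershell)\.exe)",
    re.IGNORECASE)

# Line shapes copied from the FRST log format above (assumed stable for this example).
TASK_RE = re.compile(
    r"^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>.+?)"
    r"(?: => (?P<target>.+?)(?: \[(?P<date>[\d-]+)\])?(?: \((?P<publisher>[^)]*)\))?)?$",
    re.IGNORECASE)
FW_RE = re.compile(
    r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>Allow|Block)\) (?P<target>.+)$")
MOD_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ \S+ "
    r"\((?P<publisher>[^)]*)\) (?P<path>.+)$")


@dataclass
class Finding:
    section: str      # "task", "firewall" or "module"
    name: str
    target: str
    reasons: list[str]


def path_reasons(target: str) -> list[str]:
    """Reasons a target path deserves review; an empty list means nothing stood out."""
    reasons = []
    if USER_WRITABLE.search(target):
        reasons.append("target under a user-writable directory")
    if SCRIPTY.search(target):
        reasons.append("script file or script host as target")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Scan FRST-format lines and return the entries a helper should look at, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := TASK_RE.match(line):
            target = m.group("target")
            if target is None:
                # FRST printed the task without a resolved executable; inspect it by hand.
                findings.append(Finding("task", m.group("name"), "", ["no executable target shown"]))
                continue
            reasons = path_reasons(target)
            if m.group("publisher") == "":
                reasons.append("no publisher in version info")
            if reasons:
                findings.append(Finding("task", m.group("name"), target, reasons))
        elif m := FW_RE.match(line):
            target = m.group("target")
            reasons = path_reasons(target)
            if target.startswith("LPort="):
                reasons.append("port-based rule not tied to a binary")
            if reasons:
                findings.append(Finding("firewall", m.group("name"), target, reasons))
        elif m := MOD_RE.match(line):
            path = m.group("path")
            reasons = path_reasons(path)
            if reasons:
                findings.append(Finding("module", path.rsplit("\\", 1)[-1], path, reasons))
    return findings


# Sample input: lines copied from the Addition.txt above, plus two CONSTRUCTED
# lines (the all-zero task GUID and the \Temp\stage.dll module) that are not from
# the poster's log and exist only to show what a hit looks like.
SAMPLE = r"""
Task: {B6CE290B-5EC7-428D-BD6E-95479FC4D646} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\mcafee\platform\McUICnt.exe [2016-01-03] (McAfee, Inc.)
Task: {579B92A7-7F22-4140-8346-4EA1BE123A31} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ExampleUpdater => C:\Users\example\AppData\Roaming\upd\run.js [2016-04-30] ()
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{2785D55C-21B3-441C-A67F-FD93EF0F384C}] => (Allow) C:\Users\orion\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{4AF2CF5F-0868-449B-A5D1-0EDA0FE5A231}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2014-12-28 13:13 - 2015-10-13 05:34 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2016-04-30 12:00 - 2016-04-30 12:00 - 00012345 _____ () C:\Users\example\AppData\Local\Temp\stage.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.section}] {f.name}: {f.target or '(no target)'}")
        for reason in f.reasons:
            print("    - " + reason)
```

Run it against a full Addition.txt by reading the file and passing the text to `triage()`; the whitelisted sections FRST prints are already filtered, so the queue stays short and every hit is something to look up by hand rather than delete.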



#4 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:08 AM

Posted 08 May 2016 - 02:05 PM

Hi again,
 

FW: McAfee Firewall (Enabled)
Windows Firewall is enabled.

Please do disable Windows Firewall.

=====

Multiple Firewall Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause. Firewall programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two firewall programs running at the same time can cause your computer to run very slowly, become unstable and even, in rare cases, crash.

===============================================================================
Your PC seems clean. But let's check even so.

=====================================================

This is just info:

Decryptor Released for the Nemucod Trojan's .CRYPTED Ransomware
http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/

==========================================================

Step 1:
 Emsisoft Emergency Kit Scan:

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

Step 2:

MalwareBytes Anti-Rootkit scan:

  • Close all the running processes
  • Be sure to temporarily disable all antivirus/anti-spyware software
  • Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
  • Note: Malwarebytes Anti-Rootkit requires administrative privileges to function properly.

  • Download MalwareBytes Anti-Rootkit software from here to your desktop.
  • Right-click on Mbar 1.09.1.1004.exe and select Run As Administrator to launch the application.
  • Open the folder named MBAR on the desktop.
  • Find the MBAR folder in the list.
  • Click it once, then click the OK button, and click the OK button again.
  • Then click Next and click on the Update button.
  • Now click on the Scan button.

  • When finished updating, click 'Next' then 'Scan'.
  • If you are told you have the 'AppInit_Dlls rootkit', choose not to fix it and proceed with the scan.
  • With some infections, you may see two messages boxes:
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart, then continue with the rest of these instructions.
  • If malware is found, do NOT press the 'Cleanup' button yet. Click 'Exit'.
  • Please  attach the two log files created by the tool within the folder from which it was run.
  • The logs will be named mbar-log-YYYY-MM-DD (##-##-##).txt and system-log.txt

Step 3:

RogueKiller scan:

  • Please download RogueKiller 32/64 bit to your desktop and run it
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  • Click Scan to scan the system.
  • When the scan completes > Close out the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!
  • Post back the report which should be located on your desktop.

 


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#5 froman

froman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:08 PM

Posted 09 May 2016 - 09:47 PM

Well, something odd happened. 

I saw your response yesterday, but I had some work that I needed to finish, so I did my work and then shut down the computer without performing any of the steps that you advised.

I intended to perform your instructions this morning, but when I turned on my computer it launched into 'Automatic Repair'. This was odd because I had no indication of any new problems the night before. Aside from the detected trojans, my computer was operating just fine. 

 

The Automatic Repair failed, and I was left with the following options:

1) Proceed to Windows 8.1

2) Restart, with the possibility that Automatic Repair would not fail

3) Reset the computer and lose all files and installed programs

4) Refresh the computer - which would let me keep my files but lose my installed programs

 

Steps 1 and 2 both looped back to the 'Automatic Repair Failed' screen, so I chose to Refresh the computer.

That got me back up and running, though I do have to reinstall a few programs.

 

Everything seems to be working fine, but now I am wondering why the Automatic Repair process occurred, and whether or not the cause of the problem was fixed by the Refresh procedure.

At the moment, I have no specific problems to report.

Should I run another FRST scan and post the logs?

Please advise.



#6 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:08 AM

Posted 10 May 2016 - 12:32 PM

Hi,

 

Glad to hear that everything is running well. We can close this thread, if that is not a problem.


Best regards
 

 


 




