
Strange connections from Svchost(NetworkService)



#1 HairyApricot

Posted 15 June 2016 - 11:56 AM

I was referred to this forum by one of the Global Moderators.

 

So a week ago I made this post: http://www.bleepingcomputer.com/forums/t/616398/why-is-svchostexenetworkservice-making-strange-connections-when-i-boot-up/#entry4015948

 

To recap:

When I first log in to my PC, I get connections via Svchost(NetworkService) to a few IP addresses, including an addr.btopenworld, 104.16.93.188, 93.184.220.20, comodoca.crl and apps.digsigtrust. The most data received seems to be from 93.184.220.20. I first noticed all this months ago but couldn't find a reason; various tools and scanners turned up nothing, and my PC continued to run fine. The connections also occurred when connecting to Steam and when Premiere Pro or other Adobe products were transmitting usage data. It also occasionally does it while I use Chrome. I used Process Explorer, and the service within Network Service that was making the connections was CryptSvc.

 

My work PC makes a connection like the ones described above when it boots up, though it's to Akamai. My brother's computer also had many of the same connections that mine did. So now I want to actually know what is causing these checks. I have checked startup programs on my PC; all I have is Avast, Intel usbmon 3.0 and something by Creative Technologies that I believe is sound related. Does anyone else experience similar connections?

 

I am on Windows 7 N; my connection is BT using a TP-Link adapter and a router.

 

Any help is appreciated, thank you :)

 

Just some more info. Malwarebytes, Avast and HitmanPro turned up nothing. AdwCleaner found a file, but it seems to be an auto-generated file created when you save in Deus Ex: Human Revolution, so it was a false positive. I ran TDSSKiller. It found 1 suspicious file, RzWizardService.exe, located inside the Razer file. I have a Razer keyboard, and the reason it flagged it was that it was not digitally signed. Removed the file anyway, but it seems to have been a false positive :/

 

FRST logs attached

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:15-06-2016
Ran by James (administrator) on HAIRYAPRICOT (15-06-2016 17:40:19)
Running from C:\Users\James\Downloads
Loaded Profiles: James (Available Profiles: James & DefaultAppPool)
Platform: Windows 7 Professional N Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MBCfg64] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\MBCfg64.dll,RunDLLEntry MBCfg64
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7390608 2016-04-21] (AVAST Software)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-02-21] (Intel Corporation)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-04-01] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-04-01] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-04-01] ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-04-21] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254
Tcpip\..\Interfaces\{3A65B9BC-ADC6-43D5-9E84-DFFA3F2F58CB}: [DhcpNameServer] 192.168.1.254 192.168.1.254
 
Internet Explorer:
==================
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-03-16] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-22] (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL [2016-03-16] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-22] (Oracle Corporation)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-03-16] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll [2015-01-22] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL [2016-03-16] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-20] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-22] (Oracle Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
 
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-22] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-22] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2016-04-07] (Adobe Systems)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-22] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-11-03] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll [2012-04-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-03-03] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-11] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2016-04-07] (Adobe Systems)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
CHR Profile: C:\Users\James\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (uBlock Origin) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-05-07]
CHR Extension: (Do Not Track) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckdcpbflcbeillmamogkpmdhnbeggfja [2015-01-04]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-03-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\James\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [694464 2016-04-07] (Adobe Systems Incorporated)
R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [121856 2016-03-21] (Advanced Micro Devices) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-04-21] (AVAST Software)
S3 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2015-01-04] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2015-01-04] (Creative Labs) [File not signed]
S4 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [406016 2011-09-14] (Creative Technology Ltd) [File not signed]
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.0\App Certification Kit\fussvc.exe [139776 2012-07-25] (Microsoft Corporation) [File not signed]
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [246328 2016-05-25] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [6167096 2016-05-25] (GOG.com)
S3 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [355232 2015-08-09] (Intel Corporation)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.0\Testing\Runtimes\TAEF\Wex.Services.exe [126976 2012-07-25] (Microsoft Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S3 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 amdacpksd; C:\Windows\system32\drivers\amdacpksd.sys [296648 2016-03-21] (Advanced Micro Devices)
R3 arusb_win7x; C:\Windows\System32\DRIVERS\arusb_win7x.sys [769024 2010-02-23] (Atheros Communications, Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-04-21] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-04-21] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-04-21] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-04-21] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-04-21] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-04-21] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-04-21] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-04-21] (AVAST Software)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-04-11] (Intel Corporation)
R2 IntelHaxm; C:\Windows\System32\DRIVERS\IntelHaxm.sys [84992 2014-11-18] (Intel  Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-06-22] (Corel Corporation)
S3 VSPerfDrv110; C:\Program Files (x86)\Microsoft Visual Studio 11.0\Team Tools\Performance Tools\x64\VSPerfDrv110.sys [70264 2012-07-13] (Microsoft Corporation)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-15 17:40 - 2016-06-15 17:40 - 00014099 _____ C:\Users\James\Downloads\FRST.txt
2016-06-15 17:39 - 2016-06-15 17:39 - 00000000 ____D C:\Users\James\Downloads\FRST-OlderVersion
2016-06-13 19:45 - 2016-06-13 19:45 - 00119056 _____ C:\Users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2016-06-13 19:00 - 2016-06-13 19:01 - 05117560 _____ C:\Windows\system32\FNTCACHE.DAT
2016-06-13 18:50 - 2016-06-13 18:50 - 00017228 _____ C:\Users\James\Documents\cc_20160613_185000.reg
2016-06-13 18:49 - 2016-06-13 18:49 - 00002798 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-06-12 15:29 - 2016-06-12 15:29 - 00030456 _____ C:\Users\James\AppData\Local\recently-used.xbel
2016-06-11 17:51 - 2016-06-11 17:52 - 00209384 _____ C:\TDSSKiller.3.1.0.9_11.06.2016_17.51.16_log.txt
2016-06-11 17:49 - 2016-06-11 17:50 - 00006906 _____ C:\TDSSKiller.3.1.0.9_11.06.2016_17.49.14_log.txt
2016-06-11 17:49 - 2016-06-11 17:49 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2016-06-11 17:45 - 2016-06-11 17:45 - 00000000 ____D C:\TDSSKiller_Quarantine
2016-06-11 17:43 - 2016-06-11 17:47 - 00418414 _____ C:\TDSSKiller.3.1.0.9_11.06.2016_17.43.27_log.txt
2016-06-11 17:34 - 2016-06-15 17:40 - 00000000 ____D C:\FRST
2016-06-11 17:33 - 2016-06-15 17:39 - 02385920 _____ (Farbar) C:\Users\James\Downloads\FRST64.exe
2016-06-05 09:34 - 2016-06-05 09:39 - 83842428 _____ C:\Users\James\Documents\Bootlog-2.pml
2016-06-05 09:33 - 2016-06-05 09:39 - 328408312 _____ C:\Users\James\Documents\Bootlog.pml
2016-06-05 09:33 - 2016-06-05 09:39 - 301079611 _____ C:\Users\James\Documents\Bootlog-1.pml
2016-06-04 10:27 - 2016-06-04 10:27 - 00000000 ____D C:\Users\James\Downloads\SysinternalsSuite
2016-05-16 20:12 - 2016-04-14 14:49 - 00603648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll
2016-05-16 20:12 - 2016-04-14 14:21 - 00647680 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2016-05-16 19:48 - 2016-04-23 18:08 - 00394960 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-05-16 19:48 - 2016-04-23 17:24 - 00346312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2016-05-16 19:48 - 2016-04-23 06:25 - 25816064 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-05-16 19:48 - 2016-04-23 06:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-05-16 19:48 - 2016-04-23 06:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-05-16 19:48 - 2016-04-23 06:01 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-05-16 19:48 - 2016-04-23 06:00 - 02893312 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-05-16 19:48 - 2016-04-23 06:00 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-05-16 19:48 - 2016-04-23 06:00 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-05-16 19:48 - 2016-04-23 06:00 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-05-16 19:48 - 2016-04-23 06:00 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-05-16 19:48 - 2016-04-23 05:52 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-05-16 19:48 - 2016-04-23 05:51 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-05-16 19:48 - 2016-04-23 05:48 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-05-16 19:48 - 2016-04-23 05:47 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-05-16 19:48 - 2016-04-23 05:47 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-05-16 19:48 - 2016-04-23 05:47 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-05-16 19:48 - 2016-04-23 05:47 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-05-16 19:48 - 2016-04-23 05:46 - 06052352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-05-16 19:48 - 2016-04-23 05:40 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-05-16 19:48 - 2016-04-23 05:36 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-05-16 19:48 - 2016-04-23 05:29 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-05-16 19:48 - 2016-04-23 05:27 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-05-16 19:48 - 2016-04-23 05:25 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-05-16 19:48 - 2016-04-23 05:24 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-05-16 19:48 - 2016-04-23 05:21 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-05-16 19:48 - 2016-04-23 05:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2016-05-16 19:48 - 2016-04-23 05:20 - 00152064 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-05-16 19:48 - 2016-04-23 05:11 - 20350464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-05-16 19:48 - 2016-04-23 05:09 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-05-16 19:48 - 2016-04-23 05:08 - 00497152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-05-16 19:48 - 2016-04-23 05:08 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2016-05-16 19:48 - 2016-04-23 05:08 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2016-05-16 19:48 - 2016-04-23 05:07 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-05-16 19:48 - 2016-04-23 05:07 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2016-05-16 19:48 - 2016-04-23 05:07 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2016-05-16 19:48 - 2016-04-23 05:06 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-05-16 19:48 - 2016-04-23 05:06 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-05-16 19:48 - 2016-04-23 05:05 - 02131968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-05-16 19:48 - 2016-04-23 05:04 - 02285568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2016-05-16 19:48 - 2016-04-23 05:02 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2016-05-16 19:48 - 2016-04-23 05:01 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2016-05-16 19:48 - 2016-04-23 05:00 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-05-16 19:48 - 2016-04-23 04:59 - 00476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2016-05-16 19:48 - 2016-04-23 04:58 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-05-16 19:48 - 2016-04-23 04:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2016-05-16 19:48 - 2016-04-23 04:58 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2016-05-16 19:48 - 2016-04-23 04:51 - 02596864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-05-16 19:48 - 2016-04-23 04:50 - 00416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2016-05-16 19:48 - 2016-04-23 04:45 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-05-16 19:48 - 2016-04-23 04:44 - 00091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2016-05-16 19:48 - 2016-04-23 04:43 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2016-05-16 19:48 - 2016-04-23 04:41 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2016-05-16 19:48 - 2016-04-23 04:40 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2016-05-16 19:48 - 2016-04-23 04:39 - 01547776 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-05-16 19:48 - 2016-04-23 04:39 - 00130048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2016-05-16 19:48 - 2016-04-23 04:36 - 04611072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-05-16 19:48 - 2016-04-23 04:33 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2016-05-16 19:48 - 2016-04-23 04:31 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-05-16 19:48 - 2016-04-23 04:30 - 02056192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2016-05-16 19:48 - 2016-04-23 04:30 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2016-05-16 19:48 - 2016-04-23 04:28 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-05-16 19:48 - 2016-04-23 04:26 - 13811200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-05-16 19:48 - 2016-04-23 04:12 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-05-16 19:48 - 2016-04-23 04:09 - 01312256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-05-16 19:48 - 2016-04-23 04:07 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-05-16 19:48 - 2016-04-09 08:02 - 00631176 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2016-05-16 19:48 - 2016-04-09 08:01 - 05546216 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-05-16 19:48 - 2016-04-09 08:01 - 00706280 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2016-05-16 19:48 - 2016-04-09 08:01 - 00154344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-05-16 19:48 - 2016-04-09 08:01 - 00095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-05-16 19:48 - 2016-04-09 07:59 - 03998952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-05-16 19:48 - 2016-04-09 07:59 - 03943144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-05-16 19:48 - 2016-04-09 07:59 - 01732864 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00344064 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2016-05-16 19:48 - 2016-04-09 07:58 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 01464320 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 01314112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 01163264 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00880640 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00730624 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00463872 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00419840 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00316416 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00312320 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00059904 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00034816 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:57 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00666112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00644096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00553472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00342528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00275456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00260608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00251392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00223232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 07:54 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2016-05-16 19:48 - 2016-04-09 06:52 - 00148480 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2016-05-16 19:48 - 2016-04-09 06:52 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2016-05-16 19:48 - 2016-04-09 06:52 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2016-05-16 19:48 - 2016-04-09 06:51 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-05-16 19:48 - 2016-04-09 06:48 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2016-05-16 19:48 - 2016-04-09 06:47 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2016-05-16 19:48 - 2016-04-09 06:44 - 00291328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-05-16 19:48 - 2016-04-09 06:44 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-05-16 19:48 - 2016-04-09 06:44 - 00129536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-05-16 19:48 - 2016-04-09 06:43 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2016-05-16 19:48 - 2016-04-09 06:43 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-05-16 19:48 - 2016-04-09 06:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2016-05-16 19:48 - 2016-04-09 06:38 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2016-05-16 19:48 - 2016-04-09 06:38 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2016-05-16 19:48 - 2016-04-09 06:38 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2016-05-16 19:48 - 2016-04-09 06:38 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2016-05-16 19:48 - 2016-04-09 06:37 - 00036352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptbase.dll
2016-05-16 19:48 - 2016-04-09 06:37 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 06:37 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 06:37 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-05-16 19:48 - 2016-04-09 06:37 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-05-16 19:48 - 2016-04-06 16:27 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\jnwmon.dll
2016-05-16 19:47 - 2016-04-09 08:01 - 00986344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2016-05-16 19:47 - 2016-04-09 08:01 - 00264936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2016-05-16 19:47 - 2016-04-09 07:57 - 00405504 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-05-16 19:47 - 2016-04-09 07:57 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2016-05-16 19:47 - 2016-04-09 07:54 - 00312832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-05-16 19:47 - 2016-04-09 06:49 - 03217408 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-05-16 19:45 - 2016-04-09 05:20 - 01230848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2016-05-16 19:45 - 2016-04-09 04:52 - 01424896 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-15 17:39 - 2009-07-14 06:12 - 00863968 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-15 17:39 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-06-15 17:36 - 2015-07-20 18:10 - 00004184 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-06-15 17:34 - 2015-01-26 16:41 - 00000091 _____ C:\HaxLogs.txt
2016-06-15 17:34 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-13 21:38 - 2015-01-04 22:56 - 00007628 _____ C:\Users\James\AppData\Local\Resmon.ResmonCfg
2016-06-13 21:38 - 2015-01-04 20:09 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2016-06-13 20:40 - 2015-01-04 21:15 - 00000000 ____D C:\Program Files (x86)\Steam
2016-06-13 19:37 - 2009-07-14 05:50 - 00020336 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-13 19:37 - 2009-07-14 05:50 - 00020336 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-13 19:16 - 2015-01-04 20:10 - 00000000 __SHD C:\Users\James\IntelGraphicsProfiles
2016-06-13 18:58 - 2015-01-04 22:40 - 00000000 ____D C:\Users\James\AppData\Local\Adobe
2016-06-13 18:57 - 2015-06-07 22:51 - 00000000 ____D C:\Users\James\AppData\Local\CrashDumps
2016-06-12 18:17 - 2015-01-04 21:31 - 00000000 ____D C:\Users\James\AppData\Roaming\Audacity
2016-06-12 15:35 - 2015-01-04 21:46 - 00000000 ____D C:\Users\James\AppData\Roaming\vlc
2016-06-12 15:29 - 2015-01-10 21:27 - 00000000 ____D C:\Users\James\AppData\Local\gtk-2.0
2016-06-12 15:29 - 2015-01-10 21:25 - 00000000 ____D C:\Users\James\.gimp-2.8
2016-06-12 11:24 - 2015-01-07 17:10 - 00000000 ____D C:\ProgramData\boost_interprocess
2016-06-09 17:42 - 2015-01-04 17:54 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-09 17:42 - 2015-01-04 17:54 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-08 19:37 - 2016-03-19 14:22 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-05 09:42 - 2009-07-14 04:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-06-04 23:46 - 2016-04-04 17:25 - 11438608 _____ (SurfRight B.V.) C:\Users\James\Downloads\hitmanpro_x64.exe
2016-06-04 23:42 - 2015-01-04 17:54 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-04 23:42 - 2015-01-04 17:54 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-04 22:09 - 2015-05-14 19:44 - 00000000 ____D C:\Program Files (x86)\GalaxyClient
2016-06-04 22:08 - 2015-01-04 17:54 - 00003906 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-06-04 22:08 - 2015-01-04 17:54 - 00003654 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-06-04 17:27 - 2015-01-04 22:21 - 00000000 ____D C:\Users\James\AppData\Local\Dxtory Software
2016-05-22 10:43 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\NDF
2016-05-21 12:55 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache
2016-05-16 20:01 - 2011-04-12 08:43 - 00000000 ____D C:\Program Files\Windows Journal
2016-05-16 19:58 - 2015-01-05 01:11 - 00000000 ____D C:\Windows\system32\MRT
2016-05-16 19:51 - 2015-01-05 01:11 - 139319312 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
==================== Files in the root of some directories =======
 
2016-06-12 15:29 - 2016-06-12 15:29 - 0030456 _____ () C:\Users\James\AppData\Local\recently-used.xbel
2015-01-04 22:56 - 2016-06-13 21:38 - 0007628 _____ () C:\Users\James\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-05-30 23:18
 
==================== End of FRST.txt ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:15-06-2016
Ran by James (2016-06-15 17:40:58)
Running from C:\Users\James\Downloads
Windows 7 Professional N Service Pack 1 (X64) (2015-01-04 16:43:54)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2976423211-1815451802-357841541-500 - Administrator - Disabled)
James (S-1-5-21-2976423211-1815451802-357841541-1000 - Administrator - Enabled) => C:\Users\James
Guest (S-1-5-21-2976423211-1815451802-357841541-501 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ACP Application (Version: 2016.0321.0955.20 - Advanced Micro Devices, Inc.) Hidden
Adobe Audition CC 2015 (HKLM-x32\...\{839A3566-AED6-4787-A849-5CBE2B1DC6AE}) (Version: 8.0 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.6.0.248 - Adobe Systems Incorporated)
Adobe Media Encoder CC 2014 (HKLM-x32\...\{663DEEEF-EF34-4DCB-8687-73A7AA146E02}) (Version: 8.2.0 - Adobe Systems Incorporated)
Adobe Media Encoder CC 2015 (HKLM-x32\...\{0FAC7130-BEC5-47A5-8813-1D339B8326ED}) (Version: 9.0.0 - Adobe Systems Incorporated)
Adobe Photoshop CC 2015 (HKLM-x32\...\{793C2BF7-A4FE-4608-91C9-9282C5801C21}) (Version: 16.1 - Adobe Systems Incorporated)
Adobe Premiere Pro CC 2014 (HKLM-x32\...\{07BE616F-9E42-4C90-AF4F-0F32A5B088E7}) (Version: 8.2.0 - Adobe Systems Incorporated)
Adobe Premiere Pro CC 2015 (HKLM-x32\...\{38C72D42-0672-43B1-9E05-E7631684F9A1}) (Version: 9.0.0 - Adobe Systems Incorporated)
Alternative Look for Yennefer (HKLM-x32\...\Alternative Look for Yennefer_is1) (Version: 1.0.0.0 - GOG.com)
AMD Install Manager (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.4 - Advanced Micro Devices, Inc.)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 11.2.2261 - AVAST Software)
Beard and Hairstyle Set (HKLM-x32\...\Beard and Hairstyle Set_is1) (Version: 1.0.0.0 - GOG.com)
BioShock Infinite (HKLM-x32\...\Steam App 8870) (Version:  - Irrational Games)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Blend for Visual Studio 2012 (x32 Version: 5.0.30709.0 - Microsoft Corporation) Hidden
Blend for Visual Studio 2012 ENU resources (x32 Version: 5.0.30709.0 - Microsoft Corporation) Hidden
Catalyst Control Center Next Localization BR (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.0321.1015.16463 - Advanced Micro Devices, Inc.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.17 - Piriform)
DARK SOULS III (HKLM\...\Steam App 374320) (Version:  - FromSoftware, Inc.)
Dishonored (HKLM-x32\...\Steam App 205100) (Version: 1.0 - Bethesda Softworks)
Dotfuscator and Analytics Community Edition (x32 Version: 5.5.4521.29298 - PreEmptive Solutions) Hidden
Dxtory version 2.0.126 (HKLM-x32\...\Dxtory2.0_is1) (Version: 2.0.126 - ExKode Co. Ltd.)
Elgato Game Capture HD (HKLM-x32\...\{BE184330-F4FA-439D-9FBC-6A621D069668}) (Version: 2.10.64.871 - Elgato Systems GmbH)
Entity Framework Designer for Visual Studio 2012 - enu (HKLM-x32\...\{0A1A1D48-DB23-443A-BC7B-49255D138020}) (Version: 11.1.20702.00 - Microsoft Corporation)
F.E.A.R. 3 (HKLM-x32\...\Steam App 21100) (Version:  - Day 1 Studios)
Fallout 3 - Game of the Year Edition (HKLM-x32\...\Steam App 22370) (Version:  - Bethesda Game Studios)
Fallout 4 (HKLM-x32\...\Steam App 377160) (Version:  - Bethesda Game Studios)
Fallout: New Vegas (HKLM-x32\...\Steam App 22380) (Version:  - Obsidian Entertainment)
Game Capture HD v2.3.3.38 (HKLM-x32\...\Software_Elgato_Game Capture HD) (Version: 2.3.3.38 - Elgato Systems)
Game Capture HD60 v2.1.1.3 (HKLM-x32\...\Software_Elgato_Game Capture HD60) (Version: 2.1.1.3 - Elgato Systems)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
GOG Galaxy (HKLM-x32\...\{7258BA11-600C-430E-A759-27E2C691A335}_is1) (Version:  - GOG.com)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.84 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
Hyper Light Drifter (HKLM\...\Steam App 257850) (Version:  - Heart Machine)
IIS 8.0 Express (HKLM\...\{7BF61FA9-BDFB-4563-98AD-FCB0DA28CCC7}) (Version: 8.0.1557 - Microsoft Corporation)
IIS Express Application Compatibility Database for x64 (HKLM\...\{9f4f4a9b-eec5-4906-92fe-d1f43ccf5c8d}.sdb) (Version:  - )
IIS Express Application Compatibility Database for x86 (HKLM\...\{fdfba1f3-74ae-4255-9c10-a0f552b4610f}.sdb) (Version:  - )
Intel® Chipset Device Software (x32 Version: 10.0.13 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1204 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4264 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 3.0.0.16 - Intel Corporation)
Intel® Hardware Accelerated Execution Manager (HKLM\...\{ECCB31F5-435D-4F37-A98D-5854D3C62718}) (Version: 1.1.1 - Intel Corporation)
Java 8 Update 31 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418031F0}) (Version: 8.0.310 - Oracle Corporation)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Lagarith Lossless Codec (1.3.27) (HKLM-x32\...\{F59AC46C-10C3-4023-882C-4212A92283B3}_is1) (Version:  - )
LocalESPC (x32 Version: 8.59.25584 - Microsoft Corporation) Hidden
LocalESPCui for en-us (x32 Version: 8.59.25584 - Microsoft) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Matrox VFW Software Codecs, build 2.0.0.11381  (HKLM\...\Matrox VFW Software Codecs) (Version:  - Matrox Electronic Systems)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM-x32\...\{5CBFF3F3-2D40-34EE-BCA5-A95BC19E400D}) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5 SDK (HKLM-x32\...\{1948E039-EC79-4591-951D-9867A8C14C90}) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft ASP.NET MVC 3 (HKLM-x32\...\{DCDEC776-BADD-48B9-8F9A-DFF513C3D7FA}) (Version: 3.0.20105.0 - Microsoft Corporation)
Microsoft ASP.NET Web Pages (HKLM-x32\...\{631471BE-DEAB-454B-A9AC-CE3EB42C28B3}) (Version: 1.0.20105.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{59E4543A-D49D-4489-B445-473D763C79AF}) (Version: 2.0.672.0 - Microsoft Corporation)
Microsoft Help Viewer 2.0 (HKLM-x32\...\Microsoft Help Viewer 2.0) (Version: 2.0.50727 - Microsoft Corporation)
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4815.1001 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.10411.0 - Microsoft Corporation)
Microsoft Silverlight 4 SDK (HKLM-x32\...\{189AEA94-DAFB-487A-8CEE-F9D3DDE0A748}) (Version: 4.0.60310.0 - Microsoft Corporation)
Microsoft Silverlight 5 SDK (HKLM-x32\...\{E1FBB3D4-ADB0-4949-B101-855DA061C735}) (Version: 5.0.61118.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Command Line Utilities  (HKLM\...\{9D573E71-1077-4C7E-B4DB-4E22A5D2B48B}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM\...\{36E619BC-A234-4EC3-849B-779A7C865A45}) (Version: 11.0.2316.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework  (HKLM-x32\...\{FBA6F90E-36EC-4FC9-9B25-3834E3BD46A8}) (Version: 11.0.2316.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Express LocalDB  (HKLM\...\{13D558FE-A863-402C-B115-160007277033}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (HKLM-x32\...\{DA1C1761-5F4F-4332-AB9D-29EDF3F8EA0A}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects  (x64) (HKLM\...\{FA0A244E-F3C2-4589-B42A-3D522DE79A42}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client  (HKLM\...\{49D665A2-4C2A-476E-9AB8-FCC425F526FC}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL Compiler Service  (HKLM\...\{BEB0F91E-F2EA-48A1-B938-7857ABF2A93D}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom  (HKLM\...\{0E8670B8-3965-4930-ADA6-570348B67153}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service  (HKLM-x32\...\{6D6D43E5-218C-4B05-92D3-2240810F4760}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (11.1.20627.00) (HKLM-x32\...\{FA804794-2CCB-4301-954F-2C2894698876}) (Version: 11.1.20627.00 - Microsoft Corporation)
Microsoft SQL Server Data Tools Build Utilities - enu (11.1.20627.00) (HKLM-x32\...\{790E9425-8570-493F-9AE7-81AFC9E46930}) (Version: 11.1.20627.00 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (HKLM-x32\...\{A47FD1BF-A815-4A76-BE65-53A15BD5D25D}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft SQL Server System CLR Types (x64) (HKLM\...\{4701DEDE-1888-49E0-BAE5-857875924CA2}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM-x32\...\{E2082604-4BA5-44BB-BBFB-AF0F3CB8C6AB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (x64) (HKLM\...\{F1949145-EB64-4DE7-9D81-E6D27937146C}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.31125 - Microsoft Corporation)
Microsoft Visual Studio Professional 2012 (HKLM-x32\...\{20fc1ec7-3058-48d4-80f8-e1cfd52391c7}) (Version: 11.0.50727.26 - Microsoft Corporation)
Microsoft Web Deploy 3.0 (HKLM\...\{AA72C306-30BE-4BB1-9E42-59552BAD2CDF}) (Version: 3.1236.1631 - Microsoft Corporation)
Microsoft Web Deploy dbSqlPackage Provider - enu (HKLM-x32\...\{E4C33F5B-1B2F-466E-957E-B274F08151A0}) (Version: 10.3.20225.0 - Microsoft Corporation)
Microsoft Web Platform Installer 4.0 (HKLM\...\{E2B8249D-895C-4685-8C83-00F3B1A13028}) (Version: 4.0.1622 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
New Quest - Contract Missing Miners (HKLM-x32\...\New Quest - Contract Missing Miners_is1) (Version: 1.0.0.0 - GOG.com)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.3 - Notepad++ Team)
NVIDIA PhysX (HKLM-x32\...\{46ED2B64-85C7-4E1F-920C-A555B21F2E4C}) (Version: 9.11.1111 - NVIDIA Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4815.1001 - Microsoft Corporation) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Portal (HKLM-x32\...\Steam App 400) (Version:  - Valve)
Portal 2 (HKLM-x32\...\Steam App 620) (Version:  - Valve)
PreEmptive Analytics Visual Studio Components (x32 Version: 1.0.2180.1 - PreEmptive Solutions) Hidden
Prerequisites for SSDT  (HKLM-x32\...\{9169C939-ED01-446A-BD0C-29873BAF4E48}) (Version: 11.0.2100.60 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7256 - Realtek Semiconductor Corp.)
Skype™ 7.8 (HKLM-x32\...\{6A0549A9-1B96-498C-ACBC-3943001FEB19}) (Version: 7.8.102 - Skype Technologies S.A.)
Sound Blaster X-Fi MB3 (HKLM-x32\...\{3689CE39-3173-4952-B7AF-F1A9D6F9A288}) (Version: 1.00.03 - Creative Technology Limited)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Temerian Armor Set (HKLM-x32\...\Temerian Armor Set_is1) (Version: 1.0.0.0 - GOG.com)
The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version:  - Bethesda Game Studios)
The Witcher 3 - Wild Hunt (HKLM-x32\...\1207664643_is1) (Version: 1.0.6.0 - GOG.com)
TP-LINK Wireless Client Utility (HKLM-x32\...\{5EF44D3A-E86E-434C-8418-71E277C565DF}) (Version: 2.0 - TP-LINK)
Undertale (HKLM-x32\...\Steam App 391540) (Version:  - tobyfox)
Update for  (KB2504637) (HKLM-x32\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WCF Data Services 5.0 (for OData v3) Primary Components (x32 Version: 5.0.50628.0 - Microsoft Corporation) Hidden
WCF Data Services Tools for Microsoft Visual Studio 2012 (x32 Version: 5.0.50710.0 - Microsoft Corporation) Hidden
WCF RIA Services V1.0 SP2 (HKLM-x32\...\{3A523AF9-D32F-4C85-8388-0335731F3405}) (Version: 4.1.61829.0 - Microsoft Corporation)
WhoCrashed 5.03 (HKLM\...\WhoCrashed_is1) (Version:  - Resplendence Software Projects Sp.)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-2976423211-1815451802-357841541-1000_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {060C4E3E-8B93-4E83-8004-948B4AD3E63C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-28] (Microsoft Corporation)
Task: {2400F326-A83A-4CA5-9D73-3CF640E415AC} - System32\Tasks\AdobeAAMUpdater-1.0-HairyApricot-James => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2016-03-22] (Adobe Systems Incorporated)
Task: {3C07178A-1EA8-43E1-95EB-A99BCA7C7206} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-06-02] (AVAST Software)
Task: {5624929B-BB5F-4AB7-A8DC-8F42139016CC} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-28] (Microsoft Corporation)
Task: {5681E3BC-CCA2-4659-AFC5-FBE46C976729} - System32\Tasks\AMD Updater => C:\Program Files\AMD\CIM\\Bin64\InstallManagerApp.exe [2016-03-21] (Advanced Micro Devices, Inc.)
Task: {573B23D4-3568-4EE1-9D11-49F2667D4D47} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-04-15] (Piriform Ltd)
Task: {77A9275D-99DA-4D7D-9B77-A57806F62000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {AF9FF0DB-1C47-4A67-A639-A5D1ACD2AC6C} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {B5B06214-9C4B-4901-B596-2BB86F8C5D82} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {C32DCEBB-BEB6-4958-AE9F-B218B768B6E7} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-04-21] (AVAST Software)
Task: {CCA7E94D-BF05-4064-96FC-C153588104BB} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2016-03-16] (Microsoft Corporation)
Task: {EC3C55AF-96BB-4686-8A24-AF36BF31FE97} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-04-01 23:18 - 2016-04-01 23:18 - 00426160 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
2015-10-28 19:12 - 2015-09-01 17:04 - 08901184 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2015-01-04 18:07 - 2013-01-25 12:08 - 00089600 _____ () C:\Windows\SYSTEM32\CmdRtr64.DLL
2015-01-04 18:07 - 2013-01-25 12:06 - 00328704 _____ () C:\Windows\SYSTEM32\APOMgr64.DLL
2016-04-21 19:41 - 2016-04-21 19:41 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-04-21 19:41 - 2016-04-21 19:41 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-06-13 19:22 - 2016-06-13 19:22 - 02932736 _____ () C:\Program Files\AVAST Software\Avast\defs\16061301\algo.dll
2016-06-15 17:36 - 2016-06-15 17:36 - 02934272 _____ () C:\Program Files\AVAST Software\Avast\defs\16061500\algo.dll
2016-04-21 19:41 - 2016-04-21 19:41 - 00478144 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-01-06 18:43 - 2016-01-06 18:43 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2016-06-09 17:41 - 2016-06-04 02:56 - 01745560 _____ () C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\libglesv2.dll
2016-06-09 17:41 - 2016-06-04 02:56 - 00091288 _____ () C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\31289661.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\31289661.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-2976423211-1815451802-357841541-1000\...\sharepoint.com -> hxxps://qubstudentcloud.sharepoint.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2976423211-1815451802-357841541-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\James\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: AdobeUpdateService => 3
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: amdacpusrsvc => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: Creative ALchemy AL6 Licensing Service => 3
MSCONFIG\Services: Creative Audio Engine Licensing Service => 3
MSCONFIG\Services: CTAudSvcService => 2
MSCONFIG\Services: GalaxyClientService => 3
MSCONFIG\Services: GalaxyCommunication => 3
MSCONFIG\Services: gupdate => 3
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: IAStorDataMgrSvc => 2
MSCONFIG\Services: igfxCUIService1.0.0.0 => 2
MSCONFIG\Services: RzWizardService => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: Steam Client Service => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Killer Network Manager.lnk => C:\Windows\pss\Killer Network Manager.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Creative Cloud => "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: Dxtory Update Checker 2.0 => C:\Program Files (x86)\ExKode\Dxtory2.0\UpdateChecker.exe
MSCONFIG\startupreg: GalaxyClient => 
MSCONFIG\startupreg: Raptr => "C:\Program Files (x86)\Raptr\raptrstub.exe" --startup
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: RzWizard => C:\Program Files (x86)\Razer\RzWizard\RzWizard.exe
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: Sound Blaster X-Fi MB 3 => "C:\Program Files (x86)\Creative\Sound Blaster X-Fi MB3\Sound Blaster X-Fi MB3\SBXFIMB3.exe" /r
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
MSCONFIG\startupreg: StartCN => "C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe" atlogon
MSCONFIG\startupreg: UpdReg => C:\Windows\UpdReg.EXE
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{7F27600A-A4C4-4D58-9D00-B368F0B33634}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{8C7A04CF-6A37-4935-B882-56EDCC17EEAB}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{9F9EDC52-A8B6-4B21-BB7E-07AF915629AF}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{71D642AA-4E80-4744-A8DD-2A5ACB28BA0A}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{A19655D6-4F03-46F1-9226-019FC8FA333D}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{91DB82A9-25C9-4B55-8526-ECAAC06DCBF6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Skyrim\SkyrimLauncher.exe
FirewallRules: [{55378C91-6C4B-4E85-9CA4-BFA31DD3ECB6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Skyrim\SkyrimLauncher.exe
FirewallRules: [{6A161F3E-7880-4311-B15A-B8193319157C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{6F29D556-4E19-4E96-833A-2F3DF98ACD35}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{F5B2237D-60C5-425E-AC9D-18679AA07FD9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout 3 goty\FalloutLauncher.exe
FirewallRules: [{F3F90EC4-2CDE-41A3-9AFA-7DF904DA1DC9}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout 3 goty\FalloutLauncher.exe
FirewallRules: [{D9370DB5-2696-42C5-BC97-E9026A986506}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Portal 2\portal2.exe
FirewallRules: [{0AD95419-B843-4C5C-9575-D2773D65D6E7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Portal 2\portal2.exe
FirewallRules: [{E31C3393-F40C-422D-B090-3D5D40A52986}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Portal\hl2.exe
FirewallRules: [{760B06BF-46FC-4A07-8942-6B92594A972A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Portal\hl2.exe
FirewallRules: [{25370342-0BE2-4ABB-91FC-D99CF971C4FD}] => (Allow) C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\devenv.exe
FirewallRules: [{A6D28DAC-4F9E-46AD-A3AE-3180A17FEBB7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe
FirewallRules: [{FFD043AF-CBB8-43D6-A832-1652CB29C6BD}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\BioShock Infinite\Binaries\Win32\BioShockInfinite.exe
FirewallRules: [{71083E46-92FD-43B8-8472-69E2E44B7FB2}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [TCP Query User{170D81C3-BE21-4542-8ED5-982F1F21407B}C:\users\James\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe] => (Allow) C:\users\James\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe
FirewallRules: [UDP Query User{452FE1D6-9EBC-4CD8-8F25-C326C2380290}C:\users\James\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe] => (Allow) C:\users\James\downloads\eclipse-java-luna-sr2-win32-x86_64\eclipse\eclipse.exe
FirewallRules: [{4C7C0C4E-C4EA-4636-A29E-FD55D1F63A9E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\F.E.A.R. 3\F.E.A.R. 3.exe
FirewallRules: [{3DD72C96-1820-4956-ABC3-ABEAF09B268C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\F.E.A.R. 3\F.E.A.R. 3.exe
FirewallRules: [{E63709D2-1934-46E2-81FC-0D631F3C90D3}] => (Allow) E:\SteamLibrary\steamapps\common\Dishonored\Binaries\Win32\Dishonored.exe
FirewallRules: [{168EE444-3313-4D06-9BD0-E500A66C6E68}] => (Allow) E:\SteamLibrary\steamapps\common\Dishonored\Binaries\Win32\Dishonored.exe
FirewallRules: [TCP Query User{13F44B19-FADD-4917-AC4B-24C374183626}C:\users\James\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\users\James\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{0D6CC184-05B6-4D60-A9FF-669D6573E67E}C:\users\James\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\users\James\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [{ED44E0F5-455E-45AA-890E-B52BE7B8A6FE}] => (Allow) E:\SteamLibrary\steamapps\common\Fallout 4\Fallout4Launcher.exe
FirewallRules: [{E5F185D2-66D2-4826-A4A3-5EE26785DE25}] => (Allow) E:\SteamLibrary\steamapps\common\Fallout 4\Fallout4Launcher.exe
FirewallRules: [{B78BF348-11B1-4E1E-B297-5F752BEBE2A7}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{653B8535-B69D-4176-8E74-2E253BD82AEC}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{E93333D7-DAB6-4647-9158-2C33C1F5BEE6}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{30AEF147-EA88-46EA-8B40-031AC07E61FF}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{DEC54F7F-C313-4FB7-BB5D-4F70307F0D86}] => (Allow) E:\SteamLibrary\steamapps\common\Undertale\UNDERTALE.exe
FirewallRules: [{05E56975-2B15-41B9-A424-B4CD68053583}] => (Allow) E:\SteamLibrary\steamapps\common\Undertale\UNDERTALE.exe
FirewallRules: [{CC00B484-A4BD-4B2E-8C0D-116CE6FFBBA2}] => (Block) C:\Windows\explorer.exe
FirewallRules: [{F7236924-C0DD-4E6A-9ED0-734DCCF5A43E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\HyperLightDrifter\HyperLightDrifter.exe
FirewallRules: [{54713672-BB5B-4630-A5C3-A7A24A6C3255}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\HyperLightDrifter\HyperLightDrifter.exe
FirewallRules: [{23605C17-633A-4E7A-9A81-C2ECE234021C}] => (Block) %ProgramFiles% (x86)\ExKode\Dxtory2.0\Dxtory.exe
FirewallRules: [{C15AE72B-4CAC-4A08-952E-3D4F3C6542BA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{A3CD5B15-2A83-4477-B94E-FA7DD6959D5E}] => (Block) %ProgramFiles% (x86)\ExKode\Dxtory2.0\Dxtory64.exe
FirewallRules: [{63964C9E-3589-4DB9-B0D2-C39672232917}] => (Block) %SystemRoot%\System32\DeviceDisplayObjectProvider.exe
FirewallRules: [{69A4938F-F25F-42A6-AF48-EF8ACCA87C40}] => (Allow) E:\SteamLibrary\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe
FirewallRules: [{10BA5E09-EE94-4750-A767-611A102570DB}] => (Allow) E:\SteamLibrary\steamapps\common\DARK SOULS III\Game\DarkSoulsIII.exe
 
==================== Restore Points =========================
 
29-03-2016 16:12:55 Device Driver Package Install: Advanced Micro Devices Sound, video and game controllers
02-04-2016 14:48:48 Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026
02-04-2016 14:49:27 Windows Update
08-04-2016 17:40:02 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-04-2016 17:40:19 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
13-04-2016 18:24:55 Windows Update
21-04-2016 21:01:22 Scheduled Checkpoint
01-05-2016 14:39:51 Scheduled Checkpoint
08-05-2016 18:55:27 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 18:56:04 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 18:56:41 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 18:57:41 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 19:14:05 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 19:14:22 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 19:14:49 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 19:15:09 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 20:31:27 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 20:31:39 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 20:32:03 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 20:32:26 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 20:46:23 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 20:46:47 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 20:47:30 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 20:48:00 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 20:52:27 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 20:52:40 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 21:05:34 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 21:05:55 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 21:06:17 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 21:06:42 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 21:15:22 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 21:15:34 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 21:15:56 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 21:16:19 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 21:27:23 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 21:27:35 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 21:28:02 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 21:28:20 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 21:35:58 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 21:36:15 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 21:36:36 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 21:36:56 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
08-05-2016 22:01:18 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
08-05-2016 22:01:37 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
08-05-2016 22:02:00 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
08-05-2016 22:02:19 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
12-05-2016 19:40:50 Removed Adobe Acrobat Reader DC.
16-05-2016 19:48:51 Windows Update
16-05-2016 20:12:53 Windows Update
16-05-2016 22:31:33 Windows Modules Installer
16-05-2016 22:35:03 Windows Modules Installer
 
==================== Faulty Device Manager Devices =============
 
Name: Ethernet Controller
Description: Ethernet Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/15/2016 05:35:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/13/2016 07:30:33 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/13/2016 07:21:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/13/2016 07:15:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/13/2016 07:09:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/13/2016 07:02:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/13/2016 06:44:59 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/12/2016 09:47:03 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/11/2016 05:49:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/11/2016 03:26:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0xef0
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3
 
 
System errors:
=============
Error: (06/15/2016 05:35:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The VBoxAsw Support Driver service failed to start due to the following error: 
%%3 = The system cannot find the path specified.
 
 
Error: (06/13/2016 07:30:26 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error: 
%%1053 = The service did not respond to the start or control request in a timely fashion.
 
 
Error: (06/13/2016 07:30:26 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The VBoxAsw Support Driver service failed to start due to the following error: 
%%3 = The system cannot find the path specified.
 
 
Error: (06/13/2016 07:30:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Net.Tcp Port Sharing Service service failed to start due to the following error: 
%%1053 = The service did not respond to the start or control request in a timely fashion.
 
 
Error: (06/13/2016 07:30:25 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Net.Tcp Port Sharing Service service to connect.
 
Error: (06/13/2016 07:27:11 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error: 
%%5 = Access is denied.
 
 
Error: (06/13/2016 07:21:41 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Net.Tcp Listener Adapter service depends on the Net.Tcp Port Sharing Service service which failed to start because of the following error: 
%%1053 = The service did not respond to the start or control request in a timely fashion.
 
 
Error: (06/13/2016 07:21:41 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The VBoxAsw Support Driver service failed to start due to the following error: 
%%3 = The system cannot find the path specified.
 
 
Error: (06/13/2016 07:21:40 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Net.Tcp Port Sharing Service service failed to start due to the following error: 
%%1053 = The service did not respond to the start or control request in a timely fashion.
 
 
Error: (06/13/2016 07:21:40 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Net.Tcp Port Sharing Service service to connect.
 
 
CodeIntegrity:
===================================
  Date: 2015-11-07 16:40:13.303
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.299
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.295
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.284
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.278
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.274
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\amd64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_f3153036f55ab3f5\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.058
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.054
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.050
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
  Date: 2015-11-07 16:40:13.040
  Description: Windows is unable to verify the integrity of the file \Device\HarddiskVolume3\$Windows.~BT\Updates\Critical\8e08ca47-f6ba-409d-82de-698e324c0004\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.10074.1_none_96f694b33cfd42bf\werfault.exe because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-4690K CPU @ 3.50GHz
Percentage of memory in use: 25%
Total physical RAM: 8077.24 MB
Available physical RAM: 6031.58 MB
Total Virtual: 16152.66 MB
Available Virtual: 13948.98 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:1862.79 GB) (Free:1621.25 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

Edited by HairyApricot, 15 June 2016 - 04:52 PM.



#2 HelpBot


Posted 20 June 2016 - 12:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/617403 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HairyApricot


Posted 21 June 2016 - 04:24 AM

I still require help, thank you


Edited by HairyApricot, 21 June 2016 - 04:25 AM.


#4 garioch7


Posted 22 June 2016 - 07:56 AM

HairyApricot:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I am a trainee in the Bleeping Computer Malware Removal Study Hall. I would like to address you by your first name, if that is alright with you since we will be working together.

I will be assisting you with your computer issues. All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor. This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs and consult with the Malware Response Instructor (MRI) who will be assigned to supervise this topic. That could take a few days. Once I have reviewed my proposed response with the assigned MRI, I will reply to you with initial instructions.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#5 garioch7


Posted 22 June 2016 - 12:40 PM

HairyApricot:


Thank you for your patience while I analyzed your FRST logs and consulted with the Malware Response Instructor assigned to your topic.

 


Step 1: I note that there is a group policy scripts restriction on your computer. Did you set it? This can sometimes occur as a result of a malware infection.

 


Step 2: I am going to clean up some orphaned entries on your computer. I am not seeing any indication of active malware, which is good news!

Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to your Downloads folder: C:\Users\James\Downloads, which is where FRST64.exe was located when you ran your scans. Please ensure that it is still in that folder.

NOTE: It's important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Run FRST64.exe and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.
 

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
S3 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]

The previous Malware Response Team member who assisted you did not find anything suspicious about the ongoing, sporadic network traffic that you expressed concerns about. I concur with his assessment. You have a lot of programs on your computer, so there is bound to be significant network traffic, from time to time, as the programs "call home." :) Let's just have a look at your network configuration.
 

 

 

Step 3: Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Devices

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

 

 

I will await the fixlog.txt file and your MiniToolBox log after you have run the fixlist.txt file and MiniToolBox.

If you have other concerns, please explain them in as much detail as possible.
 

 

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
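The question that started this thread was which service inside a shared svchost.exe process owned the outbound connections. The following is an added example, not code posted by anyone in this thread: it joins the output of two built-in Windows tools, `netstat -ano` (connection to owning PID) and `tasklist /svc` (PID to image name and the services hosted in it), so that each remote endpoint can be attributed to the service group that opened it. Both samples embedded below are constructed for the example; the PIDs, the TEST-NET addresses and the service groupings are illustrative and were not captured from the poster's machine.

```python
"""Attribute svchost.exe connections to the services hosted in the owning PID.

Added example (not from the thread). Correlates `netstat -ano` with
`tasklist /svc`. Samples below are constructed; PIDs, addresses (TEST-NET
ranges) and service groupings are illustrative only.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.68:49712     203.0.113.20:80        ESTABLISHED     1012
  TCP    192.168.1.68:49713     198.51.100.7:80        TIME_WAIT       1012
  TCP    192.168.1.68:49720     203.0.113.99:443       ESTABLISHED     2044
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       824
  UDP    0.0.0.0:5355           *:*                                    1140
"""

# Constructed sample of `tasklist /svc` output. Long service lists wrap onto
# indented continuation lines (PID 1012 below), which the parser must join.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    824 RpcEptMapper, RpcSs
svchost.exe                   1012 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
svchost.exe                   1140 Dhcp, EventLog, lmhosts
chrome.exe                    2044 N/A
"""

_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"  # UDP rows have no state
)
_TASKLIST_RE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field):
    """'CryptSvc, Dnscache,' -> ['CryptSvc', 'Dnscache']; 'N/A' -> []."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def _split_endpoint(endpoint):
    """'203.0.113.20:80' -> ('203.0.113.20', '80'); also '[ipv6]:port' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_tasklist_svc(text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc` output."""
    pid_to_entry = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _TASKLIST_RE.match(line)
        if m:
            current = (m.group("image"), _split_services(m.group("services")))
            pid_to_entry[int(m.group("pid"))] = current
        elif line[0].isspace() and current is not None:
            current[1].extend(_split_services(line))  # wrapped continuation line
    return pid_to_entry


def parse_netstat(text):
    """Rows of proto/local/remote/state/pid from `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        remote_ip, remote_port = _split_endpoint(m.group("remote"))
        rows.append({"proto": m.group("proto"), "local": m.group("local"),
                     "remote_ip": remote_ip, "remote_port": remote_port,
                     "state": m.group("state") or "", "pid": int(m.group("pid"))})
    return rows


def attribute(netstat_text, tasklist_text):
    """Join each connection to the image and service list of its owning PID."""
    pid_map = parse_tasklist_svc(tasklist_text)
    joined = []
    for row in parse_netstat(netstat_text):
        image, services = pid_map.get(row["pid"], ("<unknown>", []))
        joined.append({**row, "image": image, "services": list(services)})
    return joined


def remote_connections(records):
    """Drop listeners and unbound sockets; keep sockets that talk to a peer."""
    local_only = {"0.0.0.0", "*", "::", "127.0.0.1", "::1"}
    return [r for r in records
            if r["remote_ip"] not in local_only and r["state"] != "LISTENING"]


def by_service_group(records):
    """Group remote peers by hosted-service set (or by image for non-svchost)."""
    groups = defaultdict(list)
    for r in remote_connections(records):
        key = ", ".join(r["services"]) or r["image"]
        groups[key].append(f"{r['remote_ip']}:{r['remote_port']} {r['state']}".rstrip())
    return dict(groups)


if __name__ == "__main__":
    for group, peers in by_service_group(attribute(NETSTAT_SAMPLE, TASKLIST_SAMPLE)).items():
        print(f"{group}:")
        for peer in peers:
            print(f"    {peer}")
```

On a live machine, capture the two outputs with `netstat -ano > net.txt` and `tasklist /svc > svc.txt` and feed the file contents to `attribute()`. The caveat a practitioner should keep in mind is that a shared svchost PID hosts several services, so the join yields a candidate set (here CryptSvc, Dnscache, LanmanWorkstation, NlaSvc), not a single owner; narrowing to one service needs a per-thread view such as Process Explorer's, or `netstat -anob` run from an elevated prompt, which prints the owning component name for svchost connections.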


#6 HairyApricot


Posted 22 June 2016 - 02:53 PM

Hi Phil, thank you for your help :)

 

I am not sure whether or not I set that policy. Where would I check?

 

Here is the MiniToolBox log:

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by James (administrator) on 22-06-2016 at 20:46:37
Running from "C:\Users\James\Downloads"
Microsoft Windows 7 Professional N  Service Pack 1 (X64)
Model: Z97X-Gaming 5 Manufacturer: Gigabyte Technology Co., Ltd.
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
========================= IP Configuration: ================================
 
TP-LINK Wireless N Adapter = Wireless Network Connection (Connected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : HairyApricot
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : TP-LINK Wireless N Adapter
   Physical Address. . . . . . . . . : D8-5D-4C-92-CF-F2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f4ab:5020:1fb4:3d26%13(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.68(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 22 June 2016 20:30:42
   Lease Expires . . . . . . . . . . : 23 June 2016 20:30:53
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 215506252
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-B3-FC-E6-D8-5D-4C-92-CF-F2
   DNS Servers . . . . . . . . . . . : 192.168.1.254
                                       192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter isatap.home:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 9:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 11:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  BTHomeHub.home
Address:  192.168.1.254
 
Name:    google.com
Address:  216.58.213.174
 
 
Pinging google.com [216.58.213.174] with 32 bytes of data:
Reply from 216.58.213.174: bytes=32 time=21ms TTL=54
Reply from 216.58.213.174: bytes=32 time=21ms TTL=54
 
Ping statistics for 216.58.213.174:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 21ms, Maximum = 21ms, Average = 21ms
Server:  BTHomeHub.home
Address:  192.168.1.254
 
Name:    yahoo.com
Addresses:  98.139.183.24
 206.190.36.45
 98.138.253.109
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=126ms TTL=48
Reply from 98.139.183.24: bytes=32 time=125ms TTL=48
 
Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 125ms, Maximum = 126ms, Average = 125ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 13...d8 5d 4c 92 cf f2 ......TP-LINK Wireless N Adapter
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.68     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.68    281
     192.168.1.68  255.255.255.255         On-link      192.168.1.68    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.68    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.68    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.68    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 13    281 fe80::/64                On-link
 13    281 fe80::f4ab:5020:1fb4:3d26/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
 
========================= Devices: ================================
 
Name: Ethernet Controller
Description: Ethernet Controller
Class Guid: 
Manufacturer: 
Service: 
Device ID: PCI\VEN_1969&DEV_E091&SUBSYS_E0001458&REV_10\FF2D1AF0FCAA14FF00
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
**** End of log ****
 
Here is the Fixlog:
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by James (2016-06-22 20:28:06) Run:1
Running from C:\Users\James\Downloads
Loaded Profiles: James & DefaultAppPool (Available Profiles: James & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => No File
S3 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]
S2 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.84\pdf.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll => not found.
AvastVBoxSvc => service could not remove
VBoxAswDrv => service could not remove
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 62135561 B
Java, Flash, Steam htmlcache => 380036220 B
Windows/system/drivers => 1312336 B
Edge => 0 B
Chrome => 488052633 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66228 B
systemprofile32 => 66660 B
LocalService => 0 B
NetworkService => 0 B
James => 64715617 B
DefaultAppPool => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 958.2 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 20:28:59 ====
 
So maybe 2 more things. Several months ago I was asked to enter a captcha on google because of unusual network activity. I assume this is just random as I could find none. I have noticed an Excel process running and then terminating sometimes, though only recently. The actual program doesn't run, but it does show up in resource monitor. Not sure if that is worth noting or not. Also I use chrome, so would that toolbox not have missed any info on it?
 
Once again, thank you for your assistance Phil :)

Edited by HairyApricot, 22 June 2016 - 02:54 PM.


#7 garioch7


Posted 23 June 2016 - 11:51 AM

HairyApricot:
 
 
Thank you for your logs.
 

I am not sure whether or not I set that policy. Where would I check?

 
If the computer is running fine, you can safely ignore that Group Policy Script Restriction.
 
If you wanted to, you could check here and see if all looks good to you. If there is a policy/script you don't want or don't recognize, you could delete it, BUT only after you have "Googled" it to make sure that it is not something that Windows 7 Pro x64 creates by default or that was done by legitimate security software applications. What the FRST logs show is that a "restriction" has been set on the Group Policy Script Editor, which is not normally seen, but for which there could be legitimate explanations, such as being caused by one or more of the anti-malware/anti-virus tools that you ran, or being restricted by AVAST. Malware is known to sometimes exploit the Group Policy capability for its own nefarious purposes. There is a good article here. You can Google "Malware and Windows 7 Group Policy" and you will come up with some more information on this issue.  It is not really an issue unless you want to create some Group Policy Scripts.
 
 

So maybe 2 more things. Several months ago I was asked to enter a captcha on google becuase of unusual network activity. I assume this is just random as I could find none. I have noticed an Excel process running and then terminating sometimes, though only recently. The actual program doesn't run, but it does show up in resource monitor. Not sure if that is worth noting or not. Also I use chrome, so would that toolbox not have missed any info on it?

 
Well I can explain the Google "captcha".  It happens to me quite frequently when I am examining FRST logs and I am researching file names, service names, etc.  Google detects a large number of queries coming from the computer and suspects that it might be a part of a DDoS attack (Distributed Denial of Service); i.e., that a person or persons are spamming their servers.  This is just an automated Google security feature and it is absolutely nothing to be concerned about.
 
I am assuming that Excel is simply "calling home" to verify that it is legitimate, or checking for updates, or whatever else that Microsoft has programmed it to do.  There are all kinds of communications going on in the background with most computer programs and their "home base." There is no need for concern unless it is a malware program calling its "home base."  If you check your FRST Addition.txt file, you will see a number of Microsoft Office scheduled tasks such as:
 

Task: {060C4E3E-8B93-4E83-8004-948B4AD3E63C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-28] (Microsoft Corporation)
Task: {5624929B-BB5F-4AB7-A8DC-8F42139016CC} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-10-28] (Microsoft Corporation)
Task: {AF9FF0DB-1C47-4A67-A639-A5D1ACD2AC6C} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)
Task: {CCA7E94D-BF05-4064-96FC-C153588104BB} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2016-03-16] (Microsoft Corporation)
Task: {EC3C55AF-96BB-4686-8A24-AF36BF31FE97} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2016-02-09] (Microsoft Corporation)

 

 

Chrome is programmed differently from IE and Firefox. MiniToolBox can only access what is local to your computer so it can reset IE and Firefox.  Chrome does not store much information locally, so MiniToolBox can't reset what Chrome stores in the "cloud" on its servers.  Nonetheless, all of your browsers are using your network capability and the MiniToolBox scan shows that all is as it should be.  No need for concern.
 

 

The bottom line is that I think that you are good to go.  I commend you for your diligence in exploring what to you, appeared to be, unusual and potentially unwanted network traffic, but all does seem well.  It is better to be overly cautious than be overly bold with the proliferation of malware out there in cyberspace. :thumbup2:
 
Is there any other assistance that you require; or, should I request a Moderator to conclude this topic as "resolved"?
 
Thank you and have a great day.
 
Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#8 HairyApricot


Posted 23 June 2016 - 12:33 PM

Hi Phil

 

Thank you for everything. The only thing left I would want to ask about was ESET Online Scanner. I ran it a week ago. It scanned my internal hard drive fine. Only thing it flagged was the installer for ccleaner because it gives the option of the google toolbar. However when it got to the external drive, the scan would get a good way in. Then black bars appeared over the info on it like files scanned, current amount scanned, infected files etc. Then the program window would go grey. It was still running though, but about a minute later it would stop. Not hang, just go down to very low cpu usage, and the window couldn't be interacted with. It also did something odd with the pinned items on my taskbar. However this problem did not occur in safe mode, and the scan found the same on the internal drive, which is fine, and nothing on the external.

 

Sorry for this question, I was just curious why it happened.

Thanks :)



#9 garioch7


Posted 26 June 2016 - 06:25 AM

HairyApricot:

 

Thank you for your post.  I sincerely apologize for having missed your response.  I am subscribed to this topic, but wasn't notified that you had responded, so I missed your reply.  Humble apologies.

 

I want to confer with the Malware Response Instructor assigned to your topic before responding to your question.  In the interim, you could do a cold boot, shut down your computer normally, completely power down and unplug power cord, (remove battery as well, if it is a laptop), and then hold the power switch down for about 30 seconds. Re-connect everything and reboot normally and try ESET again.  It is my understanding that ESET online scanning is primarily designed to scan internal drives, but I could be mistaken.

 

Please let me know how you make out.  Thank you, have a great day, and be assured that I will be checking manually for your responses in this topic daily.  This is the second time that has happened to me this week: not being notified of a response to a subscribed topic.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#10 HairyApricot


Posted 26 June 2016 - 10:41 AM

Hi Phil. Yeah it worked fine when I scanned them one at a time, just not all at once in normal mode, I had to do it in safe mode. Is there a reason why shutting it down like this will change anything?



#11 garioch7


Posted 26 June 2016 - 02:28 PM

HairyApricot:

Thank you for your post. Once again, I did not get notified by email of your latest response. I have "unsubscribed" and then "subscribed" again to this topic, so hopefully that will clear the clog in the pipe! :)

I was checking back to your topic because the Malware Response Instructor (MRI) and I had conferred this morning, and I was going to post to you again, but I see that you got ESET to run.
 

Hi phil. Yeah it worked fine when I scanned them one at a time, just not all at once in normal mode, I had to do it in safe mode.


The MRI indicated that you should be able to run a simultaneous ESET Online Scan, in Normal Boot Mode, of both internal and external drives. The trick might be that you did not wait long enough. ESET Online scans can sometimes appear to have gone unresponsive for periods of time. That is due to how "deep" it is diving into the innards of your computer, and the nature of the beast.

If you want, you can follow the instructions below and see if you can get ESET to scan both internal and external drives in Normal Boot Mode. This is entirely optional, since the other ESET scans that you ran were not detecting any threats.


ESET Online Scanner with External Device

--------------------

I'd like us to scan your computer with ESET OnlineScan. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the ESET icon on your Desktop.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items:

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive(s) you wish to scan, then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found, click Uninstall application on close and click Finish.
  • If threats are found, click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply.
 

Is there a reason why shutting it down like this will change anything?


Indeed there is. Warm booting does not completely clear the computer and reset everything. See this article from Microsoft. You can also "google" warm boots versus cold boots and you will find lots of information there. It is amazing to me how many really weird problems are resolved by a cold boot. It is my first diagnostic step. If you launch the "Windows Repair (All In One)" tool by Tweaking Computer, you will see a cold boot is one of their preliminary diagnostic steps. That tool is available for download here at BC.

With laptops, it is also necessary not just to unplug them, but also to remove the battery to ensure that the motherboard loses power, causing components to reset to their default state. Pressing and holding the "Power" button down, when all power sources have been unplugged from the computer/laptop, just hastens, and ensures, that the capacitors on the motherboard, and other boards, such as GPU, drive controllers, etc., also lose any residual power and are reset back to default states. The only thing that doesn't lose power is the BIOS CMOS, because it has its own battery, and removing that is not usually desirable, since the BIOS loses any custom configuration information, as well as the date and time.


If you decide to run the ESET scan, in Normal Boot Mode, of both internal and external drives, please let me know how you made out.

Is there any other assistance that you would like or any other information that I might be able to provide to you?

Have a great day.

Regards,
-Phil

Member of the Unified Network of Instructors and Trusted Eliminators


#12 HairyApricot
  • Topic Starter

Posted 26 June 2016 - 02:56 PM

Huh, didn't cold boot, but ran it there again, last time I ran it was 2 weeks ago. Included my other hard drive as well. Ran fine, no threats at all. Maybe I just didn't leave it long enough last time :/



#13 garioch7
    RCMP Veteran
  • Malware Response Instructor

Posted 27 June 2016 - 03:04 PM

HairyApricot:
 
That is great news that the ESET scans ran fine and revealed no threats.
 
Although I am not seeing any active malware on your computer, I would recommend that you run a Malwarebytes Anti-Malware scan.

Malwarebytes Anti-Malware Free and Malwarebytes Chameleon Including External Drive

----------

  • Download Malwarebytes Anti-Malware Free and save it to your Desktop.
  • Double click the desktop icon, click Run, then Yes.
  • Click OK for English, then click Next.
  • Select I accept the agreement, then continue to click Next, then finally click Install.
  • Uncheck Enable free trial of Malwarebytes Anti-Malware Premium, if you do not want the free trial of the paid version, then click Finish.
  • On the Dashboard, select Settings.
  • Click on Detection and Protection.
  • Ensure that Scan for rootkits is checked. If not, check it.
  • If you are notified the Database is out of date, click Update Now.
  • Attach any external drives you want to scan, if not already attached.
  • Click the Scan button near the top.
  • Select Custom Scan, then click Configure Scan.
  • Place a check mark in any additional drives you would like to scan.
  • Click Scan now.

----------
Note: If Malwarebytes will not launch, please do the following to launch Malwarebytes Chameleon:
Click Start (Start, Search, All files and folders for Windows XP), then type mbam.
Double click one of the four following files (if one does not work try the next one, and so on) - A black command window will open. Follow those instructions until the Malwarebytes program starts the scan.

mbam-chameleon.scr
mbam-chameleon
mbam-chameleon.exe
mbam-chameleon.com

----------

  • When completed, click the down arrow on Export Log and select Text file (*.txt).
  • Save the file to your desktop as MBAM.txt.
  • Click Apply Actions, then restart your computer, if requested.
  • Please copy and paste the contents of MBAM.txt into your next reply.


 

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#14 HairyApricot
  • Topic Starter

Posted 28 June 2016 - 05:40 PM

Hi Phil

 

Here is the MalwareBytes scan result:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 28/06/2016
Scan Time: 21:05
Logfile: mbamresult.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.06.28.06
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: James
 
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 747453
Time Elapsed: 2 hr, 30 min, 53 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
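The MBAM 2.x log above has a plain "Name: value" layout, which makes it easy to check mechanically when several such logs have to be reviewed. As an added example, not from this thread or from Malwarebytes, the Python below parses an abridged copy of that log and confirms the scan completed with zero detections in every section; the section names and the "Rootkits: Enabled" check are assumptions based only on the log as posted.

```python
import re

# Abridged copy of the MBAM 2.x log posted above, embedded as sample input.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 28/06/2016
Scan Type: Custom Scan
Result: Completed

Rootkits: Enabled

Processes: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

(end)
"""

# Sections whose "Name: N" line gives a detection count in an MBAM 2.x log
# (assumed from the posted log).
DETECTION_SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
                      "Registry Data", "Folders", "Files", "Physical Sectors")

def parse_mbam_log(text):
    """Split the log into header fields and per-section detection counts."""
    fields, counts = {}, {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z -]+): (.+)$", line.strip())
        if not m:  # banner, "(No malicious items detected)", "(end)", blanks
            continue
        key, value = m.group(1), m.group(2)
        if key in DETECTION_SECTIONS:
            counts[key] = int(value)
        else:
            fields[key] = value
    return {"fields": fields, "counts": counts}

def scan_is_clean(parsed, require_rootkit_scan=True):
    """True only if the scan completed, rootkit scanning was on (when required)
    and every detection section present reported zero items."""
    f, c = parsed["fields"], parsed["counts"]
    if f.get("Result") != "Completed":
        return False
    if require_rootkit_scan and f.get("Rootkits") != "Enabled":
        return False
    return bool(c) and all(n == 0 for n in c.values())
```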


#15 garioch7
    RCMP Veteran
  • Malware Response Instructor

Posted 30 June 2016 - 08:32 AM

HairyApricot:

 

Thanks for your post.  The MBAM log is clean, just as I had hoped!

 

I think that you are good to go.  Is there anything else that I can do for you?

 

Have a great day.

 

Regards,

-Phil

 

Member of the Unified Network of Instructors and Trusted Eliminators




