may have TDSS, Edge and Chrome redirect at random


17 replies to this topic

#1 snm77


Posted 28 June 2016 - 08:03 PM

Any help much appreciated. This started on 6/22/2016.

My stepdad installed "driver finder" software thinking it was a Windows 10 driver for an old slide printer he had, and infected the daylights out of his system. I have followed several of the malware and rootkit removal guides here on bleepingcomputer.com. None have worked, many helped. I have run rkill (according to instructions), TDSS rootkit remover, adwcleaner, installed malwarebytes and purchased the pro license (on a clean machine), JRT.exe and now FRST64.exe.

 

I had to take a break for a few days, so here is an example of the Malwarebytes protection log; it might give a clue to what is remaining on the system, still causing redirects. I have checked for easy stuff like a system-configured proxy setting (there is none), and I've reset both Edge and Chrome to default, no dice. Still get redirected at random. Malwarebytes is now stopping most of the redirects, but the ones that redirect to an s3 address it doesn't seem to stop - and those are usually scareware, claiming to be MS or the FBI shutting down the PC, etc. You know - bullbleep :)

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Protection, 6/22/2016 7:52 PM, SYSTEM, LSPC, Protection, Malware Protection, Starting, 
Protection, 6/22/2016 7:52 PM, SYSTEM, LSPC, Protection, Malware Protection, Started, 
Protection, 6/22/2016 7:52 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Starting, 
Protection, 6/22/2016 7:52 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Started, 
Update, 6/22/2016 7:53 PM, SYSTEM, LSPC, Manual, Remediation Database, 2016.2.12.1, 2016.6.21.1, 
Update, 6/22/2016 7:53 PM, SYSTEM, LSPC, Manual, Rootkit Database, 2016.2.8.1, 2016.5.27.1, 
Update, 6/22/2016 7:53 PM, SYSTEM, LSPC, Manual, IP Database, 2016.2.8.1, 2016.6.22.2, 
Update, 6/22/2016 7:53 PM, SYSTEM, LSPC, Manual, Domain Database, 2016.2.16.8, 2016.6.22.12, 
Detection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Malware Protection, File, PUP.Optional.PCSpeedUp, C:\Program Files (x86)\PC Speed Up\PCSUUCC.exe, Quarantine, [c0a64d144653d75f1e640f2ce31e8f71]
Detection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Malware Protection, File, PUP.Optional.MaxDriverUpdater, C:\Program Files (x86)\Max Driver Updater\uninstaller.exe, Quarantine, [d78f1d449cfdab8b2c8838a0867c9967]
Update, 6/22/2016 7:53 PM, SYSTEM, LSPC, Manual, Malware Database, 2016.2.16.6, 2016.6.22.7, 
Protection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Refresh, Starting, 
Protection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Stopping, 
Protection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Stopped, 
Protection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Refresh, Success, 
Protection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Starting, 
Protection, 6/22/2016 7:53 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Started, 
Detection, 6/22/2016 7:57 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 185.17.184.11, sethealer.net, 52279, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 6/22/2016 7:57 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 185.17.184.11, sethealer.net, 52279, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 6/22/2016 7:57 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 185.17.184.11, supportt.biz, 52280, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 6/22/2016 7:57 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 185.17.184.11, supportt.biz, 52280, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 6/22/2016 7:57 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 185.17.184.11, supportt.biz, 52289, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 6/22/2016 7:57 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 185.17.184.11, supportt.biz, 52291, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 6/22/2016 7:58 PM, JohnR, LSPC, Protection, Malware Protection, File, PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\e6b54835-3f41-0\e6b54835-3f41-0.d, Quarantine, [718ea8570a8f75c1f92a0fb44fb31ee2]
Detection, 6/22/2016 7:58 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 185.17.184.11, sethealer.net, 52319, Outbound, C:\Windows\System32\svchost.exe, 
Detection, 6/22/2016 7:58 PM, JohnR, LSPC, Protection, Malware Protection, File, PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\e6b54835-0101-1\e6b54835-0101-1.d, Quarantine, [2dd2a6593c5d86b05dc61fa4cf33a45c]
Scan, 6/22/2016 8:16 PM, SYSTEM, LSPC, Manual, Start:6/22/2016 7:53 PM, Duration:21 min 5 sec, Threat Scan, Completed, 3 Malware Detections, 224 Non-Malware Detections, 
Protection, 6/22/2016 8:19 PM, SYSTEM, LSPC, Protection, Malware Protection, Starting, 
Protection, 6/22/2016 8:19 PM, SYSTEM, LSPC, Protection, Malware Protection, Started, 
Protection, 6/22/2016 8:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Starting, 
Protection, 6/22/2016 8:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Started, 
Detection, 6/22/2016 8:23 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 49789, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 8:23 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 49789, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 8:23 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 49790, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Protection, 6/22/2016 8:30 PM, SYSTEM, LSPC, Protection, Malware Protection, Starting, 
Protection, 6/22/2016 8:30 PM, SYSTEM, LSPC, Protection, Malware Protection, Started, 
Protection, 6/22/2016 8:30 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Starting, 
Protection, 6/22/2016 8:30 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Started, 
Detection, 6/22/2016 8:58 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 50943, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 8:58 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 50943, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 8:58 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 50944, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Scan, 6/22/2016 9:09 PM, SYSTEM, LSPC, Manual, Start:6/22/2016 8:43 PM, Duration:20 min 32 sec, Threat Scan, Completed, 0 Malware Detections, 18 Non-Malware Detections, 
Scan, 6/22/2016 9:14 PM, SYSTEM, LSPC, Manual, Start:6/22/2016 9:14 PM, Duration:0 min 16 sec, Threat Scan, Cancelled, 0 Malware Detections, 0 Non-Malware Detections, 
Detection, 6/22/2016 9:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 146.148.46.20, www.liveadexchanger.com, 51687, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 9:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 146.148.46.20, www.liveadexchanger.com, 51687, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 9:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 146.148.46.20, www.liveadexchanger.com, 51688, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 9:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 146.148.46.20, www.liveadexchanger.com, 51689, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Scan, 6/22/2016 9:42 PM, SYSTEM, LSPC, Manual, Start:6/22/2016 9:15 PM, Duration:27 min 44 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, 
Protection, 6/22/2016 9:46 PM, SYSTEM, LSPC, Protection, Malware Protection, Starting, 
Protection, 6/22/2016 9:46 PM, SYSTEM, LSPC, Protection, Malware Protection, Started, 
Protection, 6/22/2016 9:46 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Starting, 
Protection, 6/22/2016 9:46 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Started, 
Detection, 6/22/2016 10:18 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 50899, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 10:18 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 50899, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 10:18 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Domain, 65.52.33.232, feed.helperbar.com, 50900, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 10:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, IP, 92.241.162.3, giraffetraffic.com, 50969, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 10:19 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, IP, 92.241.162.3, giraffetraffic.com, 50969, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Protection, 6/22/2016 10:38 PM, SYSTEM, LSPC, Protection, Malware Protection, Starting, 
Protection, 6/22/2016 10:38 PM, SYSTEM, LSPC, Protection, Malware Protection, Started, 
Protection, 6/22/2016 10:38 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Starting, 
Protection, 6/22/2016 10:38 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Started, 
Detection, 6/22/2016 10:42 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, IP, 92.241.162.3, giraffetraffic.com, 49838, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 10:42 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, IP, 92.241.162.3, giraffetraffic.com, 49838, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 6/22/2016 10:42 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, IP, 92.241.162.3, giraffetraffic.com, 49839, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Update, 6/22/2016 11:01 PM, SYSTEM, LSPC, Scheduler, Failed, Unable to access update server, 
Update, 6/22/2016 11:01 PM, SYSTEM, LSPC, Scheduler, Malware Database, 2016.6.22.7, 2016.6.23.1, 
Protection, 6/22/2016 11:01 PM, SYSTEM, LSPC, Protection, Refresh, Starting, 
Protection, 6/22/2016 11:01 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Stopping, 
Protection, 6/22/2016 11:01 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Stopped, 
Protection, 6/22/2016 11:01 PM, SYSTEM, LSPC, Protection, Refresh, Success, 
Protection, 6/22/2016 11:01 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Starting, 
Protection, 6/22/2016 11:01 PM, SYSTEM, LSPC, Protection, Malicious Website Protection, Started, 
 
(end)
 
FRST log
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 28-06-2016
Ran by JohnR (administrator) on LSPC (28-06-2016 20:24:04)
Running from C:\Users\JohnR\Desktop
Loaded Profiles: JohnR (Available Profiles: JohnR)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Softex Inc.) C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Elements 13 Organizer\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
() C:\Program Files\AVAST Software\SecureLine\vpnsvc.exe
() C:\Program Files\CyberLink\Shared files\RichVideo64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Validity Sensors, Inc.) C:\Windows\System32\valWBFPolicyService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\Windows\System32\LocationNotificationWindows.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
() C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McA3350.tmp
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\1.9.741.0\McCSPServiceHost.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\systemcore\mfemms.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\systemcore\mfefire.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\systemcore\mfefire.exe
(AgileBits) C:\Program Files (x86)\1Password 4\1Password.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.526.11220.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McUICnt.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\McClientAnalytics.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\McClientAnalytics.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8492800 2015-06-24] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2473800 2014-09-08] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [SimplePass] => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [3962936 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBroker] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [415288 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [OPBHOBrokerDesktop] => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [415288 2014-03-28] (Hewlett-Packard)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [557984 2014-08-27] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-09-23] (Apple Inc.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [126240 2014-04-01] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe Version Cue CS2] => C:\Users\JohnR\Documents\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe [856064 2005-04-04] (Adobe Sytems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 7.0] => C:\Users\JohnR\Documents\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe [483328 2004-12-14] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\HP\HP System Event\HPMSGSVC.exe [653576 2015-06-29] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Agile1pAgent] => C:\Program Files (x86)\1Password 4\Agile1pAgent.exe [4882360 2016-02-23] (AgileBits)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [24105936 2016-06-13] (Dropbox, Inc.)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
HKU\S-1-5-21-535504277-1051878557-1753778751-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1400232 2016-05-05] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-535504277-1051878557-1753778751-1001\...\RunOnce: [Uninstall C:\Users\JohnR\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\JohnR\AppData\Local\Microsoft\OneDrive\17.3.6281.1202_1\amd64"
ShellIconOverlayIdentifiers: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt3] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt4] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt5] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt6] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt7] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt8] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.34.dll [2016-06-13] (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk [2016-06-22]
ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk [2016-06-22]
ShortcutTarget: Adobe Gamma.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\avast! SecureLine.lnk [2016-06-22]
ShortcutTarget: avast! SecureLine.lnk -> C:\Program Files\AVAST Software\SecureLine\SecureLine.exe (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickScan (OpticFilm 7200).lnk [2016-06-22]
ShortcutTarget: QuickScan (OpticFilm 7200).lnk -> C:\Program Files (x86)\Plustek\OpticFilm 7200\QuickScan.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickScan (OpticFilm 7400).lnk [2016-06-22]
ShortcutTarget: QuickScan (OpticFilm 7400).lnk -> C:\Program Files (x86)\Plustek\OpticFilm 7400\QuickScan_x64.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.20.1
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{53e33042-f8e5-48e0-a4b6-7ad633743d45}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{53e33042-f8e5-48e0-a4b6-7ad633743d45}: [DhcpNameServer] 192.168.20.1
Tcpip\..\Interfaces\{5c4095e4-cc19-49e2-a788-81168f045730}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{5c4095e4-cc19-49e2-a788-81168f045730}: [DhcpNameServer] 40.22.1.11
ManualProxies: 
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-535504277-1051878557-1753778751-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-535504277-1051878557-1753778751-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-535504277-1051878557-1753778751-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://js.redirect.hp.com/jumpstation?bd=all&c=144&locale=ww_ww&pf=cnnb&s=ieHPtab&tp=iehome
BHO: 1Password -> {037C06D5-3893-49E8-9AC0-41F7524AFBF5} -> C:\Program Files (x86)\1Password 4\x64\Agile1pIE4.dll [2016-02-23] (AgileBits)
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-05-17] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-05-17] (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2016-02-25] (HP)
BHO-x32: 1Password -> {037C06D5-3893-49E8-9AC0-41F7524AFBF5} -> C:\Program Files (x86)\1Password 4\x86\Agile1pIE4.dll [2016-02-23] (AgileBits)
BHO-x32: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Users\JohnR\Documents\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14] (Adobe Systems Incorporated)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-07-25] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Users\JohnR\Documents\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14] (Adobe Systems Incorporated)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2016-02-25] (HP)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Users\JohnR\Documents\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14] (Adobe Systems Incorporated)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-04-19] (Microsoft Corporation)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2016-05-24] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2016-05-24] (McAfee, Inc.)
 
FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2016-05-24] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1204144.dll [2013-09-05] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-19] ()
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2014-06-19] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.56 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-09-03] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-09-03] (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2016-05-24] ()
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-05-20] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-22] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-22] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-04-26] (VideoLAN)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2016-06-20] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> hxxps://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.com/"
CHR Profile: C:\Users\JohnR\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\JohnR\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-27]
CHR Extension: (Google Docs) - C:\Users\JohnR\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-27]
CHR Extension: (Google Sheets) - C:\Users\JohnR\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-27]
CHR Extension: (Google Docs Offline) - C:\Users\JohnR\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-27]
CHR Extension: (AdBlock) - C:\Users\JohnR\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-22]
CHR Extension: (Ghostery) - C:\Users\JohnR\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-06-22]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 0325481466882982mcinstcleanup; C:\WINDOWS\TEMP\032548~1.EXE [962400 2016-04-12] (McAfee, Inc.)
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2015-06-13] (Adobe Systems) [File not signed]
R2 AdobeActiveFileMonitor13.0; C:\Program Files\Adobe\Elements 13 Organizer\PhotoshopElementsFileAgent.exe [231120 2015-01-30] (Adobe Systems Incorporated)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-09-02] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3009776 2016-05-27] (Microsoft Corporation)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-05] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-02-05] (Dropbox, Inc.)
R2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [795152 2016-05-05] (Garmin Ltd. or its subsidiaries)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [28552 2016-04-26] (Hewlett-Packard Company)
R2 HPWMISVC; c:\Program Files (x86)\HP\HP System Event\HPWMISVC.exe [602888 2015-06-29] (Hewlett-Packard Development Company, L.P.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-06-25] (Intel Corporation)
R2 ibtsiva.exe; C:\Program Files (x86)\Intel\Bluetooth\utilities\ibtsiva.exe [121288 2014-08-13] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2015-12-19] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-09-03] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-09-03] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [989192 2016-05-24] (McAfee, Inc.)
S3 McAWFwk; C:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [332528 2014-03-12] (McAfee, Inc.)
R2 mcbootdelaystartsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\1.9.741.0\\McCSPServiceHost.exe [1903320 2016-04-18] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [795528 2016-04-20] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [232688 2016-03-07] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [382456 2016-04-01] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [277744 2016-03-07] (McAfee, Inc.)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1424352 2016-04-21] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [599864 2016-04-23] (McAfee, Inc.)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1795912 2014-09-08] (NVIDIA Corporation)
S2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19438920 2014-09-08] (NVIDIA Corporation)
R2 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [88064 2014-03-28] (Softex Inc.) [File not signed]
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1029856 2016-04-21] (Intel Security, Inc.)
R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [303360 2015-06-24] (Realtek Semiconductor)
R2 SecureLine; C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe [592392 2016-05-24] ()
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [260216 2015-12-09] (Synaptics Incorporated)
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [32768 2013-08-01] (Validity Sensors, Inc.) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [78632 2016-03-11] (McAfee, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207968 2016-02-24] (McAfee, Inc.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [263952 2015-07-14] (Intel Corporation)
R1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [140672 2016-03-10] (Malwarebytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-06-28] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [65408 2016-03-10] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [129312 2014-09-30] (Intel Corporation)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [419624 2016-03-11] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [349480 2016-03-11] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [83608 2016-03-11] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [493352 2016-03-11] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [842536 2016-03-11] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [543488 2016-02-10] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109480 2016-02-10] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [243496 2016-03-11] (McAfee, Inc.)
R3 NETwNb64; C:\Windows\System32\drivers\Netwbw02.sys [3506464 2015-12-16] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19272 2014-09-08] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38048 2014-09-04] (NVIDIA Corporation)
R0 PxHlpa64; C:\Windows\System32\drivers\PxHlpa64.sys [56336 2013-09-03] (Corel Corporation)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2014-06-16] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [71288 2015-12-09] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
U0 xoeyj; C:\Windows\System32\drivers\havg.sys [79064 2016-06-28] (Malwarebytes)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-28 20:24 - 2016-06-28 20:24 - 00029087 _____ C:\Users\JohnR\Desktop\FRST.txt
2016-06-28 20:23 - 2016-06-28 20:24 - 00000000 ____D C:\FRST
2016-06-28 20:22 - 2016-06-28 20:22 - 00079064 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\havg.sys
2016-06-28 20:21 - 2016-06-28 20:23 - 02389504 _____ (Farbar) C:\Users\JohnR\Desktop\FRST64.exe
2016-06-28 20:07 - 2016-06-28 20:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2016-06-25 15:29 - 2016-06-28 12:16 - 00004208 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse
2016-06-25 15:21 - 2016-06-25 15:21 - 00001095 _____ C:\Users\JohnR\Desktop\JRT.txt
2016-06-25 15:20 - 2016-06-25 15:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2016-06-25 15:15 - 2016-06-25 15:15 - 05581640 _____ ( ) C:\Users\JohnR\Downloads\Zemana.AntiMalware.Setup (1).exe
2016-06-25 15:03 - 2016-06-25 15:03 - 05581640 _____ ( ) C:\Users\JohnR\Downloads\Zemana.AntiMalware.Setup.exe
2016-06-25 15:02 - 2016-06-25 15:10 - 01610816 _____ (Malwarebytes) C:\Users\JohnR\Desktop\JRT.exe
2016-06-24 15:19 - 2016-06-28 20:01 - 00004020 _____ C:\WINDOWS\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2016-06-22 22:36 - 2016-06-22 22:36 - 00012872 _____ (SurfRight B.V.) C:\WINDOWS\system32\bootdelete.exe
2016-06-22 22:29 - 2016-06-22 22:32 - 00101632 _____ C:\TDSSKiller.3.1.0.9_22.06.2016_22.29.47_log.txt
2016-06-22 22:22 - 2016-06-22 22:22 - 00000560 _____ C:\TDSSKiller.3.1.0.9_22.06.2016_22.22.04_log.txt
2016-06-22 21:48 - 2016-06-22 22:37 - 00000000 ____D C:\ProgramData\HitmanPro
2016-06-22 21:44 - 2016-06-22 21:44 - 00003384 _____ C:\WINDOWS\System32\Tasks\{37D25D1B-3948-41E1-9289-16324910E262}
2016-06-22 21:38 - 2016-06-22 21:38 - 00000134 _____ C:\WINDOWS\A11U.INI
2016-06-22 21:38 - 2016-06-22 21:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Plustek OpticFilm 7200 V3.3.0.4
2016-06-22 21:36 - 2016-06-22 21:36 - 00000000 ____D C:\Users\JohnR\Downloads\7200-V3304_11Lv2_a11
2016-06-22 21:35 - 2016-06-22 21:35 - 10732945 _____ C:\Users\JohnR\Downloads\7200-V3304_11Lv2_a11.zip
2016-06-22 21:17 - 2016-06-22 21:49 - 11438608 _____ (SurfRight B.V.) C:\Users\JohnR\Desktop\HitmanPro_x64.exe
2016-06-22 21:09 - 2016-06-22 21:09 - 00000091 _____ C:\Users\JohnR\Desktop\clean.bat
2016-06-22 20:59 - 2016-06-22 21:01 - 00101790 _____ C:\TDSSKiller.3.1.0.9_22.06.2016_20.59.40_log.txt
2016-06-22 20:57 - 2016-06-22 20:58 - 00002351 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-22 20:55 - 2016-06-28 20:05 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-22 20:55 - 2016-06-25 15:09 - 00000912 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-22 20:55 - 2016-06-22 21:00 - 00003974 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-06-22 20:55 - 2016-06-22 21:00 - 00003742 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-06-22 20:55 - 2016-06-22 20:55 - 00987728 _____ (Google Inc.) C:\Users\JohnR\Downloads\ChromeSetup (1).exe
2016-06-22 20:53 - 2016-06-22 20:53 - 00000151 _____ C:\WINDOWS\A1AU.INI
2016-06-22 20:53 - 2016-06-22 20:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Plustek OpticFilm 7400 V4.2.0.5
2016-06-22 20:53 - 1999-05-05 06:22 - 00008944 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Drivers\USBSCAN.SYS
2016-06-22 20:53 - 1999-05-05 06:22 - 00008944 _____ (Microsoft Corporation) C:\WINDOWS\system\Usbscan.sys
2016-06-22 20:53 - 1997-01-22 20:26 - 00565760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSVCP50.DLL
2016-06-22 20:52 - 2016-06-22 21:38 - 00000000 ____D C:\Program Files (x86)\Plustek
2016-06-22 20:52 - 2016-06-22 20:52 - 00000000 ____D C:\Users\JohnR\Downloads\OpticFilmOF7400-V4205_13L
2016-06-22 20:51 - 2016-06-22 20:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2016-06-22 20:51 - 2013-08-12 17:51 - 00000000 ____D C:\Users\JohnR\Downloads\OpticFilm 7400 V4.2.0.5
2016-06-22 20:50 - 2016-06-22 20:51 - 01378550 _____ (Igor Pavlov) C:\Users\JohnR\Downloads\7z1602-x64.exe
2016-06-22 20:50 - 2016-06-22 20:50 - 27804130 _____ C:\Users\JohnR\Downloads\OpticFilmOF7400-V4205_13L.zip
2016-06-22 20:40 - 2016-06-22 20:41 - 00101790 _____ C:\TDSSKiller.3.1.0.9_22.06.2016_20.40.58_log.txt
2016-06-22 20:38 - 2016-06-22 22:45 - 00003234 _____ C:\Users\JohnR\Desktop\Rkill.txt
2016-06-22 20:38 - 2016-06-22 20:38 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\JohnR\Downloads\iExplore.exe
2016-06-22 20:38 - 2016-06-22 20:38 - 00001021 _____ C:\Users\JohnR\Desktop\iExplore.exe - Shortcut.lnk
2016-06-22 20:37 - 2016-06-22 20:37 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\JohnR\Downloads\rkill.com
2016-06-22 20:35 - 2016-06-22 20:38 - 00101790 _____ C:\TDSSKiller.3.1.0.9_22.06.2016_20.35.56_log.txt
2016-06-22 20:23 - 2016-06-25 15:05 - 00000000 ____D C:\AdwCleaner
2016-06-22 20:15 - 2016-06-22 20:15 - 00001040 _____ C:\results.txt
2016-06-22 20:00 - 2016-06-22 20:23 - 03703360 _____ C:\Users\JohnR\Desktop\adwcleaner_5.200.exe
2016-06-22 19:52 - 2016-06-28 14:51 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-22 19:52 - 2016-06-22 20:15 - 00001172 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-06-22 19:52 - 2016-06-22 19:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-06-22 19:52 - 2016-06-22 19:52 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-06-22 19:52 - 2016-06-22 19:52 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-06-22 19:52 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-06-22 19:52 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-06-22 19:52 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-06-22 19:51 - 2016-06-22 19:51 - 22851472 _____ (Malwarebytes ) C:\Users\JohnR\Downloads\mb123.exe
2016-06-22 19:44 - 2016-06-22 19:52 - 00202124 _____ C:\TDSSKiller.3.1.0.9_22.06.2016_19.44.00_log.txt
2016-06-22 19:41 - 2016-06-22 19:43 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\JohnR\Desktop\footrub.com
2016-06-22 15:06 - 2016-06-27 11:03 - 00037888 _____ C:\Users\JohnR\Desktop\2016 06 JuneJuly.xls
2016-06-22 14:30 - 2016-06-22 14:30 - 04784128 _____ C:\Users\JohnR\Downloads\plustek_opticfilm_7200_manual_pdf.iso
2016-06-16 17:51 - 2016-06-16 17:52 - 01225680 _____ (Copyright © 2015 eSupport.com, Inc • All Rights Reserved ) C:\Users\JohnR\Downloads\driveragent-setup-1278.exe
2016-06-16 17:51 - 2016-06-16 17:52 - 01225680 _____ (Copyright © 2015 eSupport.com, Inc • All Rights Reserved ) C:\Users\JohnR\Downloads\driveragent-setup-1278 (2).exe
2016-06-16 17:51 - 2016-06-16 17:52 - 01225680 _____ (Copyright © 2015 eSupport.com, Inc • All Rights Reserved ) C:\Users\JohnR\Downloads\driveragent-setup-1278 (1).exe
2016-06-16 17:51 - 2016-06-16 17:51 - 08601238 _____ C:\Users\JohnR\Downloads\7200_a11__driver_v3301 (1).zip
2016-06-16 17:50 - 2016-06-16 17:50 - 08601238 _____ C:\Users\JohnR\Downloads\7200_a11__driver_v3301.zip
2016-06-16 17:24 - 2016-06-16 17:24 - 00000000 ____D C:\Users\JohnR\Downloads\OF8_QuickGuide
2016-06-16 17:23 - 2016-06-16 17:23 - 13427018 _____ C:\Users\JohnR\Downloads\OF8_QuickGuide (1).zip
2016-06-16 17:22 - 2016-06-16 17:23 - 13427018 _____ C:\Users\JohnR\Downloads\OF8_QuickGuide.zip
2016-06-14 14:56 - 2016-05-28 00:57 - 01594416 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-06-14 14:56 - 2016-05-28 00:57 - 01372312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-06-14 14:56 - 2016-05-28 00:29 - 22379008 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2016-06-14 14:56 - 2016-05-28 00:29 - 00045568 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2016-06-14 14:56 - 2016-05-28 00:27 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MosHostClient.dll
2016-06-14 14:56 - 2016-05-28 00:22 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapsBtSvc.dll
2016-06-14 14:56 - 2016-05-28 00:22 - 00059904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MosStorage.dll
2016-06-14 14:56 - 2016-05-28 00:19 - 24605696 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-06-14 14:56 - 2016-05-28 00:18 - 07977472 _____ (Microsoft Corporation) C:\WINDOWS\system32\mos.dll
2016-06-14 14:56 - 2016-05-28 00:18 - 00460800 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapConfiguration.dll
2016-06-14 14:56 - 2016-05-28 00:17 - 00630784 _____ (Microsoft Corporation) C:\WINDOWS\system32\MessagingDataModel2.dll
2016-06-14 14:56 - 2016-05-28 00:15 - 01056256 _____ (Microsoft Corporation) C:\WINDOWS\system32\JpMapControl.dll
2016-06-14 14:56 - 2016-05-28 00:15 - 00853504 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsStore.dll
2016-06-14 14:56 - 2016-05-28 00:15 - 00349696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapConfiguration.dll
2016-06-14 14:56 - 2016-05-28 00:14 - 00988160 _____ (Microsoft Corporation) C:\WINDOWS\system32\NMAA.dll
2016-06-14 14:56 - 2016-05-28 00:14 - 00606208 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-06-14 14:56 - 2016-05-28 00:14 - 00499712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MessagingDataModel2.dll
2016-06-14 14:56 - 2016-05-28 00:13 - 00939520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapControlCore.dll
2016-06-14 14:56 - 2016-05-28 00:12 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\JpMapControl.dll
2016-06-14 14:56 - 2016-05-28 00:11 - 00784896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NMAA.dll
2016-06-14 14:56 - 2016-05-28 00:11 - 00711680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MapControlCore.dll
2016-06-14 14:56 - 2016-05-28 00:11 - 00504320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-06-14 14:56 - 2016-05-28 00:08 - 06295552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mos.dll
2016-06-14 14:56 - 2016-05-28 00:06 - 07200256 _____ (Microsoft Corporation) C:\WINDOWS\system32\BingMaps.dll
2016-06-14 14:56 - 2016-05-28 00:03 - 05205504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\BingMaps.dll
2016-06-14 14:56 - 2016-05-28 00:00 - 01707520 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ActiveSyncProvider.dll
2016-06-14 14:56 - 2016-05-27 23:58 - 01996288 _____ (Microsoft Corporation) C:\WINDOWS\system32\ActiveSyncProvider.dll
2016-06-14 14:55 - 2016-05-28 02:13 - 01401024 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-06-14 14:55 - 2016-05-28 02:13 - 01184960 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-06-14 14:55 - 2016-05-28 02:13 - 00514752 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-06-14 14:55 - 2016-05-28 02:13 - 00290496 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-06-14 14:55 - 2016-05-28 02:13 - 00092352 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-06-14 14:55 - 2016-05-28 02:13 - 00046784 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-06-14 14:55 - 2016-05-28 01:25 - 04268880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\setupapi.dll
2016-06-14 14:55 - 2016-05-28 01:23 - 00388384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ws2_32.dll
2016-06-14 14:55 - 2016-05-28 01:23 - 00312160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mswsock.dll
2016-06-14 14:55 - 2016-05-28 01:22 - 07474528 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-06-14 14:55 - 2016-05-28 01:22 - 04387680 _____ (Microsoft Corporation) C:\WINDOWS\system32\setupapi.dll
2016-06-14 14:55 - 2016-05-28 01:22 - 00428896 _____ (Microsoft Corporation) C:\WINDOWS\system32\hal.dll
2016-06-14 14:55 - 2016-05-28 01:22 - 00211296 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tpm.sys
2016-06-14 14:55 - 2016-05-28 01:22 - 00118624 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\partmgr.sys
2016-06-14 14:55 - 2016-05-28 01:20 - 00430312 _____ (Microsoft Corporation) C:\WINDOWS\system32\ws2_32.dll
2016-06-14 14:55 - 2016-05-28 01:18 - 00357216 _____ (Microsoft Corporation) C:\WINDOWS\system32\mswsock.dll
2016-06-14 14:55 - 2016-05-28 01:16 - 00026408 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-06-14 14:55 - 2016-05-28 01:09 - 00501600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
2016-06-14 14:55 - 2016-05-28 01:09 - 00170848 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkUXBroker.exe
2016-06-14 14:55 - 2016-05-28 01:09 - 00084832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupApi.dll
2016-06-14 14:55 - 2016-05-28 01:08 - 00693600 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
2016-06-14 14:55 - 2016-05-28 01:08 - 00258912 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ufx01000.sys
2016-06-14 14:55 - 2016-05-28 01:08 - 00115040 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupApi.dll
2016-06-14 14:55 - 2016-05-28 01:07 - 03675512 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-06-14 14:55 - 2016-05-28 01:07 - 02921880 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-06-14 14:55 - 2016-05-28 01:07 - 01322248 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
2016-06-14 14:55 - 2016-05-28 01:07 - 00957608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
2016-06-14 14:55 - 2016-05-28 01:07 - 00808288 _____ (Microsoft Corporation) C:\WINDOWS\system32\WWAHost.exe
2016-06-14 14:55 - 2016-05-28 01:07 - 00703840 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WWAHost.exe
2016-06-14 14:55 - 2016-05-28 01:07 - 00331616 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys
2016-06-14 14:55 - 2016-05-28 01:06 - 22561256 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-06-14 14:55 - 2016-05-28 01:06 - 04074160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\explorer.exe
2016-06-14 14:55 - 2016-05-28 01:06 - 00730344 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Shell.Broker.dll
2016-06-14 14:55 - 2016-05-28 01:06 - 00303216 _____ (Microsoft Corporation) C:\WINDOWS\system32\LockAppHost.exe
2016-06-14 14:55 - 2016-05-28 01:06 - 00254656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LockAppHost.exe
2016-06-14 14:55 - 2016-05-28 01:05 - 04515264 _____ (Microsoft Corporation) C:\WINDOWS\explorer.exe
2016-06-14 14:55 - 2016-05-28 01:04 - 00604928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-06-14 14:55 - 2016-05-28 01:04 - 00431296 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcryptprimitives.dll
2016-06-14 14:55 - 2016-05-28 01:04 - 00360480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcryptprimitives.dll
2016-06-14 14:55 - 2016-05-28 01:04 - 00161632 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-06-14 14:55 - 2016-05-28 01:04 - 00111064 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncryptsslp.dll
2016-06-14 14:55 - 2016-05-28 01:04 - 00097096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncryptsslp.dll
2016-06-14 14:55 - 2016-05-28 01:03 - 00131248 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpapi.dll
2016-06-14 14:55 - 2016-05-28 00:58 - 01996640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
2016-06-14 14:55 - 2016-05-28 00:58 - 00379232 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2016-06-14 14:55 - 2016-05-28 00:57 - 02548944 _____ (Microsoft Corporation) C:\WINDOWS\system32\d3d10warp.dll
2016-06-14 14:55 - 2016-05-28 00:57 - 02195632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d3d10warp.dll
2016-06-14 14:55 - 2016-05-28 00:57 - 00649792 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxgi.dll
2016-06-14 14:55 - 2016-05-28 00:57 - 00636304 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
2016-06-14 14:55 - 2016-05-28 00:57 - 00577376 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
2016-06-14 14:55 - 2016-05-28 00:57 - 00546456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
2016-06-14 14:55 - 2016-05-28 00:57 - 00521664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxgi.dll
2016-06-14 14:55 - 2016-05-28 00:57 - 00316256 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2016-06-14 14:55 - 2016-05-28 00:35 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\tdlrecover.exe
2016-06-14 14:55 - 2016-05-28 00:35 - 00089088 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsCSP.dll
2016-06-14 14:55 - 2016-05-28 00:35 - 00031744 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dumpsdport.sys
2016-06-14 14:55 - 2016-05-28 00:31 - 00091648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\tdlrecover.exe
2016-06-14 14:55 - 2016-05-28 00:31 - 00088576 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\olepro32.dll
2016-06-14 14:55 - 2016-05-28 00:31 - 00066560 _____ (Microsoft Corporation) C:\WINDOWS\system32\MosHostClient.dll
2016-06-14 14:55 - 2016-05-28 00:29 - 00079360 _____ (Microsoft Corporation) C:\WINDOWS\system32\adhsvc.dll
2016-06-14 14:55 - 2016-05-28 00:29 - 00019456 _____ (Microsoft Corporation) C:\WINDOWS\system32\httpprxp.dll
2016-06-14 14:55 - 2016-05-28 00:28 - 00166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusNotification.exe
2016-06-14 14:55 - 2016-05-28 00:28 - 00118272 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontsub.dll
2016-06-14 14:55 - 2016-05-28 00:28 - 00090112 _____ (Microsoft Corporation) C:\WINDOWS\system32\FwRemoteSvr.dll
2016-06-14 14:55 - 2016-05-28 00:27 - 00028672 _____ (Microsoft Corporation) C:\WINDOWS\system32\mapsupdatetask.dll
2016-06-14 14:55 - 2016-05-28 00:26 - 00199168 _____ (Microsoft Corporation) C:\WINDOWS\system32\InstallAgent.exe
2016-06-14 14:55 - 2016-05-28 00:26 - 00157184 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmcertinst.exe
2016-06-14 14:55 - 2016-05-28 00:26 - 00145920 _____ (Microsoft Corporation) C:\WINDOWS\system32\omadmclient.exe
2016-06-14 14:55 - 2016-05-28 00:26 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\system32\MapsBtSvc.dll
2016-06-14 14:55 - 2016-05-28 00:26 - 00074752 _____ (Microsoft Corporation) C:\WINDOWS\system32\MosStorage.dll
2016-06-14 14:55 - 2016-05-28 00:25 - 00112640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthenum.sys
2016-06-14 14:55 - 2016-05-28 00:25 - 00037376 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2016-06-14 14:55 - 2016-05-28 00:24 - 00218624 _____ (Microsoft Corporation) C:\WINDOWS\system32\cdd.dll
2016-06-14 14:55 - 2016-05-28 00:24 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\Ndu.sys
2016-06-14 14:55 - 2016-05-28 00:24 - 00093696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontsub.dll
2016-06-14 14:55 - 2016-05-28 00:24 - 00091136 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserbroker.dll
2016-06-14 14:55 - 2016-05-28 00:24 - 00086528 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppCapture.dll
2016-06-14 14:55 - 2016-05-28 00:24 - 00072704 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshost.dll
2016-06-14 14:55 - 2016-05-28 00:24 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcsvc6.dll
2016-06-14 14:55 - 2016-05-28 00:24 - 00053760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FwRemoteSvr.dll
2016-06-14 14:55 - 2016-05-28 00:23 - 00155136 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hidclass.sys
2016-06-14 14:55 - 2016-05-28 00:23 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcsvc.dll
2016-06-14 14:55 - 2016-05-28 00:22 - 00406528 _____ (Microsoft Corporation) C:\WINDOWS\system32\MusUpdateHandlers.dll
2016-06-14 14:55 - 2016-05-28 00:22 - 00368640 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2016-06-14 14:55 - 2016-05-28 00:22 - 00278528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netbt.sys
2016-06-14 14:55 - 2016-05-28 00:22 - 00269824 _____ (Microsoft Corporation) C:\WINDOWS\system32\moshostcore.dll
2016-06-14 14:55 - 2016-05-28 00:22 - 00163328 _____ (Microsoft Corporation) C:\WINDOWS\system32\tetheringservice.dll
2016-06-14 14:55 - 2016-05-28 00:22 - 00161280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InstallAgent.exe
2016-06-14 14:55 - 2016-05-28 00:22 - 00079872 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptsvc.dll
2016-06-14 14:55 - 2016-05-28 00:21 - 00550912 _____ (Microsoft Corporation) C:\WINDOWS\system32\StoreAgent.dll
2016-06-14 14:55 - 2016-05-28 00:21 - 00239104 _____ (Microsoft Corporation) C:\WINDOWS\system32\BrokerLib.dll
2016-06-14 14:55 - 2016-05-28 00:21 - 00207360 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupSvc.dll
2016-06-14 14:55 - 2016-05-28 00:21 - 00190464 _____ (Microsoft Corporation) C:\WINDOWS\system32\wscsvc.dll
2016-06-14 14:55 - 2016-05-28 00:20 - 00641536 _____ (Microsoft Corporation) C:\WINDOWS\system32\enterprisecsps.dll
2016-06-14 14:55 - 2016-05-28 00:20 - 00511488 _____ (Microsoft Corporation) C:\WINDOWS\system32\newdev.dll
2016-06-14 14:55 - 2016-05-28 00:20 - 00332288 _____ (Microsoft Corporation) C:\WINDOWS\system32\polstore.dll
2016-06-14 14:55 - 2016-05-28 00:20 - 00267264 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcore6.dll
2016-06-14 14:55 - 2016-05-28 00:20 - 00199168 _____ (Microsoft Corporation) C:\WINDOWS\system32\GnssAdapter.dll
2016-06-14 14:55 - 2016-05-28 00:20 - 00174080 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers_Privacy.dll
2016-06-14 14:55 - 2016-05-28 00:20 - 00057344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcsvc6.dll
2016-06-14 14:55 - 2016-05-28 00:19 - 00764928 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
2016-06-14 14:55 - 2016-05-28 00:19 - 00567808 _____ (Microsoft Corporation) C:\WINDOWS\system32\MBMediaManager.dll
2016-06-14 14:55 - 2016-05-28 00:19 - 00414720 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcastdvr.exe
2016-06-14 14:55 - 2016-05-28 00:19 - 00355840 _____ (Microsoft Corporation) C:\WINDOWS\system32\dhcpcore.dll
2016-06-14 14:55 - 2016-05-28 00:19 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcsvc.dll
2016-06-14 14:55 - 2016-05-28 00:18 - 11545088 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-06-14 14:55 - 2016-05-28 00:18 - 00610816 _____ (Microsoft Corporation) C:\WINDOWS\system32\rastls.dll
2016-06-14 14:55 - 2016-05-28 00:18 - 00591360 _____ (Microsoft Corporation) C:\WINDOWS\system32\vpnike.dll
2016-06-14 14:55 - 2016-05-28 00:18 - 00392192 _____ (Microsoft Corporation) C:\WINDOWS\system32\IPSECSVC.DLL
2016-06-14 14:55 - 2016-05-28 00:18 - 00380416 _____ (Microsoft Corporation) C:\WINDOWS\system32\SystemEventsBrokerServer.dll
2016-06-14 14:55 - 2016-05-28 00:18 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\VEEventDispatcher.dll
2016-06-14 14:55 - 2016-05-28 00:17 - 09918976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-06-14 14:55 - 2016-05-28 00:17 - 00963072 _____ (Microsoft Corporation) C:\WINDOWS\system32\iphlpsvc.dll
2016-06-14 14:55 - 2016-05-28 00:17 - 00485888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\newdev.dll
2016-06-14 14:55 - 2016-05-28 00:17 - 00415232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StoreAgent.dll
2016-06-14 14:55 - 2016-05-28 00:17 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXTaskFactory.dll
2016-06-14 14:55 - 2016-05-28 00:17 - 00278016 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Management.dll
2016-06-14 14:55 - 2016-05-28 00:17 - 00173056 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmmigrator.dll
2016-06-14 14:55 - 2016-05-28 00:16 - 19344384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-06-14 14:55 - 2016-05-28 00:16 - 00690176 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2016-06-14 14:55 - 2016-05-28 00:16 - 00684544 _____ (Microsoft Corporation) C:\WINDOWS\system32\StructuredQuery.dll
2016-06-14 14:55 - 2016-05-28 00:16 - 00592896 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppContracts.dll
2016-06-14 14:55 - 2016-05-28 00:16 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\system32\tileobjserver.dll
2016-06-14 14:55 - 2016-05-28 00:16 - 00406528 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2016-06-14 14:55 - 2016-05-28 00:16 - 00291328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\polstore.dll
2016-06-14 14:55 - 2016-05-28 00:16 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcore6.dll
2016-06-14 14:55 - 2016-05-28 00:15 - 00794624 _____ (Microsoft Corporation) C:\WINDOWS\system32\winhttp.dll
2016-06-14 14:55 - 2016-05-28 00:15 - 00535040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rastls.dll
2016-06-14 14:55 - 2016-05-28 00:15 - 00293888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dhcpcore.dll
2016-06-14 14:55 - 2016-05-28 00:15 - 00237056 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srvnet.sys
2016-06-14 14:55 - 2016-05-28 00:14 - 18674176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2016-06-14 14:55 - 2016-05-28 00:14 - 01716736 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRHInproc.dll
2016-06-14 14:55 - 2016-05-28 00:14 - 00965632 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRH.dll
2016-06-14 14:55 - 2016-05-28 00:14 - 00784384 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-06-14 14:55 - 2016-05-28 00:14 - 00219136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VEEventDispatcher.dll
2016-06-14 14:55 - 2016-05-28 00:14 - 00200192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Internal.Management.dll
2016-06-14 14:55 - 2016-05-28 00:13 - 01387520 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2016-06-14 14:55 - 2016-05-28 00:13 - 00990208 _____ (Microsoft Corporation) C:\WINDOWS\system32\SharedStartModel.dll
2016-06-14 14:55 - 2016-05-28 00:13 - 00982016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppxPackaging.dll
2016-06-14 14:55 - 2016-05-28 00:13 - 00954368 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthport.sys
2016-06-14 14:55 - 2016-05-28 00:13 - 00587776 _____ (Microsoft Corporation) C:\WINDOWS\system32\bisrv.dll
2016-06-14 14:55 - 2016-05-28 00:13 - 00467456 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppContracts.dll
2016-06-14 14:55 - 2016-05-28 00:13 - 00084992 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\BTHUSB.SYS
2016-06-14 14:55 - 2016-05-28 00:12 - 00614400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttp.dll
2016-06-14 14:55 - 2016-05-28 00:12 - 00521728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StructuredQuery.dll
2016-06-14 14:55 - 2016-05-28 00:11 - 01445888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRHInproc.dll
2016-06-14 14:55 - 2016-05-28 00:11 - 00890368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AppxPackaging.dll
2016-06-14 14:55 - 2016-05-28 00:11 - 00799744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SRH.dll
2016-06-14 14:55 - 2016-05-28 00:11 - 00687616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-06-14 14:55 - 2016-05-28 00:11 - 00128512 _____ (Microsoft Corporation) C:\WINDOWS\system32\httpprxm.dll
2016-06-14 14:55 - 2016-05-28 00:09 - 01073152 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDXService.dll
2016-06-14 14:55 - 2016-05-28 00:08 - 13385728 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-06-14 14:55 - 2016-05-28 00:06 - 12128256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-06-14 14:55 - 2016-05-28 00:06 - 01339904 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpsvc.dll
2016-06-14 14:55 - 2016-05-28 00:05 - 03994624 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers_nt.dll
2016-06-14 14:55 - 2016-05-28 00:05 - 03664896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-06-14 14:55 - 2016-05-28 00:05 - 02582016 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFMediaEngine.dll
2016-06-14 14:55 - 2016-05-28 00:05 - 01797120 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Immersive.dll
2016-06-14 14:55 - 2016-05-28 00:04 - 06973952 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-06-14 14:55 - 2016-05-28 00:04 - 00555520 _____ (Microsoft Corporation) C:\WINDOWS\system32\SyncController.dll
2016-06-14 14:55 - 2016-05-28 00:04 - 00450560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SyncController.dll
2016-06-14 14:55 - 2016-05-28 00:03 - 05323776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-06-14 14:55 - 2016-05-28 00:03 - 02609664 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetworkMobileSettings.dll
2016-06-14 14:55 - 2016-05-28 00:03 - 01185280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LocationFramework.dll
2016-06-14 14:55 - 2016-05-28 00:03 - 00693760 _____ (Microsoft Corporation) C:\WINDOWS\system32\internetmail.dll
2016-06-14 14:55 - 2016-05-28 00:03 - 00417792 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmenrollengine.dll
2016-06-14 14:55 - 2016-05-28 00:02 - 03590144 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2016-06-14 14:55 - 2016-05-28 00:02 - 02061824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFMediaEngine.dll
2016-06-14 14:55 - 2016-05-28 00:02 - 01534464 _____ (Microsoft Corporation) C:\WINDOWS\system32\LocationFramework.dll
2016-06-14 14:55 - 2016-05-28 00:02 - 00103424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\updatepolicy.dll
2016-06-14 14:55 - 2016-05-28 00:01 - 01799680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll
2016-06-14 14:55 - 2016-05-28 00:01 - 01582080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Immersive.dll
2016-06-14 14:55 - 2016-05-28 00:01 - 01500160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-06-14 14:55 - 2016-05-28 00:01 - 00111104 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 05660160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 03585536 _____ (Microsoft Corporation) C:\WINDOWS\system32\SystemSettingsThresholdAdminFlowUI.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 02635776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 02230272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 02168320 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 01730560 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 00162816 _____ (Microsoft Corporation) C:\WINDOWS\system32\enrollmentapi.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 00151040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mdmregistration.dll
2016-06-14 14:55 - 2016-05-28 00:00 - 00090624 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceEnroller.exe
2016-06-14 14:55 - 2016-05-27 23:59 - 00176640 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmregistration.dll
2016-06-14 14:55 - 2016-05-27 23:58 - 07832576 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2016-06-14 14:55 - 2016-05-27 23:58 - 04896256 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-06-14 14:55 - 2016-05-27 23:58 - 02755584 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-06-14 14:55 - 2016-05-27 23:58 - 02066432 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.dll
2016-06-14 14:55 - 2016-05-27 23:57 - 02281472 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-06-14 14:55 - 2016-05-27 23:55 - 01390080 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Shell.dll
2016-06-14 14:55 - 2016-05-27 23:53 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngcpopkeysrv.dll
2016-06-14 11:49 - 2016-06-14 11:49 - 00000132 _____ C:\Users\JohnR\AppData\Roaming\Adobe GIF Format CC Prefs
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-28 20:22 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\ADFS
2016-06-28 20:09 - 2016-02-05 18:55 - 00000916 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2016-06-28 20:03 - 2015-10-30 03:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-28 20:03 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-28 14:33 - 2015-05-20 14:57 - 00004144 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{1D009E52-2F50-4540-B4B8-4965D02166EC}
2016-06-28 14:25 - 2015-05-22 09:27 - 00000000 ____D C:\Users\JohnR\AppData\Local\Adobe
2016-06-28 11:55 - 2015-12-17 05:06 - 00973984 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-28 11:55 - 2015-10-30 03:21 - 00000000 ____D C:\WINDOWS\INF
2016-06-28 11:52 - 2016-02-05 19:08 - 00000000 ___RD C:\Users\JohnR\Dropbox
2016-06-25 15:31 - 2015-08-23 16:38 - 00003126 _____ C:\WINDOWS\System32\Tasks\McAfeeLogon
2016-06-25 15:31 - 2015-08-23 16:38 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2016-06-25 15:29 - 2015-05-12 14:48 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-06-25 15:20 - 2015-05-20 14:46 - 00000000 ____D C:\Users\JohnR\Documents\Youcam
2016-06-25 15:20 - 2014-11-12 03:46 - 00000000 ____D C:\Program Files (x86)\Dropbox
2016-06-25 15:09 - 2016-02-05 18:55 - 00000912 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2016-06-25 15:09 - 2015-12-17 04:59 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-06-25 15:09 - 2015-05-20 14:42 - 00000000 __SHD C:\Users\JohnR\IntelGraphicsProfiles
2016-06-25 15:08 - 2016-03-24 13:43 - 00000342 _____ C:\WINDOWS\Tasks\HPCeeScheduleForJohnR.job
2016-06-25 15:08 - 2015-12-17 05:28 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-06-25 15:07 - 2015-10-30 02:28 - 00786432 ___SH C:\WINDOWS\system32\config\BBI
2016-06-24 12:20 - 2016-01-12 18:28 - 00051712 _____ C:\Users\JohnR\Desktop\2016  LS Income Expenses.xls
2016-06-24 11:52 - 2015-05-21 08:25 - 00000000 ____D C:\Users\JohnR\Documents\Financial
2016-06-23 16:38 - 2016-03-24 13:43 - 00003234 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForJohnR
2016-06-22 21:45 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\System
2016-06-22 21:45 - 2014-11-12 03:39 - 00000000 ____D C:\Program Files\7-Zip
2016-06-22 21:38 - 2014-11-12 03:41 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-06-22 21:12 - 2015-05-12 14:38 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-06-22 21:11 - 2015-05-12 14:38 - 00000000 ____D C:\ProgramData\WildTangent
2016-06-22 21:11 - 2015-05-12 14:38 - 00000000 ____D C:\Program Files (x86)\WildTangent Games
2016-06-22 20:56 - 2015-12-11 18:32 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-22 20:17 - 2015-10-30 03:24 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2016-06-22 20:16 - 2015-12-31 10:23 - 00001031 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity.lnk
2016-06-22 20:16 - 2015-12-17 05:15 - 00001519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-06-22 20:16 - 2015-12-17 05:06 - 00000000 ____D C:\Users\JohnR
2016-06-22 20:16 - 2015-08-22 23:12 - 00002368 _____ C:\Users\JohnR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2016-06-22 20:16 - 2015-06-26 11:00 - 00002489 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Serif PagePlus X8.lnk
2016-06-22 20:16 - 2015-06-25 18:04 - 00002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-06-22 20:16 - 2015-06-13 11:18 - 00001214 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe GoLive CS2.lnk
2016-06-22 20:16 - 2015-06-13 11:15 - 00002475 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Distiller 7.0.lnk
2016-06-22 20:16 - 2015-06-13 11:15 - 00002469 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Designer 7.0.lnk
2016-06-22 20:16 - 2015-06-13 11:15 - 00002463 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat 7.0 Professional.lnk
2016-06-22 20:16 - 2015-06-13 11:09 - 00002817 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator CS2.lnk
2016-06-22 20:16 - 2015-06-13 11:04 - 00001236 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe InDesign CS2.lnk
2016-06-22 20:16 - 2015-06-13 10:59 - 00002254 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CS2.lnk
2016-06-22 20:16 - 2015-06-13 10:59 - 00002251 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ImageReady CS2.lnk
2016-06-22 20:16 - 2015-06-13 10:57 - 00002222 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Help Center.lnk
2016-06-22 20:16 - 2015-06-13 10:56 - 00002204 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge.lnk
2016-06-22 20:16 - 2015-05-22 09:51 - 00001073 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop Elements 13.lnk
2016-06-22 20:15 - 2016-05-24 10:41 - 00001964 _____ C:\Users\Public\Desktop\Garmin Express.lnk
2016-06-22 20:15 - 2016-05-16 17:57 - 00001140 _____ C:\Users\Public\Desktop\VLC media player.lnk
2016-06-22 20:15 - 2016-04-02 11:34 - 00002541 _____ C:\Users\Public\Desktop\TurboTax 2015.lnk
2016-06-22 20:15 - 2016-02-13 13:12 - 00001509 _____ C:\Users\JohnR\Desktop\People (2).lnk
2016-06-22 20:15 - 2016-02-05 19:08 - 00001306 _____ C:\Users\JohnR\Desktop\Dropbox.lnk
2016-06-22 20:15 - 2016-01-21 09:47 - 00001819 _____ C:\Users\JohnR\Desktop\1Password 4.lnk
2016-06-22 20:15 - 2015-12-31 10:23 - 00001019 _____ C:\Users\JohnR\Desktop\Audacity.lnk
2016-06-22 20:15 - 2015-12-19 13:28 - 00001505 _____ C:\Users\JohnR\Desktop\People.lnk
2016-06-22 20:15 - 2015-11-14 09:03 - 00002307 _____ C:\Users\JohnR\Desktop\HP Support Assistant.lnk
2016-06-22 20:15 - 2015-10-13 23:30 - 00001823 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-06-22 20:15 - 2015-06-30 13:50 - 00002410 _____ C:\Users\Public\Desktop\Meridian Pro.lnk
2016-06-22 20:15 - 2015-06-13 11:55 - 00001572 _____ C:\Users\JohnR\Desktop\Photoshop - Shortcut.lnk
2016-06-22 20:15 - 2015-06-13 11:15 - 00002256 _____ C:\Users\Public\Desktop\Adobe Acrobat 7.0 Professional.lnk
2016-06-22 20:15 - 2015-05-22 09:51 - 00001055 _____ C:\Users\Public\Desktop\Adobe Photoshop Elements 13.lnk
2016-06-22 20:15 - 2015-05-20 14:42 - 00002107 _____ C:\Users\Public\Desktop\Snapfish.lnk
2016-06-22 20:15 - 2015-05-20 14:42 - 00001332 _____ C:\Users\Public\Desktop\HP Smart Friend.lnk
2016-06-22 20:15 - 2015-05-12 14:54 - 00002159 _____ C:\Users\Public\Desktop\Connected Drive.lnk
2016-06-22 20:15 - 2015-05-12 14:54 - 00001630 _____ C:\Users\Public\Desktop\Connected Photo.lnk
2016-06-22 20:15 - 2015-05-12 14:49 - 00001937 _____ C:\Users\Public\Desktop\McAfee LiveSafe - Internet Security.lnk
2016-06-22 20:15 - 2015-05-12 14:45 - 00002131 _____ C:\Users\Public\Desktop\Priceline.com.lnk
2016-06-22 20:15 - 2015-05-12 14:36 - 00002517 _____ C:\Users\Public\Desktop\Evernote.lnk
2016-06-22 20:15 - 2015-05-12 14:34 - 00002145 _____ C:\Users\Public\Desktop\Connected Music.lnk
2016-06-22 15:42 - 2015-10-30 03:24 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-06-22 15:41 - 2015-05-20 15:18 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-06-22 07:07 - 2015-10-30 02:28 - 00008192 ___SH C:\WINDOWS\system32\config\ELAM
2016-06-20 14:19 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\rescache
2016-06-17 08:39 - 2015-10-30 03:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-06-16 09:37 - 2015-08-27 14:36 - 00000000 ____D C:\Users\JohnR\Documents\John
2016-06-16 08:04 - 2015-05-20 21:08 - 00000000 __RHD C:\Users\Public\AccountPictures
2016-06-16 03:35 - 2015-12-17 04:54 - 00360544 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-06-16 03:32 - 2015-10-30 03:24 - 00000000 ___SD C:\WINDOWS\system32\DiagSvcs
2016-06-16 03:32 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2016-06-16 03:32 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\bcastdvr
2016-06-14 18:40 - 2016-03-23 14:42 - 00000000 ____D C:\Users\JohnR\Documents\AARP & Encore
2016-06-14 18:17 - 2015-05-22 10:21 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-06-14 18:13 - 2015-05-22 10:21 - 142482544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-06-14 15:05 - 2015-06-15 11:34 - 00000302 _____ C:\WINDOWS\system32\ricdb.ini
2016-06-14 14:33 - 2015-10-30 03:26 - 00828408 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-06-14 14:33 - 2015-10-30 03:26 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-06-13 11:47 - 2015-05-20 14:42 - 00000000 ____D C:\Users\JohnR\AppData\Local\Packages
2016-06-11 17:06 - 2015-05-12 14:48 - 00000000 ____D C:\Program Files\Common Files\McAfee
2016-06-07 23:22 - 2016-05-16 17:58 - 00000000 ____D C:\Users\JohnR\AppData\Roaming\vlc
2016-06-07 22:47 - 2016-05-16 18:00 - 00000000 ____D C:\Users\JohnR\AppData\Roaming\dvdcss
2016-05-30 09:16 - 2015-06-30 13:51 - 00000000 ____D C:\Users\JohnR\.Meridian3
2016-05-30 08:41 - 2015-06-30 13:50 - 00000000 ____D C:\ProgramData\SWRoes
 
==================== Files in the root of some directories =======
 
2016-06-14 11:49 - 2016-06-14 11:49 - 0000132 _____ () C:\Users\JohnR\AppData\Roaming\Adobe GIF Format CC Prefs
2016-03-30 15:41 - 2016-03-30 15:41 - 0000132 _____ () C:\Users\JohnR\AppData\Roaming\Adobe PNG Format CC Prefs
2016-05-13 18:24 - 2016-05-13 18:24 - 0007598 _____ () C:\Users\JohnR\AppData\Local\Resmon.ResmonCfg
2016-04-02 11:34 - 2016-04-04 10:22 - 0000469 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2015-05-25 11:51 - 2015-06-06 19:35 - 0001895 _____ () C:\ProgramData\StreamingMediaTechnologyLog.txt
 
Some files in TEMP:
====================
C:\Users\JohnR\AppData\Local\Temp\1Password-4.6.0.598.exe
C:\Users\JohnR\AppData\Local\Temp\1Password-4.6.0.604.exe
C:\Users\JohnR\AppData\Local\Temp\COMAP.EXE
C:\Users\JohnR\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpy1vznl.dll
C:\Users\JohnR\AppData\Local\Temp\libeay32.dll
C:\Users\JohnR\AppData\Local\Temp\msvcr120.dll
C:\Users\JohnR\AppData\Local\Temp\sqlite3.dll
C:\Users\JohnR\AppData\Local\Temp\xkHhXirpXp.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-23 12:36
 
==================== End of FRST.txt ============================



Edited by hamluis, 28 June 2016 - 08:23 PM.
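The "Bamital & volsnap" section of the FRST log above reports that each listed core system binary is digitally signed; Bamital-family infections patch files such as winlogon.exe and explorer.exe in place, which breaks that signature. The PowerShell below is an added example, not part of the thread and not FRST's own code: it repeats the check with Get-AuthenticodeSignature over the same file list the log names and records a SHA-256 hash so the file can be compared against a known-clean copy of the same Windows build. The file list comes from the log; the function name and the output shape are assumptions of this example.

```powershell
# Added example (not from the thread or FRST). Run from an elevated PowerShell prompt
# on the machine under investigation. File list taken from the FRST "Bamital & volsnap" section.
$Files = @(
    "$env:SystemRoot\system32\winlogon.exe",
    "$env:SystemRoot\system32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\system32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\system32\services.exe",
    "$env:SystemRoot\system32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\system32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\system32\rpcss.dll",
    "$env:SystemRoot\system32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\system32\Drivers\volsnap.sys"
)

function Test-CoreFileSignatures {
    # Hypothetical helper name: returns one record per file with signature status,
    # signer subject and SHA-256, so the output can be diffed against a clean machine.
    param([string[]]$Paths)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; IsOSBinary = $false; Signer = ''; Sha256 = ''; Note = 'file not found' }
            continue
        }

        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

        # Most Windows binaries are catalog-signed rather than carrying an embedded
        # signature. On Windows 8 and later the cmdlet consults the system catalogs,
        # so a clean OS file reports Valid with IsOSBinary set. Anything else is a
        # lead to follow up by hash comparison, not yet proof of tampering.
        $note = if ($sig.Status -ne 'Valid') {
                    'FAILS verification - compare Sha256 with a clean copy of this build'
                } elseif (-not $sig.IsOSBinary) {
                    'valid, but not recognised as an OS binary signature'
                } else { '' }

        [pscustomobject]@{
            Path       = $p
            Status     = $sig.Status
            IsOSBinary = $sig.IsOSBinary
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256     = $hash
            Note       = $note
        }
    }
}

Test-CoreFileSignatures -Paths $Files | Format-Table Path, Status, IsOSBinary, Note -AutoSize
```

Run the same script on a clean machine at the same Windows build and compare the Sha256 column; a file that fails verification but hashes identically to the clean copy points at a catalog or trust-store problem rather than a patched binary, while a differing hash on a file that should be Microsoft-signed is exactly what the FRST section is designed to surface.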



 


#2 snm77 (Topic Starter, Members, 17 posts)

Posted 28 June 2016 - 08:30 PM

Sorry for the multiple posts. I was trying from the infected machine, and it was erroring out on a Cloudflare page and the forum was not showing my posts - of course, as soon as I logged in with a clean machine they were all there - apologies :(



#3 mAL_rEm018 (Malware Response Team, 307 posts)

Posted 29 June 2016 - 06:54 PM

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.

Failure to post replies within 4 days will result in this thread being closed.


Hello snm77,

My name is mAL_rEm018, but feel free to call me mAL.  I will be helping you with your malware related problems. :)

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


Because of this, I advise you to backup any personal files and folders before you start.


Cobian Backup
DriveImage XML


To make sure everything goes smoothly, I would like you to observe the following rules:

  • You must have Administrator rights, permissions for this computer.
  • Please reply to this thread.  Do not start another topic.
  • Perform all actions in the order given.
  • If you don't know, stop and ask!
  • DO NOT run any other fix or removal tools unless instructed to do so!
  • Don't attempt to install any new software (other than those I ask you to) until your computer is clean.
  • DO NOT post for help at any other forum.  Applying fixes from multiple help sites can cause problems.
  • I advise you to print the instructions if possible, since your internet connection might not be available during some of the fixes.
  • Absence of symptoms does not mean that everything is clear, therefore stick with this topic until I give you the "all clear".

I am currently reviewing you logs and will return as soon as possible, with additional instructions.


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#4 snm77 (Topic Starter, Members, 17 posts)

Posted 29 June 2016 - 08:51 PM

Thank you so much!  

 

I have admin rights on the machine. FYI, both McAfee firewall and Malwarebytes Pro are running on the system at the moment. If I need to stop either one as part of the solution, just let me know.



#5 mAL_rEm018 (Malware Response Team, 307 posts)

Posted 29 June 2016 - 08:54 PM

Hello snm77,


Let's make a backup of your Registry before we begin..

  • Please download TCRB to your Desktop.
  • Open Tweaking.com Registry Backup.
  • Click on the Backup Registry tab and ensure that all options are checked.
  • Press on Backup Now.
  • Wait until the backup is complete and exit the program.


It is clear from the logs that you've supplied that you have made several attempts at self-help prior to coming here to Bleeping Computer. It appears you've run a number of tools, and I need to see the logs that those tools created.

That does not mean I want you to run those tools again, it means I need to see the logs that were created when you ran them earlier.

Each will have created a report, and unless you have deleted them, or moved them, then they should be in the following locations ....


C:\Users\JohnR\Desktop\JRT.txt
C:\TDSSKiller.3.1.0.9_22.06.2016_22.29.47_log.txt
C:\TDSSKiller.3.1.0.9_22.06.2016_22.22.04_log.txt
C:\Users\JohnR\Desktop\Rkill.txt
C:\AdwCleaner[S*] and/or [C*]  * is the number of times the tool has been executed.


.... if they are not in those locations, then please run a search for them to see if they are present somewhere else on your machine.

If you can't find them, then please let me know.


As you mentioned in your first post, you recently ran Malwarebytes Anti-Malware.  I would also like to see the log that was created..


  • Please open Malwarebytes Anti-Malware.
  • Click History and then select Application Logs.
  • Double-click on the scan log by looking at the timestamp (it should be in the following order: Day/Month/Year Time)
  • Click Export and select Text file (*.txt).
  • In the File name: box, please write MBAM Log and save it to your desktop.
  • Once the process is over, a message will appear stating that the file has been successfully exported.  Click OK.
  • Please post the contents of MBAM Log.txt in your next reply.

-----------------------------------------
In your next reply, I would like to see..

  • Did you have trouble performing any of the steps?
  • JRT.txt
  • TDSS Killer logs
  • Rkill.txt
  • AdwCleaner log(s)
  • MBAM log

 




#6 snm77 (Topic Starter, Members, 17 posts)

Posted 29 June 2016 - 10:04 PM

Test reply. I could not reply with all the data; saving the request timed out. Seeing if any reply will go through.



#7 mAL_rEm018 (Malware Response Team, 307 posts)

Posted 29 June 2016 - 10:10 PM

Test reply. I could not reply with all the data; saving the request timed out. Seeing if any reply will go through.

Is this an error you get when running the TCRB backup? 




#8 snm77 (Topic Starter, Members, 17 posts)

Posted 29 June 2016 - 10:24 PM

No, that was a test to see if I could post at all. The regbackup ran fine, and I have the files you want, but I cannot post them inline - on a totally clean machine, when I attempt to post all the logs inline, the post simply never happens and I get stuck with a "saving post" message in the lower right corner.

 

Would it be OK if I attached the files you requested instead of trying to post them inline?



#9 mAL_rEm018 (Malware Response Team, 307 posts)

Posted 29 June 2016 - 10:34 PM

Would it be OK if I attached the files you requested instead of trying to post them inline?

Yes, feel free to attach the logs. :)




#10 snm77 (Topic Starter, Members, 17 posts)

Posted 29 June 2016 - 10:52 PM

Attached File  Rkill.txt   2.82KB

Attached File  MBAM Log 20160622_19_53.txt   1.03KB

Attached File  JRT.txt   555bytes

OK then, I've attempted to attach all the logs you requested, everything run since the infection started.



#11 mAL_rEm018 (Malware Response Team, 307 posts)

Posted 30 June 2016 - 03:47 PM

Hello snm77,

Thank you for adding the logs requested.  It will take me a while to go through them, so in the meantime I would like you to do a search using FRST.
 

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Copy/Paste or Type the following line into the Search: box.

babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;Istartsurf;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;wajam;whitesmoke;WNetEnhance;Wordinator;WordSurfer

  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.


-----------------------------------------
In your next reply, I would like to see..

  • Search.txt

 




#12 snm77 (Topic Starter, Members, 17 posts)

Posted 30 June 2016 - 04:02 PM

Farbar Recovery Scan Tool (x64) Version: 29-06-2016
Ran by JohnR (2016-06-30 17:01:41)
Running from C:\Users\JohnR\Desktop
Boot Mode: Normal
 
================== Search Registry: "babylon;Bandoo;CleverSearch;conduit;datamngr;Fun4IM;iLivid;Istartsurf;kelkoopartners;Luckysearches;QuickSurf;Searchnu;Searchqu;SharkManCoupon;sushileads;SweetIM;SweetPacks;TidyNetwork;trolltech;wajam;whitesmoke;WNetEnhance;Wordinator;WordSurfer" ===========
 
 
===================== Search result for "babylon" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"
 
 
===================== Search result for "conduit" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966]
"91E442DFEFE6D2A449A8D0544D1C86EB"="C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\iSyncConduit.dll"
 
 
===================== Search result for "Searchqu" ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1B217815-E578-4C96-8A2D-1B30392F0F91}]
""="ISearchQueryHelperPriv"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{69563521-C154-4B45-B884-035872E3F96A}]
""="ISearchQueryCondition"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAC6C3B8-3C64-4DFD-AD9F-479E4D4065A4}]
""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetailsFactory"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46A1205B-69C9-4745-B72F-A8A4FC8F24AE}]
""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetails"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Search.SearchQueryLinguisticDetails]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Search.SearchQueryLinguisticDetails]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\WindowsRuntime\CLSID\{a7544317-65bb-3802-9376-3d59fa0a45b3}]
"ActivatableClassId"="Windows.ApplicationModel.Search.SearchQueryLinguisticDetails"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\Interface\{1B217815-E578-4C96-8A2D-1B30392F0F91}]
""="ISearchQueryHelperPriv"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\Interface\{69563521-C154-4B45-B884-035872E3F96A}]
""="ISearchQueryCondition"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\Interface\{CAC6C3B8-3C64-4DFD-AD9F-479E4D4065A4}]
""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetailsFactory"
 
 
===================== Search result for "trolltech" ==========
 
[HKEY_USERS\S-1-5-21-535504277-1051878557-1753778751-1001\SOFTWARE\Trolltech]
 
====== End of Search ======

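The Search Registry output above is a flat text format: one header line naming the terms that were searched, one "Search result" section per term that produced hits, each hit a bracketed key followed by at most one "name"="data" line, and no section at all for a term with zero hits. As an added example (not code from the thread, from snm77 or from the FRST author), the Python script below parses that format, groups hits per term, lists the terms that came back empty, and builds FRST-style [-KEY] deletion lines for whichever terms a reviewer decides to remove. The sample input is an abridged copy of the log above; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the FRST "Search Registry" output
# quoted in the thread, same line formats, fewer hits per term.
SAMPLE = r"""
Farbar Recovery Scan Tool (x64) Version: 29-06-2016

================== Search Registry: "babylon;conduit;Searchqu;trolltech;wajam" ===========

===================== Search result for "babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

===================== Search result for "conduit" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966]
"91E442DFEFE6D2A449A8D0544D1C86EB"="C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\iSyncConduit.dll"

===================== Search result for "Searchqu" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"

===================== Search result for "trolltech" ==========

[HKEY_USERS\S-1-5-21-535504277-1051878557-1753778751-1001\SOFTWARE\Trolltech]

====== End of Search ======
"""

HEADER_RE = re.compile(r'^=+ Search Registry: "([^"]*)" =+$')
SECTION_RE = re.compile(r'^=+ Search result for "([^"]+)" =+$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
END_RE = re.compile(r'^=+ End of Search =+$')


def parse_search_log(text):
    """Return (terms, hits): the terms FRST searched for, and a dict
    term -> list of (key, value_name, value_data). The value fields are
    None when the hit was on the key name alone (e.g. the bare Trolltech key)."""
    terms, hits, term, key = [], defaultdict(list), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            terms = [t for t in m.group(1).split(';') if t]
        elif m := SECTION_RE.match(line):
            term, key = m.group(1), None
        elif END_RE.match(line):
            break
        elif (m := KEY_RE.match(line)) and term is not None:
            key = m.group(1)
            hits[term].append((key, None, None))   # placeholder until a value line shows up
        elif (m := VALUE_RE.match(line)) and key is not None:
            if hits[term][-1] == (key, None, None):
                hits[term][-1] = (key, m.group(1), m.group(2))
            else:
                hits[term].append((key, m.group(1), m.group(2)))
    return terms, dict(hits)


def summarize(terms, hits):
    """Per term: hit count, any .dll file names in the data, and how many hits
    sit under WOW6432Node. Terms with zero hits are listed too, which the FRST
    output itself leaves out."""
    report = {}
    for t in terms:
        rows = hits.get(t, [])
        report[t] = {
            'hits': len(rows),
            'dlls': sorted({d.rsplit('\\', 1)[-1] for _, _, d in rows
                            if d and d.lower().endswith('.dll')}),
            'wow64': sum(1 for k, _, _ in rows if 'WOW6432Node' in k),
        }
    return report


def fixlist_lines(hits, remove_terms):
    """FRST deletes a key when the fixlist contains [-KEY]; build those lines
    for the chosen terms, de-duplicated and sorted for review."""
    keys = {k for t in remove_terms for k, _, _ in hits.get(t, [])}
    return [f'[-{k}]' for k in sorted(keys)]


if __name__ == '__main__':
    terms, hits = parse_search_log(SAMPLE)
    for t, info in summarize(terms, hits).items():
        print(f'{t:10} hits={info["hits"]} wow64={info["wow64"]} dlls={info["dlls"]}')
    print('\n'.join(fixlist_lines(hits, ['babylon', 'trolltech'])))
```

The per-term summary is the point: a substring search like "conduit" or "Searchqu" also matches unrelated names (the Apple iSyncConduit.dll and the Windows Search COM interfaces in the log above), so the deletion list is built only from the terms a reviewer selects, not from every hit.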

#13 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:45 AM

Posted 01 July 2016 - 04:27 PM

Hello snm77,

I apologize for the delay.  It's a holiday here and I didn't have much time to go on the computer today.  I will have a post ready for you within a few hours.

mAL


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed


#14 snm77

snm77
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:45 PM

Posted 01 July 2016 - 05:02 PM

I understand. Thanks again for your help!



#15 mAL_rEm018

mAL_rEm018

  • Malware Response Team
  • 307 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:45 AM

Posted 01 July 2016 - 09:27 PM

Hello snm77,

Please answer the following questions..

  • Are you aware of the following IP Address: 40.22.1.11?  It seems to be related to Eli Lilly and Company.

    Tcpip\..\Interfaces\{5c4095e4-cc19-49e2-a788-81168f045730}: [DhcpNameServer] 40.22.1.11

  • Did you set your IE Start Page to about:blank?

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    HKU\S-1-5-21-535504277-1051878557-1753778751-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

  • I see there is a batch file on your desktop.  Did you create or download it from the internet?

    C:\Users\JohnR\Desktop\clean.bat

  • There are two shortcuts on your desktop.  Can you tell me if you created them and what they lead to (folder, program, etc..)?

    2016-06-22 20:15 - 2016-02-13 13:12 - 00001509 _____ C:\Users\JohnR\Desktop\People (2).lnk
    2016-06-22 20:15 - 2015-12-19 13:28 - 00001505 _____ C:\Users\JohnR\Desktop\People.lnk


Please run the following fix..



  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
CreateRestorePoint:

HKLM-x32\...\Run: [] => [X]
ManualProxies:
2016-06-22 19:41 - 2016-06-22 19:43 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\JohnR\Desktop\footrub.com
2016-06-25 15:09 - 2015-12-17 04:59 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
C:\Users\JohnR\AppData\Local\Temp\1Password-4.6.0.598.exe
C:\Users\JohnR\AppData\Local\Temp\1Password-4.6.0.604.exe
C:\Users\JohnR\AppData\Local\Temp\COMAP.EXE
C:\Users\JohnR\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpy1vznl.dll
C:\Users\JohnR\AppData\Local\Temp\libeay32.dll
C:\Users\JohnR\AppData\Local\Temp\msvcr120.dll
C:\Users\JohnR\AppData\Local\Temp\sqlite3.dll
C:\Users\JohnR\AppData\Local\Temp\xkHhXirpXp.exe
Task: {1A66044E-B0E2-41EE-A8DB-E1F95C3ADB95} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {20A5378C-5656-4E48-894F-1D3816968A93} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {3375035E-39B4-47DE-9A6B-D79349514B86} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5EE70536-842C-406B-B5F2-89A2C83FCB30} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {74DD0F24-4932-4D54-8FB9-8D702069E964} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7DCEC939-8939-4E9F-B35C-CA35870B3DCA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {8176361B-6C53-4BF3-A972-90EE3784F7A8} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {84BC1C9C-4B87-496C-BF11-21C03FF26F27} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {87EF293E-3BB9-4D75-A536-E69AE3313DE5} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {96744FD0-E28C-4161-9F7D-78836DE653C2} - \{0D040B47-7804-0E7F-7911-090B080D1105} -> No File <==== ATTENTION
Task: {C8804D75-B46D-44CA-B241-2A2C1FC0D881} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E6FA50B7-856F-4D81-8354-585DD067A092} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Shortcut: C:\Users\Public\Desktop\HP Smart Friend.lnk -> hxxp://js.redirect.hp.com/jumpstation?bd=all&c=143&locale=en_us&pf=cnnb&s=sf_volume_dti_nb&tp=dticon (No File)
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_USERS\S-1-5-21-535504277-1051878557-1753778751-1001\SOFTWARE\Trolltech]

Hosts:
CMD: ipconfig /flushdns
EmptyTemp:
CreateRestorePoint:
  • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system



  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log

How is your computer behaving at this point?


-----------------------------------------
In your next reply, I would like to see..


  • Answer to my questions.
  • fixlog.txt
  • Update of your computer performance.

 


Teacher at the Malware Removal University.

Member of UNITE

 

Failure to post replies within 4 days will result in this thread being closed
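The questions in the post above are a triage pass over FRST scan lines: a DHCP-assigned DNS server the user may not recognise, an Internet Explorer start page set identically in every hive, scheduled tasks and shortcuts whose target is gone. As an added example (not code from the thread, from the helper or from FRST), the Python script below reads lines of those four kinds and turns them into the same questions. The sample lines are copied from the post above; the public-versus-private address test uses Python's ipaddress module, the "task named only by a GUID" heuristic and the function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: FRST lines copied from the helper's questions and fixlist
# in this thread (same addresses, GUIDs and paths), gathered into one list.
FRST_LINES = r"""
Tcpip\..\Interfaces\{5c4095e4-cc19-49e2-a788-81168f045730}: [DhcpNameServer] 40.22.1.11
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-535504277-1051878557-1753778751-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Task: {1A66044E-B0E2-41EE-A8DB-E1F95C3ADB95} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {20A5378C-5656-4E48-894F-1D3816968A93} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {96744FD0-E28C-4161-9F7D-78836DE653C2} - \{0D040B47-7804-0E7F-7911-090B080D1105} -> No File <==== ATTENTION
Shortcut: C:\Users\Public\Desktop\HP Smart Friend.lnk -> hxxp://js.redirect.hp.com/jumpstation?bd=all&c=143 (No File)
""".strip().splitlines()

DNS_RE = re.compile(r'^Tcpip\\\.\.\\Interfaces\\(\{[0-9A-Fa-f-]+\}): \[DhcpNameServer\] (.+)$')
START_RE = re.compile(r'^(HK[^,]+),Start Page = (.+)$')
TASK_RE = re.compile(r'^Task: (\{[0-9A-Fa-f-]+\}) - (\S+) -> (.*?)(?: <==== ATTENTION)?$')
SHORTCUT_RE = re.compile(r'^Shortcut: (.+?\.lnk) -> (.+?)(?: \(No File\))?$')
GUID_PATH_RE = re.compile(r'^\\\{[0-9A-Fa-f-]+\}$')   # task path that is nothing but a GUID


@dataclass
class Finding:
    kind: str       # short tag used to group findings
    detail: str     # what was seen, taken from the line
    question: str   # what to confirm with the machine's owner before acting


def triage(lines):
    """Turn FRST scan lines into the questions a reviewer would put to the user."""
    findings, start_pages = [], {}
    for line in lines:
        if m := DNS_RE.match(line):
            for addr in m.group(2).split():
                # Home and office routers hand out private addresses; a public
                # resolver is not wrong by itself but must be accounted for,
                # since a changed resolver can send browsers to the wrong sites.
                if not ipaddress.ip_address(addr).is_private:
                    findings.append(Finding('dns', f'{m.group(1)} DhcpNameServer {addr}',
                        'public DNS server: confirm it belongs to the ISP or employer'))
        elif m := START_RE.match(line):
            start_pages[m.group(1)] = m.group(2)
        elif (m := TASK_RE.match(line)) and m.group(3) == 'No File':
            if GUID_PATH_RE.match(m.group(2)):
                findings.append(Finding('task-orphan-guid', f'task {m.group(1)} -> {m.group(2)}',
                    'task named only by a GUID and its program is gone: no vendor path to check'))
            else:
                findings.append(Finding('task-orphan', f'task {m.group(1)} -> {m.group(2)}',
                    'scheduled task whose program is missing: leftover, listed for removal'))
        elif (m := SHORTCUT_RE.match(line)) and m.group(2).lower().startswith(('hxxp://', 'hxxps://')):
            findings.append(Finding('shortcut-url', f'{m.group(1)} -> {m.group(2)}',
                'shortcut opens a web address (FRST writes hxxp for http): confirm it is wanted'))
    if start_pages:
        values = sorted(set(start_pages.values()))
        findings.append(Finding('start-page', f'{len(start_pages)} hive(s) set Start Page = {values}',
            'ask whether the user chose this start page'))
    return findings


if __name__ == '__main__':
    for f in triage(FRST_LINES):
        print(f'[{f.kind}] {f.detail}\n    -> {f.question}')
```

Start pages are collected first and reported once, because the same value repeated across HKLM, the Wow6432Node view and the user hive is one question, not four.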




